81775 2005-02-12 12:25 0000 net-www/awstats More problems (CAN-2005-036{2,3}) 2005-02-16 06:32:10 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf B1 [glsa] koon P2 major --- 1 jaervosz@gentoo.org security@gentoo.org ka0ttic@gentoo.org jaervosz@gentoo.org 2005-02-12 12:25:36 0000 Patches are here: http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff jaervosz@gentoo.org 2005-02-12 12:32:40 0000 Aaron please attach on updated ebuild. I'm not sure of the confidentiality status yet, so filing as restricted. ka0ttic@gentoo.org 2005-02-12 13:03:24 0000 Created an attachment (id=51079) awstats-6.3-r1.ebuild ka0ttic@gentoo.org 2005-02-12 13:04:42 0000 Created an attachment (id=51080) awstats-6.3-CAN-2005-0016.diff Had to modify the patch as it is for 6.2 which is no longer in portage. ka0ttic@gentoo.org 2005-02-12 13:10:30 0000 I just noticed after looking at the patch that the lines being patched out are not the same as in the 6.2 patch... this looks like it only affects 6.2. 6.3 uses a Sanitize subroutine which looks to do the same thing: #------------------------------------------------------------------------------ # Function: Clean a string of all chars that are not char or _ - \ / . \s # Parameters: stringtoclean # Input: None # Output: None # Return: cleanedstring #------------------------------------------------------------------------------ sub Sanitize { my $stringtoclean=shift; $stringtoclean =~ s/[^\w_\-\\\/\.\s]//g; return $stringtoclean; } jaervosz@gentoo.org 2005-02-12 13:43:45 0000 Thx for the swift reaction. Aaron this is at least semi-public. Please commit the reduced patch. ka0ttic@gentoo.org 2005-02-12 13:55:39 0000 Committed. Kept keywords. koon@gentoo.org 2005-02-13 06:15:26 0000 CAN-2005-0016 configdir,pluginmode variable, fixed in 6.3 CAN-2005-0362 [no]loadplugin,pluginmode variables, fixed in 6.3 CAN-2005-0363 config variable, fixed in the latest patch Development version 6.4 contains : - Fix security hole that allowed a user to read log file content even when plugin rawlog was not enabled. That may also require additional patching... ka0ttic@gentoo.org 2005-02-13 08:14:40 0000 I've backported all the bugfixes from 6.4 to 6.3. I also renamed the current patch as I thought CAN-2005-0016 covered all of the variables. I uploaded the patch to the mirrors so I'll commit the revbump in a few hours. koon@gentoo.org 2005-02-13 09:56:18 0000 This is all public from awstats changelogs and te PDF analysis. Not sure if we should release this as an update to the old GLSA or a brand-new one. ka0ttic@gentoo.org 2005-02-13 11:34:51 0000 Committed. koon@gentoo.org 2005-02-14 12:33:39 0000 UPDATE to GLSA 200501-36 sent koon@gentoo.org 2005-02-15 13:51:45 0000 We should doublecheck that everything in http://www.securityfocus.com/archive/1/390368/2005-02-12/2005-02-18/0 has been covered. koon@gentoo.org 2005-02-16 06:32:10 0000 These mails are about CAN-2005-0362 and -363, so this is covered. 51079 2005-02-12 13:03 0000 awstats-6.3-r1.ebuild awstats-6.3-r1.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA1IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L25ldC13d3cvYXdzdGF0cy9hd3N0YXRzLTYuMy5l YnVpbGQsdiAxLjQgMjAwNS8wMi8wNSAxMDozNzowNCBrYTB0dGljIEV4cCAkCgppbmhlcml0IGV1 dGlscyB3ZWJhcHAKCkRFU0NSSVBUSU9OPSJBV1N0YXRzIGlzIGEgc2hvcnQgZm9yIEFkdmFuY2Vk IFdlYiBTdGF0aXN0aWNzLiIKSE9NRVBBR0U9Imh0dHA6Ly9hd3N0YXRzLnNvdXJjZWZvcmdlLm5l dC8iClNSQ19VUkk9Im1pcnJvcjovL3NvdXJjZWZvcmdlLyR7UE59LyR7UH0udGd6IgoKTElDRU5T RT0iR1BMLTIiCktFWVdPUkRTPSJ+YWxwaGEgcHBjIH5taXBzIH5zcGFyYyB4ODYgfmFtZDY0IgpJ VVNFPSIiCgpERVBFTkQ9Ij49ZGV2LWxhbmcvcGVybC01LjYuMQoJPj1tZWRpYS1saWJzL2xpYnBu Zy0xLjIKCWRldi1wZXJsL1RpbWUtTG9jYWwKCW5ldC13d3cvYXBhY2hlIgpSREVQRU5EPSIiCgpz cmNfdW5wYWNrKCkgewoJdW5wYWNrICR7QX0KCWNkICR7U30KCWVwYXRjaCAke0ZJTEVTRElSfS8k e1B9LWdlbnRvby5kaWZmCgoJIyBzZWN1cml0eSBidWcgODE3NzUKCWVwYXRjaCAke0ZJTEVTRElS fS8ke1B9LUNBTi0yMDA1LTAwMTYuZGlmZgoKCSMgY2hhbmdlIEFXU3RhdHMgZGVmYXVsdCBpbnN0 YWxsYXRpb24gZGlyZWN0b3J5IHRvIGluc3RhbGxhdGlvbiBkaXJlY3Rvcnkgb2YgR2VudG9vCglm b3IgZmlsZSBpbiB0b29scy8qIHd3d3Jvb3QvY2dpLWJpbi8qOyBkbwoJICAgIGlmIFtbIC1mICIk ZmlsZSIgXV07IHRoZW4KCSAgICAgICAgc2VkIC1pIC1lICJzIy91c3IvbG9jYWwvYXdzdGF0cy93 d3dyb290L2NnaS1iaW4jJHtNWV9DR0lCSU5ESVJ9I2ciIFwKCSAgICAgICAgICAgLWUgInMjL3Vz ci9sb2NhbC9hd3N0YXRzL3d3d3Jvb3QvaWNvbiMke01ZX0hURE9DU0RJUn0vaWNvbiNnIiBcCgkg ICAgICAgICAgIC1lICJzIy91c3IvbG9jYWwvYXdzdGF0cy93d3dyb290L3BsdWdpbnMjJHtNWV9I T1NUUk9PVERJUn0vcGx1Z2lucyNnIiBcCgkgICAgICAgICAgIC1lICJzIy91c3IvbG9jYWwvYXdz dGF0cy93d3dyb290L2NsYXNzZXMjJHtNWV9IVERPQ1NESVJ9L2NsYXNzZXMjZyIgXAoJICAgICAg ICAgICAtZSAicyMvdXNyL2xvY2FsL2F3c3RhdHMvd3d3cm9vdCMke01ZX0hURE9DU0RJUn0jZyIg XAoJCQkgICAkZmlsZSB8fCBkaWUgInNlZCAkZmlsZSBmYWlsZWQiCgkgICAgZmkKCWRvbmUKCgkj IFJlbW92ZSAuY3ZzKiBmaWxlcyBhbmQgQ1ZTIGRpcmVjdG9yaWVzCglmaW5kICR7U30gLW5hbWUg LmN2c1wqIC1vciBcKCAtdHlwZSBkIC1uYW1lIENWUyAtcHJ1bmUgXCkgfCB4YXJncyBybSAtcmYK CgkjIHNldCBkZWZhdWx0IHZhbHVlcyBmb3IgZGlyZWN0b3JpZXMKCXNlZCAtaSAtZSAicyNMb2dG aWxlPS4qI0xvZ0ZpbGU9XCIvdmFyL2xvZy9hcGFjaGUke0FQQUNIRVZFUn0vYWNjZXNzX2xvZ1wi IyIgXAoJICAgIC1lICJzI1NpdGVEb21haW49LiojU2l0ZURvbWFpbj1cImxvY2FsaG9zdFwiIyIg XAoJICAgIC1lICJzI0Rpckljb25zPS4qI0Rpckljb25zPVwiL2F3c3RhdHMvaWNvbnNcIiMiIFwK CSAgICAtZSAicyNEaXJDZ2k9LiojRGlyQ2dpPVwiL2NnaS1iaW4vYXdzdGF0c1wiIyIgXAoJICAg IC1lICJzI0RhdGFEaXI9LiojRGF0YURpcj1cIiR7TVlfSE9TVFJPT1RESVJ9L2F3c3RhdHMvZGF0 YWRpclwiIyIgXAoJJHtTfS93d3dyb290L2NnaS1iaW4vYXdzdGF0cy5tb2RlbC5jb25mIHx8IGRp ZSAic2VkIGZhaWxlZCIKCn0KCgoKc3JjX2luc3RhbGwoKSB7Cgl3ZWJhcHBfc3JjX3ByZWluc3QK CgkjIGhhbmRsZSBkb2N1bWVudGF0aW9uIGZpbGVzCgkjCgkjIE5PVEUgdGhhdCBkb2MgZmlsZXMg Z28gaW50byAvdXNyL3NoYXJlL2RvYyBhcyBub3JtYWw7IHRoZXkgZG8gTk9UCgkjIGdldCBpbnN0 YWxsZWQgcGVyIHZob3N0IQoKCWRvaHRtbCAtciBkb2NzLyouaHRtbCBkb2NzLyoueG1sIGRvY3Mv Ki5jc3MgZG9jcy8qLmpzIGRvY3MvaW1hZ2VzCglkb2RvYyBSRUFETUUuVFhUIGRvY3MvQ09QWUlO Ry5UWFQgZG9jcy9MSUNFTlNFLlRYVAoJbmV3ZG9jIHd3d3Jvb3QvY2dpLWJpbi9wbHVnaW5zL2V4 YW1wbGUvZXhhbXBsZS5wbSBleGFtcGxlX3BsdWdpbi5wbQoJZG9jaW50byB4c2x0Cglkb2RvYyB0 b29scy94c2x0LyoKCgl3ZWJhcHBfcG9zdGluc3RfdHh0IGVuICR7RklMRVNESVJ9L3Bvc3RpbnN0 LWVuLnR4dAoKCWtlZXBkaXIgL3Zhci9saWIvYXdzdGF0cwoKCSMgQ29weSB0aGUgYXBwJ3MgbWFp biBmaWxlcwoJZXhlaW50byAke01ZX0NHSUJJTkRJUn0KCWRvZXhlICR7U30vd3d3cm9vdC9jZ2kt YmluLyoucGwKCglleGVpbnRvICR7TVlfSFRET0NTRElSfS9jbGFzc2VzCglkb2V4ZSAke1N9L3d3 d3Jvb3QvY2xhc3Nlcy8qLmphcgoKCSMgaW5zdGFsbCBsYW5ndWFnZSBmaWxlcywgbGlicmFyaWVz IGFuZCBwbHVnaW5zCglta2RpciAtcCAke0R9JHtNWV9DR0lCSU5ESVJ9Cglmb3IgZGlyIGluIGxh bmcgbGliIHBsdWdpbnM7IGRvCgkJY3AgLVIgJHtTfS93d3dyb290L2NnaS1iaW4vJHtkaXJ9ICR7 RH0ke01ZX0NHSUJJTkRJUn0KCQljaG1vZCAwNzU1ICR7RH0ke01ZX0NHSUJJTkRJUn0vJHtkaXJ9 Cglkb25lCgoJIyBpbnN0YWxsIHRoZSBhcHAncyB3d3cgZmlsZXMKCW1rZGlyIC1wICR7RH0ke01Z X0hURE9DU0RJUn0KCWZvciBkaXIgaW4gaWNvbiBjc3MganM7IGRvCgkJY3AgLVIgJHtTfS93d3dy b290LyR7ZGlyfSAke0R9JHtNWV9IVERPQ1NESVJ9CgkJY2htb2QgMDc1NSAke0R9JHtNWV9IVERP Q1NESVJ9LyR7ZGlyfQoJZG9uZQoKCSMgY29weSBjb25maWd1cmF0aW9uIGZpbGUKCWluc2ludG8g L2V0Yy9hd3N0YXRzCglkb2lucyAke1N9L3d3d3Jvb3QvY2dpLWJpbi9hd3N0YXRzLm1vZGVsLmNv bmYKCgkjIGNyZWF0ZSB0aGUgZGF0YSBkaXJlY3RvcnkgZm9yIGF3c3RhdHMKCW1rZGlyIC1wICR7 RH0vJHtNWV9IT1NUUk9PVERJUn0vZGF0YWRpcgoKCSMgaW5zdGFsbCBjb21tYW5kIGxpbmUgdG9v bHMKCWNkICR7U30vdG9vbHMKCWRvYmluIGF3c3RhdHNfYnVpbGRzdGF0aWNwYWdlcy5wbCBhd3N0 YXRzX2V4cG9ydGxpYi5wbCBcCgkJYXdzdGF0c191cGRhdGVhbGwucGwgbG9ncmVzb2x2ZW1lcmdl LnBsIFwKCQltYWlsbG9nY29udmVydC5wbCBhd3N0YXRzX2NvbmZpZ3VyZS5wbAoJbmV3YmluIHVy bGFsaWFzYnVpbGRlci5wbCBhd3N0YXRzX3VybGFsaWFzYnVpbGRlci5wbAoKCSMgYWxsIGRvbmUK CSMKCSMgbm93IHdlIGxldCB0aGUgZWNsYXNzIHN0cnV0IGl0cyBzdHVmZiA7LSkKCgl3ZWJhcHBf c3JjX2luc3RhbGwKfQoKcGtnX3Bvc3RpbnN0KCkgewoJZWluZm8KCWVpbmZvICJUaGUgQVdTdGF0 cy1NYW51YWwgaXMgYXZhaWxhYmxlIGVpdGhlciBpbnNpZGUiCgllaW5mbyAiIHRoZSAvdXNyL3No YXJlL2RvYy8ke1BGfSAtIGZvbGRlciwgb3IgYXQiCgllaW5mbyAiIGh0dHA6Ly9hd3N0YXRzLnNv dXJjZWZvcmdlLm5ldC9kb2NzL2luZGV4Lmh0bWwgLiIKCWVpbmZvCglld2FybiAiQ29weSB0aGUg L2V0Yy9hd3N0YXRzL2F3c3RhdHMubW9kZWwuY29uZiB0byIKCWV3YXJuICIvZXRjL2F3c3RhdHMv YXdzdGF0cy48eW91cmRvbWFpbj4uY29uZiBhbmQgZWRpdC4iCglld2FybiAidXNlIHRoZSBjb21t YW5kIgoJZXdhcm4gIiAgICAgd2ViYXBwLWNvbmZpZyIKCWV3YXJuICJ0byBpbnN0YWxsIGF3c3Rh dHMgZm9yIGVhY2ggdmlydHVhbCBob3N0LiBTZWUgcHJvcGVyIG1hbiBwYWdlLiIKfQoK 51080 2005-02-12 13:04 0000 awstats-6.3-CAN-2005-0016.diff awstats-6.3-CAN-2005-0016.diff text/plain ZGlmZiAtLWV4Y2x1ZGU9Jyp+JyAtdXJOIGF3c3RhdHMtNi4zLm9yaWcvd3d3cm9vdC9jZ2ktYmlu L2F3c3RhdHMucGwgYXdzdGF0cy02LjMvd3d3cm9vdC9jZ2ktYmluL2F3c3RhdHMucGwKLS0tIGF3 c3RhdHMtNi4zLm9yaWcvd3d3cm9vdC9jZ2ktYmluL2F3c3RhdHMucGwJMjAwNS0wMS0yMiAxMToz NDozOC4wMDAwMDAwMDAgLTA1MDAKKysrIGF3c3RhdHMtNi4zL3d3d3Jvb3QvY2dpLWJpbi9hd3N0 YXRzLnBsCTIwMDUtMDItMTIgMTU6NTk6MzUuODAyODcxODM0IC0wNTAwCkBAIC01MzY4LDkgKzUz NjgsOSBAQAogCSMgTm8gdXBkYXRlIGJ1dCByZXBvcnQgYnkgZGVmYXVsdCB3aGVuIHJ1biBmcm9t IGEgYnJvd3NlcgogCSRVcGRhdGVTdGF0cz0oJFF1ZXJ5U3RyaW5nPX4vdXBkYXRlPTEvaT8xOjAp OwogCi0JaWYgKCRRdWVyeVN0cmluZyA9fiAvY29uZmlnPShbXiZdKykvaSkJCQkJeyAkU2l0ZUNv bmZpZz0mRGVjb2RlRW5jb2RlZFN0cmluZygiJDEiKTsgfQorCWlmICgkUXVlcnlTdHJpbmcgPX4g L2NvbmZpZz0oW14mXSspL2kpCQkJCXsgJFNpdGVDb25maWc9JkRlY29kZUVuY29kZWRTdHJpbmco IiQxIik7ICRTaXRlQ29uZmlnID1+IHMvW15cd19cLVxcXC9cLlxzXS8vZyB9CiAJaWYgKCRRdWVy eVN0cmluZyA9fiAvZGlyaWNvbnM9KFteJl0rKS9pKQkJCXsgJERpckljb25zPSZEZWNvZGVFbmNv ZGVkU3RyaW5nKCIkMSIpOyB9Ci0JaWYgKCRRdWVyeVN0cmluZyA9fiAvcGx1Z2lubW9kZT0oW14m XSspL2kpCQkJeyAkUGx1Z2luTW9kZT0mU2FuaXRpemUoJkRlY29kZUVuY29kZWRTdHJpbmcoIiQx IikpOyB9CisJaWYgKCRRdWVyeVN0cmluZyA9fiAvcGx1Z2lubW9kZT0oW14mXSspL2kpCQkJeyAk UGx1Z2luTW9kZT0mRGVjb2RlRW5jb2RlZFN0cmluZygiJDEiKTsgJFBsdWdpbk1vZGUgPX4gcy9b Xlx3X1wtXFxcL1wuXHNdLy9nIH0KIAlpZiAoJFF1ZXJ5U3RyaW5nID1+IC9jb25maWdkaXI9KFte Jl0rKS9pKQkJCXsgJERpckNvbmZpZz0mU2FuaXRpemUoJkRlY29kZUVuY29kZWRTdHJpbmcoIiQx IikpOyB9CiAJIyBBbGwgZmlsdGVycwogCWlmICgkUXVlcnlTdHJpbmcgPX4gL2hvc3RmaWx0ZXI9 KFteJl0rKS9pKQkJCXsgJEZpbHRlcklueydob3N0J309JkRlY29kZUVuY29kZWRTdHJpbmcoIiQx Iik7IH0JCQkjIEZpbHRlciBvbiBob3N0IGxpc3QgY2FuIGFsc28gYmUgZGVmaW5lZCB3aXRoIGhv c3RmaWx0ZXI9ZmlsdGVyCkBAIC01NDE2LDkgKzU0MTYsOSBAQAogCSMgVXBkYXRlIHdpdGggbm8g cmVwb3J0IGJ5IGRlZmF1bHQgd2hlbiBydW4gZnJvbSBjb21tYW5kIGxpbmUKIAkkVXBkYXRlU3Rh dHM9MTsKIAotCWlmICgkUXVlcnlTdHJpbmcgPX4gL2NvbmZpZz0oW14mXSspL2kpCQkJCXsgJFNp dGVDb25maWc9IiQxIjsgfQorCWlmICgkUXVlcnlTdHJpbmcgPX4gL2NvbmZpZz0oW14mXSspL2kp CQkJCXsgJFNpdGVDb25maWc9IiQxIjsgJFNpdGVDb25maWcgPX4gcy9bXlx3X1wtXFxcL1wuXHNd Ly9nIH0KIAlpZiAoJFF1ZXJ5U3RyaW5nID1+IC9kaXJpY29ucz0oW14mXSspL2kpCQkJeyAkRGly SWNvbnM9IiQxIjsgfQotCWlmICgkUXVlcnlTdHJpbmcgPX4gL3BsdWdpbm1vZGU9KFteJl0rKS9p KQkJCXsgJFBsdWdpbk1vZGU9JlNhbml0aXplKCIkMSIpOyB9CisJaWYgKCRRdWVyeVN0cmluZyA9 fiAvcGx1Z2lubW9kZT0oW14mXSspL2kpCQkJeyAkUGx1Z2luTW9kZT0iJDEiOyAkUGx1Z2luTW9k ZSA9fiBzL1teXHdfXC1cXFwvXC5cc10vL2cgfQogCWlmICgkUXVlcnlTdHJpbmcgPX4gL2NvbmZp Z2Rpcj0oW14mXSspL2kpCQkJeyAkRGlyQ29uZmlnPSZTYW5pdGl6ZSgiJDEiKTsgfQogCSMgQWxs IGZpbHRlcnMKIAlpZiAoJFF1ZXJ5U3RyaW5nID1+IC9ob3N0ZmlsdGVyPShbXiZdKykvaSkJCQl7 ICRGaWx0ZXJJbnsnaG9zdCd9PSIkMSI7IH0JCQkjIEZpbHRlciBvbiBob3N0IGxpc3QgY2FuIGFs c28gYmUgZGVmaW5lZCB3aXRoIGhvc3RmaWx0ZXI9ZmlsdGVyCkBAIC01NDQ3LDggKzU0NDcsOCBA QAogaWYgKCRRdWVyeVN0cmluZyA9fiAvKF58JilmcmFtZW5hbWU9KFteJl0rKS9pKQkJeyAkRnJh bWVOYW1lPSIkMiI7IH0KIGlmICgkUXVlcnlTdHJpbmcgPX4gLyhefCYpZGVidWc9KFxkKykvaSkJ CQl7ICREZWJ1Zz0kMjsgfQogaWYgKCRRdWVyeVN0cmluZyA9fiAvKF58Jil1cGRhdGVmb3I9KFxk KykvaSkJCXsgJFVwZGF0ZUZvcj0kMjsgfQotaWYgKCRRdWVyeVN0cmluZyA9fiAvKF58Jilub2xv YWRwbHVnaW49KFteJl0rKS9pKQl7IGZvcmVhY2ggKHNwbGl0KC8sLywkMikpIHsgJE5vTG9hZFBs dWdpbnsmU2FuaXRpemUoIiRfIil9PTE7IH0gfQotaWYgKCRRdWVyeVN0cmluZyA9fiAvKF58Jils b2FkcGx1Z2luPShbXiZdKykvaSkJCXsgZm9yZWFjaCAoc3BsaXQoLywvLCQyKSkgeyAkTm9Mb2Fk UGx1Z2lueyZTYW5pdGl6ZSgiJF8iKX09LTE7IH0gfQoraWYgKCRRdWVyeVN0cmluZyA9fiAvKF58 Jilub2xvYWRwbHVnaW49KFteJl0rKS9pKQl7IGZvcmVhY2ggKHNwbGl0KC8sLywkMikpIHsgcy9b Xlx3X1wtXFxcL1wuXHNdLy9nOyAkTm9Mb2FkUGx1Z2lueyIkXyJ9PTE7IH0gfQoraWYgKCRRdWVy eVN0cmluZyA9fiAvKF58Jilsb2FkcGx1Z2luPShbXiZdKykvaSkJCXsgZm9yZWFjaCAoc3BsaXQo LywvLCQyKSkgeyBzL1teXHdfXC1cXFwvXC5cc10vL2c7ICROb0xvYWRQbHVnaW57IiRfIn09LTE7 IH0gfQogaWYgKCRRdWVyeVN0cmluZyA9fiAvKF58JilsaW1pdGZsdXNoPShcZCspL2kpCQl7ICRM SU1JVEZMVVNIPSQyOyB9CiAjIEdldC9EZWZpbmUgb3V0cHV0CiBpZiAoJFF1ZXJ5U3RyaW5nID1+ IC8oXnwmKW91dHB1dCg9W14mXSp8KSguKikmb3V0cHV0KD1bXiZdKnwpKCZ8JCkvaSkgeyBlcnJv cigiT25seSAxIG91dHB1dCBvcHRpb24gaXMgYWxsb3dlZCIsIiIsIiIsMSk7IH0K