Bug 136065 - dev-lang/pike: <7.6.86 SQL injection vuln
|
Bug#:
136065
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: minor
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: falco@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
http://secunia.com/advisories/20494/
|
|
Summary: dev-lang/pike: <7.6.86 SQL injection vuln
|
|
Keywords:
|
|
Status Whiteboard: B3 [glsa] jaervosz
|
|
Opened: 2006-06-08 06:25 0000
|
Software: Pike 7.x
Description:
A vulnerability has been reported in Pike, which potentially can be exploited
by malicious people to conduct SQL injection attacks.
Some unspecified input isn't properly sanitised before being used in a SQL
query in a PostgreSQL database. This may be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
The vulnerability has been reported in version 7.6.66. Prior versions may also
be affected.
Solution:
Update to version 7.6.86.
http://pike.ida.liu.se/download/
Provided and/or discovered by:
Reported by the vendor.
Vapier, you was the latest who made a bump on this package. Mind to bump again
?
security devs, please email gentoo-dev@ , there is no herd and no maintainer
for dev-lang/pike
i'm working on it, just havent gotten the bugs ironed out yet
mike any news on this one?
I just updated the version of pike to 7.6.86, so this bug shouldn't be there,
also revbump 7.6.50 to fix bug #116795 (also fixed in latest version).
I also added myself as the maintainer of this package, and tweaked the
configuration so now it needs gmp/nettle (crashes without them) , so let me
know if any problem.
Closing bug....
@Luis since this is only fixed in 7.6.86 is this version ready for stable
marking?
Yes Sune , i think this version should be marked stable.
Thx Luis.
Arches please test and mark 7.6.86 stable.
1) emerges fine
2) does not pass test suite
Doing tests in tlib/modules/testsuite (324 tests)
test 319, line 807
[WATCHDOG] Pike testsuite timeout, sending SIGABRT.
Failed to parse subresult for testsuite "tlib/modules/testsuite" (exitcode:-1):
3) passes collision test
4) QA Notice: the following files contain executable stacks
Files with executable stacks will not work properly (or at all!)
on some architectures/operating systems. A bug should be filed
at http://bugs.gentoo.org/ to make sure the file is fixed.
For more information, see http://hardened.gentoo.org/gnu-stack.xml
Please include this file in your report:
/var/tmp/portage/pike-7.6.86/temp/scanelf-execstack.log
"RWX --- --- usr/lib/pike/modules/Image.so"
Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4,
2.6.16-gentoo-r12 i686)
=================================================================
System uname: 2.6.16-gentoo-r12 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.6.15
dev-lang/python: 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O0"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash
/etc/terminfo"
CXXFLAGS="-O0"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa apache2 arts artworkextra asf
audiofile avi bash-completion beagle berkdb bidi bitmap-fonts bootsplash
branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl
custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread
dvi eds emacs emboss encode esd evo exif expat fam fat fbcon fdftk ffmpeg
firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2
gtkhtml hal howl icq idn imagemagick imap imlib ipv6 isdnlog java javascript
jikes jpeg jpeg2k kde ldap leim libg++ libwww lm_sensors mad maildir matroska
mbox mikmod mime mmx mmxext mng mono motif mp3 mpeg mpeg2 mule nautilus ncurses
nforce2 nls nocardbus nowebdav nptl nptlonly nsplugin nvidia ogg opengl pam
pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt
qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell
spl sse ssl svg svga t1lib tcltk tcpd theora thunderbird tiff truetype
truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows
xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse
input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon
video_cards_vesa video_cards_fbdev"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS
Can you please describe what steps are you taking to emerge the package? , i
don't find to reproduce this bug. I am using amd64 , anyone else with a x86 box
who could test this?
emerge pike on my system wants gmp pdflib and nettle additionally to pike
itself. I have FEATURES="test", without test it runs through fine...I also
used the ebuild utility to perform all steps separately.
Failed a different test on a different run:
Doing tests in tlib/modules/testsuite (324 tests)
test 317, line 739
[WATCHDOG] Pike testsuite timeout, sending SIGABRT.
Some pike source code runs fine though...
With FEATURES="test" works fine for me on x86 with following USE flags, I'll
mark stable shortly.
dev-lang/pike-7.6.86 USE="gdbm gif gtk jpeg mime opengl pcre pdf sdl ssl svg
tiff truetype zlib -bzip2 -debug -doc -fftw -hardened -kerberos -mmx -mysql
-scanner"
(In reply to comment #14)
> emerge pike on my system wants gmp pdflib and nettle additionally to pike
> itself. I have FEATURES="test", without test it runs through fine...I also
> used the ebuild utility to perform all steps separately.
>
Yes, one of the main changes of this new ebuild version is precisely that
gmp/nettle are mandatory deps, and pdflib required with doc.
> Failed a different test on a different run:
> Doing tests in tlib/modules/testsuite (324 tests)
> test 317, line 739
> [WATCHDOG] Pike testsuite timeout, sending SIGABRT.
>
>
> Some pike source code runs fine though...
>
I can run all my pike scripts fine, and i still don't get to reproduce this
bug, anyone from the amd64 team who could give it a try please?
(In reply to comment #16)
> Stable on x86.
>
Thanks Paul
Breaks for me on ppc:
Making install in build/linux-2.6.17-ppc
make[2]: Entering directory
`/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc'
/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/_Image.pmod/module.pmod:63:Index
'RENDER' not present in module 'GIF'.
/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/GTKSupport.pmod/Util.pmod:13:Index
'_decode' not present in module 'Image'.
/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/GTKSupport.pmod/Util.pmod:21:Index
'_load' not present in module 'Image'.
/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/bin/install.pike:954:Error
looking up 'Util' in module 'GTK'.
Pike: Failed to compile script:
Compilation failed.
master.pike:2656:
master()->_main(({"/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc/pike","-DNOT_INSTALLED","-DPRECO
MPILED_SEARCH_MORE",,,14}),({"PVR=7.6.86","STARTDIR=/root",,,172}))
make[2]: *** [install] Error 10
make[2]: Leaving directory
`/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc'
make[1]: *** [compile] Error 2
make[1]: Leaving directory `/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86'
make: *** [install_nodoc] Error 2
!!! ERROR: dev-lang/pike-7.6.86 failed.
Call stack:
ebuild.sh, line 1539: Called dyn_install
ebuild.sh, line 1013: Called src_install
pike-7.6.86.ebuild, line 93: Called die
[ebuild N ] dev-lang/pike-7.6.86 USE="gtk ssl tiff -bzip2 -debug -doc
-fftw -gdbm -gif -hardened -jpeg -kerberos -mime -mysql -opengl -pcre -pdf
-scanner -sdl -svg -truetype -zlib" 0 kB
(In reply to comment #16)
> Stable on x86.
>
There existed some sandbox violation problems with this ebuild. I couldn't
reproduce it until a few days ago, and now i fixed it in the new revision of
the ebuild, please test again and mark stable if possible.
Also, play with the several different use flags combinations, i also fixed a
'doc' useflag problem in this new ebuild, so test hard with this flag enabled.
Thanks.
(In reply to comment #19)
> Breaks for me on ppc:
>
> Making install in build/linux-2.6.17-ppc
> make[2]: Entering directory
> `/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc'
> /var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/_Image.pmod/module.pmod:63:Index
> 'RENDER' not present in module 'GIF'.
> /var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/GTKSupport.pmod/Util.pmod:13:Index
> '_decode' not present in module 'Image'.
> /var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/lib/modules/GTKSupport.pmod/Util.pmod:21:Index
> '_load' not present in module 'Image'.
> /var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/bin/install.pike:954:Error
> looking up 'Util' in module 'GTK'.
> Pike: Failed to compile script:
> Compilation failed.
>
> master.pike:2656:
>
> master()->_main(({"/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc/pike","-DNOT_INSTALLED","-DPRECO
> MPILED_SEARCH_MORE",,,14}),({"PVR=7.6.86","STARTDIR=/root",,,172}))
> make[2]: *** [install] Error 10
> make[2]: Leaving directory
> `/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86/build/linux-2.6.17-ppc'
> make[1]: *** [compile] Error 2
> make[1]: Leaving directory `/var/tmp/portage/pike-7.6.86/work/Pike-v7.6.86'
> make: *** [install_nodoc] Error 2
>
> !!! ERROR: dev-lang/pike-7.6.86 failed.
> Call stack:
> ebuild.sh, line 1539: Called dyn_install
> ebuild.sh, line 1013: Called src_install
> pike-7.6.86.ebuild, line 93: Called die
>
>
> [ebuild N ] dev-lang/pike-7.6.86 USE="gtk ssl tiff -bzip2 -debug -doc
> -fftw -gdbm -gif -hardened -jpeg -kerberos -mime -mysql -opengl -pcre -pdf
> -scanner -sdl -svg -truetype -zlib" 0 kB
>
Thanks Tobias,
This was a gtk dependency problem, i already fixed in the latest
revision. Please test again.
note: do as many useflags combinations as you can.
it failed here on amd64 with a strange 'gcc: gdb: No such file or directory'
error, but the latest stable fails exactly the same way. Somebody else from the
amd64 team please give it a try.
make[5]: Entering directory
`/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/build/linux-2.6.15-gentoo-r5-x86_64/post_modules/GL'
Compiling
/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/src/post_modules/GL/top.c
gcc: gdb: No such file or directory
WARNING: Compiler failure! Trying without optimization!
/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/build/linux-2.6.15-gentoo-r5-x86_64/pike
-DNOT_INSTALLED -DPRECOMPILED_SEARCH_MORE
-m/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/build/linux-2.6.15-gentoo-r5-x86_64/master.pike
/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/src/post_modules/GL/gen.pike
<
/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/src/post_modules/GL/auto.c.in
> auto.c
Compiling auto.c
gcc: gdb: No such file or directory
WARNING: Compiler failure! Trying without optimization!
Linking GL
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.5/../../../../x86_64-pc-linux-gnu/bin/ld:
top.o: relocation R_X86_64_32 against `msg_out_of_mem_2' can not be used when
making a shared object; recompile with -fPIC
top.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
Linking failed:
/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/bin/smartlink gcc -shared -o
module.so top.o auto.o -R/usr/local/lib -L/usr/local/lib -R/usr/local/lib32
-L/usr/local/lib32 -R/usr/local/lib64 -L/usr/local/lib64 -R/usr/X11R6/lib
-L/usr/X11R6/lib -R/usr/X11R6/lib32 -L/usr/X11R6/lib32 -R/usr/X11R6/lib64
-L/usr/X11R6/lib64 -lGL -lXext -lX11 -ldl -lrt -lnsl -lm -lpthread -lcrypt
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.5/libgcc.a -lc
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.5/libgcc.a
make[5]: *** [module.so] Error 1
my USE flaggery:
[ebuild N ] dev-lang/pike-7.6.86-r1 USE="debug gtk jpeg opengl pcre sdl
ssl
svg tiff truetype zlib -bzip2 -doc -fftw -gdbm -hardened -kerberos -mime -mysql
-pdf -scanner" 0 kB
also, readding x86 as their keyword got lost
pike 7.6.86-r1
1) emerges fine, but textrel (see above) still remains
2) still fails on test 317 of tlib/modules/testsuite (see above), but scripts
run perfectly
3) passes collision test
Pike fails to pass its testsuite here.
Doing tests in tlib/modules/Calendar.pmod/testsuite (416 tests)
/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/lib/modules/Calendar.pmod/test
suite.in:49: Test 30 (shift 0) failed.
1: mixed a() { return Calendar.parse("%Y-%M-%D %h:%m","2040-11-08 2:46"); }
2: mixed b() { return Calendar.Minute(2040,11,8,2,46) ; }
3:
Error: Time is out of range for Timezone.localtime()
FEATURES="test" USE="test tiff bzip2 fftw kerberos mime mysql pdf scanner"
emerge pike
Portage 2.1-r1 (default-linux/ppc/ppc32/2006.1/G4, gcc-4.1.1, glibc-2.4-r3,
2.6.
17.4 ppc)
=================================================================
System uname: 2.6.17.4 ppc 7447A, altivec supported
Gentoo Base System version 1.6.15
app-admin/eselect-compiler: [Not Present]
dev-lang/python: 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r4
ACCEPT_KEYWORDS="ppc"
AUTOCLEAN="yes"
CBUILD="powerpc-unknown-linux-gnu"
CFLAGS="-O2 -mcpu=G4 -mtune=G4 -maltivec -mabi=altivec -fno-strict-aliasing
-pipe"
CHOST="powerpc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-O2 -mcpu=G4 -mtune=G4 -maltivec -mabi=altivec -fno-strict-aliasing
-pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig confcache distlocks metadata-transfer parallel-fetch
sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo
http://pandemonium.tiscali.de/pub/gentoo/
http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/"
PKGDIR="/usr/portage/packages"
SYNC="rsync://192.168.1.33/gentoo-portage"
USE="X alsa altivec apache2 arts berkdb bitmap-fonts bonobo cairo cdr cli crypt
cups divx4linux dlloader dri dvd dvdread eds emboss encode esd flac fortran
gdbm gif glitz gnome gpm gstreamer gtk gtkhtml ipv6 isdnlog jpeg kde
kdeenablefinal ldap libg++ libwww mad mikmod mozilla mp3 mpeg ncurses network
nls nptl nptlonly ogg opengl pam pcre pdflib perl png ppc pppd python qt qt3
quicktime readline reflection ruby sdl session spell spl ssl svg tcpd theora
truetype truetype-fonts type1-fonts udev unicode userlocales vorbis xine xml
xorg xv xvid zlib elibc_glibc input_devices_keyboard input_devices_mouse
input_devices_evdev kernel_linux userland_GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Uhm, actually it is a bit worse, 9 tests fail.
Failed tests: 9.
Total tests: 150999 (63 tests skipped)
Finished tests at Fri Jul 28 21:26:30 2006
make[2]: *** [verify] Error 9
make[2]: Leaving directory
`/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86/build/linux-2.6.17.4-ppc'
make[1]: *** [compile] Error 2
make[1]: Leaving directory `/var/tmp/portage/pike-7.6.86-r1/work/Pike-v7.6.86'
make: *** [verify] Error 2
Sorry for the bugspam
b33fc0d3 verified it builds, it just fails regarding multilib-strict on amd64,
but as the latest stable does so too and it is only cosmetic, i marked it
stable anyway, so...
amd64 done
That's fine.
Thanks Simon.
