| Field | Value |
|---|---|
| Summary | <app-misc/beanstalkd-1.4.6: Remote command injection (CVE-2010-2060) |
| Product | Gentoo Security |
| Reporter | Johan Bergström <bugs> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | patrick, proxy-maint |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://kr.github.com/beanstalkd/2010/05/23/1.4.6-release-notes.html |
| Whiteboard | B1? [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 310033 |
| Bug Blocks | |
Description
Johan Bergström
2010-06-02 09:07:28 UTC
Ebuilds for 1.4.6 committed.

Thanks for the report. What is meant by "remote command injection" here? Is this arbitrary shell code, i.e. "remote execution of arbitrary code", or just commands for the tool itself?

Tobias, this command injection was only within beanstalkd, so users could for example do stuff in the style of: put <magic data that will enable execution> <insert beanstalkd command here>

Closing without GLSA as this is not stable on any arch.

CVE-2010-2060 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2060): The put command functionality in beanstalkd 1.4.5 and earlier allows remote attackers to execute arbitrary Beanstalk commands via the body in a job that is too big, which is not properly handled by the dispatch_cmd function in prot.c.

Reopening as bug 288103 has made 1.3 stable meanwhile. Patrick, can 1.4.6 go stable?

Actually reopening.

I think this version is suitable for stablereq.

x86 stable

amd64 done

GLSA Vote: Yes.

GLSA request filed.

Why did it just get a severity of B4?!

This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).
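The CVE description in the thread above says the body of an oversized put was not properly handled by dispatch_cmd, so its bytes ended up being parsed as further Beanstalk commands. The following is an added toy model of that framing desync, not beanstalkd's own prot.c; the 16-byte job limit, the two-command reply set and the `drain_oversized` switch are assumptions chosen for the demo, and the client stream is constructed.

```python
# Added illustration of the CVE-2010-2060 failure mode: a toy model of the
# beanstalkd "put" framing, NOT the project's prot.c. MAX_JOB_SIZE and the
# reply set are assumptions chosen for the demo.
from typing import List

MAX_JOB_SIZE = 16                                        # assumed limit for the demo
SIMPLE_REPLIES = {b"delete": "DELETED", b"stats": "OK"}  # simplified command set


def dispatch(stream: bytes, drain_oversized: bool) -> List[str]:
    """Parse a client byte stream and return the replies a server would send.

    Framing: put <pri> <delay> <ttr> <bytes>\r\n<body>\r\n
    drain_oversized=False models the pre-1.4.6 bug: after JOB_TOO_BIG the
    body bytes are left in the stream and get parsed as further commands.
    """
    replies: List[str] = []
    job_id = 0
    pos = 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            break                                  # incomplete line: wait for data
        parts = stream[pos:eol].split()
        pos = eol + 2
        if len(parts) == 5 and parts[0] == b"put":
            size = int(parts[4])
            if pos + size + 2 > len(stream):
                break                              # incomplete body: wait for data
            if size > MAX_JOB_SIZE:
                replies.append("JOB_TOO_BIG")
                if drain_oversized:
                    pos += size + 2                # fixed: consume body + CRLF
                continue                           # buggy path: body left in stream
            pos += size + 2
            job_id += 1
            replies.append(f"INSERTED {job_id}")
        elif parts and parts[0] in SIMPLE_REPLIES:
            replies.append(SIMPLE_REPLIES[parts[0]])
        else:
            replies.append("UNKNOWN_COMMAND")
    return replies


# Constructed stream: a valid put, then an oversized put whose body contains a
# command line, then a normal command.
BODY = b"AAAAAAAAAA\r\ndelete 1"                   # 20 bytes, over the 16-byte limit
STREAM = (b"put 0 0 60 5\r\nhello\r\n"
          + b"put 0 0 60 %d\r\n" % len(BODY) + BODY + b"\r\n"
          + b"stats\r\n")

if __name__ == "__main__":
    print("1.4.5-style:", dispatch(STREAM, drain_oversized=False))
    print("1.4.6-style:", dispatch(STREAM, drain_oversized=True))
```

In the buggy mode the smuggled "delete 1" line is dispatched as a command; in the drained mode only JOB_TOO_BIG and the genuine stats reply appear, and a body that has not fully arrived is left for the next read instead of being partially parsed.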