Bug 81775 - net-www/awstats More problems (CAN-2005-036{2,3})
Bug#: 81775 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:  http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf
Summary: net-www/awstats More problems (CAN-2005-036{2,3})
Keywords:  
Status Whiteboard: B1 [glsa] koon
Opened: 2005-02-12 12:25 0000
Description:
Patches are here:
http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-02-12 12:32:40 0000 -------
Aaron, please attach an updated ebuild. I'm not sure of the confidentiality
status yet, so filing as restricted.

------- Comment #2 From Aaron Walker (RETIRED) 2005-02-12 13:03:24 0000 -------
Created an attachment (id=51079)
awstats-6.3-r1.ebuild

------- Comment #3 From Aaron Walker (RETIRED) 2005-02-12 13:04:42 0000 -------
Created an attachment (id=51080)
awstats-6.3-CAN-2005-0016.diff

Had to modify the patch as it is for 6.2 which is no longer in portage.

------- Comment #4 From Aaron Walker (RETIRED) 2005-02-12 13:10:30 0000 -------
I just noticed after looking at the patch that the lines being patched out are
not the same as in the 6.2 patch... this looks like it only affects 6.2.  6.3
uses a Sanitize subroutine which looks to do the same thing:

#------------------------------------------------------------------------------
# Function:     Clean a string of all chars that are not char or _ - \ / . \s
# Parameters:   stringtoclean
# Input:        None
# Output:       None
# Return:               cleanedstring
#------------------------------------------------------------------------------
sub Sanitize {
        my $stringtoclean=shift;
        $stringtoclean =~ s/[^\w_\-\\\/\.\s]//g;
        return $stringtoclean;
}

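Added example, not code from the bug report or from the AWStats project: a Python port of the Sanitize allowlist quoted in comment #4, with a helper that reports which characters it dropped, beside a hypothetical validator for a value that selects a config file (awstats.<name>.conf). The validator is an illustration of reject-instead-of-strip handling and is not the fix AWStats shipped; all sample inputs are constructed.

```python
import re

# Port of the 6.3 Sanitize subroutine quoted in comment #4: drop every
# character that is not \w, '_', '-', '\', '/', '.' or whitespace.
# re.ASCII limits \w to [A-Za-z0-9_], matching Perl's behaviour on byte strings.
SANITIZE_63 = re.compile(r"[^\w_\-\\/.\s]", re.ASCII)


def sanitize_63(value: str) -> str:
    """Same effect as the Perl substitution s/[^\\w_\\-\\\\\\/\\.\\s]//g."""
    return SANITIZE_63.sub("", value)


def stripped_chars(value: str) -> set:
    """Characters that sanitize_63() removed from `value` (for inspection)."""
    return set(value) - set(sanitize_63(value))


# Hypothetical validator for a config-file selector (illustration only, not
# the project's fix): the value must start with an alphanumeric, may contain
# only [A-Za-z0-9_.-], and must not contain '..'. Note that '/', '\' and '..'
# all pass sanitize_63() unchanged, because those characters are in its allowlist.
CONFIG_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def is_valid_config_name(value: str) -> bool:
    return bool(CONFIG_NAME.fullmatch(value)) and ".." not in value


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the bug report.
    for sample in ("example.com", "name;x|y", "../other\\dir", "a b"):
        print(f"{sample!r:18} -> {sanitize_63(sample)!r:18} "
              f"valid config name: {is_valid_config_name(sample)}")
```
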
------- Comment #5 From Sune Kloppenborg Jeppesen 2005-02-12 13:43:45 0000 -------
Thx for the swift reaction.

Aaron this is at least semi-public. Please commit the reduced patch.

------- Comment #6 From Aaron Walker (RETIRED) 2005-02-12 13:55:39 0000 -------
Committed.  Kept keywords.

------- Comment #7 From Thierry Carrez (RETIRED) 2005-02-13 06:15:26 0000 -------
CAN-2005-0016 configdir,pluginmode variable, fixed in 6.3
CAN-2005-0362 [no]loadplugin,pluginmode variables, fixed in 6.3
CAN-2005-0363 config variable, fixed in the latest patch

Development version 6.4 contains:
- Fix security hole that allowed a user to read log file content even
  when plugin rawlog was not enabled.

That may also require additional patching...

------- Comment #8 From Aaron Walker (RETIRED) 2005-02-13 08:14:40 0000 -------
I've backported all the bugfixes from 6.4 to 6.3. I also renamed the current
patch as I thought CAN-2005-0016 covered all of the variables.

I uploaded the patch to the mirrors so I'll commit the revbump in a few hours.

------- Comment #9 From Thierry Carrez (RETIRED) 2005-02-13 09:56:18 0000 -------
This is all public from awstats changelogs and the PDF analysis.
Not sure if we should release this as an update to the old GLSA or a brand-new one.

------- Comment #10 From Aaron Walker (RETIRED) 2005-02-13 11:34:51 0000 -------
Committed.

------- Comment #11 From Thierry Carrez (RETIRED) 2005-02-14 12:33:39 0000 -------
UPDATE to GLSA 200501-36 sent

------- Comment #12 From Thierry Carrez (RETIRED) 2005-02-15 13:51:45 0000 -------
We should double-check that everything in
http://www.securityfocus.com/archive/1/390368/2005-02-12/2005-02-18/0 has been
covered.

------- Comment #13 From Thierry Carrez (RETIRED) 2005-02-16 06:32:10 0000 -------
These mails are about CAN-2005-0362 and -363, so this is covered.