Bug#: 214666
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Lars Hartmann <lars@chaotika.org>

Attachment: xmlrpc_property_permissions.patch (description: patch; type: patch), created by Lars Hartmann, 2008-03-25 10:21 0000, 7.73 KB

Description:   Opened: 2008-03-25 10:20 0000
The xml-rpc server in Roundup 1.4.4 does not check property permissions, which
allows attackers to bypass restrictions and edit or read restricted properties
via the (1) list, (2) display, and (3) set methods.
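
The class of flaw described above, sketched as an added example (not code from this bug report, the attached patch, or Roundup): a handler that authorises only at class level, next to handlers that authorise each property for display and set. The grant table, the sample record and all function names are hypothetical and constructed for illustration.

```python
# Toy model (constructed for illustration; not Roundup's API or data).
# Permissions are granted per (role, action, class, property); a property of
# None means "every property of that class".
GRANTS = {
    ("User", "View", "user", "username"),
    ("User", "View", "user", "realname"),
    ("User", "Edit", "user", "realname"),
    ("Admin", "View", "user", None),
    ("Admin", "Edit", "user", None),
}

DB = {("user", "3"): {"username": "alice", "realname": "Alice", "roles": "User"}}


def has_permission(role, action, classname, prop=None):
    """True if role may perform action on classname (on prop, when given)."""
    if prop is None:  # class-level question: does any grant exist at all?
        return any(g[:3] == (role, action, classname) for g in GRANTS)
    return ((role, action, classname, None) in GRANTS
            or (role, action, classname, prop) in GRANTS)


def display_unchecked(role, classname, itemid):
    """Flawed pattern: one class-level check, then every property is returned."""
    if not has_permission(role, "View", classname):
        raise PermissionError(classname)
    return dict(DB[(classname, itemid)])


def display_checked(role, classname, itemid, props=None):
    """Hardened pattern: each requested property is authorised on its own."""
    item = DB[(classname, itemid)]
    result = {}
    for prop in (props or sorted(item)):
        if not has_permission(role, "View", classname, prop):
            raise PermissionError(f"View {classname}.{prop}")
        result[prop] = item[prop]
    return result


def set_checked(role, classname, itemid, **changes):
    """Authorise every property before writing any, so a denial changes nothing."""
    for prop in changes:
        if not has_permission(role, "Edit", classname, prop):
            raise PermissionError(f"Edit {classname}.{prop}")
    DB[(classname, itemid)].update(changes)
```

A regression test for this kind of fix should call every remote method as a low-privilege role and assert that restricted properties are neither returned nor written.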

------- Comment #1 From Lars Hartmann 2008-03-25 10:21:27 0000 -------
Created an attachment (id=147233)
patch

------- Comment #2 From Lars Hartmann 2008-03-25 10:22:53 0000 -------
maintainers - please provide an updated ebuild

------- Comment #3 From Benedikt Böhm 2008-04-03 10:43:10 0000 -------
1.4.4-r1 in cvs

------- Comment #4 From Pierre-Yves Rofes 2008-05-12 11:54:46 0000 -------
Arches, please test and mark stable www-apps/roundup-1.4.4-r1
target : "amd64 ppc release sparc x86"

------- Comment #5 From Christian Faulhammer 2008-05-12 13:31:02 0000 -------
x86 stable

------- Comment #6 From Markus Meier 2008-05-12 15:38:17 0000 -------
amd64 stable

------- Comment #7 From Ferris McCormick 2008-05-12 20:12:53 0000 -------
Sparc stable.

------- Comment #8 From Tobias Scherbaum 2008-05-16 18:33:14 0000 -------
ppc stable

------- Comment #9 From Gunnar Wrobel 2008-05-17 07:32:52 0000 -------
Removed vulnerable version. webapps done.

------- Comment #10 From Pierre-Yves Rofes 2008-05-17 09:43:06 0000 -------
Time for GLSA decision. I vote YES.

------- Comment #11 From Peter Volkov 2008-05-18 15:19:02 0000 -------
Fixed in release snapshot.

------- Comment #12 From Tobias Heinlein 2008-05-19 15:24:23 0000 -------
Voting YES and filing request.

------- Comment #13 From Tobias Heinlein 2008-05-29 19:16:08 0000 -------
GLSA 200805-21
