Bug 106149 - www-apps/twiki: Arbitrary command execution
Summary: www-apps/twiki: Arbitrary command execution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://twiki.org/cgi-bin/view/Codev/S...
Whiteboard: ~1 [noglsa]
Keywords: SECURITY
Depends on:
Blocks:
 
Reported: 2005-09-15 23:19 UTC by Andres Pereira (RETIRED)
Modified: 2005-09-17 06:25 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Andres Pereira (RETIRED) gentoo-dev 2005-09-15 23:19:10 UTC
There is a new vulnerability which affects www-apps/twiki (remote execution of
arbitrary commands with the permissions of the user running twiki):

http://www.securityfocus.com/bid/14834
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev

A number of countermeasures are mentioned in the above website (patches).

I installed the twiki available in portage (~20041030) and it's vulnerable. On
the other hand it seems that there is another vulnerability according to (not
tested):

http://twiki.org/cgi-bin/view/Codev/UncoordinatedSecurityAlert23Feb2005
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-09-16 01:55:10 UTC
This is public, opening.
web-apps: please bump.
Note that, the package being only in ~, it won't generate a GLSA.
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2005-09-16 04:38:50 UTC
Thanks for reporting, both fixed in CVS.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-09-16 09:44:18 UTC
No GLSA, closing.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-09-16 09:45:22 UTC
Hm. no.
Renat: you should revbump so that people get the fix by normal upgrade.
Comment 5 Renat Lumpau (RETIRED) gentoo-dev 2005-09-16 15:58:09 UTC
Doh. Fixed.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-09-17 06:25:00 UTC
Really closing.