Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 160393 - www-apps/coppermine < 1.4.12 Possible Remote SQL Injection (CVE-2007-0122)
Summary: www-apps/coppermine < 1.4.12 Possible Remote SQL Injection (CVE-2007-0122)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Highest minor (vote)
Assignee: Gentoo Security
URL: http://www.milw0rm.com/exploits/3085
Whiteboard: ~3 [noglsa]
Keywords:
: 173966 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-01-06 09:58 UTC by Executioner
Modified: 2007-08-09 11:23 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
tentative fix (un-checked) (omg.patch,312 bytes, patch)
2007-01-06 10:59 UTC, Francesco R. (RETIRED) 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Executioner 2007-01-06 09:58:39 UTC 
There is a remote sql injection exploit out for versions <= 1.4.10 and as of 1/6/07 I don't believe there is a vendor fix.  

Reproducible: Didn't try




http://acid-root.new.fr/poc/19070104.txt
Comment 1 Francesco R. (RETIRED) gentoo-dev 2007-01-06 10:59:44 UTC 
Created attachment 105627 [details, diff]
tentative fix (un-checked)

Last time, around two years ago I checked coppermine it was in a strong need for a security review.

The attached patch should fix this particular vulnerability but every query should be checked in the package.

the patch apply to version 1.4.10, so it need a version bump too.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-06 13:02:05 UTC 
web-apps please advise.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 10:32:59 UTC 
Web-apps any news on this one?
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-04-10 06:07:22 UTC 
*** Bug 173966 has been marked as a duplicate of this bug. ***
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-31 09:38:23 UTC 
any news here?
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2007-06-02 05:42:49 UTC 
Security, please feel free to mask.
Comment 7 cilly 2007-06-02 12:27:47 UTC 
What about contacting upstream?
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-01 12:56:38 UTC 
Seems that upstream released 1.4.11:

http://secunia.com/advisories/25846/
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-13 16:08:44 UTC 
heya webapss, please bump to 1.4.11
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 09:35:54 UTC 
Web-apps do you want to bump or dump(mask) the package?
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-23 15:06:36 UTC 
web-apps, any news here?
Comment 12 Gunnar Wrobel (RETIRED) gentoo-dev 2007-08-09 11:06:11 UTC 
Bumped to 1.4.12. Sorry for the delay. I'll mark it as fixed.