Bug 204321 (CVE-2007-6612) - www-servers/mongrel < 1.0.5 "DirHandler" Directory Traversal Vulnerability (CVE-2007-6612)
Status: RESOLVED FIXED
Alias: CVE-2007-6612
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28323/
Whiteboard: B4 [noglsa]
Reported: 2008-01-04 19:52 UTC by Lars Hartmann
Modified: 2008-01-28 21:50 UTC
Description Lars Hartmann 2008-01-04 19:52:49 UTC
A vulnerability has been reported in Mongrel, which can be exploited by malicious people to disclose sensitive information.

The vulnerability is caused by an error within the "DirHandler" class in lib/mongrel/handlers.rb. This can be exploited to download arbitrary files by using the "/.%252e" directory traversal sequence.

The vulnerability is reported in version 1.0.4 and in 1.1.x versions prior to 1.1.3.

Solution:
Update to version 1.0.5 or 1.1.3.

Reproducible: Always
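As an added illustration of the double-decoding pattern behind the "/.%252e" sequence in the report above (constructed example, not Mongrel's own code): a traversal check that runs on the once-decoded path before the handler unescapes it again, beside a check that decides on the fully resolved filesystem path. DOCROOT and the function names are assumptions.

```ruby
# Constructed illustration, not Mongrel's handlers.rb.
DOCROOT = "/var/www/html".freeze   # assumed document root

# Minimal percent-decoding, so the example runs without network or filesystem.
def unescape(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# What a request parser hands to a handler: the raw path decoded once.
# "/.%252e/etc/passwd" becomes "/.%2e/etc/passwd", which contains no "..".
def parser_decoded(raw_request_path)
  unescape(raw_request_path)
end

# Vulnerable pattern: the ".." test is applied to the once-decoded path, but
# the handler decodes again before building the filesystem path, so "%2e%2e"
# (or ".%2e") slips past the test and becomes ".." afterwards.
def naive_resolve(path_info)
  return nil if path_info.include?("..")
  File.expand_path(File.join(DOCROOT, unescape(path_info)))
end

# Hardened pattern: decide on the final, lexically resolved path and require
# that it stays inside DOCROOT, however the request was encoded. (A real
# handler should additionally decode exactly once.)
def safe_resolve(path_info)
  target = File.expand_path(File.join(DOCROOT, unescape(path_info)))
  return nil unless target == DOCROOT || target.start_with?("#{DOCROOT}/")
  target
end
```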
Comment 1 Lars Hartmann 2008-01-04 19:54:23 UTC
maintainers - please provide an updated ebuild
Comment 2 Josh Nichols (RETIRED) gentoo-dev 2008-01-11 05:57:47 UTC
1.1.3 is now in the tree
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-01-11 11:28:42 UTC
Thanks!

Arches, please test and mark stable www-servers/mongrel-1.1.3.
Target keywords : "amd64 ppc ppc64 sparc x86"
Comment 4 Brent Baude (RETIRED) gentoo-dev 2008-01-11 14:21:17 UTC
ppc64 done
Comment 5 Markus Meier gentoo-dev 2008-01-11 16:05:21 UTC
x86 stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-11 19:46:53 UTC
ppc stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-01-15 15:37:20 UTC
sparc stable
Comment 8 Mike Doty (RETIRED) gentoo-dev 2008-01-18 00:21:55 UTC
no tree available, but 1.1.3 has been tested on multiple amd64 servers. anyone feel free to keyword it for me (welp). There might be some deps that need to go stable, but due to the nature of my setup I cannot say for certain.
Comment 9 Peter Weller (RETIRED) gentoo-dev 2008-01-22 10:16:49 UTC
amd64 stable. Thanks Mike.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-22 11:09:39 UTC
This one is ready for GLSA vote. I tend to vote NO.
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-28 21:50:50 UTC
voting no too, and closing.