Bug 262100 - <www-apps/roundup-1.4.7: Privilege escalation
Summary: <www-apps/roundup-1.4.7: Privilege escalation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://issues.roundup-tracker.org/iss...
Whiteboard: B4 [noglsa]
Reported: 2009-03-11 10:22 UTC by Alex Legler (RETIRED)
Modified: 2009-06-12 22:15 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-11 10:22:48 UTC
From Secunia:

A vulnerability has been discovered in Roundup, which can be exploited by malicious users to manipulate certain data.

The vulnerability is caused due to improper access restrictions on saved queries, which can be exploited to edit saved queries from other users.

Successful exploitation allows e.g. to delete or create users with administrative privileges, when an administrative user clicks on a saved query.

The vulnerability is confirmed in version 1.4.6. Other versions may also be affected.
Comment 1 Luca Barbato gentoo-dev 2009-03-17 12:26:26 UTC
1.4.7 has been released.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2009-05-24 21:32:03 UTC
New version was just added to the tree. Arch teams please stabilize.
Comment 3 Brent Baude (RETIRED) gentoo-dev 2009-05-25 16:10:33 UTC
ppc done
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-25 19:30:40 UTC
# roundup-server
Traceback (most recent call last):
  File "/usr/bin/roundup-server", line 2, in <module>
    from roundup.scripts.roundup_server import run
  File "//usr/lib/python2.5/site-packages/roundup/scripts/roundup_server.py", line 33, in <module>
    from roundup import configuration, version_check
  File "//usr/lib/python2.5/site-packages/roundup/configuration.py", line 17, in <module>
    import roundup.date
  File "//usr/lib/python2.5/site-packages/roundup/date.py", line 34, in <module>
    from roundup import i18n
  File "//usr/lib/python2.5/site-packages/roundup/i18n.py", line 222, in <module>
    translation = get_translation()
  File "//usr/lib/python2.5/site-packages/roundup/i18n.py", line 212, in get_translation
    translator = translation_class(open(mofiles[0], "rb"))
  File "/usr/lib/python2.5/gettext.py", line 180, in __init__
    self._parse(fp)
  File "/usr/lib/python2.5/gettext.py", line 337, in _parse
    tmsg = unicode(tmsg, self._charset)
  File "/usr/lib/python2.5/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode bytes in position 176-178: invalid data

Portage 2.1.6.11 (default/linux/x86/2008.0/desktop, gcc-4.3.2, glibc-2.8_p20080602-r1, 2.6.29-gentoo-r4 i686)
=================================================================
System uname: Linux-2.6.29-gentoo-r4-i686-Intel-R-_Core-TM-2_Duo_CPU_T8100_@_2.10GHz-with-glibc2.0
Timestamp of tree: Mon, 25 May 2009 15:00:01 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 2.1.7
dev-lang/python:     2.4.6, 2.5.4-r2
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake:      2.6.2-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_EN.UTF8"
LDFLAGS="-Wl,--as-needed"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X acl acpi alsa apache apache2 apm bash-completion berkdb bluetooth bootsplash branding bzip2 cairo cdr cdrom cli cracklib crypt css cups curl dbus directfb dri dvd dvdr dvdread dvi eds emacs emboss encode escreen esd evo fam fat fbcon fbcondecor ffmpeg firefox foomatic fortran gdbm gif gnome gpm gstreamer gtk hal iconv imlib ipv6 isdnlog jadetex jpeg jpeg2k kde kpathsea laptop latex ldap libnotify libotf lm_sensors m17n-lib mad midi mikmod mmx mp3 mpeg mudflap ncurses nls nptl nptl-only nptlonly ntfs ogg opengl openmp openssh pam pcre pdf perl pmu png ppds pppd preview-latex python qt3 qt3support qt4 quicktime readline reflection reports sdl session smp spell spl sqlite sse ssl startup-notification svg svga sysfs t1lib tcpd test-framework tetex theora tiff toolkit-scroll-bars truetype unicode usb userlocales vorbis win32codecs wmf x86 xft xml xorg xpm xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="synaptics mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="vesa fbdev intel"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 5 Markus Meier gentoo-dev 2009-05-25 19:55:37 UTC
amd64/x86 stable, all arches done.
Comment 6 Markus Meier gentoo-dev 2009-05-25 20:02:52 UTC
  25 May 2009; Markus Meier <maekke@gentoo.org> roundup-1.4.8.ebuild:
  revert stabilization, bug #262100 comment #4
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2009-05-25 23:03:58 UTC
de, es and fr files contain non-UTF-8 symbols. Bug upstream:
http://issues.roundup-tracker.org/issue2550546
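The tracebacks in comments 4 and 9 only give a byte position, not the offending message. The following added example (not part of this bug report, Roundup, or the Gentoo ebuild) parses a GNU `.mo` catalog and lists the msgids whose translation does not decode in the charset the catalog declares. `build_mo`, `undecodable_entries` and the sample catalog are constructed for illustration, on the assumption that a catalog declares UTF-8 but carries ISO-8859-1 bytes.

```python
import re
import struct

MO_MAGIC = 0x950412DE  # GNU gettext .mo magic number

def build_mo(entries):
    """Constructed helper: pack {msgid: msgstr} (bytes) into a little-endian .mo file."""
    keys = sorted(entries)
    n = len(keys)
    data_off = 28 + 16 * n          # 28-byte header, then two tables of n (len, offset) pairs
    tables, blob = b"", b""
    for value in keys + [entries[k] for k in keys]:
        tables += struct.pack("<II", len(value), data_off + len(blob))
        blob += value + b"\0"
    header = struct.pack("<7I", MO_MAGIC, 0, n, 28, 28 + 8 * n, 0, 0)
    return header + tables + blob

def undecodable_entries(mo_bytes):
    """Return (declared charset, msgids whose translation fails to decode in it)."""
    magic = struct.unpack_from("<I", mo_bytes)[0]
    if magic == MO_MAGIC:
        order = "<"
    elif magic == 0xDE120495:       # same magic read from a big-endian file
        order = ">"
    else:
        raise ValueError("not a .mo file")
    n, ids_off, strs_off = struct.unpack_from(order + "3I", mo_bytes, 8)

    def table(offset):
        for i in range(n):
            length, pos = struct.unpack_from(order + "II", mo_bytes, offset + 8 * i)
            yield mo_bytes[pos:pos + length]

    pairs = list(zip(table(ids_off), table(strs_off)))
    charset = "ascii"               # fallback used here when no charset is declared
    for msgid, msgstr in pairs:
        match = re.search(rb"charset=([\w.-]+)", msgstr) if msgid == b"" else None
        if match:
            charset = match.group(1).decode("ascii")
    bad = []
    for msgid, msgstr in pairs:
        try:
            msgstr.decode(charset)
        except UnicodeDecodeError:
            bad.append(msgid.decode("ascii", "replace"))
    return charset, bad

# Constructed sample: header declares UTF-8, one msgstr is ISO-8859-1 bytes.
SAMPLE = build_mo({
    b"": b"Content-Type: text/plain; charset=utf-8\n",
    b"Search": b"Suche nach Eintr\xe4gen",
    b"Submit": "Übermitteln".encode("utf-8"),
})
```

Running `undecodable_entries` over each installed `.mo` file before stabilization names the entries that would make `gettext` abort at import time.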
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2009-05-26 17:56:32 UTC
Ok, I hope I fixed this bug. Arch teams please stabilize roundup-1.4.8-r1.
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-26 21:23:31 UTC
(In reply to comment #8)
> Ok, I hope I fixed this bug. Arch teams please stabilize roundup-1.4.8-r1.
> 

>>> Compiling source in /var/tmp/portage/www-apps/roundup-1.4.8-r1/work/roundup-1.4.8 ...
Traceback (most recent call last):
  File "setup.py", line 189, in <module>
    main()
  File "setup.py", line 79, in main
    from roundup.init import listTemplates
  File "/var/tmp/portage/www-apps/roundup-1.4.8-r1/work/roundup-1.4.8/roundup/init.py", line 27, in <module>
    from roundup.configuration import CoreConfig
  File "/var/tmp/portage/www-apps/roundup-1.4.8-r1/work/roundup-1.4.8/roundup/configuration.py", line 17, in <module>
    import roundup.date
  File "/var/tmp/portage/www-apps/roundup-1.4.8-r1/work/roundup-1.4.8/roundup/date.py", line 34, in <module>
    from roundup import i18n
  File "/var/tmp/portage/www-apps/roundup-1.4.8-r1/work/roundup-1.4.8/roundup/i18n.py", line 222, in <module>
    translation = get_translation()
  File "/var/tmp/portage/www-apps/roundup-1.4.8-r1/work/roundup-1.4.8/roundup/i18n.py", line 212, in get_translation
    translator = translation_class(open(mofiles[0], "rb"))
  File "/usr/lib/python2.5/gettext.py", line 180, in __init__
    self._parse(fp)
  File "/usr/lib/python2.5/gettext.py", line 337, in _parse
    tmsg = unicode(tmsg, self._charset)
  File "/usr/lib/python2.5/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode bytes in position 176-178: invalid data
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2009-05-27 18:11:21 UTC
Christian, could you help me to reproduce this bug? Maybe locale settings, env output... I've tried with different locale settings both with stable/unstable chroot and everything works here.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-27 19:00:41 UTC
x86 stable
Comment 12 Steve Dibb (RETIRED) gentoo-dev 2009-05-28 19:58:45 UTC
amd64 stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-05-30 13:30:32 UTC
ppc done
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-01 22:34:43 UTC
All arches done, ready for vote. Since this is a webapp, I'm not sure, I'd vote NO. Anyone?
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 22:15:39 UTC
No, too.