Bug 513560 (CVE-2014-4168) - <net-misc/iodine-0.7.0: authentication bypass by client (CVE-2014-4168)
Summary: <net-misc/iodine-0.7.0: authentication bypass by client (CVE-2014-4168)
Status: RESOLVED FIXED
Alias: CVE-2014-4168
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2014-06-17 11:39 UTC by Agostino Sarubbo
Modified: 2015-01-11 19:35 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2014-06-17 11:39:14 UTC
From ${URL}:

iodine 0.7.0 has just been released, which fixes an authentication bypass issue discovered by Oscar Reparaz. The fix is here:

https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850

and the new release is available at the homepage:
http://code.kryo.se/iodine/

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Michael Weber (RETIRED) gentoo-dev 2014-07-18 14:26:07 UTC
I've reviewed the ebuild and added the version bump plus modified ebuild to my overlay (layman -a xmw) for testing.

I'll add it to the tree later.
Comment 3 Michael Weber (RETIRED) gentoo-dev 2014-07-18 15:58:20 UTC
+*iodine-0.7.0 (18 Jul 2014)
+
+  18 Jul 2014; Michael Weber <xmw@gentoo.org>
+  +files/iodine-0.7.0-TestMessage.patch, +files/iodined-1.init,
+  +iodine-0.7.0.ebuild:
+  Version bump (bug 513560, CVE-2014-4168), EAPI-5, approved by vostoga.
+

  18 Jul 2014; Michael Weber <xmw@gentoo.org> package.mask:
  Masked for removal of affected versions in 30 days. Security issue bug 513560
Comment 4 Pacho Ramos gentoo-dev 2014-09-07 13:00:27 UTC
+  07 Sep 2014; Pacho Ramos <pacho@gentoo.org>
+  -files/iodine-0.5.2-Makefile.patch, -files/iodine-0.6.0_rc1-TestMessage.patch,
+  -files/iodine-0.6.0_rc1-ifconfig-path.patch, -iodine-0.5.2.ebuild,
+  -iodine-0.6.0_rc1-r1.ebuild, -iodine-0.6.0_rc1.ebuild:
+  Remove masked for removal versions
+
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 19:33:24 UTC
CVE-2014-4168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4168):
  (1) iodined.c and (2) user.c in iodine before 0.7.0 allow remote attackers
  to bypass authentication by continuing execution after an error has been
  triggered.
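The failure mode named in the CVE description, shown as a constructed C example that is added here and is not iodine's code (it does not reproduce the project's real handshake or the patched functions): a server-side login step whose error branch reports the failure but does not stop, so the success path below it still marks the session as authenticated, next to the corrected version that returns as soon as the check fails. The `session` struct, the `EXPECTED_RESPONSE` value and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not iodine's code. A minimal server-side login step:
 * the client answers a challenge, the server compares the answer with the
 * value it expects and decides whether the session may use the tunnel. */

struct session {
    int authenticated;   /* 1 once the client may send tunnel data */
    char reply[32];      /* the status the server sends back */
};

/* Assumed expected answer; a real server derives this from its password. */
static const char EXPECTED_RESPONSE[] = "constructed-challenge-reply";

static void send_reply(struct session *s, const char *status)
{
    snprintf(s->reply, sizeof s->reply, "%s", status);
}

/* Vulnerable pattern: the error is reported, but execution continues into
 * the code that follows, which grants access regardless of the check. */
int login_vulnerable(struct session *s, const char *client_response)
{
    s->authenticated = 0;
    if (strcmp(client_response, EXPECTED_RESPONSE) != 0) {
        send_reply(s, "BADPASS");
        /* BUG: no return here, so the lines below still run */
    } else {
        send_reply(s, "OK");
    }
    s->authenticated = 1;          /* reached on the error path too */
    return s->authenticated;
}

/* Fixed pattern: the error path leaves the function before any state is
 * changed, so only a correct response ever sets authenticated. */
int login_fixed(struct session *s, const char *client_response)
{
    s->authenticated = 0;
    if (strcmp(client_response, EXPECTED_RESPONSE) != 0) {
        send_reply(s, "BADPASS");
        return 0;                  /* stop: nothing below may run */
    }
    send_reply(s, "OK");
    s->authenticated = 1;
    return 1;
}

/* Gate checked before any tunnel traffic is accepted; it is only as good as
 * the flag the login step sets. */
int may_send_data(const struct session *s)
{
    return s->authenticated == 1;
}

int main(void)
{
    struct session s;
    login_vulnerable(&s, "wrong-answer");
    printf("vulnerable, wrong answer: reply=%s access=%d\n", s.reply, may_send_data(&s));
    login_fixed(&s, "wrong-answer");
    printf("fixed, wrong answer:      reply=%s access=%d\n", s.reply, may_send_data(&s));
    login_fixed(&s, EXPECTED_RESPONSE);
    printf("fixed, right answer:      reply=%s access=%d\n", s.reply, may_send_data(&s));
    return 0;
}
```

When auditing an authentication path for this class of defect, the check is that every error branch either returns or jumps to a cleanup label that skips the grant, and that the "authenticated" state is written on exactly one path; a branch that only emits an error message is the pattern to flag.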