Seems that maintainer of usermin should bump version to 1.090 right away. Overview: A vulnerability in Usermin's Web mail function could result in arbitrary OS command execution upon viewing a specially crafted HTML mail. Problem Description: Usermin is a web interface that allows all users on a Unix system to easily receive mails and to perform SSH and mail forwarding configuration. A vulnerability exists in Usermin because the module responsible for mail transmission fails to sanitize HTML mails including a link to another Usermin module. An attacker could take advantage of this problem to execute arbitrary OS commands with the privileges of the Usermin user. Tested Versions: Usermin Version 1.070 Usermin Version 1.080 Solution: This problem can be addressed by upgrading Usermin to version 1.090.
eradicator, please bump to 1.090. thanks!
ppc needs to mark stable before GLSA can be issued. alpha & ppc64 should mark stable to benefit from this GLSA.
ppc is now stable
Seems to be some confusion about what issues were fixed. From http://www.webmin.com/uchanges.html Fixed a security problem that can occur at installation time only, if the /tmp/.webmin directory has already been created by a malicious user. From http://www.webmin.com/uchanges-1.090.html Fixed a security hole in the maketemp.pl script, used to create the /tmp/.usermin directory at install time. If an un-trusted user creates this directory before Webmin is installed, he could create in it a symbolic link pointing to a critical file on the system, which would be overwritten when Usermin writes to the link filename (CVE bug CAN-2004-0559).
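The install-time symlink problem described in the changelog text quoted above, as an added example that is not part of this thread and is not Usermin's maketemp.pl: a check that refuses a pre-created, attacker-writable temp directory, and a file create that will not write through a planted link. The function names, the Python rendering and the sample directory layout are assumptions constructed for illustration.

```python
import os, stat, tempfile

def ensure_private_dir(path):
    """Create path as a 0700 directory, or verify an existing one is safe to use."""
    try:
        os.mkdir(path, 0o700)            # atomic: fails if anything already exists
    except FileExistsError:
        pass
    st = os.lstat(path)                  # lstat: do not follow a symlink planted at path
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} is not a real directory")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path} is owned by uid {st.st_uid}")
    if st.st_mode & 0o022:
        raise PermissionError(f"{path} is group/world writable")
    return path

def write_new_file(dirpath, name, data):
    """Create a file that must not already exist; never write through a link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(os.path.join(dirpath, name), flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: a pre-created directory holding a planted symlink."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "critical.conf")   # stands in for a system file
    with open(victim, "wb") as fh:
        fh.write(b"original")
    tmpdir = os.path.join(base, ".usermin")        # pre-created before "install"
    os.mkdir(tmpdir)
    os.chmod(tmpdir, 0o777)
    os.symlink(victim, os.path.join(tmpdir, "install.tmp"))
    results = {}
    try:
        ensure_private_dir(tmpdir)
        results["dir"] = "accepted"
    except PermissionError:
        results["dir"] = "rejected"
    try:
        write_new_file(tmpdir, "install.tmp", b"clobbered")
        results["file"] = "written"
    except OSError:                      # EEXIST (or ELOOP) instead of following the link
        results["file"] = "refused"
    with open(victim, "rb") as fh:
        results["victim"] = fh.read()
    return results
```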
forgot to put app-admin/webmin on the spot as well, since it contains usermin ;) should be bumped to 1.160
Back to ebuild status. Eradicator please bump webmin as well. Also if anyone can clear up what issues this actually fixes. The advisory seems to be coordinated with webmin, however the changelog mentions another security issue that was fixed.
Secunia has issued an announcement regarding this issue - http://secunia.com/advisories/12488/ I tried to figure out where the problem was, but the diff is just too big (~1M) to understand in a few minutes. I think that we need to update webmin/usermin right away even if we don't understand the problem. The maintainer updated his packages on Sept the 5th, you know? In addition, the original announcement is ambiguous to say the least. Seems like a pretty big hole to me...
Created attachment 39217: usage of quotemeta. The inserted line which contains the quotemeta call is, without a doubt, a security update.
ok, so what packages/versions need to get tested in stable ?
reply to comment #9: app-admin/usermin-1.090 app-admin/webmin-1.160
app-admin/webmin-1.160 is not in the tree yet. Eradicator please bump. UnCC'ing arches until we get a bumped build for webmin.
ok, webmin has been bumped now too... not too many of the sf mirrors have it yet, so it may take a couple tries to get it... amd64, sparc, and x86 were marked by me. ppc, hppa, ppc64, alpha: you need to mark either usermin, webmin, or both stable.
ppc stable
Confirmation from Webmin's Jamie Cameron:
> Your ChangeLog says it solves CAN-2004-0559 (the installation-time
> local symlink vulnerability), but a SNS Advisory (and a Secunia
> reference) disclose a remote arbitrary shell execution vulnerability
> that would also be solved by the latest release.
>
> Could you confirm if that second vulnerability was also solved in
> release 1.090 ?
[...]
Yes, all those vulnerabilities are addressed in the latest release.
[...]
Alpha is stable.
GLSA 200409-15
Stable on hppa.
stable on ppc64