Bug 63167 - app-admin/usermin & webmin: Usermin Remote Arbitrary Shell Command Execution Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Highest major
Assignee: Gentoo Security
URL: http://www.lac.co.jp/security/csl/int...
Whiteboard: B2 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2004-09-07 14:45 UTC by Alin Năstac (RETIRED)
Modified: 2011-10-30 22:39 UTC (History)


Attachments
usage of quotemeta (web-lib.pl.diff,9.56 KB, patch)
2004-09-08 14:05 UTC, Alin Năstac (RETIRED)
Description Alin Năstac (RETIRED) gentoo-dev 2004-09-07 14:45:01 UTC
Seems that maintainer of usermin should bump version to 1.090 right away.

Overview:
A vulnerability in Usermin's Web mail function could result in arbitrary OS command execution upon viewing a specially crafted HTML mail.

Problem Description:
Usermin is a web interface that allows all users on a Unix system to easily receive mails and to perform SSH and mail forwarding configuration.

A vulnerability exists in Usermin because the module responsible for mail transmission fails to sanitize HTML mails including a link to another Usermin module. An attacker could take advantage of this problem to execute arbitrary OS commands with the privileges of the Usermin user.

Tested Versions:
Usermin Version 1.070
Usermin Version 1.080

Solution:
This problem can be addressed by upgrading Usermin to version 1.090.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-09-07 15:02:30 UTC
eradicator,

please bump to 1.090. thanks!
Comment 2 Jeremy Huddleston (RETIRED) gentoo-dev 2004-09-07 15:42:11 UTC
ppc needs to mark stable before GLSA can be issued.

alpha & ppc64 should mark stable to benefit from this GLSA.
Comment 3 SpanKY gentoo-dev 2004-09-07 22:11:29 UTC
ppc is now stable
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-08 00:05:29 UTC
Seems to be some confusion about what issues were fixed.

From http://www.webmin.com/uchanges.html

Fixed a security problem that can occur at installation time only, if the /tmp/.webmin directory has already been created by a malicious user. 

From http://www.webmin.com/uchanges-1.090.html

Fixed a security hole in the maketemp.pl script, used to create the /tmp/.usermin directory at install time. If an un-trusted user creates this directory before Webmin is installed, he could create in it a symbolic link pointing to a critical file on the system, which would be overwritten when Usermin writes to the link filename (CVE bug CAN-2004-0559). 
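
The changelog entry quoted above describes a pre-created directory under /tmp being trusted at install time. The following is an added example, not Usermin's maketemp.pl and not part of the original thread, of how a script can create or validate such a directory without following anything a local user planted first; the function name `safe_private_dir` and the demo path are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not Usermin's maketemp.pl): create or validate a private
# scratch directory under a world-writable parent without trusting anything
# another local user may have planted there first.
use strict;
use warnings;
use Fcntl qw(:mode);

# Hypothetical helper: returns the directory path on success and dies if
# the existing path cannot be trusted.
sub safe_private_dir {
    my ($dir) = @_;

    # mkdir fails with EEXIST if anything (including a symlink) already
    # occupies the name, so success means we created it ourselves.
    if (mkdir($dir, 0700)) {
        return $dir;
    }
    die "mkdir $dir: $!\n" unless $!{EEXIST};

    # Something was already there: inspect it without following symlinks.
    my @st = lstat($dir) or die "lstat $dir: $!\n";
    my ($mode, $uid) = @st[2, 4];

    die "$dir is not a real directory (symlink or other file type)\n"
        unless S_ISDIR($mode);
    die "$dir is owned by uid $uid, not by us (uid $>)\n"
        unless $uid == $>;
    die sprintf("%s has mode %04o, group/other access not allowed\n",
                $dir, $mode & 07777)
        if $mode & 077;

    return $dir;
}

# Constructed demo path; a real installer would use its own fixed name.
my $dir = safe_private_dir("/tmp/.example-app-$>");
print "using $dir\n";
```

Files written inside the directory should still be opened with `O_CREAT|O_EXCL` so that a leftover link is never followed.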
Comment 5 Alin Năstac (RETIRED) gentoo-dev 2004-09-08 02:20:41 UTC
forgot to put app-admin/webmin on the spot as well, since it contains usermin ;)
should be bumped to 1.160
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-08 03:04:39 UTC
Back to ebuild status. Eradicator please bump webmin as well.

Also if anyone can clear up what issues this actually fixes. The advisory seems to be coordinated with webmin, however the changelog mentions another security issue that was fixed.

Comment 7 Alin Năstac (RETIRED) gentoo-dev 2004-09-08 03:20:53 UTC
Secunia has issued an announcement regarding this issue - http://secunia.com/advisories/12488/

I tried to figure out where the problem was, but the diff is just too big (~1M) to understand in a few minutes.

I think that we need to update webmin/usermin right away even if we don't understand the problem. The maintainer updated his packages on Sept the 5th, you know? In addition, the original announcement is ambiguous to say the least. Seems like a pretty big hole to me...
Comment 8 Alin Năstac (RETIRED) gentoo-dev 2004-09-08 14:05:50 UTC
Created attachment 39217
usage of quotemeta

The inserted line which contains the quotemeta call is, without a doubt, a security update.
Comment 9 SpanKY gentoo-dev 2004-09-08 20:04:08 UTC
ok, so what packages/versions need to get tested in stable ?
Comment 10 Alin Năstac (RETIRED) gentoo-dev 2004-09-08 21:44:43 UTC
reply to comment #9:
   app-admin/usermin-1.090
   app-admin/webmin-1.160
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-08 21:59:31 UTC
app-admin/webmin-1.160 is not in the tree yet. Eradicator please bump.

UnCC'ing arches until we get a bumped build for webmin.
Comment 12 Jeremy Huddleston (RETIRED) gentoo-dev 2004-09-09 10:31:16 UTC
ok, webmin has been bumped now too... not too many of the sf mirrors have it yet, so it may take a couple tries to get it...

amd64, sparc, and x86 were marked by me

ppc hppa ppc64 alpha: you need to mark either usermin, webmin, or both stable.
Comment 13 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-09-10 03:02:48 UTC
ppc stable
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-09-10 05:24:33 UTC
Confirmation from Webmin's Jamie Cameron:

-------------------------------------------------------------------------
> Your ChangeLog says it solves CAN-2004-0559 (the installation-time
> local symlink vulnerability), but a SNS Advisory (and a Secunia
> reference) disclose a remote arbitrary shell execution vulnerability
> that would also be solved by the latest release.
> 
> Could you confirm if that second vulnerability was also solved in
> release 1.090 ? [...]

Yes, all those vulnerabilities are addressed in the latest release. [...]
-------------------------------------------------------------------------
Comment 15 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-10 07:57:05 UTC
Alpha is stable.
Comment 16 Dan Margolis (RETIRED) gentoo-dev 2004-09-12 13:37:22 UTC
GLSA 200409-15
Comment 17 Guy Martin (RETIRED) gentoo-dev 2004-09-13 03:00:52 UTC
Stable on hppa.
Comment 18 Tom Gall (RETIRED) gentoo-dev 2004-10-09 12:00:27 UTC
stable on ppc64