Bug 89196 - net-p2p/mhxd overwrites existing config and user accounts
Summary: net-p2p/mhxd overwrites existing config and user accounts
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: x86 Linux
Importance: High enhancement
Assignee: Gentoo Security
Whiteboard: B4 [ebuild+ masked] jaervosz
Reported: 2005-04-15 09:26 UTC by Kevin Korb
Modified: 2006-05-27 22:47 UTC

Description Kevin Korb 2005-04-15 09:26:37 UTC
Re-merging or upgrading net-p2p/mhxd will overwrite the entire installation. This includes any news that has been posted and the default account entries of guest and admin. This means that the admin password is reset to null, allowing anyone to access the server as administrator!

Reproducible: Always
Steps to Reproduce:
1. merge and setup mhxd
2. re-merge mhxd
3. log in as admin with no password even though one was set in step 1.

Actual Results:
The admin password is replaced with null and full access is given to anyone that tries it.

Expected Results:
The ebuild should not overwrite such files or it should use config-protect to protect them.

This is a potential security problem since the admin password is being reset to a null but all published files are still accessible. Someone could easily wipe out all files on a server before the admin notices that the password protection has been removed.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-23 13:40:23 UTC
Guillaume please advise 
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-26 11:35:10 UTC
Kang / net-p2p: please fix ebuild or comment... 
Comment 3 Guillaume Destuynder (RETIRED) gentoo-dev 2005-06-26 13:44:35 UTC
mhxd will be removed from portage as it is not supported anymore upstream

replacement ebuild will be phxd (http://avaraline.net/~cvs/cgi/viewcvs.cgi/phxd/)
It provides the same functionality.

please add:
CONFIG_PROTECT="/var/mhxd/accounts" and whichever is necessary to
/etc/env.d/99local and run "env-update;source /etc/profile"

warning added to the ebuild (as anyway it's going away)
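An added example, not part of this bug report and not portage's own code, to check the workaround from the comment above against the overwrite described in the original report: after adding a directory to CONFIG_PROTECT, which files under an install prefix would a re-merge still clobber? The helper mimics the rule portage applies (a path is protected when it equals, or sits beneath, an entry in the space-separated CONFIG_PROTECT list, unless CONFIG_PROTECT_MASK covers it); that rule, the function names and the sample paths are this example's assumptions, not anything stated on the page.

```shell
#!/bin/sh
# Added example: re-implements the CONFIG_PROTECT decision rule as assumed
# from portage's documented behaviour (whole-path-component prefix match,
# CONFIG_PROTECT_MASK overrides CONFIG_PROTECT). Not portage code.

# Return 0 if path $1 equals $2 or lies beneath directory $2.
# Matching on "$2/" prevents /var/mhxd matching /var/mhxdfoo.
path_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if any entry in the space-separated list $2 covers path $1.
path_in_list() {
    p=$1
    for entry in $2; do
        entry=${entry%/}          # "/etc/" and "/etc" behave the same
        if path_under "$p" "$entry"; then
            return 0
        fi
    done
    return 1
}

# is_config_protected PATH PROTECT_LIST MASK_LIST
# Echoes "protected" or "unprotected"; exit status 0 only when protected.
is_config_protected() {
    if path_in_list "$1" "$3"; then
        echo unprotected; return 1   # mask wins over protect
    fi
    if path_in_list "$1" "$2"; then
        echo protected; return 0
    fi
    echo unprotected; return 1
}

# report_unprotected DIR [PROTECT_LIST] [MASK_LIST]
# Lists every regular file under DIR that a re-merge installing the same
# paths would overwrite. Defaults to the live CONFIG_PROTECT settings, i.e.
# what env-update produced after editing /etc/env.d/99local.
report_unprotected() {
    dir=$1
    protect=${2:-${CONFIG_PROTECT:-}}
    mask=${3:-${CONFIG_PROTECT_MASK:-}}
    find "$dir" -type f | while IFS= read -r f; do
        is_config_protected "$f" "$protect" "$mask" >/dev/null || echo "$f"
    done
}

# Usage (constructed paths): with only /var/mhxd/accounts protected, the
# accounts file is safe but posted news under /var/mhxd is still overwritten.
is_config_protected /var/mhxd/accounts/admin "/var/mhxd/accounts" ""
is_config_protected /var/mhxd/news/latest   "/var/mhxd/accounts" ""
```

Run `report_unprotected /var/mhxd` on a box where the 99local entry has been sourced; any path it prints is one the comment's CONFIG_PROTECT line does not cover, so the reporter's news files need their own entry (or the whole /var/mhxd tree) to survive the next emerge.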
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-27 01:17:58 UTC
Guillaume: care to mask the package until it's migrated to phxd ?
Comment 5 Guillaume Destuynder (RETIRED) gentoo-dev 2005-06-27 08:59:18 UTC
done
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-27 10:16:33 UTC
Out of main scope until removal
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 12:41:54 UTC
net-p2p any news on this one?
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-20 09:08:13 UTC
net-p2p any news on this one?
Comment 9 Alec Warner (RETIRED) archtester gentoo-dev Security 2006-05-27 22:47:37 UTC
Punted