
Bug 106149

Summary: www-apps/twiki: Arbitrary command execution
Product: Gentoo Security
Reporter: Andres Pereira (RETIRED) <anpereir>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: web-apps
Priority: High
Keywords: SECURITY
Version: unspecified
Hardware: All
OS: Linux
URL: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---

Description Andres Pereira (RETIRED) gentoo-dev 2005-09-15 23:19:10 UTC
There is a new vulnerability that affects www-apps/twiki (remote execution of
arbitrary commands with the permissions of the user running twiki):

http://www.securityfocus.com/bid/14834
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev

A number of countermeasures are mentioned in the above website (patches).

I installed the twiki available in portage (~20041030) and it's vulnerable. On
the other hand, there seems to be another vulnerability, according to (not
tested):

http://twiki.org/cgi-bin/view/Codev/UncoordinatedSecurityAlert23Feb2005
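The vulnerability class named in this report, shown as an added illustration rather than TWiki's own code or anything taken from the linked advisory: a revision parameter read from the request and interpolated into a shell command string, next to the same call made through a validated argument list. The parameter name `rev`, the use of `echo` standing in for the revision-control tool, the whitelist pattern and the sample inputs are all assumptions constructed for this example, and it is written in Python rather than TWiki's Perl so that it runs stand-alone.

```python
import re
import subprocess

# Constructed sample inputs standing in for a CGI "rev" parameter (assumed name).
BENIGN_REV = "1.3"
HOSTILE_REV = "1.3; echo INJECTED"   # shell metacharacters smuggled into the value


def run_vulnerable(rev):
    """Vulnerable pattern: the untrusted value is pasted into a command string
    that is handed to /bin/sh.  'echo' stands in for the real tool so the
    demonstration is harmless; the injection mechanism is the same."""
    cmd = "echo rev=%s" % rev
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_argv_only(rev):
    """No shell at all: the value becomes a single argv element, so ';' and
    friends are passed to the program literally instead of being interpreted."""
    out = subprocess.run(["echo", "rev=" + rev], capture_output=True, text=True)
    return out.stdout.splitlines()


# Assumed whitelist: dotted numeric revision identifiers only (e.g. 1.3, 1.12.2).
REV_RE = re.compile(r"^[0-9]+(\.[0-9]+)*$")


def validate_rev(rev):
    """Reject anything that is not a plain dotted revision number."""
    if not REV_RE.fullmatch(rev):
        raise ValueError("rejected revision parameter: %r" % rev)
    return rev


def run_hardened(rev):
    """Both defences together: validate the value, then avoid the shell."""
    return run_argv_only(validate_rev(rev))


def demo():
    """Return (vulnerable_output, argv_only_output, hardened_result) for the
    hostile input so the three behaviours can be compared side by side."""
    try:
        hardened = run_hardened(HOSTILE_REV)
    except ValueError as exc:
        hardened = "rejected: %s" % exc
    return run_vulnerable(HOSTILE_REV), run_argv_only(HOSTILE_REV), hardened


if __name__ == "__main__":
    for label, result in zip(("vulnerable", "argv only", "hardened"), demo()):
        print("%-11s %r" % (label + ":", result))
```

With the hostile value the shell-string version prints a second line, `INJECTED`, because `;` ended the echo command and started a new one; the argv version prints the whole value as one literal argument; the hardened version refuses the value before any process is started. Validation on its own is fragile if the pattern is ever loosened, and argv-only on its own still lets an attacker choose arbitrary option strings, which is why the last function applies both.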
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-09-16 01:55:10 UTC
This is public, opening.
web-apps: please bump.
Note that since the package is only in ~, it won't generate a GLSA.
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2005-09-16 04:38:50 UTC
Thanks for reporting, both fixed in CVS.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-09-16 09:44:18 UTC
No GLSA, closing.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-09-16 09:45:22 UTC
Hm. no.
Renat: you should revbump so that people get the fix by normal upgrade.
Comment 5 Renat Lumpau (RETIRED) gentoo-dev 2005-09-16 15:58:09 UTC
doh. fixed.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-09-17 06:25:00 UTC
Really closing