
Bug 135002

Summary: www-apache/mod_mono possible file disclosure (CVE-2006-2658)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: enhancement
CC: apache-bugs, chriswhite, dotnet, jurek, ramereth
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://svn.myrealbox.com/viewcvs/trunk/xsp/src/Mono.WebServer/MonoWorkerRequest.cs?rev=59868&r1=49611&r2=59868
Whiteboard: ~4 [masked] DerCorny
Package list:
Runtime testing required: ---
Bug Depends on: 147393    
Bug Blocks:    

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-31 02:04:56 UTC
A missing check in mod_mono path canonicalization allows disclosure of
arbitrary files when relative path names are used in an HTTP request. As
a result any local file, accessible to the user running Apache, can be
viewed by the attacker.
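
The kind of check the description says was missing, as an added illustration (not mod_mono or xsp code, and not the upstream patch): a request path is canonicalized and then required to stay under the document root. The function names and the constructed directory tree are assumptions made for this example.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_map(doc_root, url_path):
    """Unsafe mapping: joins the request path without canonicalizing it."""
    return os.path.join(doc_root, url_path.lstrip("/"))


def safe_map(doc_root, url_path):
    """Return the canonical file path for url_path, or None if it leaves doc_root."""
    decoded = unquote(url_path)  # decode percent-escapes before any check
    if "\x00" in decoded:
        return None
    root = os.path.realpath(doc_root)
    # realpath collapses "." and ".." segments and resolves symlinks
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # canonical path is outside the document root
    return candidate


def build_demo_tree():
    """Constructed fixture: a document root plus one file outside it."""
    base = tempfile.mkdtemp(prefix="docroot-demo-")
    doc_root = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(doc_root, "app"))
    with open(os.path.join(doc_root, "app", "index.aspx"), "w") as f:
        f.write("page")
    with open(os.path.join(base, "outside.txt"), "w") as f:
        f.write("not for web clients")
    return base, doc_root


if __name__ == "__main__":
    base, doc_root = build_demo_tree()
    # Constructed request paths: one ordinary, two using relative segments
    for path in ["/app/index.aspx",
                 "/app/../../outside.txt",
                 "/app/%2e%2e/%2e%2e/outside.txt"]:
        naive = os.path.normpath(naive_map(doc_root, path))
        print(path, "| naive ->", naive, "| checked ->", safe_map(doc_root, path))
```
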
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-13 02:48:14 UTC
ramereth please provide fixed ebuilds, thanks
Comment 2 Lance Albertson (RETIRED) gentoo-dev 2006-06-13 19:43:28 UTC
Do you want this patch applied to all the ebuilds, or is there a current version that has this fix? I'm in desperate need of bumping this ebuild anyways, just hadn't gotten to it.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-14 02:30:18 UTC
I guess a new revision with the patch applied should be fine.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-07-29 05:52:18 UTC
Lance, are you with us?
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 06:01:03 UTC
Lance any news on this one?
Comment 6 Lance Albertson (RETIRED) gentoo-dev 2006-09-08 07:58:25 UTC
(In reply to comment #5)
> Lance any news on this one?
> 

Sigh, I've been extremely busy with work/life lately and haven't been able to get to this. See if someone from the dotnet group can take care of it until I can find time. Sorry about that.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-08 10:19:23 UTC
Thx Lance. Back to ebuild status.
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2006-09-13 00:30:33 UTC
FWIW, there are ebuilds for 1.1.16.1 in Bug 147393, some dotnet folks could check them out. ;)
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-19 00:29:31 UTC
No response from herd, perhaps we should get this one masked?
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-26 09:19:30 UTC
Security/dotnet should we mask or bump?
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-09-27 12:54:37 UTC
I would mask it if they don't bump it very soon
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2006-09-29 04:52:03 UTC
CC'ing apache since they are listed in metadata too

someone pls patch/bump

otherwise i agree that it should get masked soon
Comment 13 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-09-29 16:49:15 UTC
I would bump, but the depends are too hefty for me to test this and I have no desire of putting the mono/dotnet stack on my system.

This package is not stable on any arch, I'm for package.mask.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-11 05:28:08 UTC
10 more days passed without reaction

someone with commit rights, pls mask this package referring to the security issue in this bug
Comment 15 Chris White (RETIRED) gentoo-dev 2006-10-19 07:35:14 UTC
Committed to package.mask
Comment 16 Jurek Bartuszek (RETIRED) gentoo-dev 2006-10-27 08:16:44 UTC
This bug does not affect any newer xsp versions. The older xsp-1.0.x ebuilds have been removed from the tree recently and 1.1.10-r1 was bumped to -r2 which now contains the proper patch. Therefore I'm closing this bug. Thanks!