Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 158831

Summary: dev-util/cscope install includes insecure web frontend
Product: Gentoo Security Reporter: SpanKY <vapier>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: emacs, vim
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 160559    
Bug Blocks:    

Description SpanKY gentoo-dev 2006-12-22 07:03:30 UTC 
if we're going to be installing the cscope web frontend, we should probably patch it so the default output includes a big warning:
<h1>this script is insecure and does no checking so you can do ask it to show random files on your server</h1>

while generally not a terribly big issue in the normal case, i dont think people would go around installing this if they knew that it could be easily used to glean fun information about the configuration of their system

a quick test shows that you can display any file that is apache readable (so all of your apache config files)

just install cscope into your cgi-bin (i dont think you even need to configure the .pl file) and browse to like:
http://localhost/cgi-bin/cscope/cscope?fshow=1&fshowfile=/etc/passwd
Comment 1 Christian Faulhammer (RETIRED) gentoo-dev 2007-01-05 03:50:34 UTC 
Security, you want the web frontend removed or the big warning?  I will inform upstream about the issue.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-06 13:00:51 UTC 
I think a warning would be sufficient.
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2007-01-06 18:30:20 UTC 
15.6-r1 with the warning in CVS now, security you now may cc arches if you think that it is needed, or close the bug.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-03 11:44:22 UTC 
Security, all necessary steps from maintainers have been done.  What will happen here next?
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 21:57:28 UTC 
(In reply to comment #4)
> Security, all necessary steps from maintainers have been done.  What will
> happen here next?
> 


The end of the known universe :)

alpha	amd64	arm	ia64	mips	s390 :
please test and mark stable cscope-15.6-r1, thanks.

hppa, ppc, ppc64, sparc, x86, please test and mark stable cscope-15.6-r1 if everything is OK. That is a very weak security issue, so if something is wrong with it, it should be better to stay with 15.5.20060927-r1 and to patch it with the warning in it.
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 21:59:00 UTC 
Forgot to add arches. And reassigning.


"alpha   amd64   arm     ia64    mips    s390 :
please test and mark stable cscope-15.6-r1, thanks.

hppa, ppc, ppc64, sparc, x86, please test and mark stable cscope-15.6-r1 if
everything is OK. That is a very weak security issue, so if something is wrong
with it, it should be better to stay with 15.5.20060927-r1 and to patch it with
the warning in it."
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-11 10:02:22 UTC 
x86 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-11 11:14:15 UTC 
ppc stable
Comment 9 René Nussbaumer (RETIRED) gentoo-dev 2007-02-11 21:47:39 UTC 
stable on hppa
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2007-02-12 12:56:40 UTC 
sparc stable.
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2007-02-12 20:35:28 UTC 
Stable on Alpha.
Comment 12 Simon Stelling (RETIRED) gentoo-dev 2007-02-12 21:54:35 UTC 
amd64 stable
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-02-13 08:56:44 UTC 
ppc64 stable
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-13 10:34:21 UTC 
I would vote for NOglsa
Comment 15 Tavis Ormandy (RETIRED) gentoo-dev 2007-02-13 11:14:45 UTC 
also vote NO
Comment 16 Alexander Færøy 2007-02-14 11:50:01 UTC 
Stable on MIPS.
Closing.
Comment 17 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-14 11:51:16 UTC 
Security hasn't finished its procedure.
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-14 12:27:17 UTC 
yes, thanks.

But noone will vote except me and tavis, so closing without glsa. Feel free to rereopen if you disagree :)