Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 160393

Summary: www-apps/coppermine < 1.4.12 Possible Remote SQL Injection (CVE-2007-0122)
Product: Gentoo Security Reporter: Executioner <keith>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: beu, cilly, mail, vivo, web-apps
Priority: Highest    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.milw0rm.com/exploits/3085
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
tentative fix (un-checked) none

Description Executioner 2007-01-06 09:58:39 UTC 
There is a remote sql injection exploit out for versions <= 1.4.10 and as of 1/6/07 I don't believe there is a vendor fix.  

Reproducible: Didn't try




http://acid-root.new.fr/poc/19070104.txt
Comment 1 Francesco R. (RETIRED) gentoo-dev 2007-01-06 10:59:44 UTC 
Created attachment 105627 [details, diff]
tentative fix (un-checked)

Last time, around two years ago I checked coppermine it was in a strong need for a security review.

The attached patch should fix this particular vulnerability but every query should be checked in the package.

the patch apply to version 1.4.10, so it need a version bump too.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-06 13:02:05 UTC 
web-apps please advise.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 10:32:59 UTC 
Web-apps any news on this one?
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-04-10 06:07:22 UTC 
*** Bug 173966 has been marked as a duplicate of this bug. ***
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-31 09:38:23 UTC 
any news here?
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2007-06-02 05:42:49 UTC 
Security, please feel free to mask.
Comment 7 cilly 2007-06-02 12:27:47 UTC 
What about contacting upstream?
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-01 12:56:38 UTC 
Seems that upstream released 1.4.11:

http://secunia.com/advisories/25846/
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-13 16:08:44 UTC 
heya webapss, please bump to 1.4.11
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 09:35:54 UTC 
Web-apps do you want to bump or dump(mask) the package?
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-23 15:06:36 UTC 
web-apps, any news here?
Comment 12 Gunnar Wrobel (RETIRED) gentoo-dev 2007-08-09 11:06:11 UTC 
Bumped to 1.4.12. Sorry for the delay. I'll mark it as fixed.