Summary: | media-sound/gnump3d user/passwords can be bypassed (CVE-2007-6130) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | James <james> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | sound |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | ~3 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
James
2007-09-20 02:25:41 UTC
Thanks for your report James. Did you discover this issue? Have you contacted upstream about it?

(In reply to comment #1)
> Thanks for your report James. Did you discover this issue? Have you contacted upstream about it?

I did discover it. After my logfile quadrupled overnight, I noticed someone (resolved to a Korean IP) downloaded most of my library overnight. Noticing that they didn't use a username/password, I simply clicked 'cancel' when Firefox asked me for them, and I had full access. :x

As for upstream, I have emailed steve (at) steve.org.uk, the contact email for the author of gnump3d, but as of yet I have not received a response.

(In reply to comment #2)
> (In reply to comment #1)
> > Thanks for your report James. Did you discover this issue? Have you contacted upstream about it?
>
> I did discover it. After my logfile quadrupled overnight, I noticed someone (resolved to a Korean IP) downloaded most of my library overnight. Noticing that they didn't use a username/password, I simply clicked 'cancel' when Firefox asked me for them, and I had full access. :x
>
> As for upstream, I have emailed steve (at) steve.org.uk, the contact email for the author of gnump3d, but as of yet I have not received a response.

OK, so we'll wait a few days so that they can patch this. Just a note: please don't modify the bug fields once they've been set or corrected by a developer ;)

(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > Thanks for your report James. Did you discover this issue? Have you contacted upstream about it?
> >
> > I did discover it. After my logfile quadrupled overnight, I noticed someone (resolved to a Korean IP) downloaded most of my library overnight. Noticing that they didn't use a username/password, I simply clicked 'cancel' when Firefox asked me for them, and I had full access. :x
> >
> > As for upstream, I have emailed steve (at) steve.org.uk, the contact email for the author of gnump3d, but as of yet I have not received a response.
>
> OK, so we'll wait a few days so that they can patch this. Just a note: please don't modify the bug fields once they've been set or corrected by a developer ;)

I'm not sure how I messed that up. Sorry :x

James, any news from upstream?

From upstream ChangeLog:

3.0 [17th October 2007]
- Removed several perl warnings.
- Removed password protection as being broken beyond repair.

No security is better than bad security. Sound, can you provide an updated ebuild?

(In reply to comment #7)
> From upstream ChangeLog:
>
> 3.0 [17th October 2007]
> - Removed several perl warnings.
> - Removed password protection as being broken beyond repair.
>
> No security is better than bad security. Sound, can you provide an updated ebuild?

*ping*

Sound, please bump.

Sorry.. I'll _try_ to get it today. So much to do, so little time ;)

bumped, sorry for the delay

Thanks. Arches, please test and mark stable media-sound/gnump3d-3.0. Target keywords: "alpha amd64 ppc64 sparc x86"

ppc64 stable

x86 stable

alpha/sparc stable

amd64 stable

This issue was only introduced in the 2.9final release (bug 182814), which hit the tree 05 Aug 2007 and never went stable. Closing [noglsa] therefore.

Does not affect current (2008.0) release. Removing release.
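The symptom James reports (pressing 'cancel' in the browser, which resends the request with no Authorization header at all, and still getting full access) is the classic shape of a fail-open authentication check. The Python below is an added illustration, not gnump3d's own Perl code; that gnump3d failed in exactly this way is an assumption here, as are the user table and helper names, but the contrast between the fail-open and fail-closed decision is the check worth running against any "password protected" service.

```python
"""Fail-open vs fail-closed HTTP Basic auth decision (added example).

Assumption: the handler only validated credentials when the client sent
some, so a request with no Authorization header was never rejected.
"""
import base64
import hmac

# Constructed user table with placeholder credentials (not from the report).
USERS = {"james": "correct horse"}


def _decode_basic(auth_header):
    """Return (user, password) from a 'Basic <base64>' header, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def _valid(creds, users):
    """Constant-time comparison against the stored password, if the user exists."""
    if creds is None:
        return False
    user, password = creds
    expected = users.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8"))


def authorize_fail_open(headers, users=USERS):
    """Broken pattern: credentials are checked only if the client sent some."""
    auth = headers.get("Authorization")
    if auth is None:
        return True          # no header -> nothing to reject -> access granted
    return _valid(_decode_basic(auth), users)


def authorize_fail_closed(headers, users=USERS):
    """Hardened: a missing or malformed header is a denial, not a pass."""
    return _valid(_decode_basic(headers.get("Authorization")), users)


def basic_header(user, password):
    """Build a Basic header for the constructed requests used in checks."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

A cheap regression check for any service of this kind is to request a protected resource with no credentials and with a deliberately wrong password and confirm both are refused; only the fail-closed function above passes that check.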