
Bug 214666 (CVE-2008-1475)

Summary: www-apps/roundup < 1.4.4-r1 does not check property permissions (CVE-2008-1475)
Product: Gentoo Security
Reporter: Lars Hartmann <lars>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/29336
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Attachments: patch (flags: none)

Description Lars Hartmann 2008-03-25 10:20:26 UTC
The xml-rpc server in Roundup 1.4.4 does not check property permissions, which
allows attackers to bypass restrictions and edit or read restricted properties
via the (1) list, (2) display, and (3) set methods.
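To make the reported flaw concrete, the following is an added example, not Roundup's code or the attached patch: a constructed model of list/display/set RPC methods over tracker items, with a flag that toggles the per-property permission check the fix introduces. The roles, policy tables, item data and the Rpc/denied names are all assumptions.

```python
# Added example, not Roundup's own code. check_props=False mimics the flaw described
# above (only class-level access is checked); check_props=True adds the per-property check.
class Unauthorised(Exception):
    pass

# Constructed policy: (role, class) -> properties that role may View / Edit.
VIEW = {("user", "issue"): {"title", "status"},
        ("admin", "issue"): {"title", "status", "assignedto", "private_note"}}
EDIT = {("user", "issue"): {"title"},
        ("admin", "issue"): {"title", "status", "assignedto", "private_note"}}

# Constructed sample data standing in for the tracker database.
ITEMS = {"issue": {
    "1": {"title": "Login fails", "status": "open",
          "assignedto": "alice", "private_note": "reporter phone: redacted"},
    "2": {"title": "Typo in docs", "status": "closed",
          "assignedto": "bob", "private_note": ""}}}

class Rpc:
    def __init__(self, role, check_props=True):
        self.role, self.check_props = role, check_props

    def _check(self, table, cls, prop):
        allowed = table.get((self.role, cls))
        if allowed is None:          # class-level check: all the flawed server did
            raise Unauthorised(f"{self.role} may not access {cls}")
        if self.check_props and prop not in allowed:   # per-property check
            raise Unauthorised(f"{self.role} may not access {cls}.{prop}")

    def display(self, cls, itemid, *props):
        item = ITEMS[cls][itemid]
        for p in props or tuple(item):   # no explicit list means every property
            self._check(VIEW, cls, p)
        return {p: item[p] for p in props or tuple(item)}

    def list(self, cls, prop):
        self._check(VIEW, cls, prop)
        return [ITEMS[cls][i][prop] for i in sorted(ITEMS[cls])]

    def set(self, cls, itemid, **changes):
        for p in changes:            # check every property before writing any
            self._check(EDIT, cls, p)
        ITEMS[cls][itemid].update(changes)
        return sorted(changes)

def denied(call, *args, **kwargs):
    """True if the call is refused by the permission check."""
    try:
        call(*args, **kwargs)
        return False
    except Unauthorised:
        return True
```

With the check disabled, a plain user reads and lists the private property through display and list; with it enabled, the same calls are refused and set rejects the whole update before writing anything.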
Comment 1 Lars Hartmann 2008-03-25 10:21:27 UTC
Created attachment 147233 [details, diff]
patch
Comment 2 Lars Hartmann 2008-03-25 10:22:53 UTC
maintainers - please provide an updated ebuild
Comment 3 Benedikt Böhm (RETIRED) gentoo-dev 2008-04-03 10:43:10 UTC
1.4.4-r1 in cvs
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-12 11:54:46 UTC
Arches, please test and mark stable www-apps/roundup-1.4.4-r1
target : "amd64 ppc release sparc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-12 13:31:02 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2008-05-12 15:38:17 UTC
amd64 stable
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2008-05-12 20:12:53 UTC
Sparc stable.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-16 18:33:14 UTC
ppc stable
Comment 9 Gunnar Wrobel (RETIRED) gentoo-dev 2008-05-17 07:32:52 UTC
Removed vulnerable version. webapps done.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-17 09:43:06 UTC
Time for GLSA decision. I vote YES.
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-05-18 15:19:02 UTC
Fixed in release snapshot.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-19 15:24:23 UTC
Voting YES and filing request.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-29 19:16:08 UTC
GLSA 200805-21