| Summary: | net-www/roundup directory traversal | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Allan Graves <dgraves> |
| Component: | New packages | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | aliz, mholzer |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Allan Graves
2004-06-10 02:14:42 UTC

Daniel/Martin -- You two are the only people who have ever touched this ebuild. Can one of you please update it to the newest version?

Masked in package.mask due to lack of ownership. I don't think this mask deserves a temporary GLSA.

I've managed to install roundup 0.7.4 by simply copying it as roundup-0.7.4. The security issues, I think, are fixed in this version and the ebuild goes perfectly (the installation script is as simple as "python setup.py"). I think this should be updated and unmasked.

It will only be unmasked if a Gentoo dev steps up and agrees to take over maintenance of it.

I'm a Gentoo dev, this package is mine. I'll take care of this when I get off of work.

ebuild in cvs, please remove the package.mask to test.

Plan is: ppc, sparc, amd64 mark stable.

This package was marked stable on x86 through the following test case:

1) emerge =roundup-0.7.6
2) chdir to the home of a non-privileged user (in my case /home/chris)
3) mkdir roundup
4) roundup-admin install
   - answered 'roundup' for the first question
   - hit enter to accept the defaults for the rest
5) used the config at:
   - http://dev.gentoo.org/~chriswhite/config.py
6) placed that in the roundup directory to replace the one there
7) roundup-admin initialise
   - answered 'roundup' for the first question
   - entered in an admin password
8) roundup start 8080 localhost roundup
9) pointed my browser at http://localhost:8080/support
10) logged in as 'admin' with my admin password set earlier
11) created a bug, attached the file at:
    - http://dev.gentoo.org/~chriswhite/roundup_test.txt
    - and committed the bug
12) used the Show Issue dialog and entered one for the first issue
13) resolved the issue and committed with a message
14) closed the browser
15) chdir back to the unprivileged user's home dir
16) ran
    - roundup stop roundup
    - in that directory to kill the server and remove the .pid file
17) checked the roundup directory to make sure the .pid file was removed

end of test.

Please use this same test case to stable mark the build.

I'm not marking this stable. There isn't a current version in amd64 stable anyway, so there is no reason to bypass normal quality assurance. The same goes for ppc... an app should be in ~arch for a while before being marked stable. It has to be tested. The only exception is when something needs to be pushed to stable for a security fix... since we have no insecure version in stable, bypassing QA makes no sense. This should have been on your dev quiz, please don't CC amd64 for stuff like this in the future.

As per discussion with Lv, the plan will be changed to: sparc stable, x86 stable. Sorry for any trouble/confusion.

PPC removed.

Sparc stable.

Fixed the B3 error (urg). Working on the glsa now.

glsa 200408-09. mad props to chriswhite for resurrecting this from the dead.