Bug 53800

Summary: <=net-www/horde-chora-1.2.1 - vulnerability within Chora allows remote shell command injection
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: vapier
Priority: Highest
Version: unspecified
Hardware: All
OS: All
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Carsten Lohrke (RETIRED) gentoo-dev 2004-06-13 06:26:13 UTC
During a security audit of Chora a vulnerability within the diff viewing functionality was discovered. This hole allows arbitrary shellcode injection. Combined with PHP's file upload functionality, this gives the opportunity to upload arbitrary binaries and to execute them (in default configurations).

Concurrent Versions System (CVS) is the dominant open-source version control software that allows developers to access the latest code using a network connection.

http://security.e-matters.de/advisories/102004.html
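As an added illustration of the bug class the advisory describes, and not Chora's own code nor the e-matters proof of concept: a hypothetical PHP diff viewer that interpolates the two request-supplied revision numbers straight into a shell command, beside a hardened builder that checks the revision format and quotes every argument with escapeshellarg(). The function names, the `cvs rdiff` invocation and the sample input are assumptions made for this example; nothing here is executed, the two builders only return the command string each would hand to the shell.

```php
<?php
// Hypothetical illustration of the vulnerability class (not Chora's code).
// A CVS web front-end builds a shell command from the two revisions the
// user selected on the diff page.

function build_diff_command_vulnerable(string $file, string $r1, string $r2): string
{
    // Request parameters interpolated into a shell string: a ';', '|', '`'
    // or '$(' inside $r1 or $r2 turns into a second shell command.
    return "cvs rdiff -u -r $r1 -r $r2 $file";
}

function is_cvs_revision(string $rev): bool
{
    // Numeric CVS revisions are dotted integers such as 1.2 or 1.2.4.7.
    // Anything else is rejected before it gets anywhere near the shell.
    return (bool) preg_match('/^\d+(\.\d+)+$/', $rev);
}

function build_diff_command_safe(string $file, string $r1, string $r2): string
{
    if (!is_cvs_revision($r1) || !is_cvs_revision($r2)) {
        throw new InvalidArgumentException('revision is not a numeric CVS revision');
    }
    // escapeshellarg() single-quotes each value and escapes embedded quotes,
    // so the shell sees exactly one argument per parameter. The format check
    // above is defence in depth: even a quoted hostile value never reaches cvs.
    return 'cvs rdiff -u -r ' . escapeshellarg($r1)
         . ' -r ' . escapeshellarg($r2)
         . ' ' . escapeshellarg($file);
}

// Constructed sample input (assumption for the example): the second
// "revision" terminates the cvs command and names a binary the attacker
// previously staged via an unrestricted file upload, as the advisory notes.
$file = 'module/foo.php';
$r1   = '1.1';
$r2   = '1.2; /tmp/uploaded_binary';

// The vulnerable builder yields a string with two shell commands in it.
echo build_diff_command_vulnerable($file, $r1, $r2), "\n";

// The hardened builder refuses the hostile value outright.
try {
    echo build_diff_command_safe($file, $r1, $r2), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// With well-formed revisions it emits one command with every argument quoted.
echo build_diff_command_safe($file, '1.1', '1.2'), "\n";
```

If the front-end can avoid the shell entirely, that is the stronger fix: proc_open() with an argv array (PHP 7.4 and later) passes each parameter to the `cvs` binary directly and no quoting is needed; the format check still belongs in front of it.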
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-06-13 06:40:32 UTC
Mike -- can you please review/patch as needed?
Comment 2 SpanKY gentoo-dev 2004-06-13 10:47:15 UTC
1.2.1 removed from cvs and 1.2.2 added (stable on all arches)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-06-14 09:19:53 UTC
GLSA ready
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-06-15 12:08:55 UTC
GLSA 200406-09