Summary: | app-admin/usermin & webmin: Usermin Remote Arbitrary Shell Command Execution Vulnerability
---|---
Product: | Gentoo Security
Reporter: | Alin Năstac (RETIRED) <mrness>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | major
CC: | eradicator
Priority: | Highest
Version: | unspecified
Hardware: | All
OS: | All
URL: | http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/77_e.html
Whiteboard: | B2 [glsa] jaervosz
Package list: |
Runtime testing required: | ---
Attachments: |
Description
Alin Năstac (RETIRED)
2004-09-07 14:45:01 UTC
eradicator, please bump to 1.090. thanks!

ppc needs to mark stable before GLSA can be issued. alpha & ppc64 should mark stable to benefit from this GLSA.

ppc is now stable

Seems to be some confusion about what issues were fixed.

From http://www.webmin.com/uchanges.html
Fixed a security problem that can occur at installation time only, if the /tmp/.webmin directory has already been created by a malicious user.

From http://www.webmin.com/uchanges-1.090.html
Fixed a security hole in the maketemp.pl script, used to create the /tmp/.usermin directory at install time. If an un-trusted user creates this directory before Webmin is installed, he could create in it a symbolic link pointing to a critical file on the system, which would be overwritten when Usermin writes to the link filename (CVE bug CAN-2004-0559).

forgot to put app-admin/webmin on the spot as well, since it contains usermin ;) should be bumped to 1.160

Back to ebuild status. Eradicator please bump webmin as well. Also if anyone can clear up what issues this actually fixes. The advisory seems to be coordinated with webmin, however the changelog mentions another security issue that was fixed.

Secunia has issued an announcement regarding this issue - http://secunia.com/advisories/12488/

I tried to figure out where the problem was but the diff is just too big (~1M) to understand it in a few minutes. I think that we need to update webmin/usermin right away even if we don't understand the problem. The maintainer updated his packages on Sept the 5th, you know? In addition, the original announcement is ambiguous to say the least. Seems pretty big hole to me...

Created attachment 39217 [details, diff]
usage of quotemeta
The inserted line which contains quotemeta call is, without a doubt, a security
update.

ok, so what packages/versions need to get tested in stable ?

reply to comment #9:
app-admin/usermin-1.090
app-admin/webmin-1.160

app-admin/webmin-1.160 is not in the tree yet. Eradicator please bump. UnCC'ing arches until we get a bumped build for webmin.

ok, webmin has been bumped now too... not too many of the sf mirrors have it yet, so it may take a couple tries to get it... amd64, sparc, and x86 were marked by me

ppc hppa ppc64 alpha: you need to mark either usermin, webmin, or both stable.

ppc stable

Confirmation from Webmin's Jamie Cameron :
-------------------------------------------------------------------------
> Your ChangeLog says it solves CAN-2004-0559 (the installation-time
> local symlink vulnerability), but a SNS Advisory (and a Secunia
> reference) disclose a remote arbitrary shell execution vulnerability
> that would also be solved by the latest release.
>
> Could you confirm if that second vulnerability was also solved in
> release 1.090 ? [...]
Yes, all those vulnerabilities are addressed in the latest release. [...]
-------------------------------------------------------------------------
Alpha is stable.

GLSA 200409-15

Stable on hppa.

stable on ppc64
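
The changelog entry quoted in this bug describes a pre-created directory under /tmp containing a symlink that an install-time script then writes through. A defensive pattern for that class of bug is sketched below as an added example; it is not Webmin/Usermin code and not the actual fix, and the names `ensure_private_dir`, `write_new_file` and `UnsafeTempDir` are hypothetical.

```python
import os
import stat


class UnsafeTempDir(Exception):
    """Raised when an already-existing directory cannot be trusted."""


def ensure_private_dir(path):
    """Create `path` as a 0700 directory, or verify an existing one is safe.

    Returns the path on success; raises UnsafeTempDir otherwise.
    """
    try:
        # mkdir fails with EEXIST if anything is already there, symlinks included.
        os.mkdir(path, 0o700)
    except FileExistsError:
        # lstat inspects the entry itself and never follows a planted symlink.
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode):
            raise UnsafeTempDir(f"{path} exists and is not a directory")
        if st.st_uid != os.geteuid():
            raise UnsafeTempDir(f"{path} is owned by uid {st.st_uid}")
        if st.st_mode & 0o077:
            raise UnsafeTempDir(f"{path} is accessible to group/other")
    return path


def write_new_file(directory, name, data):
    """Create a new file in `directory`; refuse to reuse or follow existing names."""
    # O_EXCL makes the open fail if the name exists, even as a dangling symlink,
    # so a link planted by another user is never written through.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(os.path.join(directory, name), flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return os.path.join(directory, name)
```
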