Bug 646786 (CVE-2017-1000501)

Summary:

<www-misc/awstats-7.8: Two path traversal issues in awstat.pl (CVE-2017-1000501)

Product:

Gentoo Security

Reporter:

GLSAMaker/CVETool Bot <glsamaker>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

major

CC:

hanno, moixa, web-apps

Priority:

High

Flags:

nattka: sanity-check-

Version:

unspecified

Hardware:

All

OS:

Linux

See Also:

https://bugs.gentoo.org/show_bug.cgi?id=759544

Whiteboard:

B1 [glsa+ cve]

Package list:

=www-misc/awstats-7.8 amd64 ppc x86

Runtime testing required:

---

Bug Depends on:

Bug Blocks:

656140

Attachments:

Description	Flags
awstats-7.8-mime.patch	none

Description GLSAMaker/CVETool Bot gentoo-dev

2018-02-06 17:13:50 UTC

CVE-2017-1000501 (https://nvd.nist.gov/vuln/detail/CVE-2017-1000501):
  Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in
  the handling of the "config" and "migrate" parameters resulting in
  unauthenticated remote code execution.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2018-02-21 23:24:06 UTC

*** Bug 642428 has been marked as a duplicate of this bug. ***

Comment 2 Sam James archtester

2020-03-15 03:35:37 UTC

(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2017-1000501 (https://nvd.nist.gov/vuln/detail/CVE-2017-1000501):
>   Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in
>   the handling of the "config" and "migrate" parameters resulting in
>   unauthenticated remote code execution.

Patches:
https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651
https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899

Both are included in 7.7.

Comment 3 Sam James archtester

2020-04-22 01:25:07 UTC

@maintainer(s): please bump soon.

Comment 4 Larry the Git Cow gentoo-dev

2020-05-12 11:06:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22812026e7262e3f7fc4cd5243df30c023b97133

commit 22812026e7262e3f7fc4cd5243df30c023b97133
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-12 11:06:09 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-12 11:06:09 +0000

    www-misc/awstats: Security bump to 7.8 release (CVE-2017-1000501).
    
    Bug: https://bugs.gentoo.org/646786
    Fixes: https://bugs.gentoo.org/604548
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-misc/awstats/Manifest           |   1 +
 www-misc/awstats/awstats-7.8.ebuild | 111 ++++++++++++++++++++++++++++++++++++
 2 files changed, 112 insertions(+)

Comment 5 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev

2020-05-12 11:10:16 UTC

@arch teams, please mark stable www-misc/awstats-7.8
Desired keywords are:

KEYWORDS="~alpha amd64 hppa ppc ~sparc x86"

Comment 6 Larry the Git Cow gentoo-dev

2020-05-12 11:12:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03088da8cd72c72fb977622fb3a28028a2e7887c

commit 03088da8cd72c72fb977622fb3a28028a2e7887c
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-12 11:12:23 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-12 11:12:23 +0000

    www-misc/awstats: Drop old and vulnerable releases.
    
    Leave last stable release pending stabilization of the 7.8 release.
    Bug: https://bugs.gentoo.org/646786
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-misc/awstats/Manifest                     |   2 -
 www-misc/awstats/awstats-7.1_p20121017.ebuild | 110 ------------------------
 www-misc/awstats/awstats-7.5.ebuild           | 115 --------------------------
 3 files changed, 227 deletions(-)

Comment 7 Rolf Eike Beer archtester

2020-05-12 19:59:42 UTC

~hppa is fine.

Comment 8 Tobias Sager 2020-05-13 08:35:51 UTC

Created attachment 638556 [details, diff]
awstats-7.8-mime.patch

awstats 7.8 is broken, this commit is not included in the release: https://github.com/eldy/awstats/commit/e5c32dd55ff7995933d84bd45076b09bba400986

awstats 7.7 works fine and fixes CVE-2017-1000501.

Attaching the patch to go with 7.8.

Comment 9 Larry the Git Cow gentoo-dev

2020-05-13 09:43:21 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=4b9fab2bfd33337f0de0dacafd3f861d9355c4b2

commit 4b9fab2bfd33337f0de0dacafd3f861d9355c4b2
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-13 09:43:08 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-13 09:43:08 +0000

    www-misc/awstats: Fix mime.pm - thanks to Tobias Sager.
    
    Bug: https://bugs.gentoo.org/646786
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-misc/awstats/awstats-7.8-r1.ebuild        | 112 ++++++++++++++++++++++++++
 www-misc/awstats/files/awstats-7.8-mime.patch |  12 +++
 2 files changed, 124 insertions(+)

Comment 10 Larry the Git Cow gentoo-dev

2020-05-13 09:47:44 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d4f49ad2dc855a31f482ba521c05f15a1753d61

commit 4d4f49ad2dc855a31f482ba521c05f15a1753d61
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-13 09:47:35 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-13 09:47:35 +0000

    www-misc/awstats: Fix mime.pm - thanks to Tobias Sager.
    
    Bug: https://bugs.gentoo.org/646786
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-misc/awstats/awstats-7.8-r1.ebuild        | 112 ++++++++++++++++++++++++++
 www-misc/awstats/files/awstats-7.8-mime.patch |  12 +++
 2 files changed, 124 insertions(+)

Comment 11 Agostino Sarubbo gentoo-dev

2020-05-13 17:12:49 UTC

ppc stable

Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev

2020-05-14 21:30:04 UTC

x86 stable

Comment 13 Sam James archtester

2020-06-08 04:04:17 UTC

@amd64: ping

Comment 14 Sam James archtester

2020-07-17 00:03:13 UTC

(In reply to Sam James from comment #13)
> @amd64: ping

ping

Comment 15 Sam James archtester

2020-07-17 19:39:20 UTC

amd64 stable.

----

Please cleanup.

Comment 16 Larry the Git Cow gentoo-dev

2020-07-18 00:00:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f127f5c766759209adde243ec01d4d4d4d1cab16

commit f127f5c766759209adde243ec01d4d4d4d1cab16
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 20:58:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:47 +0000

    www-misc/awstats: security cleanup
    
    Bug: https://bugs.gentoo.org/646786
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 www-misc/awstats/Manifest           |   1 -
 www-misc/awstats/awstats-7.4.ebuild | 111 ------------------------------------
 www-misc/awstats/awstats-7.8.ebuild | 111 ------------------------------------
 3 files changed, 223 deletions(-)

Comment 17 NATTkA bot gentoo-dev

2020-07-18 00:05:53 UTC

Unable to check for sanity:

> no match for package: =www-misc/awstats-7.8

Comment 18 GLSAMaker/CVETool Bot gentoo-dev

2020-07-27 00:39:10 UTC

This issue was resolved and addressed in
 GLSA 202007-37 at https://security.gentoo.org/glsa/202007-37
by GLSA coordinator Sam James (sam_c).