Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 651118

Summary: <net-analyzer/nmap-7.70: directory traversal vulnerability in the way the non-default http-fetch script sanitized URLs
Product: Gentoo Security Reporter: Jeroen Roovers (RETIRED) <jer>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: netmon
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
net-analyzer/nmap-7.70
 Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2018-03-21 21:00:10 UTC 
"
[NSE][SECURITY] Nmap developer nnposter found a security flaw (directory traversal vulnerability) in the way the non-default http-fetch script sanitized URLs. If a user manualy ran this NSE script with against a malicious web server, the server could potentially (depending on NSE arguments used) cause files to be saved outside the intended destination directory. Existing files couldn't be overwritten. We fixed http-fetch, audited our other scripts to ensure they didn't make this mistake, and we updated the httpspider library API to protect against this by default. [nnposter, Daniel Miller]
"

https://nmap.org/changelog#7.70
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2018-03-21 21:02:22 UTC 
Arch teams, please test and mark stable:
=net-analyzer/nmap-7.70
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-03-22 14:25:29 UTC 
amd64 stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-22 23:01:16 UTC 
ia64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-24 19:33:25 UTC 
hppa stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-24 19:35:26 UTC 
commit 639b423b1c6c8d08a6f52041285bf531d7099478
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Thu Mar 22 18:09:29 2018 +0100

    net-analyzer/nmap: stable 7.70 for sparc, bug #651118
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-25 22:45:58 UTC 
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-04-01 10:01:14 UTC 
Stable on alpha.
Comment 8 Matt Turner gentoo-dev 2018-04-08 04:59:27 UTC 
ppc/ppc64 stable
Comment 9 Markus Meier gentoo-dev 2018-04-14 11:37:55 UTC 
arm stable, all arches done.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-04-14 16:21:19 UTC 
GLSA Vote: No

@maintainer(s), please drop the vulnerable versions.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2018-04-23 02:59:47 UTC 
tree is clean