Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 701832 (CVE-2019-10751)

Summary: <net-misc/httpie-1.0.3: url redirection vulnerability allows attacker to write arbitrary file (CVE-2019-10751)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: gentoo, proxy-maint
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/13844
Whiteboard: B4 [noglsa cve]
Package list:
net-misc/httpie-1.0.3
 Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-02 22:58:01 UTC 
CVE-2019-10751 (https://nvd.nist.gov/vuln/detail/CVE-2019-10751):
  All versions of the HTTPie package prior to version 1.0.3 are vulnerable to
  Open Redirect that allows an attacker to write an arbitrary file with
  supplied filename and content to the current directory, by redirecting a
  request from HTTP to a crafted URL pointing to a server in his or hers
  control.
Comment 1 Agostino Sarubbo gentoo-dev 2019-12-03 10:03:53 UTC 
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2019-12-03 10:06:59 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 3 Ralph Seichter 2019-12-03 14:10:35 UTC 
> Maintainer(s), please cleanup.
Cleanup will be done once the attached pull request is merged by either proxy-maint or the security team.
Comment 4 Larry the Git Cow gentoo-dev 2019-12-03 14:17:28 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a609fc4607b39c0b6634724e30abf7a59e57cff

commit 4a609fc4607b39c0b6634724e30abf7a59e57cff
Author:     Ralph Seichter <github@seichter.de>
AuthorDate: 2019-12-02 23:20:43 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2019-12-03 14:17:18 +0000

    net-misc/httpie: Remove vulnerable ebuild
    
    Closes: https://bugs.gentoo.org/701832
    Package-Manager: Portage-2.3.79, Repoman-2.3.16
    Signed-off-by: Ralph Seichter <gentoo@seichter.de>
    Bug: https://github.com/gentoo/gentoo/pull/13844
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/httpie/Manifest               |  1 -
 net-misc/httpie/httpie-1.0.2-r1.ebuild | 43 ----------------------------------
 2 files changed, 44 deletions(-)
Comment 5 Joonas Niilola gentoo-dev 2019-12-03 14:18:59 UTC 
Woops.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 20:05:17 UTC 
GLSA Vote: No

Repository is clean, all done!