
Bug 749345 (CVE-2020-25623)

Summary: <dev-lang/erlang-23.1.1: httpd directory traversal (CVE-2020-25623)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: trivial
CC: jpds, matthew
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/erlang/otp/releases/tag/OTP-23.1
See Also: https://bugs.gentoo.org/show_bug.cgi?id=740894
Whiteboard: C4 [glsa? cve]
Package list:
Runtime testing required: ---
Bug Depends on: 765796, 755236
Bug Blocks:

Description, John Helmert III, 2020-10-15 18:57:08 UTC

CVE-2020-25623:

Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversal. An attacker can send a crafted HTTP request to read arbitrary files, if httpd in the inets application is used.

Cleanup appears to be partially addressed by bug 740894, otherwise we need to stabilize a fixed version. Maintainers, please call for stabilization when ready.
Comment 1, Sam James, 2020-10-23 04:11:55 UTC

(Shifting the blocker because it'll be a pain for stabilisation).

Maintainer: ping. ready?
Comment 2, Sam James, 2020-11-16 19:01:27 UTC

(In reply to Sam James from comment #1)
> (Shifting the blocker because it'll be a pain for stabilisation).
> 
> Maintainer: ping. ready?

It was since done in bug 753464. Please clean up.

Comment 3, NATTkA bot, 2021-01-09 11:57:01 UTC

Comment hidden (obsolete)

Comment 4, Larry the Git Cow, 2021-04-28 18:16:26 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f06f1d7a8d16f0c9730128c56f2a8e22e88b42a3

commit f06f1d7a8d16f0c9730128c56f2a8e22e88b42a3
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-04-28 18:16:02 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-04-28 18:16:23 +0000

    dev-lang/erlang: drop old
    
    Bug: https://bugs.gentoo.org/749345
    Bug: https://bugs.gentoo.org/765796
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-lang/erlang/Manifest             |   3 -
 dev-lang/erlang/erlang-23.0.4.ebuild | 158 -----------------------------------
 2 files changed, 161 deletions(-)
Comment 5, John Helmert III, 2021-07-25 02:12:58 UTC

GLSA request filed.

Comment 6, NATTkA bot, 2021-07-29 17:25:45 UTC

Package list is empty or all packages have requested keywords.

Comment 7, Matthew Smith, 2022-03-12 08:10:13 UTC

Affected versions no longer in tree.