Bug 138552 - app-admin/{webmin|usermin} Arbitrary remote file access (CVE-2006-3392)
Summary: app-admin/{webmin|usermin} Arbitrary remote file access (CVE-2006-3392)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.webmin.com/security.html
Whiteboard: B4 [glsa] jaervosz
Keywords:
Duplicates: 138815 140118
Depends on:
Blocks:

Reported: 2006-06-29 22:46 UTC by Andres Pereira (RETIRED)
Modified: 2006-11-11 20:27 UTC
CC: 5 users

See Also:
Package list:
Runtime testing required: ---


Attachments
webmin-1.290.ebuild (4.02 KB, text/plain), 2006-07-02 02:57 UTC, Conrad Kostecki

Description Andres Pereira (RETIRED) gentoo-dev 2006-06-29 22:46:41 UTC
Arbitrary remote file access

Affects Webmin versions below 1.290, and Usermin versions below 1.220, on any operating system.

An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or set up IP access control in Webmin.

Credit: Kenny Chen
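The advisory quoted above names two remediations: upgrade past the fixed versions, or restrict Webmin by IP. The following is an added example (not code from this bug, from Gentoo, or from the Webmin project) of a small triage script that checks both for an installed host. It assumes Webmin and Usermin record their version as a single line in a version file (the real paths, /etc/webmin/version and /etc/usermin/version, are an assumption here) and that the IP allow-list is the `allow=` directive of miniserv.conf; the version string and the two miniserv.conf fragments are constructed sample inputs so the script runs offline.

```python
"""Added example: version gate plus IP-restriction check for CVE-2006-3392.

Assumptions (labelled): version is one line in a version file, and miniserv.conf
carries IP access control as an `allow=` directive. Sample inputs are constructed.
"""
from __future__ import annotations

# Fixed versions as stated in the advisory: Webmin 1.290, Usermin 1.220.
FIXED_VERSIONS = {"webmin": "1.290", "usermin": "1.220"}


def parse_version(text: str) -> tuple[int, ...]:
    """'1.290' -> (1, 290). Compare per component, never as a float:
    float('1.29') == float('1.290') would hide a real difference if upstream
    ever shipped two-digit minor versions."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed version is below the advisory's fixed version."""
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def parse_miniserv_conf(text: str) -> dict[str, str]:
    """miniserv.conf is key=value per line; lines starting with '#' are comments."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def has_ip_access_control(conf: dict[str, str]) -> bool:
    """A non-empty `allow=` list (assumed directive) means only listed
    addresses/networks can reach miniserv at all, which is the advisory's
    interim mitigation for an unauthenticated file read."""
    return bool(conf.get("allow", "").split())


def assess(product: str, installed_version: str, conf_text: str) -> dict:
    """Combine both checks. 'exposed' means unpatched AND reachable from anywhere."""
    vulnerable = is_vulnerable(product, installed_version)
    restricted = has_ip_access_control(parse_miniserv_conf(conf_text))
    return {
        "product": product,
        "installed": installed_version.strip(),
        "vulnerable_version": vulnerable,
        "ip_restricted": restricted,
        "exposed": vulnerable and not restricted,
    }


# Constructed sample inputs (not taken from any real host).
SAMPLE_WEBMIN_VERSION = "1.280\n"
SAMPLE_MINISERV_CONF_OPEN = """\
# constructed sample: no allow= line, so any client IP may connect
port=10000
ssl=1
"""
SAMPLE_MINISERV_CONF_RESTRICTED = """\
# constructed sample: access limited to localhost and one private network
port=10000
ssl=1
allow=127.0.0.1 10.0.0.0/8
"""

if __name__ == "__main__":
    for label, conf in (("open", SAMPLE_MINISERV_CONF_OPEN),
                        ("restricted", SAMPLE_MINISERV_CONF_RESTRICTED)):
        print(label, assess("webmin", SAMPLE_WEBMIN_VERSION, conf))
```

On a real host you would read the version file and miniserv.conf from disk and feed their contents to `assess`; an `ip_restricted` host that is still `vulnerable_version` has only the interim mitigation and still needs the upgrade.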
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-30 09:11:59 UTC
Jeremy please provide updated ebuilds.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2006-07-02 02:27:44 UTC
*** Bug 138815 has been marked as a duplicate of this bug. ***
Comment 3 Conrad Kostecki gentoo-dev 2006-07-02 02:57:43 UTC
Created attachment 90678 [details]
webmin-1.290.ebuild

webmin-1.290.ebuild (Just renamed from 1.280)
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2006-07-12 08:00:40 UTC
*** Bug 140118 has been marked as a duplicate of this bug. ***
Comment 5 Caleb Cushing 2006-07-14 00:34:16 UTC
Is the ebuild going to get committed to portage?
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-24 06:53:41 UTC
Maintainer mia:

[15:52] <jaervosz> !seen eradicator
[15:52] <glbt> eradicator (n=Jeremy@gentoo/developer/eradicator) was last seen quitting from #gentoo-commits 45 days, 4 hours, 44 minutes ago stating (Remote closed the connection).

Security patchers could you try a bump or should we ask for a new maintainer on -dev?
Comment 7 solar (RETIRED) gentoo-dev 2006-07-24 07:00:48 UTC
Being that eradicator is MIA again, Stuart said he would look into this when he gets home from work today.
Comment 8 Stuart Herbert (RETIRED) gentoo-dev 2006-07-24 11:21:37 UTC
Okay, webmin-1.290 is in the tree.  It installs, but I've done no testing to be sure that webmin itself works (it's not a package I know well, or use myself).

Best regards,
Stu
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-24 11:36:50 UTC
Thx Stuart,

According to upstream we also need usermin 1.220.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-24 11:40:27 UTC
Woops removing arches from CC.

Sorry for the spam.
Comment 11 Jakub Moc (RETIRED) gentoo-dev 2006-07-25 02:51:02 UTC
(In reply to comment #8)
> Okay, webmin-1.290 is in the tree.  It installs, but I've done no testing to be
> sure that webmin itself works (it's not a package I know well, or use myself).

Stuart, you forgot to stick pam flag into IUSE... ;)


Comment 12 Conrad Kostecki gentoo-dev 2006-07-25 03:18:08 UTC
Hmm?
Which USE Flag do you mean? What is this USE Flag doing?
Comment 13 Stuart Herbert (RETIRED) gentoo-dev 2006-07-26 23:57:19 UTC
Hi,

usermin is now bumped (thanks Sune), and the PAM USE flag is back in IUSE (thanks Jakub).

The only testing I've done is to ensure that it installs.

Best regards,
Stu
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-27 02:28:11 UTC
Thx Stuart.

Arches please test and mark stable.
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2006-07-27 13:11:17 UTC
ppc stable
Comment 16 Paul Varner (RETIRED) gentoo-dev 2006-07-27 14:09:40 UTC
Stable on x86
Comment 17 Jason Wever (RETIRED) gentoo-dev 2006-07-27 15:44:23 UTC
Stable on SPARC.  Just a note that at least SPARC was auto-stabilized on the usermin bump.  Other arches may have been as well (not sure).
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2006-07-29 02:26:20 UTC
stable on hppa
Comment 19 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2006-08-01 05:26:03 UTC
webmin and usermin marked stable on alpha.
Comment 20 Markus Rothe (RETIRED) gentoo-dev 2006-08-01 23:18:26 UTC
ppc64 stable
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2006-08-01 23:19:32 UTC
never click on the wrong place...
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2006-08-02 06:38:27 UTC
Missing amd64 keyword on webmin
Comment 23 Michael Weyershäuser 2006-08-04 09:48:28 UTC
working fine on amd64...

emerge --info
Portage 2.1-r1 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-suspend2-r3-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.17-suspend2-r3-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.6.15
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa arts avi berkdb bitmap-fonts cli crypt cups dlloader dri eds emboss encode foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 imlib ipv6 isdnlog jpeg kde kdeenablefinal lzw lzw-tiff mp3 mpeg ncurses nls nptl opengl pam pcre pdflib perl png pppd python qt qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd tiff truetype-fonts type1-fonts unicode usb userlocales xorg xpm xv zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux linguas_de userland_GNU video_cards_dummy"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 24 Thomas Cort (RETIRED) gentoo-dev 2006-08-04 09:56:42 UTC
amd64 stable.
Comment 25 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-05 04:11:32 UTC
This one is ready for GLSA decision.
Comment 26 Thierry Carrez (RETIRED) gentoo-dev 2006-08-05 09:43:45 UTC
I vote yes for unlimited file disclosure.
Comment 27 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-05 09:59:01 UTC
I vote a weak yes. But running a Webmin on the internet side is always insecure and I hope it's rare.
Comment 28 Wolf Giesen (RETIRED) gentoo-dev 2006-08-06 03:33:59 UTC
Thinking of half-trusted LANs, another yes.
Comment 29 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-06 05:02:06 UTC
Ok, let's have a GLSA.
Comment 30 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-07 00:30:03 UTC
GLSA 200608-11

arm, s390 don't forget to mark stable to benefit from the GLSA.