Bug 149578 - <app-text/hyperestraier-1.3.3 has CSRF vulnerability (CVE-2006-3671)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B4? [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-09-29 20:10 UTC by MATSUU Takuto (RETIRED)
Modified: 2006-10-24 03:12 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description MATSUU Takuto (RETIRED) gentoo-dev 2006-09-29 20:10:50 UTC
see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3671

ppc and x86 archs: mark stable 1.4.0.
Comment 1 Andrej Kacian (RETIRED) gentoo-dev 2006-09-30 02:29:10 UTC
!!! All ebuilds that could satisfy ">=dev-db/qdbm-1.8.68" have been masked.

There is a security bug #140295 open for earlier versions of qdbm.

Also, qdbm has had a new release, which was added to portage on Sep 3rd and which (judging from the version range in the description of the above bug) fixes that bug.
I assume that under the weight of two security bugs, you'll want qdbm-1.8.70 stabilized, to clear the way for hyperestraier-1.4.0.

Security, can you confirm?
Comment 2 Akinori Hattori gentoo-dev 2006-09-30 05:00:49 UTC
dev-db/qdbm-1.8.70 and app-text/hyperestraier-1.4.0 use generation-2 (java-pkg-opt-2.eclass) for building the java binding.
I'll modify them to use generation-1, please wait a moment.
Comment 3 Akinori Hattori gentoo-dev 2006-09-30 07:47:30 UTC
dev-db/qdbm and app-text/hyperestraier are ready.

generation-1:
  dev-db/qdbm-1.8.70-r1.ebuild
  app-text/hyperestraier-1.4.0-r1.ebuild

generation-2:
  dev-db/qdbm-1.8.70-r2.ebuild
  app-text/hyperestraier-1.4.0-r2.ebuild

-r1 for stabilization.
Comment 4 Markus Meier gentoo-dev 2006-10-01 05:39:45 UTC
dev-db/qdbm-1.8.70-r1
1.) emerges fine on x86
2.) passes collision test
3.) passes test suite

app-text/hyperestraier-1.4.0-r1
1.) emerges fine on x86
2.) passes collision test
3.) passes some kind of self checking
didn't do any further tests

emerge --info
Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17.13 i686)
=================================================================
System uname: 2.6.17.13 i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.5
Last Sync: Sat, 30 Sep 2006 22:50:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.2.11-r1
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal /usr/local/portage/testing"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli crypt css cups dbus divx4linux dlloader dri dts dvd dvdr dvdread elibc_glibc emboss exif fam ffmpeg firefox font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libclamav libg++ linguas_de linguas_en linguas_en_GB logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 5 Joshua Jackson (RETIRED) gentoo-dev 2006-10-02 21:03:10 UTC
x86 stable ^.^
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-10-05 10:40:26 UTC
ppc stable
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-19 05:52:57 UTC
oops... this went under our radar

security please vote on GLSA publication

/me votes no
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-24 03:12:01 UTC
no too and closing feelfreetoreopenifyoudisagree