Bug 154574 - www-apps/trac: <0.10.1 Cross-Site Request Forgery Vulnerability (CVE-2006-5878)
Summary: www-apps/trac: <0.10.1 Cross-Site Request Forgery Vulnerability (CVE-2006-5878)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/22789/
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-11-09 08:34 UTC by Sune Kloppenborg Jeppesen
Modified: 2006-12-12 14:45 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sune Kloppenborg Jeppesen gentoo-dev 2006-11-09 08:34:26 UTC
A vulnerability has been reported in Trac, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The vulnerability is caused due to the application allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the user's request.

The vulnerability is reported in versions prior to 0.10.1.
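The description above says the flaw is a state-changing HTTP handler that trusts the session cookie alone. The following added example (not Trac's code, and not taken from the Gentoo or Secunia advisory) shows that pattern beside the standard mitigation: a per-session random token that must be echoed back in the form body. `Request`, `SessionStore`, `WikiService` and the field name `form_token` are assumptions made for this illustration; the requests replayed in `demo()` are constructed, not captured traffic.

```python
"""Added example (not Trac's code): a state-changing handler with and
without a per-session anti-CSRF token.

Names such as Request, SessionStore and the form field 'form_token' are
assumptions made for this illustration; they are not Trac identifiers.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the server sees it."""
    method: str
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser
    form: dict = field(default_factory=dict)      # POST body fields


class SessionStore:
    """Server-side sessions keyed by the session cookie value."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_hex(16)
        # One random token per session. It is only ever embedded in pages this
        # site renders, so a page on another origin cannot learn it.
        self._sessions[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


class WikiService:
    """Owns the state that a cross-site request would try to change."""

    def __init__(self, store):
        self.store = store
        self.pages = {"WikiStart": "welcome"}

    def _session_for(self, req):
        return self.store.get(req.cookies.get("session", ""))

    def delete_page_vulnerable(self, req):
        # Authenticates via the cookie only. A form submitted from another
        # origin still carries the victim's cookie, so this check passes.
        sess = self._session_for(req)
        if req.method != "POST" or sess is None:
            return 403
        self.pages.pop(req.form.get("page", ""), None)
        return 200

    def delete_page_hardened(self, req):
        # Additionally requires the session's token in the form body. The
        # browser does not add it on its own and another origin cannot read
        # it, so a cross-site submission is rejected here.
        sess = self._session_for(req)
        if req.method != "POST" or sess is None:
            return 403
        supplied = req.form.get("form_token", "")
        if not hmac.compare_digest(supplied, sess["csrf_token"]):
            return 403
        self.pages.pop(req.form.get("page", ""), None)
        return 200


def demo():
    """Replays one cross-site and one legitimate request against both handlers.

    Returns {name: (http_status, page_still_present)} for each replay.
    """
    store = SessionStore()
    sid = store.create("alice")
    token = store.get(sid)["csrf_token"]

    # Cross-site request: cookie present, but no token in the form body.
    cross_site = Request("POST", {"session": sid}, {"page": "WikiStart"})
    # Legitimate request: form rendered by this site, token included.
    legit = Request("POST", {"session": sid},
                    {"page": "WikiStart", "form_token": token})

    results = {}
    svc = WikiService(store)
    results["vulnerable_cross_site"] = (svc.delete_page_vulnerable(cross_site),
                                        "WikiStart" in svc.pages)

    svc = WikiService(store)
    results["hardened_cross_site"] = (svc.delete_page_hardened(cross_site),
                                      "WikiStart" in svc.pages)
    results["hardened_legit"] = (svc.delete_page_hardened(legit),
                                 "WikiStart" in svc.pages)
    return results


if __name__ == "__main__":
    for name, (status, present) in demo().items():
        print(f"{name}: HTTP {status}, page still present: {present}")
```

The token is compared with `hmac.compare_digest` so that a mismatch takes the same time regardless of where the strings first differ, and it is stored per session rather than per user so that logging out and back in invalidates any token captured earlier.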
Comment 1 Michael Zanetta 2006-11-09 10:08:40 UTC
The trac-0.10.1 can be made based on the 0.10 ebuild. However, it depends on docutils>0.3.7 and it's keyword masked.

User just needs to follow the postinst.txt for upgrading.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-09 11:59:14 UTC
dju, pls bump

see also
http://trac.edgewall.org/ticket/4049
Comment 3 Julien Allanos (RETIRED) gentoo-dev 2006-11-09 15:25:32 UTC
In CVS, thanks. For ppc & x86 stabilization:

>=dev-python/docutils-0.3.9 (required)
>=dev-python/mysql-python-1.2.1 (optional, USE mysql)
>=dev-python/psycopg-2 (optional, USE postgres)
Comment 4 Doug Goldstein (RETIRED) gentoo-dev 2006-11-09 15:32:49 UTC
I don't wanna touch the bug... but it'd be nice if it had the versions affected in the summary. "<www-apps/trac-0.10.1"
Comment 5 Markus Meier gentoo-dev 2006-11-10 13:41:31 UTC
www-apps/trac-0.10.1  USE="sqlite -cgi -enscript -fastcgi -mysql -postgres -silvercity -vhosts"
1. emerges on x86
2. passes collision test
3. works

Portage 2.1.1-r1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17.13 i686)
=================================================================
System uname: 2.6.17.13 i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.6
Last Sync: Fri, 10 Nov 2006 19:30:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt css cups dbus divx4linux dlloader dri dts dvd dvdr dvdread elibc_glibc emboss exif fam ffmpeg firefox font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libclamav libg++ linguas_de linguas_en linguas_en_GB logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 6 Andrej Kacian (RETIRED) gentoo-dev 2006-11-10 16:22:56 UTC
Tested and marked stable on x86:

=dev-python/docutils-0.3.9
=dev-python/mysql-python-1.2.1_p2
=dev-python/psycopg-2.0.2

...and last but not least:

=www-apps/trac-0.10.1

Have a nice day.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-13 09:43:52 UTC
ppc stable
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-13 15:20:49 UTC
I tend to vote YES.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-20 13:20:52 UTC
i tend to vote no
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-23 13:40:06 UTC
tend to vote yes too (tiny bit)
Comment 11 Matt Drew (RETIRED) gentoo-dev 2006-12-05 12:24:58 UTC
apprentice - yes on GLSA - likely to be production and public in some instances.
Comment 12 Wolf Giesen (RETIRED) gentoo-dev 2006-12-05 21:20:06 UTC
Yes in this case.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-05 22:01:35 UTC
2 YES votes. Let's have a GLSA then.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-12 14:45:39 UTC
GLSA 200612-14