Bug 214666 (CVE-2008-1475) - www-apps/roundup < 1.4.4-r1 does not check property permissions (CVE-2008-1475)
Status: RESOLVED FIXED
Alias: CVE-2008-1475
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/29336
Whiteboard: B4 [glsa]
Reported: 2008-03-25 10:20 UTC by Lars Hartmann
Modified: 2008-05-29 19:16 UTC
Attachments
patch (xmlrpc_property_permissions.patch,7.73 KB, patch)
2008-03-25 10:21 UTC, Lars Hartmann

Description Lars Hartmann 2008-03-25 10:20:26 UTC
The xml-rpc server in Roundup 1.4.4 does not check property permissions, which
allows attackers to bypass restrictions and edit or read restricted properties
via the (1) list, (2) display, and (3) set methods.
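
The pattern this report describes, as an added illustration that is not Roundup's code and not the attached patch: a toy model in which a handler that checks only class-level permission returns a restricted property, next to handlers for display, list and set that check each property. All names (`ITEMS`, `POLICY`, `has_permission`, the `*_checked` functions) and the data are constructed for this example.

```python
class Forbidden(Exception):
    """Raised when a role lacks permission on a property."""

# Constructed data: one "user" item with a restricted property.
ITEMS = {"user1": {"username": "alice", "password": "constructed-secret"}}
# Constructed policy: (role, action) -> properties that role may touch.
POLICY = {
    ("anonymous", "View"): {"username"},
    ("anonymous", "Edit"): set(),
    ("admin", "View"): {"username", "password"},
    ("admin", "Edit"): {"username", "password"},
}

def has_permission(role, action, prop=None):
    # prop=None is a class-level check; otherwise a property-level check.
    allowed = POLICY.get((role, action), set())
    return bool(allowed) if prop is None else prop in allowed

def display_unchecked(role, item_id):
    # Flawed pattern: class-level check only, then every property is returned.
    if not has_permission(role, "View"):
        raise Forbidden("View")
    return dict(ITEMS[item_id])

def display_checked(role, item_id):
    # Hardened: return only the properties this role may view.
    item = ITEMS[item_id]
    return {p: v for p, v in item.items() if has_permission(role, "View", p)}

def list_checked(role, prop):
    # Hardened: the property used to label each listed item is checked too.
    if not has_permission(role, "View", prop):
        raise Forbidden(prop)
    return [item[prop] for item in ITEMS.values()]

def set_checked(role, item_id, **changes):
    # Hardened: validate every property first, so a denied call writes nothing.
    for p in changes:
        if p not in ITEMS[item_id] or not has_permission(role, "Edit", p):
            raise Forbidden(p)
    ITEMS[item_id].update(changes)
```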
Comment 1 Lars Hartmann 2008-03-25 10:21:27 UTC
Created attachment 147233
patch
Comment 2 Lars Hartmann 2008-03-25 10:22:53 UTC
maintainers - please provide an updated ebuild
Comment 3 Benedikt Böhm (RETIRED) gentoo-dev 2008-04-03 10:43:10 UTC
1.4.4-r1 in cvs
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-12 11:54:46 UTC
Arches, please test and mark stable www-apps/roundup-1.4.4-r1
target : "amd64 ppc release sparc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-12 13:31:02 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2008-05-12 15:38:17 UTC
amd64 stable
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2008-05-12 20:12:53 UTC
Sparc stable.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-16 18:33:14 UTC
ppc stable
Comment 9 Gunnar Wrobel (RETIRED) gentoo-dev 2008-05-17 07:32:52 UTC
Removed vulnerable version. webapps done.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-17 09:43:06 UTC
Time for GLSA decision. I vote YES.
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-05-18 15:19:02 UTC
Fixed in release snapshot.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-19 15:24:23 UTC
Voting YES and filing request.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-29 19:16:08 UTC
GLSA 200805-21