Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 214666 (CVE-2008-1475) - www-apps/roundup < 1.4.4-r1 does not check property permissions (CVE-2008-1475)
Summary: www-apps/roundup < 1.4.4-r1 does not check property permissions (CVE-2008-1475)
Alias: CVE-2008-1475
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2008-03-25 10:20 UTC by Lars Hartmann
Modified: 2008-05-29 19:16 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

patch (xmlrpc_property_permissions.patch,7.73 KB, patch)
2008-03-25 10:21 UTC, Lars Hartmann
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2008-03-25 10:20:26 UTC
The xml-rpc server in Roundup 1.4.4 does not check property permissions, which
allows attackers to bypass restrictions and edit or read restricted properties
via the (1) list, (2) display, and (3) set methods.
Comment 1 Lars Hartmann 2008-03-25 10:21:27 UTC
Created attachment 147233 [details, diff]
Comment 2 Lars Hartmann 2008-03-25 10:22:53 UTC
maintainers - please provide an updated ebuild
Comment 3 Benedikt Böhm (RETIRED) gentoo-dev 2008-04-03 10:43:10 UTC
1.4.4-r1 in cvs
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-12 11:54:46 UTC
Arches, please test and mark stable www-apps/roundup-1.4.4-r1
target : "amd64 ppc release sparc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-12 13:31:02 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2008-05-12 15:38:17 UTC
amd64 stable
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2008-05-12 20:12:53 UTC
Sparc stable.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-16 18:33:14 UTC
ppc stable
Comment 9 Gunnar Wrobel (RETIRED) gentoo-dev 2008-05-17 07:32:52 UTC
Removed vulnerable version. webapps done.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-17 09:43:06 UTC
Time for GLSA decision. I vote YES.
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-05-18 15:19:02 UTC
Fixed in release snapshot.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-19 15:24:23 UTC
Voting YES and filing request.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-29 19:16:08 UTC
GLSA 200805-21