Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 261194 - net-dns/noip-updater Information Disclosure
Summary: net-dns/noip-updater Information Disclosure
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/33687/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-04 17:15 UTC by Robert Buchholz (RETIRED)
Modified: 2016-03-01 09:29 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 17:15:06 UTC
A security issue has been reported in No-IP Dynamic Update Client,
which can be exploited by malicious people to disclose sensitive
information.

The security issue is caused due to the application submitting user
credentials over HTTP when sending a status update to the hosted
service.

The security issue is confirmed in No-IP Linux Dynamic Update Client
2.1.9. Other versions may also be affected.

SOLUTION:
No solution is currently available.

PROVIDED AND/OR DISCOVERED BY:
Fabio Pinheiro
Comment 1 Daniel Black (RETIRED) gentoo-dev 2009-04-29 01:00:42 UTC
no upstream release yet. just checked. I'm really not willing to rewrite their http code in C to support https.
Comment 2 Chris Reffett gentoo-dev Security 2013-09-03 02:50:35 UTC
No upstream fix available. Package is m-n. @security team: p.mask? remove?
Comment 3 Francis Booth 2015-04-17 23:52:20 UTC
I created a ticket upstream and they say that an update is on its way however they cannot give an estimated time of when they were going to release it.. I currently have no knowledge of C as to attempt to create a fix myself and probably would be doing more harm than good without the proper knowledge.
Comment 4 Francis Booth 2015-04-18 00:46:19 UTC
I did some research into it and the best solution is to remove the package from the portage tree, even if as Daniel suggested we rewrote the client to support https it would not work as NoIP does not have https enabled on the server that receives the requests so essentially the problem is on NoIP's side at this point.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2015-04-18 09:12:42 UTC
Lets remove it then
Comment 6 ChaosEngine 2016-01-03 12:18:29 UTC
For what it matters they do have an somewhat open API:

https://www.noip.com/integrate/request

Looks straightforward; if all fails I will try to use it.
Some HTTPS POST curl-ing should suffice.
Comment 7 Fabio Rossi 2016-01-09 21:05:27 UTC
(In reply to Francis Booth from comment #3)
> I created a ticket upstream and they say that an update is on its way
> however they cannot give an estimated time of when they were going to
> release it.. I currently have no knowledge of C as to attempt to create a
> fix myself and probably would be doing more harm than good without the
> proper knowledge.

is the ticket public?
Comment 8 Francis Booth 2016-01-14 11:18:49 UTC
(In reply to Fabio Rossi from comment #7)
> (In reply to Francis Booth from comment #3)
> > I created a ticket upstream and they say that an update is on its way
> > however they cannot give an estimated time of when they were going to
> > release it.. I currently have no knowledge of C as to attempt to create a
> > fix myself and probably would be doing more harm than good without the
> > proper knowledge.
> 
> is the ticket public?

Sadly no, and I don't have the ticket ID anymore since its been 9 months since that ticket had been created but I'm willing to bet if I opened another one they would say the same thing. Doesn't hurt to try though.
Comment 9 Chris Mansfield 2016-01-16 06:19:20 UTC
(In reply to Francis Booth from comment #8)
> (In reply to Fabio Rossi from comment #7)
> > (In reply to Francis Booth from comment #3)
> > > I created a ticket upstream and they say that an update is on its way
> > > however they cannot give an estimated time of when they were going to
> > > release it.. I currently have no knowledge of C as to attempt to create a
> > > fix myself and probably would be doing more harm than good without the
> > > proper knowledge.
> > 
> > is the ticket public?
> 
> Sadly no, and I don't have the ticket ID anymore since its been 9 months
> since that ticket had been created but I'm willing to bet if I opened
> another one they would say the same thing. Doesn't hurt to try though.

I opened a ticket the other day and got the same answer.
Comment 10 Pacho Ramos gentoo-dev 2016-02-20 17:20:14 UTC
removed
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-02-21 04:00:36 UTC
Package removed per previous comments.  GLSA needed?
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-01 09:29:17 UTC
GLSA Vote: No