Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 351087 (CVE-2010-4225) - <dev-lang/mono-2.8.2: ASP.NET Source Code Disclosure Vulnerability (CVE-2010-4225)
Summary: <dev-lang/mono-2.8.2: ASP.NET Source Code Disclosure Vulnerability (CVE-2010-...
Alias: CVE-2010-4225
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 352808 359651
  Show dependency tree
Reported: 2011-01-08 06:20 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-06-21 20:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-08 06:20:12 UTC
An unloading bug can, under some circumstances, let ASP.NET applications misbehave and return the source code (.aspx) of the application or any other file in the web application directory.

A vulnerability has been reported in Mono, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an unspecified error within the "mod_mono" module and can be exploited to disclose the source code of ASPX scripts.

The vulnerability is reported in versions prior to 2.8.2.
Comment 1 Pacho Ramos gentoo-dev 2011-01-25 17:49:27 UTC
+*mono-2.8.2 (25 Jan 2011)
+  25 Jan 2011; Pacho Ramos <> -mono-2.8.1-r1.ebuild,
+  +mono-2.8.2.ebuild, -mono-9999.ebuild, -files/mono-9999-libdir.patch:
+  Version bump, remove old testing and 9999 version since it's not really
+  maintained downstream.

But I am still unable to bump moonlight to a working version with mono-2.8 :-S (bug #340375)
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-25 18:00:36 UTC
Okay, our stabilization target is =dev-lang/mono-2.8.2

Bug #340375 is probably going to block this, but there might be more, so CC-ing arches now.
Comment 3 Pacho Ramos gentoo-dev 2011-01-26 08:43:44 UTC
Can we wait a bit more for getting it stabilized or is this a too major security problem? 

I will probably open a bug with a list of dotnet related things to stabilize (including mono-2.8.2 and others), but I would like to wait a bit also for bug 346135 (and will probably hardmask moonlight until they release a fixed tarball for 2.99.x)
Comment 4 Pacho Ramos gentoo-dev 2011-01-26 10:42:25 UTC
This and other security problems will be solved with bug 351087
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 22:03:12 UTC
Fixed packages have been stabilized via 352808 and, for ppc only, 359651.

GLSA Vote: yes.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:37:42 UTC
CVE-2010-4225 (
  Unspecified vulnerability in the mod_mono module for XSP in Mono 2.8.x
  before 2.8.2 allows remote attackers to obtain the source code for .aspx
  (ASP.NET) applications via unknown vectors related to an "unloading bug."
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:04:01 UTC
Vote: YES. Added to pending GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 20:53:45 UTC
This issue was resolved and addressed in
 GLSA 201206-13 at
by GLSA coordinator Tobias Heinlein (keytoaster).