Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 391259 (CVE-2011-4345) - <app-text/namazu-2.0.21: multiple vulnerabilities (CVE-2009-5028, CVE-2011-{4345,4711})
Summary: <app-text/namazu-2.0.21: multiple vulnerabilities (CVE-2009-5028, CVE-2011-{4...
Status: RESOLVED FIXED
Alias: CVE-2011-4345
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.namazu.org/security.html.en
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-21 16:31 UTC by df
Modified: 2013-11-28 09:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description df 2011-11-21 16:31:30 UTC
app-text/namazu-2.0.21 has been released and was already in portage main tree. 

In http://www.namazu.org/security.html.en , <app-text/namazu-2.0.21 have several security issues.

I propose to remove <app-text/namazu-2.0.21 in main portage tree.

Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2011-11-21 18:23:58 UTC
Thanks for report.

@Maintainer, can 2.0.21 goes to stable?
Comment 2 Naohiro Aota gentoo-dev 2011-11-23 13:43:23 UTC
(In reply to comment #1)
> Thanks for report.
> 
> @Maintainer, can 2.0.21 goes to stable?

It pass the tests and no bugs about -2.0.21 but it doesn't spend 30days yet.
I've added it 30 Oct. I think a few more days or tests needed to be stable.
Comment 3 Agostino Sarubbo gentoo-dev 2011-11-27 11:53:19 UTC
Arches, please test and mark stable:
=app-text/namazu-2.0.21
Target keywords : "amd64 ppc64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-11-27 17:06:25 UTC
amd64 ok
Comment 5 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-11-27 19:37:46 UTC
amd64: pass
Comment 6 Tony Vroon gentoo-dev 2011-11-28 23:12:41 UTC
+  28 Nov 2011; Tony Vroon <chainsaw@gentoo.org> -namazu-2.0.18.ebuild,
+  namazu-2.0.21.ebuild, metadata.xml:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah "Armageddon" El Lazkani in security bug #391259. Removed 2.0.18 with
+  problematic dependencies so the arch teams can commit without --force. Remove
+  now-unused kakasi USE-flag.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-12-01 19:54:25 UTC
x86 stable
Comment 8 df 2011-12-02 16:31:10 UTC
This bug has two security issues not only CVE-2011-4345 but CVE-2009-5028 in <app-text/namazu-2.0.20.

http://www.openwall.com/lists/oss-security/2011/11/23/8
# Thanks Jan iankko Lieskovsky @ Red Hat Security Response Team
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-12-13 00:38:13 UTC
CVE-2011-4711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4711):
  Multiple directory traversal vulnerabilities in namazu.cgi in Namazu before
  2.0.16 allow remote attackers to read arbitrary files via a .. (dot dot) in
  the (1) lang or (2) result parameter.

CVE-2011-4345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4345):
  Cross-site scripting (XSS) vulnerability in Namazu before 2.0.21, when
  Internet Explorer 6 or 7 is used, allows remote attackers to inject
  arbitrary web script or HTML via a cookie.

CVE-2009-5028 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5028):
  Stack-based buffer overflow in Namazu before 2.0.20 allows remote attackers
  to cause a denial of service (daemon crash) or possibly execute arbitrary
  code via a crafted request containing an empty uri field.
Comment 10 df 2011-12-13 14:22:35 UTC
(In reply to comment #9)
> CVE-2011-4711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4711):
>   Multiple directory traversal vulnerabilities in namazu.cgi in Namazu before
>   2.0.16 allow remote attackers to read arbitrary files via a .. (dot dot) in
>   the (1) lang or (2) result parameter.

I guess CVE-2011-4711 does not affect on this bug. because affected version has been removed sevral years ago.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-12-18 22:05:13 UTC
(In reply to comment #10)
> 
> I guess CVE-2011-4711 does not affect on this bug. because affected version has
> been removed sevral years ago.

Thanks, that may be true. We'll need to look at the issue to see if a GLSA should be published however.
Comment 12 Mark Loeser (RETIRED) gentoo-dev 2011-12-23 00:26:54 UTC
no more stable ppc64 versions; done
Comment 13 Sean Amoss gentoo-dev Security 2011-12-23 01:38:47 UTC
Thanks everyone. 

@security: please vote for GLSA.
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-12-23 06:14:23 UTC
Thanks, folks. GLSA Vote: yes.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:13:41 UTC
Vote: Yes. GLSA request filed.
Comment 16 Naohiro Aota gentoo-dev 2012-05-27 03:22:53 UTC
Nothing to do left as cjk side. Removing CC.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-11-28 09:21:26 UTC
This issue was resolved and addressed in
 GLSA 201311-22 at http://security.gentoo.org/glsa/glsa-201311-22.xml
by GLSA coordinator Sergey Popov (pinkbyte).