Bug 53494 - net-www/roundup directory traversal
Summary: net-www/roundup directory traversal
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2004-06-10 02:14 UTC by Allan Graves
Modified: 2004-08-11 15:01 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Allan Graves 2004-06-10 02:14:42 UTC
The net-www/roundup needs updating from 0.5.6 to the newer 0.7.4 version available.  All versions less than the 0.6.11 version have been shown to have a directory traversal security hole: http://secunia.com/advisories/11801/



Reproducible: Always
Steps to Reproduce:
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-06-10 09:26:22 UTC
Daniel/Martin --

You two are the only people who have ever touched this ebuild.  Can one of you please update it to the newest version?
Comment 2 Kurt Lieber (RETIRED) gentoo-dev 2004-06-22 10:49:06 UTC
Masked in package.mask due to lack of ownership.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-06-22 10:51:21 UTC
I don't think this mask deserves a temporary GLSA.
Comment 4 Fernando Serboncini (RETIRED) gentoo-dev 2004-06-29 11:26:00 UTC
I've managed to install roundup 0.7.4 by simply copying it as roundup-0.7.4.
The security issues, I think, are fixed in this version and the ebuild goes perfectly (the installation script is as simple as "python setup.py").

I think this should be updated and unmasked.
Comment 5 Kurt Lieber (RETIRED) gentoo-dev 2004-06-29 11:35:37 UTC
It will only be unmasked if a Gentoo dev steps up and agrees to take over maintenance of it.
Comment 6 Chris White (RETIRED) gentoo-dev 2004-08-08 14:16:42 UTC
I'm a Gentoo dev; this package is mine.

I'll take care of this when I get off of work.
Comment 7 Chris White (RETIRED) gentoo-dev 2004-08-09 00:55:13 UTC
ebuild in cvs, please remove the package.mask to test. Plan is:

ppc, sparc, amd64 mark stable.

This package was marked stable on x86 through the following test case:

1) emerge =roundup-0.7.6
2) chdir to the home of a non-privileged user (in my case /home/chris)
3) mkdir roundup
4) roundup-admin install
   - answered 'roundup' for the first question
   - hit enter to accept the defaults for the rest
5) used the config at:
   - http://dev.gentoo.org/~chriswhite/config.py
6) placed that in the roundup directory to replace the one there
7) roundup-admin initialise
   - answered 'roundup' for the first question
   - entered in an admin password
8) roundup start 8080 localhost roundup
9) pointed my browser at http://localhost:8080/support
10) logged in as 'admin' with my admin password set earlier
11) created a bug, attached the file at:
   - http://dev.gentoo.org/~chriswhite/roundup_test.txt
   - and committed the bug
12) used the Show Issue dialog and entered one for the first issue
13) resolved the issue and committed with a message
14) closed the browser
15) chdir back to the unprivileged user's home dir
16) ran
    - roundup stop roundup
    - in that directory to kill the server and remove the .pid file
17) checked the roundup directory to make sure the .pid file was removed

end of test.
Please use this same test case to stable mark the build.
Comment 8 Travis Tilley (RETIRED) gentoo-dev 2004-08-09 09:03:39 UTC
I'm not marking this stable. There isn't a current version in amd64 stable anyway, so there is no reason to bypass normal quality assurance. The same goes for ppc...

An app should be in ~arch for a while before being marked stable. It has to be tested. The only exception is when something needs to be pushed to stable for a security fix... since we have no insecure version in stable, bypassing QA makes no sense. This should have been on your dev quiz; please don't CC amd64 for stuff like this in the future.
Comment 9 Chris White (RETIRED) gentoo-dev 2004-08-09 09:06:53 UTC
As per discussion with Lv, the plan will be changed to:

sparc stable
x86 stable

Sorry for any trouble/confusion.  PPC removed.
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-09 11:03:51 UTC
Sparc stable.
Comment 11 Chris White (RETIRED) gentoo-dev 2004-08-09 11:14:02 UTC
Fixed the B3 error (urg).  Working on the glsa now.
Comment 12 Kurt Lieber (RETIRED) gentoo-dev 2004-08-11 15:01:54 UTC
glsa 200408-09.  mad props to chriswhite for resurrecting this from the dead.