Bug 537528 - app-admin/usermin: Read Mail Module Vulnerability
Summary: app-admin/usermin: Read Mail Module Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-24 09:42 UTC by Agostino Sarubbo
Modified: 2016-04-02 23:26 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2015-01-24 09:42:56 UTC
From ${URL} :

I need to request 2 CVE's; one for Usermin and one for Webmin.

Both of them are vulnerable to a hardlink arbitrary file access within the Read Mail Module. The end result is the ability to open any file on the server, including root owned files, which could lead to a privilege escalation.

Reference: http://www.webmin.com/index.html

"January 1: Webmin 1.730 and Usermin 1.640 released - This update includes security fixes to produce against malicious links in the Read Mail module..."



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
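For the hardlink problem the report describes, here is the kind of check a mail-reading component can apply before it opens a file out of a user's mail directory. This is an added Python example written for this bug page; it is not code from the Usermin/Webmin project or from the oss-sec post. It opens the path with O_NOFOLLOW, then inspects the open descriptor with fstat (so the file cannot be swapped between check and use) and refuses anything that is not a regular file, that has more than one hard link, or that is not owned by the expected user. The function name, the sample mail text and the temporary files in demo() are constructed for the demonstration.

```python
import os
import stat
import tempfile


class UnsafeMailFile(Exception):
    """Raised when a mail file fails the hardlink/ownership checks."""


def open_mail_file_safely(path, expected_uid=None):
    """Open `path` read-only, but only if it is a regular file, is owned by
    expected_uid (default: the current effective uid) and has exactly one
    hard link. A hardlink planted in a mail directory that points at a
    root-owned file fails both the link-count and the ownership test.
    The checks run on the opened descriptor via fstat, not on the path.
    Returns an open binary file object, or raises UnsafeMailFile/OSError."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    # O_NOFOLLOW makes the open fail (ELOOP) if the last component is a symlink.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeMailFile(f"{path}: not a regular file")
        if st.st_nlink != 1:
            raise UnsafeMailFile(f"{path}: has {st.st_nlink} hard links")
        if st.st_uid != expected_uid:
            raise UnsafeMailFile(
                f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def demo():
    """Constructed demonstration in a temporary directory: a plain mail file is
    accepted, a hardlink to it is rejected, a symlink to it is rejected.
    Returns a dict describing each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        mail = os.path.join(d, "inbox")
        with open(mail, "wb") as f:
            # constructed sample message, not real mail
            f.write(b"From: alice@example.invalid\nSubject: hi\n\nhello\n")
        with open_mail_file_safely(mail) as f:
            results["plain"] = f.read().startswith(b"From:")

        link = os.path.join(d, "linked")
        os.link(mail, link)          # second hard link -> st_nlink becomes 2
        try:
            open_mail_file_safely(link).close()
            results["hardlink"] = "accepted"
        except UnsafeMailFile:
            results["hardlink"] = "rejected"

        sym = os.path.join(d, "sym")
        os.symlink(mail, sym)
        try:
            open_mail_file_safely(sym).close()
            results["symlink"] = "accepted"
        except OSError:              # ELOOP from O_NOFOLLOW
            results["symlink"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The link-count test is deliberately strict: a legitimate mailbox has no reason to carry extra hard links, so rejecting anything with st_nlink above one costs nothing and removes the whole class of planted-link tricks. On Linux the sysctl fs.protected_hardlinks=1 (default in most current distributions) is the kernel-side complement, since it stops unprivileged users from creating hard links to files they cannot already read and write; the application check above still matters on systems where that sysctl is off or where the mail directory is on a filesystem the user controls.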
Comment 1 Pacho Ramos gentoo-dev 2015-11-05 16:13:16 UTC
Either someone volunteers for maintaining this (and taking care of bumping it soon enough for getting security bugs fixed) or this is treecleaned
Comment 2 Pacho Ramos gentoo-dev 2016-02-20 18:08:38 UTC
removed
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-29 08:40:48 UTC
@Pacho, what exactly was removed here?  Vulnerable versions are still in tree.
Comment 4 Pacho Ramos gentoo-dev 2016-04-02 12:31:34 UTC
$ git commit -m "app-admin/usermin: remove masked for removal package (#537528)"

Necesita una contraseña para desbloquear la clave secreta
del usuario: "Pacho Ramos (pacho) <pacho@condmat1.ciencias.uniovi.es>"
clave DSA de 1024 bits, ID A188FBD4, creada el 2009-07-21

[master 22d71b0] app-admin/usermin: remove masked for removal package (#537528)
 8 files changed, 222 deletions(-)
 delete mode 100644 app-admin/usermin/Manifest
 delete mode 100644 app-admin/usermin/files/init.d.usermin
 delete mode 100644 app-admin/usermin/files/usermin-1.080-safestop.patch
 delete mode 100644 app-admin/usermin/files/usermin-1.150-setup-nocheck.patch
 delete mode 100644 app-admin/usermin/files/usermin-1.540-r1.init
 delete mode 100644 app-admin/usermin/files/usermin.pam-include.1
 delete mode 100644 app-admin/usermin/metadata.xml
 delete mode 100644 app-admin/usermin/usermin-1.600.ebuild

Looks like I forgot to finally commit it