Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 646786 (CVE-2017-1000501) - <www-misc/awstats-7.8: Two path traversal issues in awstat.pl (CVE-2017-1000501)
Summary: <www-misc/awstats-7.8: Two path traversal issues in awstat.pl (CVE-2017-1000501)
Status: RESOLVED FIXED
Alias: CVE-2017-1000501
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+ cve]
Keywords:
: 642428 (view as bug list)
Depends on:
Blocks: EAPI4Removal
  Show dependency tree
 
Reported: 2018-02-06 17:13 UTC by GLSAMaker/CVETool Bot
Modified: 2020-07-27 00:39 UTC (History)
3 users (show)

See Also:
Package list:
=www-misc/awstats-7.8 amd64 ppc x86
Runtime testing required: ---
nattka: sanity-check-


Attachments
awstats-7.8-mime.patch (awstats-7.8-mime.patch,366 bytes, patch)
2020-05-13 08:35 UTC, Tobias Sager
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-02-06 17:13:50 UTC
CVE-2017-1000501 (https://nvd.nist.gov/vuln/detail/CVE-2017-1000501):
  Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in
  the handling of the "config" and "migrate" parameters resulting in
  unauthenticated remote code execution.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-02-21 23:24:06 UTC
*** Bug 642428 has been marked as a duplicate of this bug. ***
Comment 2 Sam James gentoo-dev Security 2020-03-15 03:35:37 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2017-1000501 (https://nvd.nist.gov/vuln/detail/CVE-2017-1000501):
>   Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in
>   the handling of the "config" and "migrate" parameters resulting in
>   unauthenticated remote code execution.

Patches:
https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651
https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899

Both are included in 7.7.
Comment 3 Sam James gentoo-dev Security 2020-04-22 01:25:07 UTC
@maintainer(s): please bump soon.
Comment 4 Larry the Git Cow gentoo-dev 2020-05-12 11:06:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22812026e7262e3f7fc4cd5243df30c023b97133

commit 22812026e7262e3f7fc4cd5243df30c023b97133
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-12 11:06:09 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-12 11:06:09 +0000

    www-misc/awstats: Security bump to 7.8 release (CVE-2017-1000501).
    
    Bug: https://bugs.gentoo.org/646786
    Fixes: https://bugs.gentoo.org/604548
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-misc/awstats/Manifest           |   1 +
 www-misc/awstats/awstats-7.8.ebuild | 111 ++++++++++++++++++++++++++++++++++++
 2 files changed, 112 insertions(+)
Comment 5 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2020-05-12 11:10:16 UTC
@arch teams, please mark stable www-misc/awstats-7.8
Desired keywords are:

KEYWORDS="~alpha amd64 hppa ppc ~sparc x86"
Comment 6 Larry the Git Cow gentoo-dev 2020-05-12 11:12:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03088da8cd72c72fb977622fb3a28028a2e7887c

commit 03088da8cd72c72fb977622fb3a28028a2e7887c
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-12 11:12:23 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-12 11:12:23 +0000

    www-misc/awstats: Drop old and vulnerable releases.
    
    Leave last stable release pending stabilization of the 7.8 release.
    Bug: https://bugs.gentoo.org/646786
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-misc/awstats/Manifest                     |   2 -
 www-misc/awstats/awstats-7.1_p20121017.ebuild | 110 ------------------------
 www-misc/awstats/awstats-7.5.ebuild           | 115 --------------------------
 3 files changed, 227 deletions(-)
Comment 7 Rolf Eike Beer 2020-05-12 19:59:42 UTC
~hppa is fine.
Comment 8 Tobias Sager 2020-05-13 08:35:51 UTC
Created attachment 638556 [details, diff]
awstats-7.8-mime.patch

awstats 7.8 is broken, this commit is not included in the release: https://github.com/eldy/awstats/commit/e5c32dd55ff7995933d84bd45076b09bba400986

awstats 7.7 works fine and fixes CVE-2017-1000501.

Attaching the patch to go with 7.8.
Comment 9 Larry the Git Cow gentoo-dev 2020-05-13 09:43:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=4b9fab2bfd33337f0de0dacafd3f861d9355c4b2

commit 4b9fab2bfd33337f0de0dacafd3f861d9355c4b2
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-13 09:43:08 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-13 09:43:08 +0000

    www-misc/awstats: Fix mime.pm - thanks to Tobias Sager.
    
    Bug: https://bugs.gentoo.org/646786
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-misc/awstats/awstats-7.8-r1.ebuild        | 112 ++++++++++++++++++++++++++
 www-misc/awstats/files/awstats-7.8-mime.patch |  12 +++
 2 files changed, 124 insertions(+)
Comment 10 Larry the Git Cow gentoo-dev 2020-05-13 09:47:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d4f49ad2dc855a31f482ba521c05f15a1753d61

commit 4d4f49ad2dc855a31f482ba521c05f15a1753d61
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-13 09:47:35 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-13 09:47:35 +0000

    www-misc/awstats: Fix mime.pm - thanks to Tobias Sager.
    
    Bug: https://bugs.gentoo.org/646786
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-misc/awstats/awstats-7.8-r1.ebuild        | 112 ++++++++++++++++++++++++++
 www-misc/awstats/files/awstats-7.8-mime.patch |  12 +++
 2 files changed, 124 insertions(+)
Comment 11 Agostino Sarubbo gentoo-dev 2020-05-13 17:12:49 UTC
ppc stable
Comment 12 Thomas Deutschmann gentoo-dev Security 2020-05-14 21:30:04 UTC
x86 stable
Comment 13 Sam James gentoo-dev Security 2020-06-08 04:04:17 UTC
@amd64: ping
Comment 14 Sam James gentoo-dev Security 2020-07-17 00:03:13 UTC
(In reply to Sam James from comment #13)
> @amd64: ping

ping
Comment 15 Sam James gentoo-dev Security 2020-07-17 19:39:20 UTC
amd64 stable.

----

Please cleanup.
Comment 16 Larry the Git Cow gentoo-dev 2020-07-18 00:00:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f127f5c766759209adde243ec01d4d4d4d1cab16

commit f127f5c766759209adde243ec01d4d4d4d1cab16
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 20:58:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:47 +0000

    www-misc/awstats: security cleanup
    
    Bug: https://bugs.gentoo.org/646786
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 www-misc/awstats/Manifest           |   1 -
 www-misc/awstats/awstats-7.4.ebuild | 111 ------------------------------------
 www-misc/awstats/awstats-7.8.ebuild | 111 ------------------------------------
 3 files changed, 223 deletions(-)
Comment 17 NATTkA bot gentoo-dev 2020-07-18 00:05:53 UTC
Unable to check for sanity:

> no match for package: =www-misc/awstats-7.8
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:39:10 UTC
This issue was resolved and addressed in
 GLSA 202007-37 at https://security.gentoo.org/glsa/202007-37
by GLSA coordinator Sam James (sam_c).