Bug 81775 - net-www/awstats More problems (CAN-2005-036{2,3})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High major
Assignee: Gentoo Security
URL: http://packetstormsecurity.nl/0501-ex...
Whiteboard: B1 [glsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-12 12:25 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-02-16 06:32 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
awstats-6.3-r1.ebuild (awstats-6.3-r1.ebuild,3.72 KB, text/plain)
2005-02-12 13:03 UTC, Aaron Walker (RETIRED)
awstats-6.3-CAN-2005-0016.diff (awstats-6.3-CAN-2005-0016.diff,2.83 KB, patch)
2005-02-12 13:04 UTC, Aaron Walker (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-12 12:25:36 UTC
Patches are here:
http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-12 12:32:40 UTC
Aaron please attach an updated ebuild. I'm not sure of the confidentiality status yet, so filing as restricted.
Comment 2 Aaron Walker (RETIRED) gentoo-dev 2005-02-12 13:03:24 UTC
Created attachment 51079 [details]
awstats-6.3-r1.ebuild
Comment 3 Aaron Walker (RETIRED) gentoo-dev 2005-02-12 13:04:42 UTC
Created attachment 51080 [details, diff]
awstats-6.3-CAN-2005-0016.diff

Had to modify the patch as it is for 6.2 which is no longer in portage.
Comment 4 Aaron Walker (RETIRED) gentoo-dev 2005-02-12 13:10:30 UTC
I just noticed after looking at the patch that the lines being patched out are not the same as in the 6.2 patch... this looks like it only affects 6.2.  6.3 uses a Sanitize subroutine which looks to do the same thing:

#------------------------------------------------------------------------------
# Function:     Clean a string of all chars that are not char or _ - \ / . \s
# Parameters:   stringtoclean
# Input:        None
# Output:       None
# Return:       cleanedstring
#------------------------------------------------------------------------------
sub Sanitize {
	my $stringtoclean=shift;
	$stringtoclean =~ s/[^\w_\-\\\/\.\s]//g;
	return $stringtoclean;
}
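
What the Sanitize routine quoted in comment 4 does to a few inputs, shown next to a reject-instead-of-strip check; this is an added example, not part of the bug thread or of AWStats. The `is_plain_name` helper, its 64-character limit and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Sanitize as quoted in comment 4 (AWStats 6.3): deletes every character
# outside the allow-list  \w _ - \ / . \s  and returns what is left.
sub Sanitize {
    my $stringtoclean = shift;
    $stringtoclean =~ s/[^\w_\-\\\/\.\s]//g;
    return $stringtoclean;
}

# Hypothetical stricter check (not AWStats code): reject the value outright
# instead of stripping it, and allow only a plain name with no path
# separators and no whitespace.
sub is_plain_name {
    my $value = shift;
    return ( defined $value && $value =~ /\A[A-Za-z0-9_.-]{1,64}\z/ ) ? 1 : 0;
}

# Constructed sample parameter values, not taken from any advisory.
my @samples = (
    'www.example.org',        # ordinary name: unchanged by both
    'site name',              # whitespace is on the Sanitize allow-list
    'a|b;c`d$e',              # shell metacharacters are stripped
    'dir/sub\\file.conf',     # / \ and . are kept by Sanitize
);

printf "%-20s %-28s %s\n", 'input', 'Sanitize()', 'is_plain_name()';
for my $in (@samples) {
    my $out  = Sanitize($in);
    my $note = $out eq $in ? '' : ' (altered)';
    printf "%-20s %-28s %s\n",
        $in, $out . $note, is_plain_name($in) ? 'accept' : 'reject';
}
```

Stripping silently changes the value (`a|b;c` becomes `abc`) and keeps `/`, `\` and `.`, so a caller that builds a file path from the result still needs its own check.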
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-12 13:43:45 UTC
Thx for the swift reaction.

Aaron this is at least semi-public. Please commit the reduced patch.
Comment 6 Aaron Walker (RETIRED) gentoo-dev 2005-02-12 13:55:39 UTC
Committed.  Kept keywords.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-02-13 06:15:26 UTC
CAN-2005-0016 configdir,pluginmode variable, fixed in 6.3
CAN-2005-0362 [no]loadplugin,pluginmode variables, fixed in 6.3
CAN-2005-0363 config variable, fixed in the latest patch

Development version 6.4 contains :
- Fix security hole that allowed a user to read log file content even
  when plugin rawlog was not enabled.

That may also require additional patching...
Comment 8 Aaron Walker (RETIRED) gentoo-dev 2005-02-13 08:14:40 UTC
I've backported all the bugfixes from 6.4 to 6.3. I also renamed the current patch as I thought CAN-2005-0016 covered all of the variables.

I uploaded the patch to the mirrors so I'll commit the revbump in a few hours.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-02-13 09:56:18 UTC
This is all public from awstats changelogs and the PDF analysis.
Not sure if we should release this as an update to the old GLSA or a brand-new one.
Comment 10 Aaron Walker (RETIRED) gentoo-dev 2005-02-13 11:34:51 UTC
Committed.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-02-14 12:33:39 UTC
UPDATE to GLSA 200501-36 sent
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-02-15 13:51:45 UTC
We should double-check that everything in http://www.securityfocus.com/archive/1/390368/2005-02-12/2005-02-18/0 has been covered.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-02-16 06:32:10 UTC
These mails are about CAN-2005-0362 and -363, so this is covered.