Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 480474 (CVE-2013-4885) - <net-analyzer/nmap-6.47-r1: Arbitrary file upload flaw in http-domino-enum-passwords NSE script (CVE-2013-4885)
Summary: <net-analyzer/nmap-6.47-r1: Arbitrary file upload flaw in http-domino-enum-pa...
Status: RESOLVED FIXED
Alias: CVE-2013-4885
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 512546 529244
Blocks:
  Show dependency tree
 
Reported: 2013-08-10 10:17 UTC by Agostino Sarubbo
Modified: 2015-03-18 22:10 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-08-10 10:17:37 UTC
From ${URL} :

A flaw in the http-domino-enum-password NSE script for Nmap was discovered [1].  If this script was 
run with the non-default domino-enum-passwords.idpath parameter against a malicious server, it 
could cause an arbitrarily named file to be written to the client system with the permissions of 
the user running the nmap client.

This was corrected in upstream version 6.40 [2] (svn r31576).  This svn revision also updates a few 
other NSE scripts for extra safety.


[1] http://packetstormsecurity.com/files/122719/TWSL2013-025.txt
[2] http://nmap.org/changelog.html


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers gentoo-dev 2013-08-10 14:23:38 UTC
I had to mask ~net-analyzer/nmap-6.40 since it depends on >=dev-lang/lua-5.2 (bug #253269 is supposed to deal with the grander issues of nmap's bundled libraries, but has none of the details on liblua). Quite similar to bug #396353, using the bundled liblua.a causes the linker to fail on some systems ("ld: ./../liblua/liblua.a(loadlib.o): undefined reference to symbol 'dlopen@@GLIBC_2.1'")

I could remove the dependency and link in the bundled liblua.a and then we could unmask it again, but then we'd still have the QA issue.

Please advise.
Comment 2 Rick Farina (Zero_Chaos) gentoo-dev 2013-08-10 16:19:06 UTC
Would it be possible to break this into two revs maybe?  We could use the known bad bundled to get the security bug fixed, and then have an ~arch version that simply depends on the correct liblua?  It's been over a year since lua 5.2 was added to the tree as masked, if there hasn't been some movement on that then...sigh, I won't even go there.
Comment 3 Jeroen Roovers gentoo-dev 2013-08-10 17:10:33 UTC
We could backport the changes to 6.25, too.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 01:13:57 UTC
Backporting to 6.25 (if possible) sounds like a reasonable option to me.
Comment 5 Erwin 2014-02-22 13:41:34 UTC
The "undefined reference to symbol 'dlopen@@GLIBC_2.1" error is caused by the library order, which is known issue. Fix can be found here:
http://seclists.org/nmap-dev/2013/q3/att-216/nmap-6_40-fix-lib-order.patch

I've recently applied this fix to the pentoo overlay:
http://code.google.com/p/pentoo/source/browse/portage/trunk/net-analyzer/nmap/nmap-6.40-r3.ebuild
Comment 6 Jeroen Roovers gentoo-dev 2014-11-17 23:55:38 UTC
Arch teams, please test and mark stable:
=net-analyzer/nmap-6.47-r1
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

PPC and PPC64 will of course need to address bug #512546 first.
Comment 7 Agostino Sarubbo gentoo-dev 2014-11-18 10:04:24 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-11-18 10:04:56 UTC
x86 stable
Comment 9 Jeroen Roovers gentoo-dev 2014-11-18 16:11:14 UTC
Stable for HPPA.
Comment 10 Tobias Klausmann gentoo-dev 2014-11-20 13:07:47 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2014-11-20 15:48:07 UTC
ia64 stable
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-11-23 11:20:43 UTC
we can't proceed, since newer nmap versions have dependency on dev-libs/liblinear, which isn't keyworded for ppc*

(arm stable)
Comment 13 Jeroen Roovers gentoo-dev 2014-11-23 21:48:46 UTC
(In reply to Mikle Kolyada from comment #12)
> we can't proceed, since newer nmap versions have dependency on
> dev-libs/liblinear, which isn't keyworded for ppc*

That's why this bug depends on bug #512546.
Comment 14 Agostino Sarubbo gentoo-dev 2014-11-29 13:29:17 UTC
ppc64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-12-01 09:17:23 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-12-03 09:58:14 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 17 Kristian Fiskerstrand gentoo-dev Security 2015-03-18 22:09:09 UTC
GLSA Vote: No
Comment 18 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 22:10:27 UTC
GLSA vote: no.

Closing as [noglsa]