Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 576868 (CVE-2014-6276) - <www-apps/roundup-1.5.1: Information leak due to incorrect permissions
Summary: <www-apps/roundup-1.5.1: Information leak due to incorrect permissions
Alias: CVE-2014-6276
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on:
Blocks: 593182 609674
  Show dependency tree
Reported: 2016-03-09 15:13 UTC by Agostino Sarubbo
Modified: 2017-07-09 21:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-03-09 15:13:57 UTC
From ${URL} :

An information leak in roundup, allowing authenticated attackers to see sensitive details about 
other users, including their hashed password.

External Reference:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-11-20 11:55:23 UTC
Per the CVE:

" in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details."

@maintainer(s), please bump package to >=www-apps/roundup-1.5.1

Additional python notes from upstream:

"**IMPORTANT** The v1.5.x releases of Roundup were the last to support
Python v2.5. Support for Python v2.5 is dropped starting with the v1.6.x
releases of Roundup, at which point either Python v2.6 or v2.7 is
required to run those releases of Roundup."
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-11-28 08:14:01 UTC
No rdeps... I figured this would be a popular one, but apparently not.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-02-17 19:17:54 UTC
Treeclean then? If so, I'd rather do it today, and get rid of it along with distutils.eclass 30 days from now.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 19:22:08 UTC
(In reply to Michał Górny from comment #3)
> Treeclean then? If so, I'd rather do it today, and get rid of it along with
> distutils.eclass 30 days from now.

Yes, please proceed. Maybe someone who cares will respond when the mask appear...
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 20:23:59 UTC
# Thomas Deutschmann <> (17 Feb 2017)
# Unpatched security vulnerability per bug #576868
# Removal in 30 days.
Comment 6 Cédric Krier gentoo-dev 2017-02-17 22:20:32 UTC
Indeed I care about it. I have two installations running it.
I'm going to work on bumping to 1.5.1.
Comment 7 Cédric Krier gentoo-dev 2017-02-17 23:33:00 UTC
Bumped to 1.5.1
Comment 8 Cédric Krier gentoo-dev 2017-03-11 20:38:16 UTC
Stabilization requested at #593182
Comment 9 Cédric Krier gentoo-dev 2017-04-16 08:30:19 UTC
What should I do to remove the mask? There is a stable request at bug #593182 but it seems in conflict with the package mask. Is not the security team allowed to stabilize for such case?
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-04-16 12:43:06 UTC
To my knowledge, the mask was removed last month via

# emerge --info | grep -i timestam
Timestamp of repository gentoo: Sun, 16 Apr 2017 05:03:19 +0000

# eshowkw roundup
Keywords for www-apps/roundup:
      |                                 |   u   |
      | a a         p s   a     n r     |   n   |
      | l m   h i   p p   r m m i i s   | e u s | r
      | p d a p a p c a x m i 6 o s 3   | a s l | e
      | h 6 r p 6 p 6 r 8 6 p 8 s c 9 s | p e o | p
      | a 4 m a 4 c 4 c 6 4 s k 2 v 0 h | i d t | o
1.5.1 | o ~ o o o + o ~ ~ o o o o o o o | 6 o 0 | gentoo

Ignore the result from -- the web application is known for showing invalid and or outdated information.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-07-09 21:09:48 UTC
GLSA Vote: No.

Package has a stable call in another bug and no vulnerable versions remain.