Bug 699834 (CVE-2019-12385, CVE-2019-12386) - www-apps/ampache: multiple vulnerabilities (CVE-2019-{12385,12386})
Summary: www-apps/ampache: multiple vulnerabilities (CVE-2019-{12385,12386})
Status: RESOLVED OBSOLETE
Alias: CVE-2019-12385, CVE-2019-12386
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa? masked cve]
Keywords: PMASKED, PullRequest
Depends on:
Blocks:
 
Reported: 2019-11-11 16:41 UTC by GLSAMaker/CVETool Bot
Modified: 2023-10-07 05:51 UTC
CC List: 6 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description GLSAMaker/CVETool Bot gentoo-dev 2019-11-11 16:41:36 UTC
CVE-2019-12385 (https://nvd.nist.gov/vuln/detail/CVE-2019-12385):
  An issue was discovered in Ampache through 3.9.1. The search engine is
  affected by a SQL Injection, so any user able to perform
  lib/class/search.class.php searches (even guest users) can dump any data
  contained in the database (sessions, hashed passwords, etc.). This may lead
  to a full compromise of admin accounts, when combined with the weak password
  generator algorithm used in the lostpassword functionality.

CVE-2019-12386 (https://nvd.nist.gov/vuln/detail/CVE-2019-12386):
  An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the
  localplay.php LocalPlay "add instance" functionality. The injected code is
  reflected in the instances menu. This vulnerability can be abused to force
  an admin to create a new privileged user whose credentials are known by the
  attacker.
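The two defect classes named in the CVE text above (a filter value interpolated into SQL, and a stored name echoed into HTML) are shown below in a deliberately minimal PHP form, each beside the pattern that removes the defect. This is an added illustration written for this page, not Ampache's own code; the `song` table, its columns, the function names and the sample rows are constructed placeholders, and the demonstration runs against an in-memory SQLite database so it needs no server.

```php
<?php
// Added illustration, not Ampache's code. Table, column and function names
// are constructed placeholders chosen for this example.
declare(strict_types=1);

// --- SQL injection ----------------------------------------------------------

// Unsafe: the user-supplied filter text is spliced into the query string, so
// the input can end the quoted literal and change the statement. Kept only
// so the contrast with search_safe() is visible; it is never called below.
function search_unsafe(PDO $db, string $title): array
{
    $sql = "SELECT id, title FROM song WHERE title LIKE '%" . $title . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the filter value travels as a bound parameter and the SQL text is
// fixed. The sort column also comes from the user, but identifiers cannot be
// bound, so it is mapped through an allow-list instead of being interpolated.
function search_safe(PDO $db, string $title, string $sort = 'title'): array
{
    $allowed_sort = ['title' => 'title', 'year' => 'year'];
    $order_by = $allowed_sort[$sort] ?? 'title';

    $stmt = $db->prepare(
        "SELECT id, title FROM song WHERE title LIKE :pattern ORDER BY $order_by"
    );
    $stmt->execute([':pattern' => '%' . $title . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Stored XSS ---------------------------------------------------------------

// Unsafe: a stored instance name is written into the menu markup as-is, so
// whatever markup the name contains is interpreted by every browser that
// renders the menu. Never called below.
function render_instance_menu_unsafe(array $instances): string
{
    $html = '<ul>';
    foreach ($instances as $id => $name) {
        $html .= "<li data-id=\"$id\">$name</li>";
    }
    return $html . '</ul>';
}

// Safe: every stored value is escaped for the HTML context it lands in, at
// the moment of output rather than at the moment of storage.
function render_instance_menu_safe(array $instances): string
{
    $html = '<ul>';
    foreach ($instances as $id => $name) {
        $safe_id   = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $safe_name = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<li data-id=\"$safe_id\">$safe_name</li>";
    }
    return $html . '</ul>';
}

// --- Demonstration on constructed data ----------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE song (id INTEGER PRIMARY KEY, title TEXT, year INTEGER)');
$db->exec("INSERT INTO song (title, year) VALUES ('Blue Train', 1957), ('Kind of Blue', 1959)");

// A filter containing a single quote is plain data to the prepared statement:
// no syntax error, and a title match is attempted literally.
print_r(search_safe($db, 'Blue', 'year'));
print_r(search_safe($db, "O'Neil"));

// A stored name containing markup is rendered inert by the escaping renderer.
$instances = [1 => 'Living room', 2 => '<b>not bold</b>'];
echo render_instance_menu_safe($instances), "\n";
```

The allow-list for the sort column is the part most often skipped: parameter binding protects values, not identifiers, so any column or table name that originates from the request has to be matched against a fixed set before it reaches the query string.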
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 17:50:30 UTC
@maintainer(s): please create an appropriate ebuild, and call for stabilization when ready.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 01:26:30 UTC
@maintainer(s): ping
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 01:57:40 UTC
ping
Comment 4 Larry the Git Cow gentoo-dev 2020-08-30 03:27:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ef446edb1a0c915f8b7007be0ae51ffe3e6398f

commit 0ef446edb1a0c915f8b7007be0ae51ffe3e6398f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 03:26:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 03:26:59 +0000

    profiles/package.mask: last-rite www-apps/ampache
    
    Bug: https://bugs.gentoo.org/645886
    Bug: https://bugs.gentoo.org/655558
    Bug: https://bugs.gentoo.org/699834
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 5 Bearcat M. Şándor 2020-08-31 18:45:10 UTC
The bug where this is referenced (https://github.com/ampache/ampache/issues/1872) is marked as fixed, isn't it?
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-31 18:54:15 UTC
(In reply to Bearcat M. Sandor from comment #5)
> The bug where this is referenced
> (https://github.com/ampache/ampache/issues/1872) is marked as fixed, isn't
> it?

Somebody needs to take care of this package in Gentoo though.
Comment 7 Larry the Git Cow gentoo-dev 2020-10-01 15:13:07 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82d2c7a010372b49b3d22bd673c5c20b24705efd

commit 82d2c7a010372b49b3d22bd673c5c20b24705efd
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-10-01 15:07:14 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-10-01 15:12:52 +0000

    www-apps/ampache: Remove last-rited pkg
    
    Closes: https://bugs.gentoo.org/699834
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask                    |  5 ----
 www-apps/ampache/Manifest                |  2 --
 www-apps/ampache/ampache-3.8.3-r1.ebuild | 51 --------------------------------
 www-apps/ampache/ampache-3.8.8-r1.ebuild | 51 --------------------------------
 www-apps/ampache/files/installdoc.txt    |  6 ----
 www-apps/ampache/metadata.xml            | 11 -------
 6 files changed, 126 deletions(-)
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 15:13:34 UTC
Sorry, my bad.
Comment 9 Hans de Graaff gentoo-dev Security 2023-10-07 05:51:23 UTC
commit 82d2c7a010372b49b3d22bd673c5c20b24705efd
Author: Michał Górny <mgorny@gentoo.org>
Date:   Thu Oct 1 17:07:14 2020 +0200

    www-apps/ampache: Remove last-rited pkg