roundup: security hole: CVE-2008-1475

Related Vulnerabilities: CVE-2008-1475  

Debian Bug report logs - #484728

Package: roundup; Maintainer for roundup is Kai Storbeck <kai@xs4all.nl>; Source for roundup is src:roundup.

Reported by: Alvaro Herrera <alvherre@alvh.no-ip.org>

Date: Thu, 5 Jun 2008 22:33:02 UTC

Severity: grave

Tags: patch, security

Found in version 1.4.4

Fixed in version roundup/1.4.4-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, alvherre@alvh.no-ip.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Toni Mueller <toni@debian.org>:
Bug#484728; Package roundup.


Acknowledgement sent to Alvaro Herrera <alvherre@alvh.no-ip.org>:
New Bug report received and forwarded. Copy sent to alvherre@alvh.no-ip.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Toni Mueller <toni@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Alvaro Herrera <alvherre@alvh.no-ip.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundup: security hole: CVE-2008-1475
Date: Thu, 05 Jun 2008 18:27:46 -0400
Package: roundup
Version: 1.4.4
Severity: grave
Tags: security
Justification: user security hole


I see that there isn't a fix for Debian for this bug:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1475
http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788

Apparently, the Debian version is thus vulnerable.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/1 CPU core)
Locale: LANG=es_CL.utf8, LC_CTYPE=es_CL.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, Toni Mueller <toni@debian.org>:
Bug#484728; Package roundup.


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Toni Mueller <toni@debian.org>.


Message #10 received at 484728@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: Alvaro Herrera <alvherre@alvh.no-ip.org>, 484728@bugs.debian.org
Cc: secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#484728: roundup: security hole: CVE-2008-1475
Date: Fri, 6 Jun 2008 06:51:47 +0200
Hi Alvaro,

On Friday 6 June 2008 00:27, Alvaro Herrera wrote:
> I see that there isn't a fix for Debian for this bug:
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1475
> http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788
>
> Apparently, the Debian version is thus vulnerable.

Thank you for this report.

The version in Debian stable is not vulnerable because the code was introduced 
in 1.4.0.

However, the version in testing/sid has the most recent changelog entry 
predating the report of the security bug you mention and I see no other 
evidence that it has indeed been fixed, so I've marked it as unfixed in our 
tracker and it will hopefully be dealt with soon.


cheers,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Toni Mueller <toni@debian.org>:
Bug#484728; Package roundup.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Toni Mueller <toni@debian.org>.


Message #15 received at 484728@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Alvaro Herrera <alvherre@alvh.no-ip.org>, 484728@bugs.debian.org
Subject: Re: Bug#484728: roundup: security hole: CVE-2008-1475
Date: Fri, 6 Jun 2008 07:51:38 +0200
tags 484728 + patch
thanks

Hi Alvaro,
* Alvaro Herrera <alvherre@alvh.no-ip.org> [2008-06-06 07:29]:
> Package: roundup
> Version: 1.4.4
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> 
> I see that there isn't a fix for Debian for this bug:
> 
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1475
> http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788
> 
> Apparently, the Debian version is thus vulnerable.

Confirmed. Toni, the previous NMU was not vulnerable to 
this, please try to keep track of upstream vulnerabilities 
so such things don't get overwritten introducing new 
vulnerabilities. We already had this marked as not-affected 
because the xml-rpc code was introduced in 1.4.0 and only 
noticed this because of this mail now.

Here is a patch for this:
http://sourceforge.net/tracker/download.php?group_id=31577&atid=402788&file_id=269102&aid=1907211

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Tags added: patch. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Fri, 06 Jun 2008 05:54:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Toni Mueller <toni@debian.org>:
Bug#484728; Package roundup.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Toni Mueller <toni@debian.org>.


Message #22 received at 484728@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 484728@bugs.debian.org
Subject: intent to NMU
Date: Sat, 7 Jun 2008 10:10:31 +0200
Hi,
attached is a debdiff (dropped the .bzr stuff) for an NMU.
It's also archived on:
http://people.debian.org/~nion/nmu-diff/roundup-1.4.4-1_1.4.4-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[roundup-1.4.4-1_1.4.4-1.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Alvaro Herrera <alvherre@alvh.no-ip.org>:
Bug acknowledged by developer.


Message #27 received at 484728-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 484728-close@bugs.debian.org
Subject: Bug#484728: fixed in roundup 1.4.4-1.1
Date: Sun, 08 Jun 2008 11:02:04 +0000
Source: roundup
Source-Version: 1.4.4-1.1

We believe that the bug you reported is fixed in the latest version of
roundup, which is due to be installed in the Debian FTP archive:

roundup_1.4.4-1.1.dsc
  to pool/main/r/roundup/roundup_1.4.4-1.1.dsc
roundup_1.4.4-1.1.tar.gz
  to pool/main/r/roundup/roundup_1.4.4-1.1.tar.gz
roundup_1.4.4-1.1_all.deb
  to pool/main/r/roundup/roundup_1.4.4-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 484728@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated roundup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 07 Jun 2008 10:02:05 +0200
Source: roundup
Binary: roundup
Architecture: source all
Version: 1.4.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Toni Mueller <toni@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 roundup    - an issue-tracking system
Closes: 484728
Changes: 
 roundup (1.4.4-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix privilege escalation leading to attackers being able to
     edit or view restricted properties via the "list", "display"
     and "set" methods (10-CVE-2008-1475.dpatch; Closes: #484728).

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#484728; Package roundup.


Acknowledgement sent to Toni Mueller <toni@debian.org>:
Extra info received and forwarded to list.


Message #32 received at 484728@bugs.debian.org:

From: Toni Mueller <toni@debian.org>
To: Nico Golde <nion@debian.org>, 484728@bugs.debian.org
Cc: Alvaro Herrera <alvherre@alvh.no-ip.org>
Subject: Re: Bug#484728: roundup: security hole: CVE-2008-1475
Date: Tue, 17 Jun 2008 19:48:21 +0200
Hi,


On Fri, 06.06.2008 at 07:51:38 +0200, Nico Golde <nion@debian.org> wrote:
> Confirmed. Toni, the previous NMU was not vulnerable to 

I'm quite sorry to say, but apparently, I have to throw up on roundup.

I did fetch what I saw as the latest... bummer!

Need to file an RFH or O...


Kind regards,
--Toni++


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Jul 2008 07:28:20 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:09:43 2019; Machine Name: beach
