Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Daniel Glassey <wdg@debian.org>: Bug#466449; Package diatheke.
Acknowledgement sent to Dan Dennison <dan@thedennisons.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Daniel Glassey <wdg@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: diatheke: Diatheke allows arbitrary command execution using the range parameter
Date: Mon, 18 Feb 2008 15:35:20 -0500
Package: diatheke
Severity: critical
Tags: security
Justification: root security hole
The Diatheke CGI allows arbitrary command execution in the context of
the webserver, e.g. www-data, by simply abusing the range parameter.
For example, &range=`yes` will consume tons of resources on the affected
webserver. Escalation of privileges and command shells are left as an
exercise to the reader.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh
Versions of packages diatheke depends on:
ii libc6 2.7-8 GNU C Library: Shared libraries
ii libcomerr2 1.40.6-1 common error description library
ii libgcc1 1:4.3-20080202-1 GCC support library
ii libkrb53 1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.7-5 OpenLDAP libraries
ii libstdc++6 4.3-20080202-1 The GNU Standard C++ Library v3
ii libsword6 1.5.9-7.1 API/library for bible software
ii zlib1g 1:1.2.3.3.dfsg-11 compression library - runtime
Versions of packages diatheke recommends:
ii apache2 2.2.8-1 Next generation, scalable, extenda
ii apache2-mpm-prefork [httpd] 2.2.8-1 Traditional model for Apache HTTPD
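The report describes a classic CGI-to-shell injection: a query parameter is placed on a command line that a shell parses, so shell metacharacters in it are interpreted. The changelog entries further down attribute the fix to applying shell_escape to the range parameter. The following is an added illustration, not diatheke.pl's own code; the diatheke flags, the KJV module name and the helper names are assumptions. It contrasts the vulnerable interpolation with an escaping helper, an allow-list check, and a list-form invocation that never involves a shell:

```perl
#!/usr/bin/perl
# Added illustration, not diatheke.pl itself: the same CGI-to-shell pattern
# in three forms. The diatheke flags (-b module, -k key) are assumed.
use strict;
use warnings;

# Vulnerable: the query parameter is interpolated straight into a command
# line that /bin/sh will parse, so backticks, ';', '|' and friends in it
# are treated as shell syntax rather than as part of the verse range.
sub build_cmd_vulnerable {
    my ($range) = @_;
    return "diatheke -b KJV -k $range";
}

# shell_escape: wrap the value in single quotes and escape any embedded
# single quote, so the shell receives exactly one literal argument.
sub shell_escape {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;           # ' becomes '\''
    return "'$s'";
}

sub build_cmd_escaped {
    my ($range) = @_;
    return "diatheke -b KJV -k " . shell_escape($range);
}

# Allow-list check: a verse range needs only letters, digits, space and
# a few punctuation marks. Reject anything else before it reaches a shell.
sub looks_like_range {
    my ($range) = @_;
    return $range =~ /\A[A-Za-z0-9 .:,\-]{1,64}\z/;
}

# Strongest option: list-form open() bypasses the shell entirely, so no
# escaping is needed and metacharacters are passed through as plain bytes.
sub run_no_shell {
    my ($range) = @_;
    die "bad range\n" unless looks_like_range($range);
    open(my $fh, '-|', 'diatheke', '-b', 'KJV', '-k', $range)
        or die "cannot run diatheke: $!\n";
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out;
}

my $range = defined $ARGV[0] ? $ARGV[0] : 'John 3:16-17';
print build_cmd_escaped($range), "\n";
```

Run it with a range containing a backtick or semicolon to see the escaped form quote the whole value as one word, and looks_like_range reject it outright.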
Reply sent to Daniel Glassey <wdg@debian.org>:
You have taken responsibility.
Notification sent to Dan Dennison <dan@thedennisons.org>:
Bug acknowledged by developer.
Source: sword
Source-Version: 1.5.9-8
We believe that the bug you reported is fixed in the latest version of
sword, which is due to be installed in the Debian FTP archive:
diatheke_1.5.9-8_i386.deb
to pool/main/s/sword/diatheke_1.5.9-8_i386.deb
libsword-dev_1.5.9-8_i386.deb
to pool/main/s/sword/libsword-dev_1.5.9-8_i386.deb
libsword6_1.5.9-8_i386.deb
to pool/main/s/sword/libsword6_1.5.9-8_i386.deb
sword_1.5.9-8.diff.gz
to pool/main/s/sword/sword_1.5.9-8.diff.gz
sword_1.5.9-8.dsc
to pool/main/s/sword/sword_1.5.9-8.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 466449@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Glassey <wdg@debian.org> (supplier of updated sword package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 18 Feb 2008 22:57:25 +0000
Source: sword
Binary: libsword6 libsword-dev diatheke
Architecture: source i386
Version: 1.5.9-8
Distribution: unstable
Urgency: high
Maintainer: Daniel Glassey <wdg@debian.org>
Changed-By: Daniel Glassey <wdg@debian.org>
Description:
diatheke - CGI script for making bible website
libsword-dev - Development files for libsword
libsword6 - API/library for bible software
Closes: 466449
Changes:
sword (1.5.9-8) unstable; urgency=high
.
* diatheke failed to use shell_escape for the range parameter
properly, Closes: #466449
Files:
d213fb9ac2386e698fea2b02b6978851 709 libs optional sword_1.5.9-8.dsc
d2a89c7f46b5b39d51034ea607be58b5 100567 libs optional sword_1.5.9-8.diff.gz
1f0c6259a54dfe5fb5edf522eb7eec9f 529646 libs optional libsword6_1.5.9-8_i386.deb
307a45596ca46eaaa9d1ad864fa7ff80 678664 libdevel optional libsword-dev_1.5.9-8_i386.deb
8bf1c18a75a0738c0a1226d1743d545c 60998 web optional diatheke_1.5.9-8_i386.deb
Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
Notification sent to Dan Dennison <dan@thedennisons.org>:
Bug acknowledged by developer.
Source: sword
Source-Version: 1.5.7-7sarge1
We believe that the bug you reported is fixed in the latest version of
sword, which is due to be installed in the Debian FTP archive:
diatheke_1.5.7-7sarge1_i386.deb
to pool/main/s/sword/diatheke_1.5.7-7sarge1_i386.deb
libsword-dev_1.5.7-7sarge1_i386.deb
to pool/main/s/sword/libsword-dev_1.5.7-7sarge1_i386.deb
libsword4_1.5.7-7sarge1_i386.deb
to pool/main/s/sword/libsword4_1.5.7-7sarge1_i386.deb
sword_1.5.7-7sarge1.diff.gz
to pool/main/s/sword/sword_1.5.7-7sarge1.diff.gz
sword_1.5.7-7sarge1.dsc
to pool/main/s/sword/sword_1.5.7-7sarge1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 466449@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated sword package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 21 Feb 2008 23:45:32 +0100
Source: sword
Binary: libsword4 libsword-dev diatheke
Architecture: source i386
Version: 1.5.7-7sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Daniel Glassey <wdg@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
diatheke - CGI script for making bible website
libsword-dev - Development files for libsword
libsword4 - API/library for bible software
Closes: 466449
Changes:
sword (1.5.7-7sarge1) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team.
* Fix remote command execution in diatheke.pl (Closes: #466449)
with maintainer-supplied patch.
Files:
4f7872250c457ac36f0b20b4be235647 938 libs optional sword_1.5.7-7sarge1.dsc
369f09068839c646aeab691c63a40d67 1482711 libs optional sword_1.5.7.orig.tar.gz
f8993cddacdac25ca55b7e99ced8ff49 277640 libs optional sword_1.5.7-7sarge1.diff.gz
4dabb05ea1d6b72ba61e8877cbad1544 388072 libs optional libsword4_1.5.7-7sarge1_i386.deb
f04d2f9bc41e5703967630adf4e12754 556994 libdevel optional libsword-dev_1.5.7-7sarge1_i386.deb
665ce388ee9a74a0d850007beae3051a 58108 web optional diatheke_1.5.7-7sarge1_i386.deb
Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
Notification sent to Dan Dennison <dan@thedennisons.org>:
Bug acknowledged by developer.
Source: sword
Source-Version: 1.5.9-2etch1
We believe that the bug you reported is fixed in the latest version of
sword, which is due to be installed in the Debian FTP archive:
diatheke_1.5.9-2etch1_i386.deb
to pool/main/s/sword/diatheke_1.5.9-2etch1_i386.deb
libsword-dev_1.5.9-2etch1_i386.deb
to pool/main/s/sword/libsword-dev_1.5.9-2etch1_i386.deb
libsword6_1.5.9-2etch1_i386.deb
to pool/main/s/sword/libsword6_1.5.9-2etch1_i386.deb
sword_1.5.9-2etch1.diff.gz
to pool/main/s/sword/sword_1.5.9-2etch1.diff.gz
sword_1.5.9-2etch1.dsc
to pool/main/s/sword/sword_1.5.9-2etch1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 466449@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated sword package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 21 Feb 2008 23:35:10 +0100
Source: sword
Binary: libsword-dev libsword6 diatheke
Architecture: source i386
Version: 1.5.9-2etch1
Distribution: stable-security
Urgency: high
Maintainer: Daniel Glassey <wdg@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
diatheke - CGI script for making bible website
libsword-dev - Development files for libsword
libsword6 - API/library for bible software
Closes: 466449
Changes:
sword (1.5.9-2etch1) stable-security; urgency=high
.
* Non-maintainer upload by the security team.
* Fix remote command execution in diatheke.pl (Closes: #466449)
with maintainer-supplied patch.
Files:
d93f49c3798272c9de84ec6ae5d1cbed 1026 libs optional sword_1.5.9-2etch1.dsc
346539f31b41015161d8dd0d2f035243 1806178 libs optional sword_1.5.9.orig.tar.gz
c39c316e9c81e54136eb02f68292c09d 82071 libs optional sword_1.5.9-2etch1.diff.gz
95b5aaff3ccec4dcd1f77e95f6bf2da0 526314 libs optional libsword6_1.5.9-2etch1_i386.deb
e3c8ec3d6dcfcfae0cddbb618353db36 701078 libdevel optional libsword-dev_1.5.9-2etch1_i386.deb
0a384fecde3e4492fda105eb9d82ce35 62206 web optional diatheke_1.5.9-2etch1_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 02 Jul 2009 07:42:05 GMT)