Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thomas Goirand <zigo@debian.org>: Bug#637632; Package src:dtc. (Sat, 13 Aug 2011 09:06:10 GMT)
Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thomas Goirand <zigo@debian.org>. (Sat, 13 Aug 2011 09:06:20 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sql injection in package installer
Date: Sat, 13 Aug 2011 11:02:29 +0200
Package: src:dtc
Version: 0.32.10-2
Severity: critical
Tags: security upstream
SQL injection in the package installer:
$q = "SELECT DISTINCT db.Db,db.User FROM mysql.user,mysql.db WHERE user.dtcowner='$adm_login' AND db .User=user.User AND db.Db='".$_REQUEST["database_name"]."';";
Ansgar
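The following is an added example, not code from dtc or from the bug report: it reproduces the concatenation pattern of the reported query beside a parameterised version, so the difference in behaviour on a quoted input can be seen directly. It assumes an in-memory SQLite database with constructed tables `user` and `db` standing in for `mysql.user` and `mysql.db` (reduced to the columns the query uses, including dtc's own `dtcowner` column), and the function names `lookup_vulnerable` and `lookup_safe` are hypothetical.

```php
<?php
// Added example (not dtc's code). Requires PHP with the PDO SQLite driver.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-ins for mysql.user and mysql.db: only the columns the
// reported query touches. Two owners, each with one database.
$pdo->exec("CREATE TABLE user (User TEXT, dtcowner TEXT)");
$pdo->exec("CREATE TABLE db (Db TEXT, User TEXT)");
$pdo->exec("INSERT INTO user VALUES ('alice_u', 'alice'), ('bob_u', 'bob')");
$pdo->exec("INSERT INTO db VALUES ('alice_db', 'alice_u'), ('bob_db', 'bob_u')");

// 1. The pattern from the report: request input is spliced into the SQL text,
//    so a quote character in $database_name changes the statement itself.
function lookup_vulnerable(PDO $pdo, string $adm_login, string $database_name): array
{
    $q = "SELECT DISTINCT db.Db, db.User FROM user, db "
       . "WHERE user.dtcowner='$adm_login' AND db.User=user.User "
       . "AND db.Db='" . $database_name . "';";
    return $pdo->query($q)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Hardened form: bound parameters keep both inputs as data, so the WHERE
//    clause can only ever match databases owned by the given login.
function lookup_safe(PDO $pdo, string $adm_login, string $database_name): array
{
    $stmt = $pdo->prepare(
        "SELECT DISTINCT db.Db, db.User FROM user, db "
      . "WHERE user.dtcowner = :owner AND db.User = user.User AND db.Db = :dbname"
    );
    $stmt->execute([':owner' => $adm_login, ':dbname' => $database_name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a database_name value that closes the quoted literal
// and appends an always-true condition.
$hostile = "x' OR '1'='1";

// Vulnerable path: the appended condition widens the result to other owners.
$leaked = lookup_vulnerable($pdo, 'alice', $hostile);
echo "vulnerable query returned " . count($leaked) . " row(s)\n";
foreach ($leaked as $row) {
    echo "  " . $row['Db'] . " / " . $row['User'] . "\n";
}

// Hardened path: the same value is just a literal database name that does
// not exist, so nothing is returned; a legitimate lookup still works.
$safe = lookup_safe($pdo, 'alice', $hostile);
echo "prepared statement returned " . count($safe) . " row(s)\n";

$normal = lookup_safe($pdo, 'alice', 'alice_db');
echo "legitimate lookup returned " . count($normal) . " row(s): "
   . $normal[0]['Db'] . " / " . $normal[0]['User'] . "\n";
```

Run with `php example.php`: the concatenated query lists both owners' databases because the injected `OR '1'='1'` applies to the whole WHERE clause, while the prepared statement returns no rows for the same input and one row for the legitimate name. The fix the changelog below refers to for #637632 would, in substance, be this second form or equivalent input validation before the value reaches the query string.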
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>: Bug#637632; Package src:dtc. (Sat, 13 Aug 2011 14:57:05 GMT)
Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>: Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Sat, 13 Aug 2011 14:57:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>: Bug#637632; Package src:dtc. (Sat, 13 Aug 2011 15:09:05 GMT)
To: 637630@bugs.debian.org, 637632@bugs.debian.org
Subject: Re: Bug#637630: shell injection in package installer
Date: Sat, 13 Aug 2011 17:04:45 +0200
Thomas Goirand <thomas@goirand.fr> writes:
> I'm surprised to see both #637630 #637632, because they've been fixed a
> long time ago (the same file in the git has the necessary input checking).
I did look at the sources currently in unstable, not the Git repository.
Ansgar
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>: Bug#637632; Package src:dtc. (Sat, 13 Aug 2011 15:45:04 GMT)
To: 637630@bugs.debian.org, 637632@bugs.debian.org
Subject: Re: Bug#637630: shell injection in package installer
Date: Sat, 13 Aug 2011 17:40:44 +0200
found 637630 0.29.17-1+lenny1
tag 637630 fixed-upstream
found 637632 0.29.17-1+lenny1
tag 637632 fixed-upstream
thanks
Ansgar Burchardt <ansgar@debian.org> writes:
> Thomas Goirand <thomas@goirand.fr> writes:
>> I'm surprised to see both #637630 #637632, because they've been fixed a
>> long time ago (the same file in the git has the necessary input checking).
>
> I did look at the sources currently in unstable, not the Git repository.
Indeed there seems to be a patch in Git for these issues[1]. If they
are known since April, why have they been fixed in neither unstable nor
oldstable?
Ansgar
[1] <http://git.gplhost.com/gitweb/?p=dtc.git;a=commitdiff;h=541d8457a6989a1a925bb866ed972a5f07c2de64>
Bug marked as found in versions dtc/0.29.17-1+lenny1. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Sat, 13 Aug 2011 15:45:07 GMT)
Added tag(s) fixed-upstream. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Sat, 13 Aug 2011 15:45:08 GMT)
Bug marked as fixed in versions dtc/0.34.1. Request was from Thomas Goirand <thomas@goirand.fr> to control@bugs.debian.org. (Wed, 14 Sep 2011 16:21:11 GMT)
Reply sent to Thomas Goirand <thomas@goirand.fr>: You have taken responsibility. (Mon, 19 Dec 2011 02:57:14 GMT)
Notification sent to Ansgar Burchardt <ansgar@debian.org>: Bug acknowledged by developer. (Mon, 19 Dec 2011 02:57:15 GMT)
Subject: Bug#637632: fixed in dtc 0.29.18-1+lenny2
Date: Mon, 19 Dec 2011 20:04:29 +0000
Source: dtc
Source-Version: 0.29.18-1+lenny2
We believe that the bug you reported is fixed in the latest version of
dtc, which is due to be installed in the Debian FTP archive:
dtc-common_0.29.18-1+lenny2_all.deb
to main/d/dtc/dtc-common_0.29.18-1+lenny2_all.deb
dtc-core_0.29.18-1+lenny2_all.deb
to main/d/dtc/dtc-core_0.29.18-1+lenny2_all.deb
dtc-cyrus_0.29.18-1+lenny2_all.deb
to main/d/dtc/dtc-cyrus_0.29.18-1+lenny2_all.deb
dtc-postfix-courier_0.29.18-1+lenny2_all.deb
to main/d/dtc/dtc-postfix-courier_0.29.18-1+lenny2_all.deb
dtc-stats-daemon_0.29.18-1+lenny2_all.deb
to main/d/dtc/dtc-stats-daemon_0.29.18-1+lenny2_all.deb
dtc-toaster_0.29.18-1+lenny2_all.deb
to main/d/dtc/dtc-toaster_0.29.18-1+lenny2_all.deb
dtc_0.29.18-1+lenny2.diff.gz
to main/d/dtc/dtc_0.29.18-1+lenny2.diff.gz
dtc_0.29.18-1+lenny2.dsc
to main/d/dtc/dtc_0.29.18-1+lenny2.dsc
dtc_0.29.18.orig.tar.gz
to main/d/dtc/dtc_0.29.18.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 637632@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated dtc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Format: 1.8
Date: Sun, 11 Sep 2011 05:15:26 +0000
Source: dtc
Binary: dtc-common dtc-core dtc-cyrus dtc-postfix-courier dtc-stats-daemon dtc-toaster
Architecture: source all
Version: 0.29.18-1+lenny2
Distribution: lenny-security
Urgency: low
Maintainer: Thomas Goirand <zigo@debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
dtc-common - web control panel for admin and accounting hosting services (comm
dtc-core - web control panel for admin and accounting hosting services (fewe
dtc-cyrus - web control panel for admin and accounting hosting services (cyru
dtc-postfix-courier - web control panel for admin and accounting hosting services (more
dtc-stats-daemon - dtc-xen VM statistics for the dtc web control panel
dtc-toaster - web control panel for admin and accounting hosting services (meta
Closes: 637469 637477 637485 637487 637537 637584 637618 637629 637630 637632 637669
Changes:
dtc (0.29.18-1+lenny2) lenny-security; urgency=low
  .
  * QA upload fixing:
    - Removed old iGlobalWall folder which included unwanted information.
    - Removed sourceless OSX mod_log_sql.so files (Closes: #637469).
    - Fixes lists shell injection issue (Closes: #637477).
    - Sets unix rights to non-world readable for the apache2.conf file,
      since it contains SQL access password (Closes: #637485).
    - Now htmlspecialchars() the output of DNS & MX, preventing a possible
      HTML injection issue (Closes: #637584).
    - Fixes "package installer includes php files in untrusted directories"
      if some package install packages are installed (Closes: #637629, #637630).
    - Adds htmlspecialchars() in the ticket display.
    - Fixes sudo access to chrootuid giving access to root, using the new
      dtc-chroot-wrapper (Closes: #637618).
    - Not using htpasswd -b to create .htpasswd files (Closes: #637537).
    - Checks $_SERVER["addrlink"] input correctly, since it could lead to very
      bad SQL insertion (Closes: #637487).
    - Fixes an SQL injection in package installer (Closes: #637632).
    - Fixes an SQL injection in the draw_user_admin.php (Closes: #637669).
Checksums-Sha1:
9e7675783f6ac3070dc332da98febc2af28894b6 1250 dtc_0.29.18-1+lenny2.dsc
bdf1bef7c5d7e9d61892bc3875925503363354f5 7301006 dtc_0.29.18.orig.tar.gz
b5e77fbbae9e27735c82751abc1ac0077146a002 78746 dtc_0.29.18-1+lenny2.diff.gz
4445b341c0a0566e1f93325712fbd807bed799ab 1912204 dtc-common_0.29.18-1+lenny2_all.deb
79612b46702ccd4823e1d8060eea8497cbe83d72 70510 dtc-core_0.29.18-1+lenny2_all.deb
7456c345f99006e82795eb718e5d249606e8ddcd 70626 dtc-cyrus_0.29.18-1+lenny2_all.deb
9edf5d6c9463161b49431da1a9ea8a65fd146cf0 72150 dtc-postfix-courier_0.29.18-1+lenny2_all.deb
e145c361efd75c81675bdbd92c98eee47b2365af 31420 dtc-stats-daemon_0.29.18-1+lenny2_all.deb
6f4e57a97ea09e1c647225199c0c2b6fa693a965 25814 dtc-toaster_0.29.18-1+lenny2_all.deb
Checksums-Sha256:
0205a5938ae0faee16d2d3d8df2d6fa9b311aae37c906c854ef585a981b8d3af 1250 dtc_0.29.18-1+lenny2.dsc
4c6c116a378641114310bfa4c0595945f8077e222292577d060f0d7f32be37b9 7301006 dtc_0.29.18.orig.tar.gz
e6741fced0c57c63d3b64dfc86c4b78361bd28c0b21c47b739fa8e478612dcca 78746 dtc_0.29.18-1+lenny2.diff.gz
aad9db66e62d2f24c3b56d35a6c46d553f52a6361d82db873aecfaed65dcf124 1912204 dtc-common_0.29.18-1+lenny2_all.deb
6574b290ee7ef3a68487bc6adf9be43ef10cf753bbbec0eea4ee6c0e2dfc2414 70510 dtc-core_0.29.18-1+lenny2_all.deb
ae3ce5943e2b9cec34fa1b6c6f77cd1e035992e844ed890432a34338fc15091d 70626 dtc-cyrus_0.29.18-1+lenny2_all.deb
a0988321c1edca4e4f68ecce6250cd404e84286f430007e90a94c3928acf9293 72150 dtc-postfix-courier_0.29.18-1+lenny2_all.deb
2b5e79c3bf8972499b1640e905068efdee6a67edbd713d2b5f8f95949d8c1c0a 31420 dtc-stats-daemon_0.29.18-1+lenny2_all.deb
e88ef80dedf21e996b36328a27a5be300c3b4fdeaedfe5781dc3d4ac17b3e617 25814 dtc-toaster_0.29.18-1+lenny2_all.deb
Files:
a3f3e14f6ea3d0cdceec1c80727160e8 1250 admin extra dtc_0.29.18-1+lenny2.dsc
a974267096479c55720c8d7e3c00ae6d 7301006 admin extra dtc_0.29.18.orig.tar.gz
79129db9e54025fe4a08f590249caf3c 78746 admin extra dtc_0.29.18-1+lenny2.diff.gz
351c2f7d94f8fa02cc6fc85f7ecdc3a9 1912204 admin extra dtc-common_0.29.18-1+lenny2_all.deb
eaaa9dfc160479f3a8cb4662087cf4dc 70510 admin extra dtc-core_0.29.18-1+lenny2_all.deb
517eedc29e40d13333d713245e0435aa 70626 admin extra dtc-cyrus_0.29.18-1+lenny2_all.deb
b46683262492c05b7096e4f81322fb56 72150 admin extra dtc-postfix-courier_0.29.18-1+lenny2_all.deb
30edcbb544f59beb9e0949c6836a0380 31420 admin extra dtc-stats-daemon_0.29.18-1+lenny2_all.deb
0434325a71c5fa9f6e174ac89f2085b8 25814 admin extra dtc-toaster_0.29.18-1+lenny2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEAREDAAYFAk5sVVUACgkQl4M9yZjvmkkv1QCffTfT59yeRRJPOunBaCKGLLpT
MowAnR2XE3OKrUWUAuwvJm/6kyhuwPxJ
=J5w+
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Jan 2012 07:36:43 GMT)