Your message dated Fri, 27 Jul 2007 15:32:03 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#423441: fixed in blosxom 2.0-15 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: blosxom
Version: 2.0-14
Severity: grave
Tags: security
Justification: user security hole

On line 69, param("-f") is used as a potential configuration file:

    for $rcfile ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf", param("-f")) {
        if (-r $rcfile) {
            open (RC, "< $rcfile") or die "Cannot open $rcfile: $!";
            while (<RC>) {
                eval("$_");
            }
            close (RC);
        }
    }

This means (among other things) that a malicious user can use a URL like:

    http://mycomputer/cgi-bin/blosxom?-f=/home/malicioususer/exploit.pl

to execute arbitrary code as whoever runs cgi scripts.

I emailed the credited author of this debian-specific chunk of code, who said he wrote it to be used from the command-line. Indeed, when run from the command-line, you can use

    $ blosxom -f=/path/to/blosxom.conf

but this is just passing URL-encoded form data on the command line and IMHO is an abuse of a feature in the CGI module to make testing easier. As debian installs blosxom into /usr/lib/cgi-bin/ it is clearly going to be run by many people as a CGI.

In fact there are inappropriate calls to param() all over the place. This one just happens to introduce a security hole.

I think I'll use pyblosxom instead. :)

Sorry, no patches, perl scares me.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20-linode28
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages blosxom depends on:
ii  debconf [debconf-2.0]         1.5.11         Debian configuration management sy
ii  perl                          5.8.8-7        Larry Wall's Practical Extraction

Versions of packages blosxom recommends:
ii  apache2-mpm-prefork [httpd]   2.2.3-4        Traditional model for Apache HTTPD

-- debconf information:
  blosxom/breakage:
  blosxom/old_cgi_file: false
--- End Message ---
--- Begin Message ---
Source: blosxom
Source-Version: 2.0-15

We believe that the bug you reported is fixed in the latest version of blosxom, which is due to be installed in the Debian FTP archive:

blosxom_2.0-15.diff.gz
  to pool/main/b/blosxom/blosxom_2.0-15.diff.gz
blosxom_2.0-15.dsc
  to pool/main/b/blosxom/blosxom_2.0-15.dsc
blosxom_2.0-15_all.deb
  to pool/main/b/blosxom/blosxom_2.0-15_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerfried Fuchs <[EMAIL PROTECTED]> (supplier of updated blosxom package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 27 Jul 2007 16:53:14 +0200
Source: blosxom
Binary: blosxom
Architecture: source all
Version: 2.0-15
Distribution: unstable
Urgency: low
Maintainer: Gerfried Fuchs <[EMAIL PROTECTED]>
Changed-By: Gerfried Fuchs <[EMAIL PROTECTED]>
Description:
 blosxom    - light, feature-packed weblog app with plugin extensibility
Closes: 233403 234309 280912 313164 372480 388830 406445 420956 422247 423441
Changes:
 blosxom (2.0-15) unstable; urgency=low
 .
   * The "is it this time of the year again..." release.
   * Set myself as lone maintainer.
   * Remove debhelper stuff.
   * Remove debconf handling for upgrades since before sarge release
     (closes: #388830, #313164, #422247, #420956)
   * Fixed image URL in cgi script (closes: #406445)
   * Pulled fix for xml breakage from new sf.net upstream release
     (closes: #280912)
   * Fixed postrm (closes: #372480)
   * debian/rules: Removed some cruft.
   * Use ctime from POSIX instead of Time::localtime which seems to break
     localtime()'s $isdst which is needed to fix the timezone handling for
     nice_date (closes: #233403)
   * Get rid of param("-f") and replace it by more flexible useable
     $ENV{BLOSXOM_CONFIG_FILE} (closes: #423441, #234309)
   * Add a NEWS.Debian file about these changes.
Files:
 7b07e85c28e461588bcff0727d22b522 521 web optional blosxom_2.0-15.dsc
 fe36c4be3300d927761c838674eb3361 12269 web optional blosxom_2.0-15.diff.gz
 c3d1d9f8c7ed00f3452aea0fef89a328 24706 web optional blosxom_2.0-15_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqgyrELuA/Ba9d8YRAg4pAKCDXKIX/FVnn6ojJ9TUwkxMQ/A6dACdHWPo
4NpSiQMHT872j7boWb3dEPA=
=KQsk
-----END PGP SIGNATURE-----
--- End Message ---
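As an added example (this is not blosxom's code and not the Debian patch), the following Perl puts the config-loading pattern from the bug report next to a hardened form that follows the direction of the 2.0-15 fix: the override path comes from $ENV{BLOSXOM_CONFIG_FILE}, and nothing taken from the HTTP request ever names a file. The ownership and permission check on the chosen file, the constructed query string, and the path /srv/blog/blosxom.conf are assumptions of this example, not part of the Debian fix; CGI.pm is assumed to be installed (libcgi-pm-perl on Debian), since it is no longer part of core Perl.

```perl
#!/usr/bin/perl
# Added example, not blosxom's or Debian's code. Shows the reported pattern
# (config path taken from a CGI parameter and eval()ed) next to a hardened
# version modelled on the 2.0-15 changelog entry (path from
# $ENV{BLOSXOM_CONFIG_FILE}, never from the request). The trust check on the
# chosen file is an addition of this example, not part of the Debian fix.
use strict;
use warnings;
use CGI qw(param);   # assumption: CGI.pm installed (libcgi-pm-perl on Debian)

my @SYSTEM_CONFIGS = ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf");

# VULNERABLE (as reported): the candidate list ends with param("-f"), so
#   GET /cgi-bin/blosxom?-f=/home/malicioususer/exploit.pl
# makes the script eval() every line of a file chosen by the client.
sub vulnerable_candidates {
    return (@SYSTEM_CONFIGS, param("-f"));
}

# HARDENED: the only override is an environment variable, which the
# administrator sets in the shell or in the web server configuration.
# No request parameter is consulted when choosing what to eval().
sub hardened_candidates {
    my @candidates = @SYSTEM_CONFIGS;
    push @candidates, $ENV{BLOSXOM_CONFIG_FILE}
        if defined $ENV{BLOSXOM_CONFIG_FILE};
    return @candidates;
}

# Every line of the config is passed to eval(), so the file is as trusted
# as the interpreter itself. Assumption of this example: only accept a
# regular file that is not group- or world-writable and is owned by root
# or by the user the script runs as.
sub is_trusted_config {
    my ($path) = @_;
    return 0 unless defined $path && -f $path;
    my @st = stat $path or return 0;
    return 0 if $st[2] & 0022;                    # group/world writable
    return 0 unless $st[4] == 0 || $st[4] == $>;  # owner is root or EUID
    return 1;
}

# Same loading mechanism as the original, applied to whichever candidate
# list the caller hands over, with the trust check in front of eval().
sub load_config {
    my @candidates = @_;
    for my $rcfile (@candidates) {
        next unless is_trusted_config($rcfile);
        open my $rc, '<', $rcfile or die "Cannot open $rcfile: $!";
        while (my $line = <$rc>) { eval $line; }
        close $rc;
    }
}

# Offline demonstration with a constructed request (no web server needed):
# make CGI.pm believe it is answering the malicious GET from the report.
$ENV{REQUEST_METHOD}      = 'GET';
$ENV{QUERY_STRING}        = '-f=/home/malicioususer/exploit.pl';
$ENV{BLOSXOM_CONFIG_FILE} = '/srv/blog/blosxom.conf';   # admin-controlled (assumed path)

print "vulnerable would try: ",
      join(', ', grep { defined } vulnerable_candidates()), "\n";
print "hardened would try:   ",
      join(', ', hardened_candidates()), "\n";
```

Running it with perl prints the candidate list each variant would try; the attacker-supplied /home/malicioususer/exploit.pl appears only in the vulnerable list. When REQUEST_METHOD is not set, CGI.pm instead reads name=value pairs from @ARGV, which is what made "blosxom -f=/path/to/blosxom.conf" work from the shell, and also why the script could not tell the two sources apart: the same param() call answers to both.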

