Fwd: security bugfix in PET r743

gregor herrmann gregoa at debian.org
Thu Sep 3 20:25:51 UTC 2009


On Thu, 03 Sep 2009 12:23:28 +0200, Holger Levsen wrote:

> > I saw you were owners of PET installations in alioth, so please see
> > this mail below.
> I had no idea I was?!

I hope you like the good news :)
 
> > If you happen to run a PET instance that is not automatically synched
> > with the main Subversion repository, please take the necessary steps
> > to secure it.
> what do I have to do?

TBH, I'm also always a bit confused about which PET installations are
updated automatically and how.

What I see is /srv/alioth.debian.org/chroot/home/groups/pet/PET/debian-edu
which probably means that the debian-edu installation is
auto-updated, and I don't see anything PET-related in
/home/groups/debian-edu.

*a bit later*

Oh, but, OTOH:

$ ll /home/groups/debian-edu/qa
total 68
-rw-r--r-- 1 holger debian-edu  796 2007-11-08 12:23 commoncheck
-rw-r--r-- 1 holger debian-edu 1450 2007-11-08 18:47 DebianEdu.conf
drwxr-sr-x 3 holger debian-edu 4096 2007-11-08 18:45 DebianQA
-rw-r--r-- 1 holger debian-edu 1395 2007-11-08 12:23 DebianQA.conf-sample
-rwxr-xr-x 1 holger debian-edu 3770 2007-11-08 12:23 fetchdata
-rw-r--r-- 1 holger debian-edu   73 2007-11-08 12:23 htaccess
-rwxr-xr-x 1 holger debian-edu  507 2007-11-08 12:23 maintainercheck
drwxr-sr-x 3 holger debian-edu 4096 2007-11-08 12:23 oldscripts
-rwxr-xr-x 1 holger debian-edu 4787 2007-11-08 12:23 packagecheck
-rwxr-xr-x 1 holger debian-edu 3482 2007-11-08 12:23 qareport
-rwxr-xr-x 1 holger debian-edu 4788 2007-11-08 18:44 qareport.cgi
-rw-r--r-- 1 holger debian-edu 4533 2007-11-08 18:44 README
drwxr-sr-x 3 holger debian-edu 4096 2007-11-08 18:44 templates
-rwxr-xr-x 1 holger debian-edu  667 2007-11-08 12:23 wnppcheck

$ ll /home/groups/debian-edu/qa/DebianQA
total 64
-rw-r--r-- 1 holger debian-edu  6763 2007-11-08 12:23 Archive.pm
-rw-r--r-- 1 holger debian-edu  4093 2007-11-08 12:23 BTS.pm
-rw-r--r-- 1 holger debian-edu  7124 2007-11-08 12:23 Cache.pm
-rw-r--r-- 1 holger debian-edu  1005 2007-11-08 12:23 Common.pm
-rw-r--r-- 1 holger debian-edu  4370 2007-11-08 12:23 Config.pm
-rw-r--r-- 1 holger debian-edu  2377 2007-11-08 12:23 DebVersions.pm
-rw-r--r-- 1 holger debian-edu 10390 2007-11-08 12:51 Svn.pm
-rw-r--r-- 1 holger debian-edu 12338 2007-11-08 18:44 Watch.pm

$ ll /home/groups/debian-edu/cgi-bin/qareport.cgi
lrwxrwxrwx 1 holger debian-edu 18 2007-11-08 13:00 /home/groups/debian-edu/cgi-bin/qareport.cgi -> ../qa/qareport.cgi

DebianQA was the first name of PET, and it seems that some 'holger'
installed it almost two years ago :)
(And some non-PET scripts in qa/ are also from the pk-perl group from
years ago.)

And http://debian-edu.alioth.debian.org/cgi-bin/qareport.cgi still
works! (Even with my very ugly 'lightsalmon' and 'lightseagreen'
colours in the CSS that only survived a few days.)

/srv/alioth.debian.org/chroot/home/groups/debian-edu/qa/DebianQA/Watch.pm
indeed contains the vulnerability that was addressed (or at least
attempted to be addressed) in the patch Tincho mentioned.

If you don't use it (which I assume, since the version is ancient and
manually installed, and you don't remember it) I propose to just rm
the qa/ directory.

(Tincho will surely feed in details in case I'm missing something.)

Cheers,
gregor
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG Key IDs: 0x00F3CFE4, 0x8649AA06
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-    NP: Arlo Guthrie & Pete Seeger: Arlo Guthrie - Amazing Grace
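The mail above works out by hand which PET/DebianQA copies on the host are manually installed (and therefore not updated by the Subversion sync) and which cgi-bin symlink exposes them. The script below is an added example, not part of the thread and not PET's own tooling: it automates that inventory by locating every DebianQA/Watch.pm outside the auto-synced checkout and listing the qareport.cgi symlinks next to it, so each stray copy can be brought to r743 or removed. The directory tree built by setup_demo is constructed sample data that only mirrors the paths named in the mail; on a real host you would pass the real group home root and the real synced checkout path instead.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: inventory PET/DebianQA
# copies that live outside the auto-synced checkout, plus the cgi-bin symlinks
# that expose them, so an admin can update each one to r743 or remove it.
# The layout built by setup_demo is constructed for this demo.

# find_stray_pet ROOT SYNCED
# Print every DebianQA/Watch.pm under ROOT that is not inside SYNCED.
find_stray_pet() {
    root=$1
    synced=$2
    find "$root" -type f -path '*/DebianQA/Watch.pm' 2>/dev/null |
    while read -r f; do
        case "$f" in
            "$synced"/*) continue ;;   # auto-updated copy, nothing to do
        esac
        printf '%s\n' "$f"
    done
}

# find_qareport_links ROOT
# Print each qareport.cgi symlink under ROOT with its target, so the web
# entry point of a stray installation is visible as well.
find_qareport_links() {
    find "$1" -type l -name 'qareport.cgi' 2>/dev/null |
    while read -r l; do
        printf '%s -> %s\n' "$l" "$(readlink "$l")"
    done
}

# setup_demo
# Build a throw-away tree (constructed sample data) and print its path.
setup_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/groups/pet/PET/debian-edu/DebianQA" \
             "$demo/groups/debian-edu/qa/DebianQA" \
             "$demo/groups/debian-edu/cgi-bin"
    : > "$demo/groups/pet/PET/debian-edu/DebianQA/Watch.pm"   # synced copy
    : > "$demo/groups/debian-edu/qa/DebianQA/Watch.pm"        # stale manual copy
    : > "$demo/groups/debian-edu/qa/qareport.cgi"
    ln -s ../qa/qareport.cgi "$demo/groups/debian-edu/cgi-bin/qareport.cgi"
    printf '%s\n' "$demo"
}

# Stand-alone run against the constructed tree.
demo=$(setup_demo)
echo "Stray PET copies (update to r743 or remove):"
find_stray_pet "$demo/groups" "$demo/groups/pet/PET"
echo "CGI entry points:"
find_qareport_links "$demo/groups"
rm -rf "$demo"
```

Run against a real host as `find_stray_pet /home/groups /home/groups/pet/PET` (or the chroot-prefixed equivalents shown in the mail); any path it prints is a copy the Subversion sync will never touch, so it needs the r743 fix applied by hand or, as suggested above, the directory removed.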