[diatheke] [CVE-2008-0932] insufficient input sanitising

Bug #195696 reported by disabled.user
Affects          Status        Importance  Assigned to    Milestone
sword (Debian)   Fix Released  Unknown
sword (Ubuntu)   Fix Released  Undecided   William Grant
  Dapper         Won't Fix     Undecided   Unassigned
  Edgy           Won't Fix     Undecided   Unassigned
  Feisty         Won't Fix     Undecided   Unassigned
  Gutsy          Won't Fix     Undecided   Unassigned
  Hardy          Fix Released  Undecided   William Grant

Bug Description

Binary package hint: diatheke

References:
DSA-1508-1 (http://www.debian.org/security/2008/dsa-1508)

Quoting:
"Dan Dennison discovered that Diatheke, a CGI program to make a bible
website, performs insufficient sanitising of a parameter, allowing a
remote attacker to execute arbitrary shell commands as the web server
user."

Changed in sword:
status: Unknown → Fix Released
William Grant (wgrant)
Changed in sword:
assignee: nobody → fujitsu
status: New → In Progress
William Grant (wgrant)
Changed in sword:
assignee: fujitsu → nobody
status: In Progress → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sword - 1.5.9-8ubuntu1

---------------
sword (1.5.9-8ubuntu1) hardy; urgency=low

  * Fakesync from Debian unstable.
  * Fixes CVE-2008-0932. (LP: #195696)

sword (1.5.9-8) unstable; urgency=high

  * diatheke failed to use shell_escape for the range parameter
    properly, Closes: #466449

sword (1.5.9-7.1) unstable; urgency=medium

  [ Luk Claes ]
  * Non-maintainer upload.
  * Don't ship the libsword.la file anymore (Closes: #444562).
  * Don't rely on libclucene.la anymore (Closes: #445776).

sword (1.5.9-7) unstable; urgency=low

  * libsword-dev should not depend on libclucene-dev
    or libc6-dev, libz-dev, libcurl4-gnutls-dev
  * patch 09_pcfile.diff don't link apps to all these libs
  * update patch 02_libver.diff link lib to clucene

 -- William Grant <email address hidden> Sun, 16 Mar 2008 20:59:00 +1100

Changed in sword:
status: In Progress → Fix Released
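The changelog entry above names the fix: pass the range parameter through shell_escape before it reaches the shell. What follows is an added example, not code from sword or diatheke: a single-quote escaper of that kind, a hypothetical command builder (the `lookup` tool and its `--range` flag are assumed), and a small oracle a unit test can use to confirm that no shell metacharacter survives outside quotes.

```cpp
#include <cstring>
#include <string>

// Wrap an untrusted CGI parameter in single quotes so /bin/sh treats it as
// one literal word. A literal ' cannot appear inside single quotes, so it
// is written as '\'' (close quote, backslash-escaped quote, reopen quote).
std::string shell_escape(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Unsafe pattern: the parameter is spliced into the command line verbatim,
// so any ; | & $ ` in it is interpreted by the shell (the bug class above).
// "lookup" and "--range" are a hypothetical tool and flag, not diatheke's.
std::string build_command_unsafe(const std::string& range) {
    return "lookup --range " + range;
}

// Hardened form: every interpolated parameter goes through shell_escape.
std::string build_command_safe(const std::string& range) {
    return "lookup --range " + shell_escape(range);
}

// Unit-test oracle: true if cmd contains a shell metacharacter outside
// single quotes. It tracks single-quote state and backslash escapes, which
// is all that the output of shell_escape ever uses.
bool has_unquoted_metachar(const std::string& cmd) {
    bool quoted = false;
    for (size_t i = 0; i < cmd.size(); ++i) {
        char c = cmd[i];
        if (quoted) { if (c == '\'') quoted = false; continue; }
        if (c == '\'') { quoted = true; continue; }
        if (c == '\\') { ++i; continue; }  // escaped char outside quotes
        if (c != '\0' && std::strchr(";|&$`<>()\n", c)) return true;
    }
    return false;
}
```

Building an argv and calling execve() directly removes the shell from the path altogether and is the stronger mitigation; the escaper is the kind of fix the changelog describes.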
Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in sword:
status: Confirmed → Won't Fix
LumpyCustard (orangelumpycustard) wrote :

Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs. I'm getting bored of writing this, please could someone go through and clear the rest???

Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in sword:
status: Confirmed → Won't Fix
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in sword (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in sword (Ubuntu Dapper):
status: Confirmed → Won't Fix