Gentoo Archives: gentoo-announce

From: Raphael Marichez <falco@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200701-12 ] Mono: Information disclosure
Date: Tue, 16 Jan 2007 23:30:00
Message-Id: 20070116230749.GC28822@falco.falcal.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200701-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Low
Title: Mono: Information disclosure
Date: January 16, 2007
Bugs: #159886
ID: 200701-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Mono does not properly sanitize pathnames, allowing unauthorized
information disclosure.

Background
==========

Mono provides the necessary software to develop and run .NET client and
server applications on various platforms.

Affected packages
=================

-------------------------------------------------------------------
     Package              /  Vulnerable  /              Unaffected
-------------------------------------------------------------------
  1  dev-lang/mono             < 1.2.2.1                >= 1.2.2.1

Description
===========

José Ramón Palanco has discovered that the System.Web class in the
XSP for the ASP.NET server 1.1 through 2.0 in Mono does not properly
validate or sanitize local pathnames, which could allow server-side file
content disclosure.

Impact
======

An attacker could append a space character to a URI and obtain
unauthorized access to the source code of server-side files. An
attacker could also read credentials by requesting Web.Config%20 from a
Mono server.
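
The trailing-space path confusion described above, as an added example that is not part of this advisory or of Mono's own code: a Python sketch of the canonicalization a fixed handler should apply before deciding whether a name is a protected ASP.NET file, plus a detector that runs the same check over constructed access-log lines. The protected-extension list and the log format are assumptions for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions an XSP/ASP.NET server must never hand out as static files
# (assumed list for this example; adjust to the deployment).
PROTECTED_EXTENSIONS = {".config", ".cs", ".vb", ".aspx", ".ashx", ".asmx"}

def canonical_path(raw_target):
    """Decode the target and strip trailing whitespace: 'Web.Config%20' -> 'Web.Config'."""
    decoded = unquote(urlsplit(raw_target).path)
    return decoded.rstrip(" \t\r\n")

def is_protected(path):
    """True when the canonical file name carries a protected extension."""
    name = path.rsplit("/", 1)[-1].lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in PROTECTED_EXTENSIONS

def hardened_lookup(raw_target):
    """Decision a fixed handler makes: apply the extension rule to the canonical
    name, never to the raw string, so a trailing space cannot bypass the handler."""
    canon = canonical_path(raw_target)
    return ("deny" if is_protected(canon) else "serve", canon)

def is_suspicious(raw_target):
    """Flag a request where only trailing whitespace separates the target
    from a protected file name (the CVE-2006-6104 request shape)."""
    decoded = unquote(urlsplit(raw_target).path)
    canon = canonical_path(raw_target)
    return canon != decoded and is_protected(canon)

# Common-log-format request line: client, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jan/2007:10:00:00 +0000] "GET /index.aspx HTTP/1.1" 200 512
10.0.0.9 - - [16/Jan/2007:10:00:01 +0000] "GET /Web.Config%20 HTTP/1.1" 200 1840
10.0.0.9 - - [16/Jan/2007:10:00:02 +0000] "GET /Default.aspx%20 HTTP/1.1" 200 3020
10.0.0.7 - - [16/Jan/2007:10:00:03 +0000] "GET /images/logo.png%20 HTTP/1.1" 404 0
"""

def flag_log(text):
    """Return (client, raw target, status) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits
```

A 200 status on a flagged line is the signal worth paging on: it means the unpatched server returned the file rather than refusing it.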

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mono users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/mono-1.2.2.1"

References
==========

[ 1 ] CVE-2006-6104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6104

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200701-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5