675039 – (CVE-2011-0467) VUL-0: CVE-2011-0467: Studio: SQL injections

Bug 675039 (CVE-2011-0467) - VUL-0: CVE-2011-0467: Studio: SQL injections

Summary: VUL-0: CVE-2011-0467: Studio: SQL injections

Status:	RESOLVED FIXED

Alias:	CVE-2011-0467

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	General (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Deadline:	2011-03-02
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle11:39125 maint:rele...
Keywords:	security

Depends on:
Blocks:

Clone This Bug

Reported:	2011-02-25 12:32 UTC by Thomas Biege
Modified:	2018-03-05 15:29 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Other
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Biege 2011-02-25 12:32:10 UTC

from bnc#571584

Matthias Weckbecker 2011-02-25 09:43:05 UTC

Andre, I haven't looked into the code in-depth, but doesn't

" +      SELECT #{options[:select]}"

... allow (if options[:select] is user-controllable) remote SQL-injections?
We could not see it getting sanitized anywhere at the first glance..
Thank you in advance.

Comment 1 Andre Duffeck 2011-02-25 13:59:39 UTC

Fixed with commit 4793c80965

Comment 4 Stanislav Visnovsky 2011-02-28 09:58:44 UTC

submitted request id 10919

Comment 6 Thomas Biege 2011-02-28 14:17:16 UTC

CVE-2011-0467

Comment 15 Swamp Workflow Management 2011-03-10 12:48:46 UTC

Update released for: kiwi, kiwi-debuginfo, kiwi-debugsource, kiwi-desc-isoboot, kiwi-desc-netboot, kiwi-desc-oemboot, kiwi-desc-usbboot, kiwi-desc-vmxboot, kiwi-desc-xenboot, kiwi-doc, kiwi-instsource, kiwi-pxeboot, kiwi-pxeboot-prebuild, kiwi-tools, susestudio, susestudio-clicfs, susestudio-common, susestudio-debuginfo, susestudio-debugsource, susestudio-kiwi-runner, susestudio-masquerade, susestudio-rmds, susestudio-testdrive, susestudio-thoth, susestudio-ui-server
Products:
SLE-STUDIOONSITE 1.0 (x86_64)

Comment 16 Swamp Workflow Management 2011-03-10 12:54:08 UTC

Update released for: susestudio, susestudio-clicfs, susestudio-common, susestudio-debuginfo, susestudio-debugsource, susestudio-kiwi-runner, susestudio-masquerade, susestudio-rmds, susestudio-testdrive, susestudio-thoth, susestudio-ui-server
Products:
SLE-STUDIOONSITE 1.1 (x86_64)

Comment 17 Ludwig Nussel 2011-03-10 16:10:33 UTC

all released