181339 – www-apps/egroupware wz_tooltips and ADOdb Unspecified Vulnerabilities

Bug 181339 - www-apps/egroupware wz_tooltips and ADOdb Unspecified Vulnerabilities

Summary: www-apps/egroupware wz_tooltips and ADOdb Unspecified Vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/25454/
Whiteboard:	B? [noglsa]
Keywords:

Depends on:	181529
Blocks:
	Show dependency tree

Reported:	2007-06-08 18:41 UTC by Lars Hartmann
Modified:	2007-07-14 21:24 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Lars Hartmann 2007-06-08 18:41:53 UTC

Description:
Some vulnerabilities with unknown impacts have been reported in eGroupWare.

The vulnerabilities are caused due to unknown errors in the wz_tooltips and ADOdb libraries. No further information is currently available.

The vulnerabilities are reported in version 1.2.106-2. Other versions may also be affected.

Solution:
Update to version 1.2.107-2 or 1.4.001.

Provided and/or discovered by:
Janosch Machowinski

Reproducible: Always

Comment 1 Lars Hartmann 2007-06-08 18:42:41 UTC

maintainers - please advice and bump as necessary

Comment 2 Renat Lumpau (RETIRED) gentoo-dev

2007-06-10 01:11:50 UTC

1.4.001 in the tree

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-06-10 07:54:59 UTC

Arches please test and mark stable. Target keywords are:

egroupware-1.4.001.ebuild:KEYWORDS="alpha amd64 hppa ppc ~sparc x86"

Comment 4 Jeroen Roovers (RETIRED) gentoo-dev

2007-06-10 14:52:49 UTC

I edited the reference to files/postinstall-en-1.2.txt in the ebuild so that the install doesn't fail (and committed the change to CVS) but I now find this in [Check installation] on the site:

PEAR::Net_Socket is needed by: FeLaMiMail. PEAR (pear.php.net) is a PHP repository and is usually in a package called php-pear.

However:

# qlop -lu PEAR-Net_Socket www-apps/egroupware-1.4
Sun Dec  3 23:38:02 2006 >>> dev-php/PEAR-Net_Socket-1.0.6-r1
Sun Jun 10 16:39:33 2007 >>> www-apps/egroupware-1.4.001
Sun Jun 10 16:46:56 2007 >>> dev-php/PEAR-Net_Socket-1.0.6-r1

http://pear.php.net/package/Net_Socket suggests there's a 1.0.8 with 1.0.6 being the latest in the tree. But maybe that doesn't solve the issue. I am just passing on the information as I find it.

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2007-06-10 14:56:15 UTC

(In reply to comment #4)
> PEAR::Net_Socket is needed by: FeLaMiMail. PEAR (pear.php.net) is a PHP
> repository and is usually in a package called php-pear.

That's incomplete, sorry. The full error message is:

Checking PEAR::Net_Socket is installed: False
PEAR::Net_Socket is needed by: FeLaMiMail. PEAR (pear.php.net) is a PHP repository and is usually in a package called php-pear.

Comment 6 Jeroen Roovers (RETIRED) gentoo-dev

2007-06-10 15:27:53 UTC

(In reply to comment #5)
> Checking PEAR::Net_Socket is installed: False
> PEAR::Net_Socket is needed by: FeLaMiMail. PEAR (pear.php.net) is a PHP
> repository and is usually in a package called php-pear.

This problem seems to have fixed itself. Stable for HPPA. This problem sticks:

  IUSE.invalid                   1
   www-apps/egroupware/egroupware-1.4.001.ebuild: ical

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2007-06-10 15:28:05 UTC

(In reply to comment #5)
> Checking PEAR::Net_Socket is installed: False
> PEAR::Net_Socket is needed by: FeLaMiMail. PEAR (pear.php.net) is a PHP
> repository and is usually in a package called php-pear.

This problem seems to have fixed itself. Stable for HPPA. This problem sticks:

  IUSE.invalid                   1
   www-apps/egroupware/egroupware-1.4.001.ebuild: ical

Comment 8 Raúl Porcel (RETIRED) gentoo-dev

2007-06-10 20:22:45 UTC

It doesn't depend on php either

alpha/x86 stable

Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev

2007-06-13 19:10:28 UTC

ppc stable

Comment 10 Lars Hartmann 2007-06-19 16:55:24 UTC

amd64 - please advice

Comment 11 Christoph Mende (RETIRED) gentoo-dev

2007-06-22 13:38:35 UTC

amd64 stable

Comment 12 Lars Hartmann 2007-06-23 06:32:32 UTC

this here is ready for glsa decision

Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-06-23 17:55:56 UTC

I tend to vote NO.

Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-06-25 17:06:46 UTC

Unspecified vulnerabilities with unknown impacts due to unknown errors

--> i vote no too. Feel freee to reopen if you disagree.