Bug 126435 - www-apps/horde - Unauthenticated Arbitrary File Read
Bug#: 126435
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: trivial
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: carlo@gentoo.org
Component: Vulnerabilities
URL: http://www.codescan.com/Advisories/CodeScanLabs_Horde.html
Summary: www-apps/horde - Unauthenticated Arbitrary File Read
Keywords:
Status Whiteboard: C4? [stable] DerCorny
Opened: 2006-03-16 08:29 0000
Although all versions of horde v3.09 and prior are vulnerable to this
attack, many distributions of PHP are not vulnerable by default.
This vulnerability was tested and exploited on a default Fedora Core 4
install, although several horde developers were unable to reproduce this
vulnerability on Debian based servers.
In the file /services/go.php, an insecure call is made to the readfile()
function.
http://www.codescan.com/Advisories/CodeScanLabs_Horde.html
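The advisory excerpt names the bug class but not the code: a script that hands request input to readfile() without confining it, so an unauthenticated visitor can read files outside the web root. The PHP below is an illustrative example added here by the editor; it is not Horde's services/go.php or any Horde code, and the function names, the query parameter and the directory layout are assumptions. It puts the vulnerable shape next to a hardened one that resolves the requested path with realpath() and refuses anything that does not land inside an allowed base directory (or that is a stream wrapper), so the check does not depend on php.ini settings such as open_basedir, which the excerpt above notes differ between distributions.

```php
<?php
// Illustrative example, NOT Horde's services/go.php. It demonstrates the
// readfile()-on-request-input bug class named in the advisory, beside a
// hardened variant. $base, the file names and the parameter are assumptions.
declare(strict_types=1);

// Vulnerable shape: whatever the client supplied reaches readfile() unchanged,
// so "../secret.txt", "/etc/passwd" or a "php://filter/..." wrapper is read back.
function serve_file_insecure(string $requested): string
{
    ob_start();
    @readfile($requested);
    return (string) ob_get_clean();
}

// Hardened shape: serve only regular files whose canonical path lies under $base.
function serve_file_hardened(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Refuse NUL bytes and any scheme:// prefix (php://, file://, data://, ...).
    if (strpos($requested, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $requested) === 1) {
        return null;
    }
    // realpath() collapses "../" segments and symlinks, so the prefix test below
    // is done on the canonical location rather than on the string the client sent.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare including the trailing separator, so that a sibling directory
    // such as "<base>2/" does not pass as being inside "<base>/".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return (string) file_get_contents($candidate);
}

// Constructed fixture: a throwaway web root with one public file, plus a
// "secret" file one level above it that must never be served.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'go_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/htdocs/help', 0700, true);
file_put_contents($tmp . '/htdocs/help/index.txt', "public help text\n");
file_put_contents($tmp . '/secret.txt', "db_password=hunter2\n");

$base      = $tmp . '/htdocs';
$traversal = '../secret.txt';

// The insecure function leaks secret.txt; the hardened one refuses it,
// still serves the legitimate file, and rejects the wrapper.
printf("insecure, traversal: %s", serve_file_insecure($base . '/' . $traversal));
printf("hardened, traversal: %s\n", var_export(serve_file_hardened($base, $traversal), true));
printf("hardened, legit:     %s", serve_file_hardened($base, 'help/index.txt'));
printf("hardened, wrapper:   %s\n",
    var_export(serve_file_hardened($base, 'php://filter/resource=/etc/passwd'), true));

// Remove the fixture.
unlink($tmp . '/htdocs/help/index.txt');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/htdocs/help');
rmdir($tmp . '/htdocs');
rmdir($tmp);
```

Run it with `php go_demo.php`. The important design point is that the allowlist is applied to the canonical path returned by realpath(), not to the client string: string-level filters for "../" are bypassable through encodings and symlinks, whereas a file that does not resolve under the base directory is rejected regardless of how the request spelled its name.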
arches, please test and mark stable - thank you.
What do you want stable?
Also switching from horde 2.x -> 3.x is a major upgrade, and all of the horde
framework apps must be upgraded as well since they won't work otherwise.
Damn, thanks for the heads-up. web-apps/vapier, please comment on what to do here:
Can you backport the fixes, or should we go for a stable of the whole framework?
Removing arches until it's sure what needs to be done.
The next horde series was added about a week ago, but if people are happy
with it, people can stabilize it.
Ok arches, please try to stable the whole horde 3.1 framework, thanks.
I was asked which packages need to go stable at the same time; vapier/spanky,
could you please provide a list? Thx.
All of the latest www-apps/horde-* basically.
I'm already testing them, but it takes time to configure them from scratch.
horde-3.1, horde-chora-2.0.1, horde-gollem-1.0.2, horde-imp-4.1,
horde-ingo-1.1, horde-kronolith-2.1, horde-mnemo-2.1, horde-nag-2.1,
horde-passwd-3.0, horde-turba-2.1 all need to go stable at once. Some apps
weren't stable before since they didn't exist for horde-2, so choose yourself;
for consistency I'd say go for all of them, though that requires a large amount
of extra testing.
Two notes worth mentioning: There's no longer any need to touch registry.php to
register apps; the GUI setup in horde does that nowadays (mentioned in the
horde eclass).
With respect to horde-turba, it has some sucky default for sources, namely
netcenter, which doesn't exist any more and gets initialized every time turba is
called without regard for usage, thus tries to connect to a non-existent LDAP
server, thus takes aaages to time out and makes it look like it's broken.
If someone could add a note to remove the netcenter source from
$WHERE_THINGS_ARE_INSTALLED/horde/turba/config/sources.php some people would be
grateful.
Had to bump gollem to 1.0.2 since the previous ones had some issues with horde
3.1 (and other bugs).
That being said, sparc stable.
/me rests.
I've been using these on both ppc and amd64, but I've only marked ppc stable
since I'm not on the amd64 team. :)
Works on x86 as best as I can tell. Stable on x86 :)
Ahem, just seeing the following on freshmeat:
Horde Application Framework 3.1.1
[..]
Release focus: Major security fixes
Changes:
A potential remote code execution hole has been fixed in the help viewer. This
hole is present in all Horde versions after 3.0. It is not present in 2.x and
earlier releases. Additional changes: export and synchronization of events
across daylight saving time changes has been fixed. The MySQL session handler
and support for Internet Explorer 7 and Opera Mini browsers have been improved.
Some minor bugs have been fixed.
We opened bug 127889 to track the Help Viewer vulnerability.
Un-CC'ing the remaining arches because 3.1.1 is supposed to become stable.
Adding #127889 as blocker for this, so that I remember to close this one as
soon as 3.1.1 is stable on amd64 and alpha.
GLSA 200604-02
Thanks everybody!