Bugzilla Bug 156627

Horde-Kronolith has an error in lib/FBView.php that allows an authenticated
attacker to include any local file to be parsed as php.

2.0.7 and 2.1.4 are the fixes, we have only the 2.1 series in portage, so a
bump to 2.1.4 would be the ticket.

2.1.4 in portage

arches please test and stable 2.1.4, thanks. (in the past horde stuff was
always a bastard to stable due to a shitload of deps, so watch out - I have no
clue if something else needs to go stable at the same time)

Stable on x86.

Stable on SPARC

Stable for HPPA.

ppc stable

Stable on Alpha.

Kronolith merges fine on amd64, but Apache seems unwilling to run in my chroot
without
segfaulting (never mind PHP, and even less so kronolith), so I can't claim
this is fully tested.  My regular (non-chroot) web server is too ~amd'd to be
able to test
this decently.

Gentoo Base System version 1.12.5
Portage 2.1.1-r1 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.4-r3,
2.6.15-gentoo-r72006040301 x86_64)
=================================================================
System uname: 2.6.15-gentoo-r72006040301 x86_64 AMD Athlon(tm) 64 Processor
3700+
Last Sync: Mon, 11 Dec 2006 21:50:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect confcache digest distlocks
metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo/"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://209.59.138.21/gentoo-portage"
USE="amd64 berkdb bitmap-fonts cli cracklib crypt cups dlloader dri elibc_glibc
fortran gdbm gpm iconv input_devices_evdev input_devices_keyboard
input_devices_mouse ipv6 isdnlog kernel_linux libg++ ncurses nls nptl nptlonly
pam pcre perl ppds pppd python readline reflection session spl ssl tcpd
truetype-fonts type1-fonts udev unicode userland_GNU video_cards_apm
video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus
video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint
video_cards_i128 video_cards_i810 video_cards_mga video_cards_neomagic
video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge
video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb
video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng
video_cards_v4l video_cards_vesa video_cards_vga video_cards_via
video_cards_vmware video_cards_voodoo xorg zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS

Dustin, any progress on this?  Thanks.

amd64 marked stable

padawan /vote no, authenticated attacker, local file ... not likely.

I tend to vote YES.

it looks like a B2/C2, because of this from the original advisory:

"could allow an authenticated web mail user to execute arbitrary PHP"

"will include local files that are supplied via the 'view' HTTP GET request
parameter."

despite the needed authentication, i vote Yes.  --> [glsa]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6175

GLSA 200701-11