Bug#: 213493
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Description:   Opened: 2008-03-15 13:59 0000
CVE-2008-1284 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1284):
  Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and
  Groupware Webmail Edition before 1.0.6, when running with certain
  configurations, allows remote authenticated users to read and execute
  arbitrary files via ".." sequences and a null byte in the theme name.

------- Comment #1 From Robert Buchholz 2008-03-15 14:03:07 0000 -------
=www-apps/horde-groupware-1.0.5 : In tree, ~arch only.
=www-apps/horde-webmail-1.0.6   : In tree, ~arch only.
=www-apps/horde-3.1.7           : In tree, we need this stable.

vapier, is that ok with you?

------- Comment #2 From SpanKY 2008-03-15 23:55:37 0000 -------
it's fine

------- Comment #3 From Tobias Scherbaum 2008-03-18 18:34:10 0000 -------
ppc stable, and adding arches ;)

------- Comment #4 From Jeroen Roovers 2008-03-18 19:19:42 0000 -------
Stable for HPPA.

------- Comment #5 From Raúl Porcel 2008-03-18 19:38:58 0000 -------
alpha/sparc/x86 stable

------- Comment #6 From Markus Meier 2008-03-21 11:44:14 0000 -------
amd64 stable (last arch)

------- Comment #7 From Peter Volkov 2008-03-21 20:34:12 0000 -------
Fixed in release snapshot.

------- Comment #8 From Robert Buchholz 2008-03-24 19:47:31 0000 -------
I vote yes together with bug 212635.

------- Comment #9 From Tobias Heinlein 2008-03-29 20:23:10 0000 -------
Voting YES, too.

------- Comment #10 From Pierre-Yves Rofes 2008-05-05 21:21:01 0000 -------
GLSA 200805-01
