Description: Gilberto Ficara has reported a security issue and some vulnerabilities in TeamSpeak, which can be exploited by malicious users to gain escalated privileges and by malicious people to conduct cross-site scripting attacks.

1) The problem is that it is possible for a Server Admin to grant certain privileges like "AccessWebAdminServer", "AdminAddServer", "AdminDeleteServer", "AdminStartServer", and "AdminStopServer" to registered users. This can be exploited to create, start, stop, or delete servers by creating a user and accessing certain administrative pages as this user directly. Successful exploitation requires Server Admin access to the application.

2) Input passed to the "error_title" and "error_text" parameters in error_box.html and to the "ok_title" parameter in ok_box.html is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation requires that the user is currently logged in.

The vulnerabilities are confirmed in version 2.0.20.1. Other versions may also be affected.

Solution: The vulnerabilities have reportedly been fixed in version 2.0.23.15 BETA. Filter malicious characters and character sequences in a web proxy. Grant only trusted users Super Admin privileges.

Reproducible: Always
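Added example, not part of the bug report or of TeamSpeak's code: one way to apply the "filter in a web proxy" advice for item 2, as a check that flags requests to the two named pages whose named parameters carry markup characters. The log format, the sample lines and the function names are assumptions made for illustration; only query-string parameters are inspected.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Pages and parameters named in the advisory.
WATCHED = {"error_box.html": {"error_title", "error_text"},
           "ok_box.html": {"ok_title"}}
# Strict filter: characters that can leave HTML text or attribute context.
MARKUP = re.compile(r"[<>\"']")
# Assumed common-log-format request line: client ... "METHOD target PROTO"
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*"')

# Constructed sample log lines (documentation addresses, harmless markup).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /error_box.html?error_title=%3Cb%3Ex%3C%2Fb%3E&error_text=ok HTTP/1.1" 200 512',
    '192.0.2.20 - - [01/Jan/2007:10:00:05 +0000] "GET /error_box.html?error_title=Login+failed HTTP/1.1" 200 498',
    '192.0.2.30 - - [01/Jan/2007:10:00:09 +0000] "GET /ok_box.html?ok_title=%253Ci%253E HTTP/1.1" 200 301',
    '192.0.2.40 - - [01/Jan/2007:10:00:12 +0000] "GET /index.html?error_title=%3Cb%3E HTTP/1.1" 200 900',
]

def suspicious_params(request_target):
    """Return sorted (param, decoded_value) pairs that carry markup characters."""
    parts = urlsplit(request_target)
    page = parts.path.rsplit("/", 1)[-1].lower()
    watched = WATCHED.get(page)
    if not watched:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in watched:
            continue
        for value in values:
            # parse_qs decoded once; decode again to catch double encoding.
            decoded = unquote(value)
            if MARKUP.search(decoded):
                hits.append((name, decoded))
    return sorted(hits)

def scan_access_log(lines):
    """Return (client, request_target, hits) for each flagged log line."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (hits := suspicious_params(m.group(2))):
            results.append((m.group(1), m.group(2), hits))
    return results

if __name__ == "__main__":
    for client, target, hits in scan_access_log(SAMPLE_LOG):
        print(client, target, hits)
```

The same `suspicious_params` check can drive a reject decision in a filtering proxy; because it also matches apostrophes, expect it to flag some legitimate messages.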
maintainers - please provide an updated ebuild
maintainers - please advise
maintainers please advise
maintainers - please advise and bump as necessary
No answer from maintainers. I propose we mask this one. Security, what is your opinion?
It is definitely unmaintained, so let's mask it. Maybe we can open a "who wants to maintain that package"-bug.
I vote mask GLSA.
I'm ok with masking - the product is definitely maintained, but it's closed source, so unless someone on our side is willing to handle it ...
Sound, last chance for a comment.
I think they got their chance.
Someone with the magic powers, please use them.
*** Bug 184926 has been marked as a duplicate of this bug. ***
From http://www.goteamspeak.com/:
TeamSpeak 2.0.23.19 with Security Patches Now Available
Written by Florence on August 02, 2007 21:29 CEST
Is that one also vulnerable?
http://www.teamspeak.com/index.php?page=newsarchive&id=18 According to this link, the most serious problem (privilege escalation) is fixed in the 2.0.23.19 release. I am a teamspeak user (I run a teamspeak server for a group of my friends), so I can bump and validate. I will work on it today/tomorrow as I can.
Bumped to 2.0.23.19 in CVS. I have also taken ownership of the package.
Someone with powers should release a GLSA
There is another release upcoming in a few days, which fixes more security issues - to be designated 2.0.23.22. I will bump in CVS when the package is released. See http://forum.teamspeak.com/showthread.php?t=38801 for details.
Martin, any news on the new version, or should we just get arches to mark the current one stable?
The new version hasn't been officially released yet. I'll check the forum and see if they've announced when they will; one possibility is that I could add the updated binary as a patch.
OK, my best reading of the situation is as follows: The issue originally reported is fixed in 2.0.23.19 (the version I bumped to), so there would be some value in stabilizing that. *HOWEVER*, they found another vulnerability (cross-site scripting, it seems) that potentially allows reading of arbitrary files on the server's filesystem, if the web management interface is enabled. So there's a 2.0.23.22 that should be officially packaged (it was released Aug 11), but I'm not sure when. The binaries have been published but not as an "official" release as of yet. If there is not an official release tomorrow (Aug 15), I'll work on an ebuild based on 2.0.23.19 that uses the official binary from 2.0.23.22. The binary is the only difference between the two releases.
Thx for the status Martin.
I have bumped to 2.0.23.22. This is not an official release, but this method of updating was recommended to their newsletter members. The ebuild downloads 2.0.23.19 (the last official packaged version) and overlays it with the 2.0.23.22 binary (which I hand-copied to distfiles-local). When an official 2.0.23.22 (or later) is released, I'll update the ebuild. Meanwhile, I think we should start testing/stabling this one.
Note: I have committed a 2.0.23.22-r1 which includes changelog.txt from the 2.0.23.22 directory for #189097. This replaces the previous 2.0.23.22 ebuild but the addition of changelog.txt is the only difference.
Thx Martin. x86 and amd64 please test and mark stable.
x86 stable
amd64 stable
This one is ready for GLSA vote. I vote NO.
IMHO the priv. escalation is not a real problem. As I understand it, it states that a Super admin has the power to screw up the system. I wouldn't call that a "vulnerability", but rather normal behaviour on almost every system :) And the resolution says "Grant only trusted users Super Admin privileges." Oh, really? :) The other vuln is a classic XSS, so voting NO too and closing without GLSA. Feel free to reopen if you disagree.