Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 156627

Summary: www-apps/horde-kronolith Local file inclusion (CVE-2006-6175)
Product: Gentoo Security Reporter: Matt Drew (RETIRED) <aetius>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=445
Whiteboard: B4/2? [glsa] DerCorny
Package list:
Runtime testing required: ---

Description Matt Drew (RETIRED) gentoo-dev 2006-11-29 09:00:44 UTC 
Horde-Kronolith has an error in lib/FBView.php that allows an authenticated attacker to include any local file to be parsed as php.
Comment 1 Matt Drew (RETIRED) gentoo-dev 2006-11-29 09:03:26 UTC 
2.0.7 and 2.1.4 are the fixes, we have only the 2.1 series in portage, so a bump to 2.1.4 would be the ticket.
Comment 2 SpanKY gentoo-dev 2006-12-02 11:50:28 UTC 
2.1.4 in portage
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-12-03 04:01:29 UTC 
arches please test and stable 2.1.4, thanks. (in the past horde stuff was always a bastard to stable due to a shitload of deps, so watch out - I have no clue if something else needs to go stable at the same time)
Comment 4 Andrej Kacian (RETIRED) gentoo-dev 2006-12-03 06:42:38 UTC 
Stable on x86.
Comment 5 Jason Wever (RETIRED) gentoo-dev 2006-12-03 16:04:05 UTC 
Stable on SPARC
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2006-12-03 21:00:50 UTC 
Stable for HPPA.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-04 10:26:49 UTC 
ppc stable
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2006-12-11 14:55:45 UTC 
Stable on Alpha.
Comment 9 Dustin J. Mitchell 2006-12-11 17:50:21 UTC 
Kronolith merges fine on amd64, but Apache seems unwilling to run in my chroot without
segfaulting (never mind PHP, and even less so kronolith), so I can't claim
this is fully tested.  My regular (non-chroot) web server is too ~amd'd to be able to test
this decently.

Gentoo Base System version 1.12.5
Portage 2.1.1-r1 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.4-r3, 2.6.15-gentoo-r72006040301 x86_64)
=================================================================
System uname: 2.6.15-gentoo-r72006040301 x86_64 AMD Athlon(tm) 64 Processor 3700+
Last Sync: Mon, 11 Dec 2006 21:50:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect confcache digest distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo/"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://209.59.138.21/gentoo-portage"
USE="amd64 berkdb bitmap-fonts cli cracklib crypt cups dlloader dri elibc_glibc fortran gdbm gpm iconv input_devices_evdev input_devices_keyboard input_devices_mouse ipv6 isdnlog kernel_linux libg++ ncurses nls nptl nptlonly pam pcre perl ppds pppd python readline reflection session spl ssl tcpd truetype-fonts type1-fonts udev unicode userland_GNU video_cards_apm video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint video_cards_i128 video_cards_i810 video_cards_mga video_cards_neomagic video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng video_cards_v4l video_cards_vesa video_cards_vga video_cards_via video_cards_vmware video_cards_voodoo xorg zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 10 Matt Drew (RETIRED) gentoo-dev 2007-01-12 18:31:18 UTC 
Dustin, any progress on this?  Thanks.
Comment 11 Simon Stelling (RETIRED) gentoo-dev 2007-01-14 02:31:53 UTC 
amd64 marked stable
Comment 12 Matt Drew (RETIRED) gentoo-dev 2007-01-14 17:28:27 UTC 
padawan /vote no, authenticated attacker, local file ... not likely.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-14 17:36:04 UTC 
I tend to vote YES.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-14 17:57:56 UTC 
it looks like a B2/C2, because of this from the original advisory:

"could allow an authenticated web mail user to execute arbitrary PHP"

"will include local files that are supplied via the 'view' HTTP GET request parameter."

despite the needed authentication, i vote Yes.  --> [glsa]
Comment 15 Matt Drew (RETIRED) gentoo-dev 2007-01-15 12:42:04 UTC 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6175
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-17 21:48:26 UTC 
GLSA 200701-11