
Bug 209960 (CVE-2008-0807)

Summary: www-apps/horde-turba < 2.1.7 Address Book Access rights not checked properly (CVE-2008-0807)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-02-13 04:55:08 UTC
Tomas Hoger from RedHat:
It was reported that turba does not properly check permissions on address books,
allowing users to modify addresses in other users' address books.  This problem
affects both shared and non-shared address books.  Knowing (or guessing) the
object_id seems to be sufficient to allow modification of other users' addresses.

More information can be found in the Debian bug report, which also contains some
proposed patches:

Upstream bug report:
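The access-control flaw described above, modelled as an added example (this is constructed illustration code, not Turba's source): a store that resolves a contact by its global object_id, shown once without any check on the enclosing address book (the reported behaviour) and once with the owner/share permission enforced before the write. The class and field names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AddressBook:
    """One address book: an owner, per-user share permissions, contacts keyed by object_id."""
    owner: str
    shared_with: dict = field(default_factory=dict)  # user -> set of permissions, e.g. {"read", "edit"}
    contacts: dict = field(default_factory=dict)     # object_id -> contact fields


class ContactStore:
    """Constructed stand-in for the address-book backend; object_ids are unique across all books."""

    def __init__(self):
        self.books = {}   # book name -> AddressBook
        self.index = {}   # object_id -> book name

    def add_contact(self, book, object_id, fields):
        self.books[book].contacts[object_id] = dict(fields)
        self.index[object_id] = book

    def update_unchecked(self, user, object_id, fields):
        # Reported behaviour: the object_id alone selects the row; nobody asks
        # whether `user` may edit the book that row belongs to.
        book = self.books[self.index[object_id]]
        book.contacts[object_id].update(fields)
        return True

    def can_edit(self, user, book):
        # Owner always may; other users only if the book is shared with "edit".
        return book.owner == user or "edit" in book.shared_with.get(user, set())

    def update_checked(self, user, object_id, fields):
        # Corrected behaviour: resolve the book first, then enforce the permission.
        book = self.books[self.index[object_id]]
        if not self.can_edit(user, book):
            raise PermissionError(f"{user} may not edit {object_id}")
        book.contacts[object_id].update(fields)
        return True


def build_store():
    """Constructed sample data: a private book and a shared book, both owned by alice."""
    store = ContactStore()
    store.books["alice_private"] = AddressBook(owner="alice")
    store.books["team"] = AddressBook(owner="alice", shared_with={"carol": {"read", "edit"}, "bob": {"read"}})
    store.add_contact("alice_private", "obj-1", {"name": "Dave", "email": "dave@example.org"})
    store.add_contact("team", "obj-2", {"name": "Erin", "email": "erin@example.org"})
    return store
```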
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-16 01:51:39 UTC
Turba 2.1.7 is out with the patches, final versions can also be found at Debian's.

Please bump.
Comment 2 SpanKY gentoo-dev 2008-02-17 02:02:43 UTC
horde-turba-2.1.7 is in the tree
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-02-18 04:26:50 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc release sparc x86"
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-02-19 09:42:21 UTC
Vapier, seems horde-webmail also ships a copy, please bump to 1.0.5.
Comment 5 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2008-02-20 19:27:56 UTC
sys-apps/baselayout- (unicode)

1. Emerges on SPARC64.
2. No collisions.
3. No tests

emerge --info:
Portage (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.17-gentoo-r8 sparc64)
System uname: 2.6.17-gentoo-r8 sparc64 sun4u
Timestamp of tree: Wed, 20 Feb 2008 01:16:01 +0000
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.7.9-r1, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.23-r3
CFLAGS="-O2 -mcpu=ultrasparc3 -pipe"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -mcpu=ultrasparc3 -pipe"
FEATURES="collision-protection distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTDIR_OVERLAY="/usr/local/portage /home/overlays/genkde4svn-dev"
USE="bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv isdnlog midi mudflap nls nptl nptlonly openmp pam pcre ppds pppd reflection session sparc spl tcpd test truetype-fonts type1-fonts unicode vhosts xorg" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbddeflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="dummy fbdev glint mach64 mga r128 radeon sunbw2 suncg14 suncg3 suncg6 sunffb sunleo tdfx v4l voodoo"
Comment 6 SpanKY gentoo-dev 2008-02-20 19:48:33 UTC
horde-webmail is updated in the tree now
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-21 07:06:01 UTC
(In reply to comment #6)
> horde-webmail is updated in the tree now

That is 1.0.5, only ~arch, so no need to mark stable.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-21 07:48:47 UTC
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-02-21 11:00:08 UTC
alpha/sparc stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-21 16:51:58 UTC
Stable for HPPA.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-22 13:59:33 UTC
ppc stable
Comment 12 Lars Hartmann 2008-02-24 09:07:11 UTC
can someone please add CVE-2008-0807 to the topic?
Comment 13 Steve Dibb (RETIRED) gentoo-dev 2008-02-25 19:34:51 UTC
amd64 stable
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-25 20:16:37 UTC
This one is ready for GLSA vote.
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 20:49:32 UTC
Fixed in release snapshot
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-26 20:38:26 UTC
I tend to vote NO.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-26 21:12:02 UTC
voting NO too, and closing.