Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 285052

Summary: <www-apps/horde-3.3.5, <www-apps/horde{-webmail,-groupware}-1.2.4: Multiple vulnerabilities (CVE-2009-{3236,3237})
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: web-apps, wrobel
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/36665/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-15 06:45:45 UTC 
From Secunia:

Some vulnerabilities have been reported in the Horde Application Framework, which can be exploited by malicious people to conduct script insertion and cross-site scripting attacks and by malicious users to compromise a vulnerable system.

1) An error within the form library when handling image form fields can be exploited to overwrite arbitrary local files.

Successful exploitation requires that an application uses the affected image fields (e.g. Ansel or Turba) and that the attacker has write permissions.

2) An error exists within the MIME Viewer library when rendering unknown text parts. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if malicious data is viewed.

3) The preferences system does not properly sanitise numeric preference types. This can be exploited to execute arbitrary HTML and script code in a user's browser session in contact of an affected site.

Webmail and Groupware are affected by #2 and #3.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-15 07:36:42 UTC 
(In reply to comment #0)
> Webmail and Groupware are affected by #2 and #3.
> 

Cancel that. Both are vulnerable to all three issues.

+*horde-3.3.5 (15 Sep 2009)
+
+  15 Sep 2009; Alex Legler <a3li@gentoo.org> +horde-3.3.5.ebuild:
+  Non-maintainer commit: Version bump for security bug 285052.
+
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-15 07:37:23 UTC 
Arches, please test and mark stable:
=www-apps/horde-3.3.5
Target keywords : "alpha amd64 hppa ppc sparc x86"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2009-09-15 14:15:46 UTC 
Stable for HPPA.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-16 15:02:56 UTC 
+*horde-webmail-1.2.4 (16 Sep 2009)
+
+  16 Sep 2009; Alex Legler <a3li@gentoo.org> -horde-webmail-1.0.8.ebuild,
+  -horde-webmail-1.1.3.ebuild, -horde-webmail-1.2.ebuild,
+  +horde-webmail-1.2.4.ebuild:
+  Non-maintainer commit: Version bump for security bug 285052. Removing
+  vulnerable versions. Adding USE condition on the patch in SRC_URI. Fixing
+  homepage, closes bug 257694.
+

+*horde-groupware-1.2.4 (16 Sep 2009)
+
+  16 Sep 2009; Alex Legler <a3li@gentoo.org> -horde-groupware-1.2.3.ebuild,
+  +horde-groupware-1.2.4.ebuild:
+  Non-maintainer commit: Version bump for security bug 285052. Removing
+  vulnerable version.
+
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-16 17:05:14 UTC 
x86 stable
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-18 14:29:00 UTC 
CVE-2009-3236 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3236):
  Unspecified vulnerability in the form library in Horde Application
  Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before
  1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before
  1.1.6 and 1.2 before 1.2.4; allows remote attackers, with privileges
  to write to the address book, to overwrite arbitrary files via
  crafted "image form fields."

CVE-2009-3237 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3237):
  Multiple cross-site scripting (XSS) vulnerabilities in Horde
  Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5;
  Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware
  Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote
  attackers to inject arbitrary web script or HTML via the (1) crafted
  number preferences that are not properly handled in the preference
  system (services/prefs.php), as demonstrated by the sidebar_width
  parameter; or (2) crafted unknown MIME "text parts" that are not
  properly handled in the MIME viewer library (config/mime_drivers.php).
Comment 7 Markus Meier gentoo-dev 2009-09-19 09:47:44 UTC 
amd64 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2009-09-22 14:02:06 UTC 
alpha/sparc stable
Comment 9 nixnut (RETIRED) gentoo-dev 2009-10-18 17:28:23 UTC 
ppc stable
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-18 17:34:33 UTC 
GLSA voting: yes
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-20 19:13:44 UTC 
YES too, request filed.
Comment 12 Tony Vroon (RETIRED) gentoo-dev 2009-11-06 13:38:32 UTC 
GLSA 200911-01