Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 372905 (CVE-2012-3313)

Summary: <www-apps/egroupware-1.8.004.20120613: multiple vulnerabilities (CVE-2010-{3313,3314})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 434040    
Bug Blocks: 284536    

Description GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:50:18 UTC 
CVE-2010-3314 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3314):
  Cross-site scripting (XSS) vulnerability in login.php in EGroupware
  1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and
  EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote
  attackers to inject arbitrary web script or HTML via the lang parameter.


Please punt the ancient 1.4.004 and provide an ebuild for the newest version which is already 1.8.001.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:56:57 UTC 
CVE-2010-3313 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3313):
  phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php
  in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before
  1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows
  remote attackers to execute arbitrary commands via shell metacharacters in
  the (1) aspell_path or (2) spellchecker_lang parameters.
Comment 2 Thomas Raschbacher gentoo-dev 2012-09-05 18:59:35 UTC 
None of those ebuilds are in the tree anymore (and have been for a while).

Imho you can close this bug.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-08 18:48:51 UTC 
Stabilization is being performed in bug 434040.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-15 01:06:24 UTC 
It looks like this was never re-rated after the addition of CVE-2010-3313. 

Filing a new GLSA request for this and bug 284536.
Comment 5 J. Roeleveld 2014-07-30 06:36:44 UTC 
This version is obsolete and no longer maintained by upstream.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:42:18 UTC 
This issue was resolved and addressed in
 GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml
by GLSA coordinator Sean Amoss (ackle).