
Bug 509920

Summary: www-apps/egroupware: Cross-Site Request Forgery Vulnerability (CVE-2014-{2987,2988})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: joost, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/58346/
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---
Deadline: 2017-07-05

Description Agostino Sarubbo gentoo-dev 2014-05-09 15:30:19 UTC
From ${URL} :

Description

A vulnerability has been reported in eGroupWare, which can be exploited by malicious people to conduct 
cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing proper 
validity checks to verify the requests. This can be exploited to e.g. create new admin users when a 
logged-in administrator visits a specially crafted web page.

Note: This further can be exploited to execute arbitrary commands.

The vulnerability is reported in versions prior to 1.8.007.20140506.


Solution:
Update to version 1.8.007.20140506.

Provided and/or discovered by:
The vendor credits High-Tech Bridge SA.

Original Advisory:
http://www.egroupware.org/changelog


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 22:47:04 UTC
CVE-2014-2988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2988):
  EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community
  Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows
  remote authenticated administrators to execute arbitrary PHP code via
  crafted callback values to the call_user_func PHP function, as demonstrated
  using the newsettings[system] parameter. NOTE: this can be exploited by
  remote attackers by leveraging CVE-2014-2987.

CVE-2014-2987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2987):
  Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware
  Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition
  before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote
  attackers to hijack the authentication of administrators for requests that
  (1) create an administrator user via an admin.uiaccounts.add_user action to
  index.php or (2) modify settings via the newsettings parameter in an
  admin.uiconfig.index action to index.php.  NOTE: vector 2 can be used to
  execute arbitrary PHP code by leveraging CVE-2014-2988.
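As an added example (not eGroupware's code, nor anything attached to this bug), the PHP sketch below puts the two defects described in the advisory and in the CVE texts above side by side: a settings handler that hands the request-controlled newsettings[system] string straight to call_user_func, and the same handler guarded by a per-session CSRF token plus an allowlist of callbacks. Apart from the newsettings[system] parameter and call_user_func, every function and field name is hypothetical, and the forged request is constructed for the demonstration.

```php
<?php
// Added illustration of the CVE-2014-2987 / CVE-2014-2988 pattern.
// Not eGroupware code; handler names and the session layout are hypothetical.
declare(strict_types=1);

// --- Vulnerable pattern ------------------------------------------------------
// Any page a logged-in admin visits can submit this request (no CSRF token is
// checked), and whatever string arrives in newsettings[system] is treated as a
// callable. That is the chain the CVE NOTE describes: CSRF (2987) reaches the
// unsafe callback (2988).
function vulnerable_save_settings(array $request): string
{
    $callback = $request['newsettings']['system'] ?? 'default_system_handler';
    return (string) call_user_func($callback, $request['newsettings']);
}

// --- Hardened pattern --------------------------------------------------------
// 1. Every state-changing request must carry a per-session secret that only a
//    form rendered by this application can contain.
// 2. The callback is looked up from a fixed allowlist by short name, so the
//    request can never name an arbitrary PHP function.
const SETTING_HANDLERS = [
    'default' => 'default_system_handler',
    'mail'    => 'mail_system_handler',
];

function csrf_token_for_session(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random token
    }
    return $session['csrf_token'];
}

function verify_csrf(array $session, array $request): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $request['csrf_token'] ?? '';
    // hash_equals gives a constant-time comparison; reject non-string input first
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

function hardened_save_settings(array $session, array $request): string
{
    if (!verify_csrf($session, $request)) {
        throw new RuntimeException('CSRF token missing or invalid');
    }
    $name = $request['newsettings']['system'] ?? 'default';
    if (!is_string($name) || !isset(SETTING_HANDLERS[$name])) {
        throw new InvalidArgumentException('unknown settings handler');
    }
    return (string) call_user_func(SETTING_HANDLERS[$name], $request['newsettings']);
}

function default_system_handler(array $settings): string { return 'default handler ran'; }
function mail_system_handler(array $settings): string    { return 'mail handler ran'; }

// --- Demonstration -----------------------------------------------------------
// Constructed request resembling a forged cross-site POST: no token, and the
// "callback" chosen by the attacker. json_encode is used here only so the demo
// stays harmless; the point is that the attacker picked which function ran.
$forged = ['newsettings' => ['system' => 'json_encode', 'x' => 1]];
echo "vulnerable: ", vulnerable_save_settings($forged), "\n";

$session = [];
$token   = csrf_token_for_session($session);

try {
    hardened_save_settings($session, $forged);
} catch (RuntimeException $e) {
    echo "hardened, forged request: ", $e->getMessage(), "\n";
}

// Same-origin form with the token and an allowlisted handler name: accepted.
$legit = ['csrf_token' => $token, 'newsettings' => ['system' => 'mail']];
echo "hardened, legitimate request: ", hardened_save_settings($session, $legit), "\n";

// Valid token but a callback name outside the allowlist: still rejected.
$bad = ['csrf_token' => $token, 'newsettings' => ['system' => 'system']];
try {
    hardened_save_settings($session, $bad);
} catch (InvalidArgumentException $e) {
    echo "hardened, bad callback: ", $e->getMessage(), "\n";
}
```

Run with `php example.php`; the first line shows the attacker-selected function executing, the remaining lines show the forged request and the off-list callback being refused while the tokenised, allowlisted request succeeds. The token must be tied to the session (here stored in the session array) and compared with hash_equals; checking only that the request originated from a logged-in browser is exactly what CSRF defeats.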
Comment 2 J. Roeleveld 2015-01-22 13:37:44 UTC
The mentioned version is not available in Portage.

Also:
1.8 is old and EOL.

14.1 has been out for a while and 14.2 RC1 has just been released.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 13:35:08 UTC
# Aaron Bauman <bman@gentoo.org> (30 Jun 2016)
# Unpatched security vulnerability per bug #509920.
# Removal in 30 days
www-apps/egroupware
Comment 4 J. Roeleveld 2016-07-06 18:13:06 UTC
Why are ALL egroupware versions now masked and marked for removal?

What is the reason for simply treecleaning egroupware when multiple version-bumps have been ignored for the past few years?

I stopped adding new versions to bug 461212 as there wasn't a single developer interested in adding them to the tree or even responding.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-07-07 12:03:59 UTC
No longer masked for removal, but retaining security mask.  No response from media-video project for updated ebuild or patches.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-07-07 12:04:24 UTC
(In reply to Aaron Bauman from comment #5)
> No longer masked for removal, but retaining security mask.  No response from
> media-video project for updated ebuild or patches.

web-apps project that is.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-07-17 12:27:32 UTC
(In reply to J. Roeleveld from comment #4)
> Why are ALL egroupware versions now masked and marked for removal?
> 
> What is the reason for simply treecleaning egroupware when multiple
> version-bumps have been ignored for the past few years?
> 
> I stopped adding new versions to bug 461212 as there wasn't a single
> developer interested in adding them to the tree or even responding.

Please have a look at the proxy-maintainer project.

https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-06-05 16:21:29 UTC
# Michał Górny <mgorny@gentoo.org> (05 Jun 2017)
# (on behalf of Treecleaner project)
# Unmaintained in Gentoo. Multiple versions behind upstream. Multiple
# security vulnerabilities. Removal in 30 days. Bug #509920.
www-apps/egroupware
Comment 9 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-07-05 10:45:42 UTC
commit 828139076827f50e43b62a88d038d1b092371618
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Wed Jul 5 12:23:14 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Wed Jul 5 12:35:17 2017

    www-apps/egroupware: Remove last-rited pkg, #509920
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-08-03 16:56:28 UTC
Nothing more for us to do here, unCC-ing to avoid cluttering search results.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-08-06 17:29:34 UTC
GLSA Vote: No