
Bug 538360 (CVE-2015-1431)

Summary: <www-apps/phpBB-3.1.10: two vulnerabilities (CVE-2015-{1431,1432})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: chewi, gentoo-bugzilla, kripton, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://wiki.phpbb.com/Release_Highlights/3.0.13
Whiteboard: B4 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-01-31 16:02:02 UTC
From ${URL} :

Security (CVE-2015-1431): CSS Injection via Relative Path Overwrite. Thanks to James Kettle for bringing this to our attention. See PHPBB3-13531.
Security (CVE-2015-1432): The ucp_pm_options form key is now properly validated. Thanks to FBNeal and lampsys who reported this independently. See PHPBB3-13526.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 18:25:48 UTC
CVE-2015-1432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1432):
  The message_options function in includes/ucp/ucp_pm_options.php in phpBB
  before 3.0.13 does not properly validate the form key, which allows remote
  attackers to conduct CSRF attacks and change the full folder setting via
  unspecified vectors.

CVE-2015-1431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1431):
  Cross-site scripting (XSS) vulnerability in includes/startup.php in phpBB
  before 3.0.13 allows remote attackers to inject arbitrary web script or HTML
  via vectors related to "Relative Path Overwrite."
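The CVE-2015-1432 entry above describes a state-changing form handler that did not check its anti-CSRF form key. The following is an added illustration of that class of defect and its fix, written for this bug page; it is not phpBB's own code. The function names (issue_form_key, check_form_key, message_options_vulnerable, message_options_hardened), the field names, and the secret are all hypothetical, and the "full folder" setting is modelled only as a generic integer preference.

```php
<?php
// Added example (not phpBB's code): a minimal per-form anti-CSRF token
// ("form key") with expiry, of the kind whose missing check CVE-2015-1432
// describes. All names and field keys here are hypothetical.
declare(strict_types=1);

const FORM_KEY_LIFETIME = 3600;   // seconds a token stays valid
const FORM_KEY_SECRET   = 'replace-with-a-per-installation-secret'; // placeholder

/** Issue a token bound to the user's session, the form name and a timestamp. */
function issue_form_key(string $session_id, string $form_name): array {
    $issued = time();
    $mac = hash_hmac('sha256', "$session_id|$form_name|$issued", FORM_KEY_SECRET);
    return ['creation_time' => $issued, 'form_token' => $mac];
}

/** Validate a submitted token; true only for a fresh, unmodified one. */
function check_form_key(string $session_id, string $form_name, array $post): bool {
    $issued = filter_var($post['creation_time'] ?? null, FILTER_VALIDATE_INT);
    $token  = $post['form_token'] ?? '';
    if ($issued === false || !is_string($token) || $token === '') {
        return false;                       // missing or malformed fields
    }
    $now = time();
    if ($issued > $now || $now - $issued > FORM_KEY_LIFETIME) {
        return false;                       // expired or from the future
    }
    $expected = hash_hmac('sha256', "$session_id|$form_name|$issued", FORM_KEY_SECRET);
    return hash_equals($expected, $token);  // constant-time comparison
}

// Vulnerable pattern: the preference changes on any POST carrying the fields,
// so a form on a third-party site submitted by a logged-in user is accepted.
function message_options_vulnerable(array $post, array &$user_settings): void {
    if (isset($post['fullfolder_act'])) {
        $user_settings['full_folder'] = (int) ($post['full_folder'] ?? 0);
    }
}

// Hardened pattern: the same handler refuses the request unless the form key,
// which a cross-site page cannot obtain, validates for this session and form.
function message_options_hardened(string $session_id, array $post, array &$user_settings): bool {
    if (!check_form_key($session_id, 'ucp_pm_options', $post)) {
        return false;   // treat as a forged request: log it and render an error page
    }
    if (isset($post['fullfolder_act'])) {
        $user_settings['full_folder'] = (int) ($post['full_folder'] ?? 0);
    }
    return true;
}

// Usage with constructed values: the token issued when rendering the form
// comes back in hidden fields; a cross-site form has no way to include it.
$session  = 'sess-constructed-123';
$settings = ['full_folder' => 0];
$fields   = issue_form_key($session, 'ucp_pm_options');
$genuine  = $fields + ['fullfolder_act' => '1', 'full_folder' => '2'];
$forged   = ['fullfolder_act' => '1', 'full_folder' => '2'];

var_dump(message_options_hardened($session, $genuine, $settings)); // accepted
var_dump(message_options_hardened($session, $forged, $settings));  // rejected
```

The token is an HMAC over the session id, the form name and the issue time, so it cannot be reused across sessions or forms, and the expiry bounds how long a leaked token stays useful; hash_equals keeps the comparison constant-time. The check has to run before any write, which is the ordering the vulnerable handler gets wrong.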
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-15 22:50:04 UTC
web-apps: Can we get an updated ebuild please?
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-10-22 13:16:15 UTC
Latest release upstream: 3.1.10 (2016-10-12)
Latest release currently in tree: 3.0.12

Seems the package is no longer maintained and hasn't been touched since Git migration.
Comment 4 James Le Cuirot gentoo-dev 2016-11-27 21:12:12 UTC
I've just seen the p.mask mail about this one. I think removing this would be very unfortunate. 3.1.10 is the latest but the 3.0 series is still maintained upstream, the latest being 3.0.14, which isn't far off 3.0.12. The three ebuilds currently in the tree are practically identical because 3.0 only sees security fixes now. A simple rename bump would almost certainly be sufficient.

It's worth noting that although the 3.1 series obviously hasn't been addressed, it's a bit late in the day to add it now. 3.2.0 is at RC1 so any renewed Gentoo effort may as well start there.

I still use 3.0 myself but unlike the other two web-apps I manage through Portage, this is one I handle manually. It's for a forum that sees less than one post a month now and I only keep it going for nostalgia. I'm therefore not looking to take this package on and I'm already swamped. I just thought I should speak up.
Comment 5 Pacho Ramos gentoo-dev 2016-11-28 21:27:10 UTC
Personally, I don't think web-apps people will oppose you taking it and updating the version :/
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-04 00:40:06 UTC
There's a PR which adds https://github.com/gentoo/gentoo/pull/2969 v3.1.10. I talked with the user and he isn't really interested in proxy-maintaining this package (he doesn't even use it). So I am suggesting to reject the PR and continue with the scheduled removal.

BTW: v3.0.x will be EOL from 2017-01-01, see https://www.phpbb.com/community/viewtopic.php?f=14&t=2373956 ... so our scheduled removal date will match.
Comment 7 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-12-04 01:15:11 UTC
(In reply to Thomas Deutschmann from comment #6)
> There's a PR which adds https://github.com/gentoo/gentoo/pull/2969 v3.1.10.
> I talked with the user and he isn't really interested in proxy-maintaining
> this package (he doesn't even use it). So I am suggesting to reject the PR
> and continue with the scheduled removal.

I'm going to have a look at that. If I can setup a test environment, I'll push a new version and take over maintenance.
Comment 8 Pacho Ramos gentoo-dev 2016-12-31 13:50:09 UTC
any updates on this?
Comment 9 James Le Cuirot gentoo-dev 2016-12-31 16:59:19 UTC
(In reply to Pacho Ramos from comment #8)
> any updates on this?

I spent 10 minutes just now installing 3.1.10 from the PR, configuring with PostgreSQL, and making a post. It all worked fine. Is that enough to keep it? It's evidently a very low maintenance package if it required literally no changes (aside from EAPI) between 3.0 and 3.1.
Comment 10 Pacho Ramos gentoo-dev 2017-01-02 16:26:54 UTC
Simply go ahead, push the PR to the main tree to get this bug solved and that will be more than enough for keeping it ;)
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-02 17:01:17 UTC
(In reply to Pacho Ramos from comment #10)
> Simply go ahead, push the PR to the main tree to get this bug solved and
> that will be more than enough for keeping it ;)

NO! Please see my comment #6. This bug has already been open for 2 years and nobody has fixed it. The user who submitted the PR has no interest in proxy-maintaining the package.

We should stop giving potential users the wrong feeling that this package is somehow maintained in Gentoo.

So please only take action if you are really going to care. Otherwise please continue with tree cleaning...
Comment 12 James Le Cuirot gentoo-dev 2017-01-02 21:57:37 UTC
I'll take it on if I have to. But you'll need to wait a few days, I'm away right now.
Comment 13 James Le Cuirot gentoo-dev 2017-01-07 21:34:41 UTC
3.1.10 is now in the tree and 3.0.x is now removed. Security team, please do your thing.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-08 20:59:19 UTC
New GLSA request to inform users about dropping package to ~ARCH created.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:26:42 UTC
This issue was resolved and addressed in GLSA 201701-25 at https://security.gentoo.org/glsa/201701-25 by GLSA coordinator Aaron Bauman (b-man).