Bug 126435 - www-apps/horde - Unauthenticated Arbitrary File Read
Summary: www-apps/horde - Unauthenticated Arbitrary File Read
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://www.codescan.com/Advisories/Co...
Whiteboard: C4? [stable] DerCorny
Keywords:
Depends on: 127889
Blocks:
Reported: 2006-03-16 08:29 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-04-04 11:54 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Carsten Lohrke (RETIRED) gentoo-dev 2006-03-16 08:29:30 UTC
Although all versions of horde v3.09 and prior are vulnerable to this
attack, many distributions of PHP are not vulnerable by default.
This vulnerability was tested and exploited on a default Fedora Core 4
install, although several horde developers were unable to reproduce this
vulnerability on Debian based servers.

In the file /services/go.php, an insecure call is made to the readfile()
function.

http://www.codescan.com/Advisories/CodeScanLabs_Horde.html
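The pattern the advisory describes, as an added illustration that is not Horde's own go.php: the request parameter name `url`, the function names and the sample inputs are assumptions. The insecure handler hands untrusted input straight to readfile(); the hardened variant only accepts absolute http/https targets and redirects instead of reading anything server-side.

```php
<?php
// Added example, not Horde's code. The 'url' parameter and helper names
// are assumptions chosen for illustration.

// Insecure pattern: untrusted input reaches readfile() unchecked, so a
// local filesystem path is read and returned to an unauthenticated client.
function serveTargetInsecure(array $get): void
{
    $target = $get['url'] ?? '';
    readfile($target);   // arbitrary file read when $target is a local path
}

// Hardened variant: validate first, then redirect rather than fetch.
function validateRedirectTarget(string $target): ?string
{
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;   // relative or local path: reject
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;   // file://, ftp:// and other schemes: reject
    }
    if (preg_match('/[\r\n]/', $target)) {
        return null;   // keep CR/LF out of the Location header
    }
    return $target;
}

function serveTargetHardened(array $get): void
{
    $target = validateRedirectTarget((string) ($get['url'] ?? ''));
    if ($target === null) {
        http_response_code(400);
        echo 'Invalid redirect target';
        return;
    }
    header('Location: ' . $target);
}

// Constructed self-check of the validator when run from the CLI.
if (PHP_SAPI === 'cli') {
    $cases = [
        'https://example.org/page'      => true,
        '/local/path/to/some/file'      => false,
        'file:///local/path/to/file'    => false,
        'ftp://example.org/file'        => false,
    ];
    foreach ($cases as $input => $expectValid) {
        $ok = (validateRedirectTarget($input) !== null) === $expectValid;
        echo ($ok ? 'PASS ' : 'FAIL ') . $input . PHP_EOL;
    }
}
```

Run with `php example.php` to see each constructed case reported as PASS; the insecure function is included only to show the shape of the call the advisory flags.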
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-16 08:39:43 UTC
arches, please test and mark stable - thank you.
Comment 2 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-16 09:11:25 UTC
What do you want stable?
Also switching from horde 2.x -> 3.x is a major upgrade, and all of the horde framework apps must be upgraded as well since they won't work otherwise.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-16 09:18:00 UTC
Damn, thanks for the heads-up. Web-apps/vapier please comment what to do here: Can you backport the fixes or should we go for a stable of the whole framework?

Removing arches until it's sure what needs to be done.
Comment 4 SpanKY gentoo-dev 2006-03-16 20:30:52 UTC
the next horde series was added about a week ago, but if people are happy with it, people can stabilize it
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-17 02:08:00 UTC
Ok arches, please try to stable the whole horde 3.1 framework, thanks.
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-20 09:56:36 UTC
I was asked which packages need to go stable at the same time, vapier/spanky could you please provide a list? thx.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-20 09:59:22 UTC
All of the latest www-apps/horde-* basically.
I'm already testing them, but it takes time to configure them from scratch.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-20 14:16:25 UTC
horde-3.1, horde-chora-2.0.1, horde-gollem-1.0.2, horde-imp-4.1, horde-ingo-1.1, horde-kronolith-2.1, horde-mnemo-2.1, horde-nag-2.1, horde-passwd-3.0, horde-turba-2.1 all need to go stable at once. Some apps weren't stable before since they didn't exist for horde-2 so choose yourself, for consistency I'd say go for all of them - though that requires a big amount of extra testing.
Two notes worth mentioning: There's no longer need to touch registry.php to register apps, the GUI setup on horde does that nowadays (mentioned in the horde eclass).
With respect to horde-turba, it has some sucky default for sources, namely netcenter that doesn't exist any more and gets initialized every time turba is called without regard for usage, thus tries to connect to a non-existent LDAP server, thus takes aaages to timeout and makes it look like it's broken.
If someone could add a note to remove the netcenter source from $WHERE_THINGS_ARE_INSTALLED/horde/turba/config/sources.php some people would be grateful.
Had to bump gollem to 1.0.2 since the previous ones had some issues with horde 3.1 (and other bugs).
That being said, sparc stable.
/me rests.
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2006-03-24 22:21:33 UTC
I've been using these on both ppc and amd64, but I've only marked ppc stable since I'm not on the amd64 team. :)
Comment 10 Mark Loeser (RETIRED) gentoo-dev 2006-03-27 18:36:12 UTC
Works on x86 as best as I can tell. Stable on x86 :)
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2006-03-28 09:38:31 UTC
hppa stable.
Comment 12 Carsten Lohrke (RETIRED) gentoo-dev 2006-03-28 11:54:51 UTC
Ahem, just seeing the following on freshmeat:

Horde Application Framework 3.1.1

[..]

Release focus: Major security fixes

Changes:
A potential remote code execution hole has been fixed in the help viewer. This hole is present in all Horde versions after 3.0. It is not present in 2.x and earlier releases. Additional changes: export and synchronization of events across daylight saving time changes has been fixed. The MySQL session handler and support for Internet Explorer 7 and Opera Mini browsers have been improved. Some minor bugs have been fixed.

Comment 13 Jule Slootbeek 2006-03-28 11:57:45 UTC
We opened bug 127889 to track the Help Viewer vulnerability
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-28 17:08:12 UTC
Un-CC'ing the remaining arches because 3.1.1 is supposed to become stable. Adding #127889 as blocker for this, so that I remember to close this one as soon as 3.1.1 is stable on amd64 and alpha.
Comment 15 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-04 11:54:23 UTC
GLSA 200604-02

Thanks everybody!