Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 136830 - www-apps/horde: 3.x, 2.x, XSS vuln (CVE-2006-2195)
Summary: www-apps/horde: 3.x, 2.x, XSS vuln (CVE-2006-2195)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B4 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-06-14 15:43 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-07-03 12:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-14 15:43:26 UTC
see DSA 1098-1 & DSA 1099-1
Michael Marek discovered that the Horde web application framework performs
insufficient input sanitising, which might lead to the injection of web
script code through cross-site scripting.

i don't know if there is a similar bug in the secret area, but there was no movement since the DSA was emitted, so maybe not, so i have decided to fill it.

There is not any upstream official fixed version, but a debian patch is avaible: (careful, the patch also concerns other bugfixes, included bug 127889 ).
http://security.debian.org/pool/updates/main/h/horde3/horde3_3.0.4-4sarge4.diff.gz
http://security.debian.org/pool/updates/main/h/horde2/horde2_2.2.8-1sarge3.diff.gz
Comment 1 Luca Longinotti (RETIRED) gentoo-dev 2006-06-15 08:44:53 UTC
I've made a patch, based off the Debian 3.1.1-3 patchset (where they fixed it) and checked Horde's CVS too for confirmation.
Patch available at http://overlays.gentoo.org/dev/chtekk/browser/horde/www-apps/horde/files/horde-3.1.1-xss.diff?rev=4&format=txt
Updated ebuild available at http://overlays.gentoo.org/dev/chtekk/browser/horde/www-apps/horde/horde-3.1.1-r1.ebuild?format=raw
This also requires a minor change to the horde.eclass, since it patches test.php, in the horde.eclass test.php is chmod'ed 000 before the patches are applied, which leads epatch to fail with a permissions error. The simple solution is just to invert the order: first apply all needed patches, then chmod 000 test.php.
Updated eclass can be found at http://overlays.gentoo.org/dev/chtekk/browser/horde/eclass/horde.eclass?format=raw
Best regards, CHTEKK.
Comment 2 Luca Longinotti (RETIRED) gentoo-dev 2006-06-15 08:47:51 UTC
Added vapier (the maintainer) to CC.
Best regards, CHTEKK.
Comment 3 Luca Longinotti (RETIRED) gentoo-dev 2006-06-15 11:43:28 UTC
Updated ebuild is in the tree as www-apps/horde-3.1.1-r1, ready to be marked stable.
Best regards, CHTEKK.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-15 11:49:43 UTC
Thx Luca.

Arches please test and mark stable.
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-15 12:08:58 UTC
ppc stable
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-16 15:08:46 UTC
sparc stable.
Comment 7 René Nussbaumer (RETIRED) gentoo-dev 2006-06-17 02:18:47 UTC
stable on hppa
Comment 8 Joshua Jackson (RETIRED) gentoo-dev 2006-06-19 21:55:19 UTC
x86 done
Comment 9 Thomas Cort (RETIRED) gentoo-dev 2006-06-20 10:29:17 UTC
alpha and amd64 stable.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-21 05:03:38 UTC
Heya it's done then, time to make a glsa decision. Find a voting booth and then insert your ballot in the urn :

__|__
|   |
|___|

I vote a half-yes-ballot and i won't be worried if you vote no.
Comment 11 Wolf Giesen (RETIRED) gentoo-dev 2006-06-21 05:14:44 UTC
Unless we somehow agree to put a marker "web apps are generally unsafe" somewhere prominent and change policy accordingly, I vote 'yes', too, without enthusiasm, of course.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-21 05:16:43 UTC
> Unless we somehow agree to put a marker "web apps are generally unsafe"
> somewhere prominent and change policy accordingly, 

that sounds a rather good idea as for me

Comment 13 Wolf Giesen (RETIRED) gentoo-dev 2006-06-21 05:47:17 UTC
Alternate solution (I _guess_ that's how it was done with phpBB) is to hardmask stuff that hits > n GLSAs per 3 months, where n needs to be determined.
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-21 09:22:47 UTC
i hate XSS stuff - but we issued a GLSA for something like this in the past and debian issued an advisory, too: So i tend to a very weak yes here
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-22 04:17:11 UTC
let's have a glsa then :(
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-28 21:56:21 UTC
GLSA 200606-28