Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 156627 - www-apps/horde-kronolith Local file inclusion (CVE-2006-6175)
Summary: www-apps/horde-kronolith Local file inclusion (CVE-2006-6175)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B4/2? [glsa] DerCorny
Depends on:
Reported: 2006-11-29 09:00 UTC by Matt Drew (RETIRED)
Modified: 2007-01-17 21:48 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matt Drew (RETIRED) gentoo-dev 2006-11-29 09:00:44 UTC
Horde-Kronolith has an error in lib/FBView.php that allows an authenticated attacker to include any local file to be parsed as php.
Comment 1 Matt Drew (RETIRED) gentoo-dev 2006-11-29 09:03:26 UTC
2.0.7 and 2.1.4 are the fixes, we have only the 2.1 series in portage, so a bump to 2.1.4 would be the ticket.
Comment 2 SpanKY gentoo-dev 2006-12-02 11:50:28 UTC
2.1.4 in portage
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-12-03 04:01:29 UTC
arches please test and stable 2.1.4, thanks. (in the past horde stuff was always a bastard to stable due to a shitload of deps, so watch out - I have no clue if something else needs to go stable at the same time)
Comment 4 Andrej Kacian (RETIRED) gentoo-dev 2006-12-03 06:42:38 UTC
Stable on x86.
Comment 5 Jason Wever (RETIRED) gentoo-dev 2006-12-03 16:04:05 UTC
Stable on SPARC
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2006-12-03 21:00:50 UTC
Stable for HPPA.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-04 10:26:49 UTC
ppc stable
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2006-12-11 14:55:45 UTC
Stable on Alpha.
Comment 9 Dustin J. Mitchell 2006-12-11 17:50:21 UTC
Kronolith merges fine on amd64, but Apache seems unwilling to run in my chroot without
segfaulting (never mind PHP, and even less so kronolith), so I can't claim
this is fully tested.  My regular (non-chroot) web server is too ~amd'd to be able to test
this decently.

Gentoo Base System version 1.12.5
Portage 2.1.1-r1 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.4-r3, 2.6.15-gentoo-r72006040301 x86_64)
System uname: 2.6.15-gentoo-r72006040301 x86_64 AMD Athlon(tm) 64 Processor 3700+
Last Sync: Mon, 11 Dec 2006 21:50:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
CFLAGS="-O2 -pipe"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
FEATURES="autoconfig collision-protect confcache digest distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="amd64 berkdb bitmap-fonts cli cracklib crypt cups dlloader dri elibc_glibc fortran gdbm gpm iconv input_devices_evdev input_devices_keyboard input_devices_mouse ipv6 isdnlog kernel_linux libg++ ncurses nls nptl nptlonly pam pcre perl ppds pppd python readline reflection session spl ssl tcpd truetype-fonts type1-fonts udev unicode userland_GNU video_cards_apm video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint video_cards_i128 video_cards_i810 video_cards_mga video_cards_neomagic video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng video_cards_v4l video_cards_vesa video_cards_vga video_cards_via video_cards_vmware video_cards_voodoo xorg zlib"

Comment 10 Matt Drew (RETIRED) gentoo-dev 2007-01-12 18:31:18 UTC
Dustin, any progress on this?  Thanks.
Comment 11 Simon Stelling (RETIRED) gentoo-dev 2007-01-14 02:31:53 UTC
amd64 marked stable
Comment 12 Matt Drew (RETIRED) gentoo-dev 2007-01-14 17:28:27 UTC
padawan /vote no, authenticated attacker, local file ... not likely.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-14 17:36:04 UTC
I tend to vote YES.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-14 17:57:56 UTC
it looks like a B2/C2, because of this from the original advisory:

"could allow an authenticated web mail user to execute arbitrary PHP"

"will include local files that are supplied via the 'view' HTTP GET request parameter."

despite the needed authentication, i vote Yes.  --> [glsa]
Comment 15 Matt Drew (RETIRED) gentoo-dev 2007-01-15 12:42:04 UTC
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-17 21:48:26 UTC
GLSA 200701-11