Bug 209960 (CVE-2008-0807) - www-apps/horde-turba < 2.1.7 Address Book access rights not checked properly (CVE-2008-0807)
Status: RESOLVED FIXED
Alias: CVE-2008-0807
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Reported: 2008-02-13 04:55 UTC by Robert Buchholz (RETIRED)
Modified: 2008-02-26 21:12 UTC (History)
Description Robert Buchholz (RETIRED) gentoo-dev 2008-02-13 04:55:08 UTC
Tomas Hoger from RedHat:
It was reported that turba does not properly check permissions on address books,
allowing users to modify addresses in other users' address books.  This problem
affects both shared and non-shared address books.  Knowing (or guessing) the
object_id seems to be sufficient to allow modification of other users' addresses.

More information can be found in the Debian bug report, which also contains some
proposed patches:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058

Upstream bug report:
http://bugs.horde.org/ticket/?id=6208
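The defect class described in the report, as an added illustration (Python rather than Turba's PHP, and not the project's code): an edit path that locates a contact by object_id alone is shown beside one that first checks the caller's rights on the selected address book and then confirms the object_id actually belongs to that book. AddressBook, Store, the PERM_* bits and the sample data are all constructed for this example.

```python
# Added illustration, not Turba's own code: AddressBook, Store, PERM_* and the
# sample data are constructed here to show the defect class described above.
from dataclasses import dataclass, field

PERM_READ, PERM_EDIT = 1, 2  # permission bits granted to users of a shared book

@dataclass
class AddressBook:
    owner: str
    shares: dict = field(default_factory=dict)   # user -> permission bits
    entries: dict = field(default_factory=dict)  # object_id -> contact dict

    def can_edit(self, user: str) -> bool:
        return user == self.owner or bool(self.shares.get(user, 0) & PERM_EDIT)

class Store:
    def __init__(self) -> None:
        self.books = {}  # book name -> AddressBook
        self.index = {}  # object_id -> book name (global lookup table)

    def add(self, book: str, object_id: str, contact: dict) -> None:
        self.books[book].entries[object_id] = contact
        self.index[object_id] = book

    def edit_vulnerable(self, user: str, object_id: str, changes: dict) -> bool:
        # Finds the contact from object_id alone; the caller's rights on the
        # book that actually holds it are never consulted (the bug pattern).
        book = self.books[self.index[object_id]]
        book.entries[object_id].update(changes)
        return True

    def edit_checked(self, user: str, book_name: str, object_id: str,
                     changes: dict) -> bool:
        book = self.books.get(book_name)
        if book is None or not book.can_edit(user):
            return False  # caller may not edit this book
        if object_id not in book.entries:
            return False  # object_id lives in some other book: reject
        book.entries[object_id].update(changes)
        return True

def build_sample() -> Store:
    s = Store()
    s.books["alice"] = AddressBook(owner="alice")
    s.books["bob"] = AddressBook(owner="bob", shares={"alice": PERM_READ})
    s.add("alice", "obj-1", {"name": "Carol"})
    s.add("bob", "obj-2", {"name": "Dave"})
    return s
```

With the sample data, a read-only share on Bob's book lets the unchecked path rewrite obj-2, while the checked path refuses it both through Bob's book (no edit bit) and through Alice's own book (the id is not hers).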
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-16 01:51:39 UTC
Turba 2.1.7 is out with the patches, final versions can also be found at Debian's.

Please bump.
Comment 2 SpanKY gentoo-dev 2008-02-17 02:02:43 UTC
horde-turba-2.1.7 is in the tree
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-02-18 04:26:50 UTC
Arches, please test and mark stable:
=www-apps/horde-turba-2.1.7
Target keywords : "alpha amd64 hppa ppc release sparc x86"
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-02-19 09:42:21 UTC
Vapier, seems horde-webmail also ships a copy, please bump to 1.0.5.
http://cvs.horde.org/diff.php/groupware/docs/webmail/CHANGES?r1=1.12.2.1&r2=1.12.2.2&ty=h
Comment 5 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2008-02-20 19:27:56 UTC
sys-apps/baselayout-1.12.11.1 (unicode)

1. Emerges on SPARC64.
2. No collisions.
3. No tests

emerge --info:
Comment 6 SpanKY gentoo-dev 2008-02-20 19:48:33 UTC
horde-webmail is updated in the tree now
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-21 07:06:01 UTC
(In reply to comment #6)
> horde-webmail is updated in the tree now

That is 1.0.5, only ~arch, so no need to mark stable.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-21 07:48:47 UTC
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-02-21 11:00:08 UTC
alpha/sparc stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-21 16:51:58 UTC
Stable for HPPA.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-22 13:59:33 UTC
ppc stable
Comment 12 Lars Hartmann 2008-02-24 09:07:11 UTC
can someone please add CVE-2008-0807 to the topic?
Comment 13 Steve Dibb (RETIRED) gentoo-dev 2008-02-25 19:34:51 UTC
amd64 stable
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-25 20:16:37 UTC
This one is ready for GLSA vote.
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 20:49:32 UTC
Fixed in release snapshot
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 20:38:26 UTC
I tend to vote NO.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-26 21:12:02 UTC
voting NO too, and closing.