Bug 501908 (CVE-2014-2027) - <www-apps/egroupware-1.8.004.20120613: remote code execution via php unserialize (CVE-2014-2027)
Summary: <www-apps/egroupware-1.8.004.20120613: remote code execution via php unserial...
Status: RESOLVED FIXED
Alias: CVE-2014-2027
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Deadline: 2017-07-05
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-20 16:07 UTC by Agostino Sarubbo
Modified: 2017-11-14 15:33 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-02-20 16:07:07 UTC
From ${URL} :

I have discovered a remote code execution via php unserialize in egroupware
<= 1.8.005.
Can you please assign a CVE for this vulnerability?

The full report can be obtained from my repo in
https://github.com/pedrib/PoC/raw/master/egroupware-1.8.005.txt

The changelog can be seen at http://www.egroupware.org/changelog and new
versions can be obtained from http://www.egroupware.org/download

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Comment 1 J. Roeleveld 2014-07-30 06:38:00 UTC
This version is obsolete and no longer maintained by upstream.
Comment 2 J. Roeleveld 2015-01-22 13:39:36 UTC
There is no version available in Portage that matches ">1.8.005"

Also:
1.8 is old and EOL.

14.1 has been out for a while and 14.2 RC1 has just been released.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-06-17 17:29:21 UTC
CVE-2014-2027 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2027):
  eGroupware before 1.8.006.20140217 allows remote attackers to conduct PHP
  object injection attacks, delete arbitrary files, and possibly execute
  arbitrary code via the (1) addr_fields or (2) trans parameter to
  addressbook/csv_import.php, (3) cal_fields or (4) trans parameter to
  calendar/csv_import.php, (5) info_fields or (6) trans parameter to
  csv_import.php in (a) projectmanager/ or (b) infolog/, or (7) processed
  parameter to preferences/inc/class.uiaclprefs.inc.php.
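The CVE text above names request parameters that are passed straight to unserialize() as the injection point. As an added illustration that is not eGroupware's own code, the following hypothetical PHP shows that vulnerable pattern beside a hardened form; the function names, the field-mapping shape and the sample inputs are assumptions for the example.

```php
<?php
// Added example, not eGroupware code: the bug class behind CVE-2014-2027.
// A CSV import form hands its column mapping back to the server as a
// serialized PHP string (the "trans"/"addr_fields" parameters named in the
// CVE). Function names and the mapping shape are assumed for illustration.

// Vulnerable pattern: unserialize() on request data instantiates whatever
// class the client names, so any loaded class with a __wakeup()/__destruct()
// that touches files or state becomes reachable (PHP object injection).
function load_mapping_unsafe(string $raw): array
{
    $fields = unserialize($raw);
    return is_array($fields) ? $fields : [];
}

// Hardened form: refuse objects entirely (PHP >= 7.0 allowed_classes) and
// then check the shape we expect, a flat list of column-name strings.
function load_mapping_safe(string $raw): array
{
    $fields = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($fields)) {
        throw new InvalidArgumentException('mapping must be a serialized array');
    }
    foreach ($fields as $key => $value) {
        // Disallowed classes arrive as __PHP_Incomplete_Class objects, which
        // fail is_string(); the regex also rejects odd column names.
        if (!is_string($value) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $value)) {
            throw new InvalidArgumentException("bad column name at index $key");
        }
    }
    return array_values($fields);
}

// Constructed inputs: a legitimate mapping and one that smuggles an object.
$legit   = serialize(['n_fn', 'email', 'tel_work']);
$hostile = 'a:1:{i:0;O:8:"stdClass":0:{}}';

var_dump(load_mapping_safe($legit));   // array of the three column names
try {
    load_mapping_safe($hostile);       // rejected before any class is instantiated
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Replacing the serialized transport with JSON (json_decode with assoc=true) removes the object-injection surface altogether and is the preferable fix where the format can be changed.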
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-06-05 16:21:31 UTC
# Michał Górny <mgorny@gentoo.org> (05 Jun 2017)
# (on behalf of Treecleaner project)
# Unmaintained in Gentoo. Multiple versions behind upstream. Multiple
# security vulnerabilities. Removal in 30 days. Bug #509920.
www-apps/egroupware
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-07-05 10:45:40 UTC
commit 828139076827f50e43b62a88d038d1b092371618
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Wed Jul 5 12:23:14 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Wed Jul 5 12:35:17 2017

    www-apps/egroupware: Remove last-rited pkg, #509920
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-11-12 22:41:34 UTC
This issue was resolved and addressed in
 GLSA 201711-12 at https://security.gentoo.org/glsa/201711-12
by GLSA coordinator Christopher Diaz Riveros (chrisadr).
Comment 7 Tomáš Mózes 2017-11-13 05:14:06 UTC
# glsa-check -v -t all
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.4/glsa-check", line 345, in <module>
    if myglsa.isVulnerable():
  File "/usr/lib64/python3.4/site-packages/gentoolkit/glsa/__init__.py", line 683, in isVulnerable
    or (None != getMinUpgrade([v,], path["unaff_atoms"]))
  File "/usr/lib64/python3.4/site-packages/gentoolkit/glsa/__init__.py", line 411, in getMinUpgrade
    u_installed = reduce(operator.add, [match(u, "vartree") for u in unaffectedList], [])
  File "/usr/lib64/python3.4/site-packages/gentoolkit/glsa/__init__.py", line 411, in <listcomp>
    u_installed = reduce(operator.add, [match(u, "vartree") for u in unaffectedList], [])
  File "/usr/lib64/python3.4/site-packages/gentoolkit/glsa/__init__.py", line 347, in match
    return db.match(atom)
  File "/usr/lib64/python3.4/site-packages/portage/dbapi/vartree.py", line 574, in match
    origdep, mydb=self, use_cache=use_cache, settings=self.settings)
  File "/usr/lib64/python3.4/site-packages/portage/dbapi/dep_expand.py", line 35, in dep_expand
    mydep = Atom(mydep, allow_repo=True)
  File "/usr/lib64/python3.4/site-packages/portage/dep/__init__.py", line 1270, in __init__
    raise InvalidAtom(self)
portage.exception.InvalidAtom: >=www-apps/egroupware-
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-14 15:33:24 UTC
In future we'd like to ask you to file a separate bug for problems with GLSAs (we have a component of our own for that, and comments in already closed bugs have a chance of going undetected).

The reported problem was fixed via https://gitweb.gentoo.org/data/glsa.git/commit/?id=5734ba55387c6cf49565c6c096a4be4ee2b65de5