Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 640548 (CVE-2017-16854, CVE-2017-16921) - <www-apps/otrs-5.0.25: Multiple vulnerabilities (CVE-2017-{16854,16921})
Summary: <www-apps/otrs-5.0.25: Multiple vulnerabilities (CVE-2017-{16854,16921})
Status: RESOLVED FIXED
Alias: CVE-2017-16854, CVE-2017-16921
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-12-10 16:30 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-02 19:12 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-12-10 16:30:10 UTC
CVE-2017-16921 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16921):
  In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including
  5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged
  into OTRS as an agent can manipulate form parameters (related to PGP) and
  execute arbitrary shell commands with the permissions of the OTRS or web
  server user.

CVE-2017-16854 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16854):
  In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5
  through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a
  customer can use the ticket search form to disclose internal article
  information of their customer tickets.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-10 16:31:00 UTC
@Maintainers please let us know when tree is clean.

Thank you
Comment 2 Stefan G. Weichinger 2018-01-02 16:44:25 UTC
I don't see otrs-packages smaller than www-apps/otrs-5.0.25 in portage right now.

I have a working otrs-5.0.26.ebuild here (same as 5.0.25) and I am preparing a first otrs-6.0.3.ebuild. Unfortunately the upgrade from 5.x to 6.x needs some steps that I still have to script in a way.
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-01-02 19:10:15 UTC
CVE-2017-16854 is fixed via https://github.com/OTRS/otrs/commit/8748d040058695fda5c9cfcb2a78d8947ed4188d which is present in >=www-apps/otrs-5.0.25.

CVE-2017-16921 is fixed via https://github.com/OTRS/otrs/commit/d433518d7bd8e9e079af67ef9ea7079cd2f59646 which is present in >=www-apps/otrs-5.0.25.
Comment 4 Larry the Git Cow gentoo-dev 2018-01-02 19:12:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b65a13b5515413ad93155a165a9029a884804eef

commit b65a13b5515413ad93155a165a9029a884804eef
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-02 19:11:16 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-02 19:11:52 +0000

    www-apps/otrs: Security cleanup
    
    Bug: https://bugs.gentoo.org/640548
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 www-apps/otrs/Manifest           |   1 -
 www-apps/otrs/otrs-5.0.23.ebuild | 154 ---------------------------------------
 2 files changed, 155 deletions(-)}
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-01-02 19:12:40 UTC
Repository is now clean, all done.