php-horde-crypt: CVE-2017-7413 CVE-2017-7414

Debian Bug report logs - #859635
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 5 Apr 2017 12:30:02 UTC

Severity: grave

Tags: security, upstream

Found in version php-horde-crypt/2.7.5-1

Fixed in version php-horde-crypt/2.7.5-2

Done: Mathieu Parent <sathieu@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#859635; Package src:php-horde-crypt. (Wed, 05 Apr 2017 12:30:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Wed, 05 Apr 2017 12:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-horde-crypt: CVE-2017-7413 CVE-2017-7414
Date: Wed, 05 Apr 2017 14:26:51 +0200
Source: php-horde-crypt
Version: 2.7.5-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerabilities were published for php-horde-crypt.

CVE-2017-7413[0]:
| In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition
| through 5.2.17, OS Command Injection can occur if the attacker is an
| authenticated Horde Webmail user, has PGP features enabled in their
| preferences, and attempts to encrypt an email addressed to a
| maliciously crafted email address.

CVE-2017-7414[1]:
| In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition
| 5.x through 5.2.17, OS Command Injection can occur if the user has PGP
| features enabled in the user's preferences, and has enabled the "Should
| PGP signed messages be automatically verified when viewed?" preference.
| To exploit this vulnerability, an attacker can send a PGP signed email
| (that is maliciously crafted) to the Horde user, who then must either
| view or preview it.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7413
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7413
[1] https://security-tracker.debian.org/tracker/CVE-2017-7414
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7414

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
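Both CVEs above are the same bug class: a value the user controls (a recipient address on the encrypt path, and, per the fix changelog later in this log, charset data, which this example assumes is the value reaching the automatic signature-verification path) is spliced into the shell command line used to drive gpg. The following PHP is an added illustration and is not Horde_Crypt's code; the function names, the gpg option layout and the sample inputs are assumptions made for this example. It only builds the command that would be run and never executes gpg, so it runs offline.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class behind CVE-2017-7413 / CVE-2017-7414.
// Not Horde_Crypt's code: function names, option layout and sample inputs
// are assumptions. Nothing here executes gpg.

/**
 * Vulnerable shape: user-controlled recipients and charset are concatenated
 * into a shell command string unescaped. Any shell metacharacter in them
 * (';', '|', '$(', backticks, newline) becomes shell syntax.
 */
function buildGpgCommandUnsafe(string $gpg, array $recipients, string $charset): string
{
    $cmd = $gpg . ' --batch --armor --encrypt --charset ' . $charset;
    foreach ($recipients as $r) {
        $cmd .= ' --recipient ' . $r;
    }
    return $cmd;
}

/**
 * Fixed shape, in the spirit of the changelog's "escape user provided
 * recipients and charset data": every user-derived token goes through
 * escapeshellarg(), so the shell receives it as one literal argument.
 */
function buildGpgCommandSafe(string $gpg, array $recipients, string $charset): string
{
    $cmd = escapeshellarg($gpg) . ' --batch --armor --encrypt --charset ' . escapeshellarg($charset);
    foreach ($recipients as $r) {
        $cmd .= ' --recipient ' . escapeshellarg($r);
    }
    return $cmd;
}

/**
 * Preferred shape where the runtime allows it: proc_open() accepts an argv
 * array since PHP 7.4, so no shell is involved and there are no quoting
 * rules to get wrong. The returned array is what would be passed as the
 * $command argument of proc_open().
 */
function buildGpgArgv(string $gpg, array $recipients, string $charset): array
{
    $argv = [$gpg, '--batch', '--armor', '--encrypt', '--charset', $charset];
    foreach ($recipients as $r) {
        $argv[] = '--recipient';
        $argv[] = $r;
    }
    return $argv;
}

/**
 * Defence in depth, not a replacement for escaping: drop recipients that are
 * not syntactically email addresses before they reach the command builder.
 * FILTER_VALIDATE_EMAIL still accepts quoted local parts, so metacharacters
 * can survive this check; escaping or argv passing remains mandatory.
 */
function filterRecipients(array $recipients): array
{
    return array_values(array_filter(
        $recipients,
        static fn(string $r): bool => filter_var($r, FILTER_VALIDATE_EMAIL) !== false
    ));
}

// Constructed sample input: one honest recipient, one "recipient" carrying a
// second shell command, and a charset preference value of the same shape.
$recipients = ['alice@example.org', 'bob@example.org; id > /tmp/injected'];
$charset    = 'UTF-8; id >> /tmp/injected';

echo "unsafe:   ", buildGpgCommandUnsafe('/usr/bin/gpg', $recipients, $charset), "\n";
echo "escaped:  ", buildGpgCommandSafe('/usr/bin/gpg', $recipients, $charset), "\n";
echo "filtered: ", json_encode(filterRecipients($recipients)), "\n";
echo "argv:     ", json_encode(buildGpgArgv('/usr/bin/gpg', $recipients, $charset)), "\n";
```

In the "unsafe" line the `; id > /tmp/injected` fragments sit outside any quotes and would be run as separate commands by the shell; in the "escaped" line the same bytes are inside single quotes and reach gpg as the literal recipient and charset strings (gpg then simply fails to find such a key). The argv form never touches a shell at all. The difference between the two CVEs is only where the value comes from: for CVE-2017-7413 the attacker must be the sending user, while for CVE-2017-7414 the attacker supplies a message and the victim only has to view or preview it with automatic verification enabled, which is why the second one is the more serious of the pair.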



Reply sent to Mathieu Parent <sathieu@debian.org>:
You have taken responsibility. (Wed, 03 May 2017 05:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 03 May 2017 05:51:06 GMT)


Message #10 received at 859635-close@bugs.debian.org:

From: Mathieu Parent <sathieu@debian.org>
To: 859635-close@bugs.debian.org
Subject: Bug#859635: fixed in php-horde-crypt 2.7.5-2
Date: Wed, 03 May 2017 05:48:26 +0000
Source: php-horde-crypt
Source-Version: 2.7.5-2

We believe that the bug you reported is fixed in the latest version of
php-horde-crypt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859635@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sathieu@debian.org> (supplier of updated php-horde-crypt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 May 2017 07:15:32 +0200
Source: php-horde-crypt
Binary: php-horde-crypt
Architecture: source all
Version: 2.7.5-2
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sathieu@debian.org>
Description:
 php-horde-crypt - ${phppear:summary}
Closes: 859635
Changes:
 php-horde-crypt (2.7.5-2) unstable; urgency=medium
 .
   * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
     CVE-2017-7414 (Closes: #859635)
Checksums-Sha1:
 6440ba3bbe64b6c7fe3a27a036535c6732d8525a 2113 php-horde-crypt_2.7.5-2.dsc
 c997ede496d161dd5ea7723620f204dca6b0d6a7 3516 php-horde-crypt_2.7.5-2.debian.tar.xz
 08dc3d3d3380cc23c25633eaf54ca27c243320e7 111882 php-horde-crypt_2.7.5-2_all.deb
 215cc74074f098742812c0cc22374fd19b808b47 6225 php-horde-crypt_2.7.5-2_amd64.buildinfo
Checksums-Sha256:
 8f98db7d046de2ed8b0f4372e074d6d1de9fd1e64ddf940021f787816bf01c85 2113 php-horde-crypt_2.7.5-2.dsc
 7d8f0be8e7aa45d5f6fe2a0a1bf47c525a1593098cfa893db4bb4e53ae6e41f0 3516 php-horde-crypt_2.7.5-2.debian.tar.xz
 85f4eedea48712e8c878454a3d1fbcbd9869c22887ca4c8bdf7f516ad8b3938b 111882 php-horde-crypt_2.7.5-2_all.deb
 389d9c679971c780ed9b0c1bc382c5d222eeb2231e193851605e4fdfcce8e4bc 6225 php-horde-crypt_2.7.5-2_amd64.buildinfo
Files:
 39dc9ebd1654a6f8e7f57743dc4e03f1 2113 php extra php-horde-crypt_2.7.5-2.dsc
 693d7743709c91d5f0a0ca693d467f8d 3516 php extra php-horde-crypt_2.7.5-2.debian.tar.xz
 6ce6614c053bee5891b51b9e51a38c14 111882 php extra php-horde-crypt_2.7.5-2_all.deb
 01d61d04a68b34c9555029f3d8167b42 6225 php extra php-horde-crypt_2.7.5-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 31 May 2017 07:25:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:57:40 2019; Machine Name: buxtehude
