Debian Bug report logs -
#737149
CVE-2014-1691: Remote code execution in horde < 5.1.1
Reported by: Micah Anderson <micah@debian.org>
Date: Thu, 30 Jan 2014 17:03:02 UTC
Severity: serious
Tags: security
Found in version horde3/3.3.8+debian0-2
Fixed in version horde3/3.3.8+debian0-3
Done: Micah Anderson <micah@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#737149; Package horde3.
(Thu, 30 Jan 2014 17:03:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Micah Anderson <micah@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
(Thu, 30 Jan 2014 17:03:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: horde3
Version: 3.3.8+debian0-2
Severity: serious
Tags: security
Justification: security issue
Hello,
As detailed on the debian security tracker[0] and reported on oss-sec[1] and assigned CVE 2014-1691, there is a remote code execution bug in horde affecting all versions from at least horde 3.1.x to 5.1.1.
That includes squeeze... I've got a patch that applies to the horde3 package in squeeze that resolves this issue, please find it attached[2]... I've built and tested these packages on Squeeze in an active environment. I am not certain where this particular code is used, so I wasn't sure if I was able to test exactly that code path.
If you would like, I can provide a package for squeeze for a DSA.
Micah
0. https://security-tracker.debian.org/tracker/CVE-2014-1691
1. http://seclists.org/oss-sec/2014/q1/153
2. https://gist.github.com/pietro/8712454/raw/b03bc5ecb7ec1f1f778b867ecd6d9d142d0ddaf7/gistfile1.diff
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages horde3 depends on:
ii apache2 2.4.7-1
ii apache2-bin [httpd] 2.4.7-1
ii libapache2-mod-php5 5.5.8+dfsg-3
ii libjs-scriptaculous 1.9.0-2
ii php-log 1.12.7-1
ii php-mail 1.2.0-5
ii php-mail-mime 1.8.8-1
ii php5-gd 5.5.8+dfsg-3
ii php5-mcrypt 5.5.8+dfsg-3
Versions of packages horde3 recommends:
pn fckeditor <none>
ii locales 2.17-97
ii logrotate 3.8.7-1
pn php-date <none>
ii php-db 1.7.14-2
pn php-file <none>
ii php-mdb2 2.5.0b5-1
pn php-mdb2-driver-mysql | php-mdb2-driver-pgsql | php-mdb2-driv <none>
pn php-services-weather <none>
ii php5-cli 5.5.8+dfsg-3
pn php5-mysql | php5-pgsql | php5-ldap <none>
pn tinymce2 | tinymce <none>
Versions of packages horde3 suggests:
pn chora2 <none>
pn enscript <none>
ii gettext 0.18.3.2-1
pn gollem <none>
pn imp4 <none>
pn kronolith4 <none>
ii libgeoip1 1.6.0-1
pn libwpd-tools <none>
pn mnemo2 <none>
pn php-net-imap <none>
pn php5-auth-pam <none>
ii php5-common [php5-mhash] 5.5.8+dfsg-3
pn ppthtml <none>
pn rpm <none>
pn source-highlight <none>
pn turba2 <none>
pn unrtf <none>
pn webcpp <none>
pn wv <none>
pn xlhtml <none>
-- Configuration Files:
/etc/horde/horde3/.htaccess [Errno 13] Permission denied: u'/etc/horde/horde3/.htaccess'
/etc/horde/horde3/conf.php [Errno 13] Permission denied: u'/etc/horde/horde3/conf.php'
/etc/horde/horde3/conf.xml [Errno 13] Permission denied: u'/etc/horde/horde3/conf.xml'
/etc/horde/horde3/hooks.php [Errno 13] Permission denied: u'/etc/horde/horde3/hooks.php'
/etc/horde/horde3/mime_drivers.php [Errno 13] Permission denied: u'/etc/horde/horde3/mime_drivers.php'
/etc/horde/horde3/motd.php [Errno 13] Permission denied: u'/etc/horde/horde3/motd.php'
/etc/horde/horde3/nls.php [Errno 13] Permission denied: u'/etc/horde/horde3/nls.php'
/etc/horde/horde3/prefs.php [Errno 13] Permission denied: u'/etc/horde/horde3/prefs.php'
/etc/horde/horde3/registry.d/README [Errno 13] Permission denied: u'/etc/horde/horde3/registry.d/README'
/etc/horde/horde3/registry.php [Errno 13] Permission denied: u'/etc/horde/horde3/registry.php'
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#737149; Package horde3.
(Thu, 30 Jan 2014 17:21:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
(Thu, 30 Jan 2014 17:21:08 GMT) (full text, mbox, link).
Message #10 received at 737149@bugs.debian.org (full text, mbox, reply):
On Thu, Jan 30, 2014 at 12:00:10PM -0500, Micah Anderson wrote:
> Package: horde3
> Version: 3.3.8+debian0-2
> Severity: serious
> Tags: security
> Justification: security issue
>
> Hello,
>
> As detailed on the debian security tracker[0] and reported on oss-sec[1] and assigned CVE 2014-1691, there is a remote code execution bug in horde affecting all versions from at least horde 3.1.x to 5.1.1.
>
> That includes squeeze... I've got a patch that applies to the horde3 package in squeeze that resolves this issue, please find it attached[2]... I've built and tested these packages on Squeeze in an active environment. I am not certain where this particular code is used, so I wasn't sure if I was able to test exactly that code path.
>
> If you would like, I can provide a package for squeeze for a DSA.
2. https://gist.github.com/pietro/8712454/raw/b03bc5ecb7ec1f1f778b867ecd6d9d142d0ddaf7/gistfile1.diff
Yes, please upload a fixed oldstable package with the patch
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#737149; Package horde3.
(Thu, 30 Jan 2014 17:51:08 GMT) (full text, mbox, link).
Acknowledgement sent
to micah <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.
(Thu, 30 Jan 2014 17:51:08 GMT) (full text, mbox, link).
Message #15 received at 737149@bugs.debian.org (full text, mbox, reply):
Moritz Mühlenhoff <jmm@inutil.org> writes:
> On Thu, Jan 30, 2014 at 12:00:10PM -0500, Micah Anderson wrote:
>> Package: horde3
>> Version: 3.3.8+debian0-2
>> Severity: serious
>> Tags: security
>> Justification: security issue
>>
>> Hello,
>>
>> As detailed on the debian security tracker[0] and reported on oss-sec[1] and assigned CVE 2014-1691, there is a remote code execution bug in horde affecting all versions from at least horde 3.1.x to 5.1.1.
>>
>> That includes squeeze... I've got a patch that applies to the horde3 package in squeeze that resolves this issue, please find it attached[2]... I've built and tested these packages on Squeeze in an active environment. I am not certain where this particular code is used, so I wasn't sure if I was able to test exactly that code path.
>>
>> If you would like, I can provide a package for squeeze for a DSA.
>
> 2. https://gist.github.com/pietro/8712454/raw/b03bc5ecb7ec1f1f778b867ecd6d9d142d0ddaf7/gistfile1.diff
>
> Yes, please upload a fixed oldstable package with the patch
Done.
Reply sent
to Micah Anderson <micah@debian.org>:
You have taken responsibility.
(Sat, 08 Feb 2014 12:21:10 GMT) (full text, mbox, link).
Notification sent
to Micah Anderson <micah@debian.org>:
Bug acknowledged by developer.
(Sat, 08 Feb 2014 12:21:10 GMT) (full text, mbox, link).
Message #20 received at 737149-close@bugs.debian.org (full text, mbox, reply):
Source: horde3
Source-Version: 3.3.8+debian0-3
We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 737149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Micah Anderson <micah@debian.org> (supplier of updated horde3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 30 Jan 2014 11:43:09 -0500
Source: horde3
Binary: horde3 pear-horde-channel
Architecture: source all
Version: 3.3.8+debian0-3
Distribution: squeeze-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Micah Anderson <micah@debian.org>
Description:
horde3 - horde web application framework
pear-horde-channel - pear.horde.org channel
Closes: 737149
Changes:
horde3 (3.3.8+debian0-3) squeeze-security; urgency=high
.
* Fix for CVE-2014-1691 (Closes: #737149)
Checksums-Sha1:
317fc812034106856ed78e273786b313d3cd2bf0 2188 horde3_3.3.8+debian0-3.dsc
abe1e1926a3abc5fb0fa1290101b31db34732870 7669669 horde3_3.3.8+debian0.orig.tar.gz
e9de20e633c1a39c25820a3aff2815d73d611496 30733 horde3_3.3.8+debian0-3.diff.gz
034d5a6c63dc5b5cacad50434370de883cb12cc9 7706792 horde3_3.3.8+debian0-3_all.deb
fca1b7d19503d940735c66d859625958bbd0e180 16664 pear-horde-channel_3.3.8+debian0-3_all.deb
Checksums-Sha256:
cf47380ad913bab77aca648d59b5698edaa4c06315b13c350880d3404ca90a24 2188 horde3_3.3.8+debian0-3.dsc
456f598e8fd46f622d0e33ea3da236d122795c6b1185d1185f0219a94f61528e 7669669 horde3_3.3.8+debian0.orig.tar.gz
c3a24684c517645d6ffb843d5f9a3e67aa38578533505b830889ffbb7113dd8f 30733 horde3_3.3.8+debian0-3.diff.gz
a1d910b1b5f7e9b64b770733338498faa43e8a2896178c080a8feee45f411730 7706792 horde3_3.3.8+debian0-3_all.deb
cd4a247b2664e997c50f81378a917709f55df86772d0baedb4bdf790be160c04 16664 pear-horde-channel_3.3.8+debian0-3_all.deb
Files:
098b6dea25e27142d12244b603e9fcf2 2188 web optional horde3_3.3.8+debian0-3.dsc
0372e36ffbce0a30c51e266ecd27195b 7669669 web optional horde3_3.3.8+debian0.orig.tar.gz
bea24d6587106235a5f226ee22e3b14b 30733 web optional horde3_3.3.8+debian0-3.diff.gz
1aa746a99bfed1ff3264ff0b1a9c784b 7706792 web optional horde3_3.3.8+debian0-3_all.deb
ba963ccd993bf4a9ad70384d166b890c 16664 web optional pear-horde-channel_3.3.8+debian0-3_all.deb
-----BEGIN PGP SIGNATURE-----
iQJ8BAEBCgBmBQJS6uk8XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ0Nzc3NTM1RkU1NDcxNTYyNjI2MDc3QjU4
Q0JGOUEzMjI4NjFBNzkwAAoJEIy/mjIoYaeQ1iwP/irmMIATgaeffomLtjxTlt1G
/0UPGSpZlQb7n9U194W1n++bjyfkEvz5KpzfeayzOYwpjVS/143I0i8o9JLpkkXz
iyzj72FYeH0E7Ewq9OfY3OF0EG47jTAkfWDyQR1P7OHMzisIenfHbRj3ghJqpGc7
O6a1iu66I08CpLQyPjhAKhjNH9rrYQYu9mLUXQmEzxAZEdqdVIHQi/JQNjkHKsTV
5FYism539N9o6nblYSH/NXmbIdNuOghOIePfMIqIOyCzdZZuNYrVz5rLHDDRB3cw
A6ofks4Sj0OXrFCwu6/iXHVT7Yw02/HkM+ymnatJ0/4MmokHJXtWr8aLR6RWgomh
888sv1TiEKLp/y+3zi4VgGz6RIV8da9n/NDMhSimH+vHfC4B+N2BNWjQzuCdrxGk
ktZBbrLpBrpvckcfUL61SvR9Gd3tg/jb9ANh4F6z++vNvFewGT93YCFPtTEUb9L/
8RKSQIC9njbPq3hb/obVp8EcgpgxoaVyfS6cSO2VHTqCRmvp74OuZPvXrwBlLMKL
t42ejTXpYuvuawwJQU66NPjR46lFGDm2vOQMYa1SOT+RLfztp15LxkG8H2GOlHde
zPA4rB1y/M50TgoZ6bZ4Z/adIUthfZfNdMikt2YMAwYBjo2erjYNWhPGCT1jLJwS
Lf9gIuuTIwR3IePaSpZi
=BPaK
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 09 Mar 2014 07:30:20 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:34:50 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon