Debian Bug report logs - #332289
permissions on /etc/horde/horde3/* are too lax


Package: horde3; Maintainer for horde3 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Mike O'Connor <stew@vireo.org>

Date: Wed, 5 Oct 2005 17:33:02 UTC

Severity: critical

Tags: security

Found in version horde3/3.0.5-1

Fixed in versions horde3/3.0.5-2, horde3/3.0.4-4sarge1

Done: Ola Lundqvist <opal@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Ola Lundqvist <opal@debian.org>:
Bug#332289; Package horde3.

Acknowledgement sent to Mike O'Connor <stew@vireo.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Ola Lundqvist <opal@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Mike O'Connor <stew@vireo.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: permissions on /etc/horde/horde3/* are too lax
Date: Wed, 5 Oct 2005 13:16:23 -0400
Package: horde3
Version: 3.0.5-1
Severity: critical
Tags: security
Justification: root security hole

In the README.Debian, in section 6, it is recommended that the end
user executes:

         chown root.www config/*
         chmod 0440 config/*

because "Some of Horde's configuration files contain passwords which
local users could use to access your database".

This is something that should be done by the maintainer scripts and not
left up to the end user to do.


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages horde3 depends on:
ii  apache [httpd]               1.3.33-7    versatile, high-performance HTTP s
ii  libapache-mod-php4 [phpapi-2 4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4                         4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-cli [phpapi-20020918]   4:4.3.10-15 command-line interpreter for the p
ii  php4-domxml                  4:4.3.10-15 XMLv2 module for php4
ii  php4-pear                    4:4.3.10-15 PEAR - PHP Extension and Applicati
ii  php4-pear-log                1.6.0-1.1   Log module for PEAR

Versions of packages horde3 recommends:
ii  logrotate                     3.7.1-2    Log rotation utility
pn  php-date                      <none>     (no description available)
pn  php-file                      <none>     (no description available)
pn  php-mail-mime                 <none>     (no description available)
pn  php-services-weather          <none>     (no description available)
pn  php4-gd | php4-gd2            <none>     (no description available)
pn  php4-mcrypt                   <none>     (no description available)
pn  php4-mysql | php4-pgsql | php <none>     (no description available)

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#332289; Package horde3.

Acknowledgement sent to Martin Lohmeier <martin@mein-horde.de>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #10 received at 332289@bugs.debian.org:

From: Martin Lohmeier <martin@mein-horde.de>
To: Mike O'Connor <stew@vireo.org>, 332289@bugs.debian.org
Subject: Re: Bug#332289: permissions on /etc/horde/horde3/* are too lax
Date: Thu, 06 Oct 2005 23:41:33 +0200
Mike O'Connor wrote:
> Package: horde3
> Version: 3.0.5-1
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> In the README.Debian, in section 6, it is recommended that the end
> user executes:
> 
>          chown root.www config/*
>          chmod 0440 config/*
> 
> because "Some of Horde's configuration files contain passwords which
> local users could use to access your database".
> 
> This is something that should be done by the maintainer scripts and not
> left up to the end user to do.

Hi Mike,

This is done for security reasons (don't let someone configure horde who
points his / her browser to www.example.com/horde; this should only
happen if YOU want this). Browse the BTS archive of horde3, I think I've
submitted something similar a few months ago.

bye, Martin

-- 

Powered by Debian GNU / Linux

Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#332289; Package horde3.

Acknowledgement sent to Mike O'Connor <stew@vireo.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #15 received at 332289@bugs.debian.org:

From: Mike O'Connor <stew@vireo.org>
To: Martin Lohmeier <martin@mein-horde.de>
Cc: 332289@bugs.debian.org
Subject: Re: Bug#332289: permissions on /etc/horde/horde3/* are too lax
Date: Thu, 06 Oct 2005 19:56:35 -0400
On Thu, 2005-10-06 at 23:41 +0200, Martin Lohmeier wrote:
> Mike O'Connor wrote:
> > Package: horde3
> > Version: 3.0.5-1
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> > 
> > In the README.Debian, in section 6, it is recommended that the end
> > user executes:
> > 
> >          chown root.www config/*
> >          chmod 0440 config/*
> > 
> > because "Some of Horde's configuration files contain passwords which
> > local users could use to access your database".
> > 
> > This is something that should be done by the maintainer scripts and not
> > left up to the end user to do.
> 
> Hi Mike,
> 
> This is done for security reasons (don't let someone configure horde who
> points his / her browser to www.example.com/horde; this should only
> happen if YOU want this). Browse the BTS archive of horde3, I think I've
> submitted something similar a few months ago.
> 
> bye, Martin
> 

I don't understand your explanation.  The files are installed as 0644,
meaning that they are world readable.  I don't understand why they would
be installed as 0644 instead of 0440 for security reasons.

stew
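The README step quoted in the original report (chown root.www, chmod 0440) and the 0644-versus-0440 point raised just above, as an added POSIX shell audit that is not part of the bug log or of the horde3 package. The config path /etc/horde/horde3/config and the owner root:www-data are assumed defaults taken from that README step; the sample file used to try it is constructed.

```shell
#!/bin/sh
# Added example, not from the Debian bug log or the horde3 package: audit
# the Horde config directory for the condition the report describes, i.e.
# files holding database passwords left readable by every local user.
# Assumed defaults (from the README step quoted in the report): directory
# /etc/horde/horde3/config, owner root, group www-data.

# horde_config_audit DIR OWNER GROUP
# Prints each regular file in DIR that is readable by "other" or that is
# not owned by OWNER:GROUP. Returns 0 when every file is locked down and 1
# otherwise, so it can gate a maintainer script or a monitoring job.
horde_config_audit() {
    dir=${1:-/etc/horde/horde3/config}
    owner=${2:-root}
    group=${3:-www-data}
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # -perm -0004: the other-read bit is set, so any local user can read it
        if [ -n "$(find "$f" -perm -0004)" ]; then
            echo "world-readable (expected 0440): $f"
            bad=1
        fi
        # with 0440 only OWNER and members of GROUP can read, so both must match
        if [ -z "$(find "$f" -user "$owner" -group "$group")" ]; then
            echo "owner/group is not $owner:$group: $f"
            bad=1
        fi
    done
    return $bad
}

# horde_config_fix DIR OWNER GROUP
# Applies the README's chown/chmod step to every file in DIR; this is the
# step the report argues belongs in the package's maintainer scripts.
horde_config_fix() {
    dir=${1:-/etc/horde/horde3/config}
    owner=${2:-root}
    group=${3:-www-data}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        chown "$owner:$group" "$f"
        chmod 0440 "$f"
    done
}

# Run the audit when invoked with arguments; sourcing the file without
# arguments only defines the two functions.
case "${1:-}" in
    "") ;;
    *) horde_config_audit "$@" ;;
esac
```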




Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#332289; Package horde3.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #20 received at 332289@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: Mike O'Connor <stew@vireo.org>, 332289@bugs.debian.org
Subject: Re: Bug#332289: permissions on /etc/horde/horde3/* are too lax
Date: Sat, 8 Oct 2005 20:30:38 +0200
Hello

On Wed, Oct 05, 2005 at 01:16:23PM -0400, Mike O'Connor wrote:
> Package: horde3
> Version: 3.0.5-1
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> In the README.Debian, in section 6, it is recommended that the end
> user executes:
> 
>          chown root.www config/*
>          chmod 0440 config/*
> 
> because "Some of Horde's configuration files contain passwords which
> local users could use to access your database".
> 
> This is something that should be done by the maintainer scripts and not
> left up to the end user to do.

I'm not sure that I agree with you here. In order to add a password there
you have to change the permissions of these files anyway.

Regards,

// Ola

> 
> -- System Information:
> Debian Release: testing/unstable
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.12-1-686
> Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
> 
> Versions of packages horde3 depends on:
> ii  apache [httpd]               1.3.33-7    versatile, high-performance HTTP s
> ii  libapache-mod-php4 [phpapi-2 4:4.3.10-15 server-side, HTML-embedded scripti
> ii  php4                         4:4.3.10-15 server-side, HTML-embedded scripti
> ii  php4-cli [phpapi-20020918]   4:4.3.10-15 command-line interpreter for the p
> ii  php4-domxml                  4:4.3.10-15 XMLv2 module for php4
> ii  php4-pear                    4:4.3.10-15 PEAR - PHP Extension and Applicati
> ii  php4-pear-log                1.6.0-1.1   Log module for PEAR
> 
> Versions of packages horde3 recommends:
> ii  logrotate                     3.7.1-2    Log rotation utility
> pn  php-date                      <none>     (no description available)
> pn  php-file                      <none>     (no description available)
> pn  php-mail-mime                 <none>     (no description available)
> pn  php-services-weather          <none>     (no description available)
> pn  php4-gd | php4-gd2            <none>     (no description available)
> pn  php4-mcrypt                   <none>     (no description available)
> pn  php4-mysql | php4-pgsql | php <none>     (no description available)
> 
> -- no debconf information
> 
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------



Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility.

Notification sent to Mike O'Connor <stew@vireo.org>:
Bug acknowledged by developer.

Message #25 received at 332289-close@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: 332289-close@bugs.debian.org
Subject: Bug#332289: fixed in horde3 3.0.5-2
Date: Sat, 08 Oct 2005 13:02:29 -0700
Source: horde3
Source-Version: 3.0.5-2

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.0.5-2.diff.gz
  to pool/main/h/horde3/horde3_3.0.5-2.diff.gz
horde3_3.0.5-2.dsc
  to pool/main/h/horde3/horde3_3.0.5-2.dsc
horde3_3.0.5-2_all.deb
  to pool/main/h/horde3/horde3_3.0.5-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 332289@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <opal@debian.org> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sat,  8 Oct 2005 21:10:48 +0200
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.5-2
Distribution: unstable
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Ola Lundqvist <opal@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 332276 332289 332290
Changes: 
 horde3 (3.0.5-2) unstable; urgency=high
 .
   * Configuration disabled by default, closes: #332290, #332289.
   * Removed some crap from the README.Debian file, closes: #332276.
Files: 
 162aafc9623c3254790b319196c40c8d 615 web optional horde3_3.0.5-2.dsc
 09a724e4437c94a7df9d7991d7b7b60c 7062 web optional horde3_3.0.5-2.diff.gz
 b7fd825f055fdcc159385ff3e0143a91 3597976 web optional horde3_3.0.5-2_all.deb





Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility.

Notification sent to Mike O'Connor <stew@vireo.org>:
Bug acknowledged by developer.

Message #30 received at 332289-close@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: 332289-close@bugs.debian.org
Subject: Bug#332289: fixed in horde3 3.0.4-4sarge1
Date: Mon, 07 Nov 2005 01:02:07 -0800
Source: horde3
Source-Version: 3.0.4-4sarge1

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.0.4-4sarge1.diff.gz
  to pool/main/h/horde3/horde3_3.0.4-4sarge1.diff.gz
horde3_3.0.4-4sarge1.dsc
  to pool/main/h/horde3/horde3_3.0.4-4sarge1.dsc
horde3_3.0.4-4sarge1_all.deb
  to pool/main/h/horde3/horde3_3.0.4-4sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 332289@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <opal@debian.org> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sat,  8 Oct 2005 21:33:40 +0200
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.0.4-4sarge1
Distribution: stable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Ola Lundqvist <opal@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 332276 332289 332290
Changes: 
 horde3 (3.0.4-4sarge1) stable-security; urgency=high
 .
   * Horde3 disabled by default as the administration/install wizard is a
     security hole, closes: #332290, #332289.
     CVE-2005-3344
   * Removed some crap from the README.Debian file and documented that
     horde3 is now disabled by default, closes: #332276.
Files: 
 cc9b46f4b5a4f4a514ecbc51d9eb3a58 627 web optional horde3_3.0.4-4sarge1.dsc
 b0e7fb95efe86aeb42cfd0b478dd312b 6751 web optional horde3_3.0.4-4sarge1.diff.gz
 671d10d028345c0cfc133cc0504a2d50 3432038 web optional horde3_3.0.4-4sarge1_all.deb
 e2221d409ba1c8841ce4ecee981d7b61 3378143 web optional horde3_3.0.4.orig.tar.gz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 00:51:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 16:30:14 2014; Machine Name: beach.debian.org
