Debian Bug report logs - #349261
kronolith: Several Cross-Site-Scripting vulnerabilities

Package: kronolith; Maintainer for kronolith is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Sun, 11 Dec 2005 21:18:04 UTC

Severity: important

Tags: help, security

Done: Ola Lundqvist <opal@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Ola Lundqvist <opal@debian.org>:
Bug#342943; Package kronolith. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kronolith: Several Cross-Site-Scripting vulnerabilities
Date: Sun, 11 Dec 2005 21:59:53 +0100
Package: kronolith
Severity: important
Tags: security

Several cross-site-scripting vulnerabilities have been found in
Kronolith. Please see
http://lists.horde.org/archives/announce/2005/000234.html for
details. It's been fixed upstream in 2.0.5.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Bug reassigned from package `kronolith' to `kronolith2'. Request was from Martin Lohmeier <martin@mein-horde.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: pending Request was from Jose Carlos Medeiros <jcnascimento@gmail.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Medeiros <debian@psabs.com.br>:
Bug#342943; Package kronolith2. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jose Carlos Medeiros <debian@psabs.com.br>. Full text and rfc822 format available.

Message #14 received at 342943@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 342943@bugs.debian.org
Subject: CVE assignment
Date: Wed, 14 Dec 2005 10:45:47 +0100
Hi,
this has been assigned CVE-2005-4189, please mention it
in the changelog when fixing it.

Cheers,
        Moritz



Reply sent to Jose Carlos Medeiros <debian@psabs.com.br>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #19 received at 342943-close@bugs.debian.org (full text, mbox):

From: Jose Carlos Medeiros <debian@psabs.com.br>
To: 342943-close@bugs.debian.org
Subject: Bug#342943: fixed in kronolith2 2.0.6-1
Date: Sat, 24 Dec 2005 09:47:11 -0800
Source: kronolith2
Source-Version: 2.0.6-1

We believe that the bug you reported is fixed in the latest version of
kronolith2, which is due to be installed in the Debian FTP archive:

kronolith2_2.0.6-1.diff.gz
  to pool/main/k/kronolith2/kronolith2_2.0.6-1.diff.gz
kronolith2_2.0.6-1.dsc
  to pool/main/k/kronolith2/kronolith2_2.0.6-1.dsc
kronolith2_2.0.6-1_all.deb
  to pool/main/k/kronolith2/kronolith2_2.0.6-1_all.deb
kronolith2_2.0.6.orig.tar.gz
  to pool/main/k/kronolith2/kronolith2_2.0.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 342943@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jose Carlos Medeiros <debian@psabs.com.br> (supplier of updated kronolith2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Wed, 14 Dec 2005 11:48:55 -0200
Source: kronolith2
Binary: kronolith2
Architecture: source all
Version: 2.0.6-1
Distribution: unstable
Urgency: low
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Jose Carlos Medeiros <debian@psabs.com.br>
Description: 
 kronolith2 - calendar component for Horde Framework
Closes: 342943
Changes: 
 kronolith2 (2.0.6-1) unstable; urgency=low
 .
   * New upstream release.
   * This release solved "Several Cross-Site-Scripting vulnerabilities"
     (CVE-2005-4189). (closes: #342943)
   * Set Maintainer to Debian Horde Team.
Files: 
 3a1bac1c03d5d24a8dc8e68e86ba14b2 742 web optional kronolith2_2.0.6-1.dsc
 c0c6bad037911ef689bc4f4da5be0047 1300965 web optional kronolith2_2.0.6.orig.tar.gz
 dd2d00eeb7eea4e50d1cd4466a2109ec 4675 web optional kronolith2_2.0.6-1.diff.gz
 b9aef4083f8c120df1175f50d01006e5 1311318 web optional kronolith2_2.0.6-1_all.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#342943; Package kronolith2. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #24 received at 342943@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: control@bugs.debian.org, 342943@bugs.debian.org
Subject: only kronolith2 fixed
Date: Sat, 21 Jan 2006 15:56:30 -0500
[Message part 1 (text/plain, inline)]
clone 342943 -1
reassign -1 kronolith
thanks

This security hole was fixed in kronolith2, but the kronolith package is
still present in unstable and still, presumably, has this hole.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Bug 342943 cloned as bug 349261. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `kronolith2' to `kronolith'. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reopened, originator not changed. Request was from Lionel Elie Mamane <lionel@mamane.lu> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: help Request was from Lionel Elie Mamane <lionel@mamane.lu> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith. Full text and rfc822 format available.

Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #37 received at 349261@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lionel@mamane.lu>
To: Joey Hess <joeyh@debian.org>, 342943@bugs.debian.org
Cc: team@security.debian.org, secure-testing-team@lists.alioth.debian.org, control@bugs.debian.org
Subject: Re: Bug#342943: only kronolith2 fixed
Date: Sun, 22 Jan 2006 09:04:03 +0100
[Message part 1 (text/plain, inline)]
package kronolith
reopen 349261
tags 349261 +help
thanks

On Sat, Jan 21, 2006 at 03:56:30PM -0500, Joey Hess wrote:
> clone 342943 -1
> reassign -1 kronolith
> thanks

> This security hole was fixed in kronolith2, but the kronolith
> package is still present in unstable and still, presumably, has this
> hole.

Thank you for warning us. However, kronolith 1 is not maintained
upstream anymore and no patch for this issue is available from
upstream.

I've tried to backport the upstream patch for kronolith 2, but most
files touched don't actually exist in kronolith 1, as well as a
sizeable part of the code touched in the files that do exist. Here is
my measly backport attempt, but I'd really like someone that
understands the issue to review it and see if nothing has been left
out. Do we have someone of that calibre (and willing to do it)
available in Debian?


Maybe it is getting time to dump Horde2 from etch/sid, as the pain of
keeping it in has actually increased significantly. What do you think
about this Ola & Jose? The problem stays for sarge, though.


-- 
Lionel
[debian_342943.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #42 received at 349261@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Lionel Elie Mamane <lionel@mamane.lu>
Cc: Joey Hess <joeyh@debian.org>, 342943@bugs.debian.org, team@security.debian.org, 349261@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#342943: only kronolith2 fixed
Date: Sun, 22 Jan 2006 11:35:15 +0100
[Message part 1 (text/plain, inline)]
Lionel Elie Mamane wrote:
> > This security hole was fixed in kronolith2, but the kronolith
> > package is still present in unstable and still, presumably, has this
> > hole.
> 
> Thank you for warning us. However, kronolith 1 is not maintained
> upstream anymore and no patch for this issue is available from
> upstream.

Thanks a lot.

> I've tried to backport the upstream patch for kronolith 2, but most
> files touched don't actually exist in kronolith 1, as well as a
> sizeable part of the code touched in the files that do exist. Here is
> my measly backport attempt, but I'd really like someone that
> understands the issue to review it and see if nothing has been left
> out. Do we have someone of that calibre (and willing to do it)
> available in Debian?

I've taken a look at the patch, and several lines contain changes not
suitable for a security update, i.e. fix different potential bugs or
change the code.  I'm attaching the patch.  More eyes checking would
be appreciated.

Regards,

	Joey

-- 
Have you ever noticed that "General Public Licence" contains the word "Pub"?

Please always Cc to me when replying to me on the lists.
[x (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #47 received at 349261@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Lionel Elie Mamane <lionel@mamane.lu>, team@security.debian.org, 349261@bugs.debian.org, Joey Hess <joeyh@debian.org>, 342943@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: [Secure-testing-team] Re: Bug#342943: only kronolith2 fixed
Date: Sun, 22 Jan 2006 14:40:48 +0000
[Message part 1 (text/plain, inline)]
On Sun, Jan 22, 2006 at 11:35:15AM +0100, Martin Schulze wrote:
> Lionel Elie Mamane wrote:
> > I've tried to backport the upstream patch for kronolith 2, but most
> > files touched don't actually exist in kronolith 1, as well as a
> > sizeable part of the code touched in the files that do exist. Here is
> > my measly backport attempt, but I'd really like someone that
> > understands the issue to review it and see if nothing has been left
> > out. Do we have someone of that calibre (and willing to do it)
> > available in Debian?
> 
> I've taken a look at the patch, and several lines contain changes not
> suitable for a security update, i.e. fix different potential bugs or
> change the code.  I'm attaching the patch.  More eyes checking would
> be appreciated.
> 

A fairly odd bug. It only affects the app if REGISTER_GLOBALS is on,
however, the app requires REGISTER_GLOBALS :|

I'll do an audit of the code and try and find anything left over when I
get home later.

Neil
-- 
   __   
 .`  `. neilm@debian.org | Application Manager
 : :' ! ---------------- | Secure-Testing Team member
 '. `-  gpg: B345BDD3    | Webapps Team member
   `-   Please don't cc, I'm subscribed to the list
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith. Full text and rfc822 format available.

Acknowledgement sent to Anthony DeRobertis <anthony@derobert.net>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #52 received at 349261@bugs.debian.org (full text, mbox):

From: Anthony DeRobertis <anthony@derobert.net>
Cc: Martin Schulze <joey@infodrom.org>, team@security.debian.org, 342943@bugs.debian.org, Lionel Elie Mamane <lionel@mamane.lu>, Joey Hess <joeyh@debian.org>, secure-testing-team@lists.alioth.debian.org, 349261@bugs.debian.org
Subject: Re: [Secure-testing-team] Re: Bug#342943: only kronolith2 fixed
Date: Sun, 22 Jan 2006 10:10:55 -0500
Neil McGovern wrote:

> A fairly odd bug. It only affects the app if REGISTER_GLOBALS is on,
> however, the app requires REGISTER_GLOBALS :|

Isn't this in and of itself a problem due to CVE-2005-3390? Is that
finally going to be fixed in Sarge?
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=336645 certainly hinted
otherwise.



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #57 received at 349261@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Martin Schulze <joey@infodrom.org>
Cc: Lionel Elie Mamane <lionel@mamane.lu>, team@security.debian.org, 349261@bugs.debian.org, Joey Hess <joeyh@debian.org>, 342943@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: [Secure-testing-team] Re: Bug#342943: only kronolith2 fixed
Date: Sun, 22 Jan 2006 19:37:00 +0100
* Martin Schulze:

> I've taken a look at the patch, and several lines contain changes not
> suitable for a security update, i.e. fix different potential bugs or
> change the code.  I'm attaching the patch.  More eyes checking would
> be appreciated.

This one seems only safe when magic_quotes_gpc is enabled:

-  <input type="submit" [...] onclick="self.location = '<?php echo $url; ?>'; return false;" />
+  <input type="submit" [...] onclick="self.location = '<?php echo htmlspecialchars($url); ?>'; return false;" />
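Review bot: the `+` line still leaves the single-quoted JavaScript string open to a `'` in `$url`, because `htmlspecialchars()` with its default flags (ENT_COMPAT) does not encode single quotes, and the browser decodes attribute entities before the JavaScript parser ever sees the handler, so HTML encoding on its own is the wrong layer for a value that lands inside script. Encode the value for the JavaScript string context first (escape `\`, `'`, `<`, `>`, `&` and newlines as `\xHH`), then apply `htmlspecialchars($js, ENT_QUOTES)` on top of that; or keep the URL out of inline script altogether and use a plain link.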

(htmlspecialchars does not quote single quotes, and even if it did, it
would not really help because the HTML should be reversed before the
JavaScript parser runs.)

It's probably not a real problem because everybody runs with
magic_quotes_gpc enabled, though.

Apart from the issues in your diff, there seem to be others.  Is
anybody familiar with the HORDE framework (at that version) and can
explain how variables are handled internally?  There seems to be some
kind of register_globals reimplementation.
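As an added illustration of the encoding-order point made above (not code from the bug log, the backport patch, or Kronolith itself): a Python model of the onclick handler in the quoted hunk, PHP's htmlspecialchars() flag behaviour, and the browser's decode order, HTML entities first and the JavaScript parser second. `onclick_weak` mirrors the patched template line; `onclick_hardened` applies JavaScript string encoding first and HTML attribute encoding on top. All function names and the sample URLs are constructed for this example.

```python
import html
from typing import Callable, Optional

# The handler shape comes from the patch line quoted in the bug log;
# everything else in this file is a constructed illustration.
HANDLER_PREFIX = "self.location = '"
HANDLER_SUFFIX = "'; return false;"


def htmlspecialchars(s: str, ent_quotes: bool = False) -> str:
    """Model PHP's htmlspecialchars(). With the default flags of that era
    (ENT_COMPAT, the default until PHP 8.1) only the double quote is encoded;
    the single quote passes through, which is the gap noted in the thread."""
    out = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    out = out.replace('"', "&quot;")
    if ent_quotes:
        out = out.replace("'", "&#039;")
    return out


def js_single_quoted(s: str) -> str:
    """Encode s as the body of a single-quoted JavaScript string literal.
    Anything outside a conservative allow-list becomes a \\xHH or \\uHHHH
    escape, so no input character can close the literal or open a tag."""
    safe = set("abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
               "0123456789" " .,:/?=-_~#%@")
    parts = []
    for ch in s:
        cp = ord(ch)
        if ch in safe:
            parts.append(ch)
        elif cp < 0x100:
            parts.append("\\x%02x" % cp)
        elif cp < 0x10000:
            parts.append("\\u%04x" % cp)
        else:  # astral plane: emit a UTF-16 surrogate pair
            cp -= 0x10000
            parts.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "".join(parts)


def onclick_weak(url: str) -> str:
    """What the patched template line does: HTML-encode only."""
    return HANDLER_PREFIX + htmlspecialchars(url) + HANDLER_SUFFIX


def onclick_hardened(url: str) -> str:
    """Encode inside-out: JavaScript string encoding first, then HTML
    attribute encoding with ENT_QUOTES on top. That mirrors the browser's
    decode order (entities first, then the JavaScript parser), so each
    layer is undone by the parser it was meant for."""
    encoded = htmlspecialchars(js_single_quoted(url), ent_quotes=True)
    return HANDLER_PREFIX + encoded + HANDLER_SUFFIX


def decode_js_literal(js_src: str) -> Optional[str]:
    """Stand-in for the JavaScript parser: read the single-quoted literal
    at the start of the handler and return its value, or None when the
    literal does not end exactly where the template expects (i.e. the
    inserted value has changed the structure of the code)."""
    if not js_src.startswith(HANDLER_PREFIX):
        return None
    i, value = len(HANDLER_PREFIX), []
    try:
        while js_src[i] != "'":
            if js_src[i] == "\\":
                kind = js_src[i + 1]
                if kind == "x":
                    value.append(chr(int(js_src[i + 2:i + 4], 16)))
                    i += 4
                elif kind == "u":
                    value.append(chr(int(js_src[i + 2:i + 6], 16)))
                    i += 6
                else:
                    value.append(kind)
                    i += 2
            else:
                value.append(js_src[i])
                i += 1
    except (IndexError, ValueError):
        return None  # unterminated literal or malformed escape
    if js_src[i:] != HANDLER_SUFFIX:
        return None
    # Recombine any surrogate pairs emitted for astral characters.
    return "".join(value).encode("utf-16", "surrogatepass").decode("utf-16")


def url_roundtrip(render: Callable[[str], str], url: str) -> Optional[str]:
    """Render the attribute value, decode it as a browser would (HTML
    entities, then JavaScript), and return the URL the script would use."""
    return decode_js_literal(html.unescape(render(url)))


if __name__ == "__main__":
    sample = "http://example.com/?q=o'reilly"  # constructed sample URL
    for render in (onclick_weak, onclick_hardened):
        print(render.__name__, "->", url_roundtrip(render, sample))
```

With the apostrophe URL the weak rendering yields None (the literal ends early), while the hardened rendering returns the original URL unchanged.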



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #62 received at 349261@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Neil McGovern <neilm@debian.org>
Cc: Lionel Elie Mamane <lionel@mamane.lu>, team@security.debian.org, 349261@bugs.debian.org, Joey Hess <joeyh@debian.org>, 342943@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: [Secure-testing-team] Re: Bug#342943: only kronolith2 fixed
Date: Sat, 28 Jan 2006 21:23:31 +0100
Neil McGovern wrote:
> On Sun, Jan 22, 2006 at 11:35:15AM +0100, Martin Schulze wrote:
> > Lionel Elie Mamane wrote:
> > > I've tried to backport the upstream patch for kronolith 2, but most
> > > files touched don't actually exist in kronolith 1, as well as a
> > > sizeable part of the code touched in the files that do exist. Here is
> > > my measly backport attempt, but I'd really like someone that
> > > understands the issue to review it and see if nothing has been left
> > > out. Do we have someone of that calibre (and willing to do it)
> > > available in Debian?
> > 
> > I've taken a look at the patch, and several lines contain changes not
> > suitable for a security update, i.e. fix different potential bugs or
> > change the code.  I'm attaching the patch.  More eyes checking would
> > be appreciated.
> > 
> 
> A fairly odd bug. It only affects the app if REGISTER_GLOBALS is on,
> however, the app requires REGISTER_GLOBALS :|
> 
> I'll do an audit of the code and try and find anything left over when I
> get home later.

Any news on this?

Regards,

	Joey

-- 
Computers are not intelligent.  They only think they are.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #67 received at 349261@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Lionel Elie Mamane <lionel@mamane.lu>, team@security.debian.org, 349261@bugs.debian.org, Joey Hess <joeyh@debian.org>, 342943@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: [Secure-testing-team] Re: Bug#342943: only kronolith2 fixed
Date: Sun, 29 Jan 2006 18:15:23 +0000
On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
> Neil McGovern wrote:
> > On Sun, Jan 22, 2006 at 11:35:15AM +0100, Martin Schulze wrote:
> > > Lionel Elie Mamane wrote:
> > > > I've tried to backport the upstream patch for kronolith 2, but most
> > > > files touched don't actually exist in kronolith 1, as well as a
> > > > sizeable part of the code touched in the files that do exist. Here is
> > > > my measly backport attempt, but I'd really like someone that
> > > > understands the issue to review it and see if nothing has been left
> > > > out. Do we have someone of that calibre (and willing to do it)
> > > > available in Debian?
> > > 
> > > I've taken a look at the patch, and several lines contain changes not
> > > suitable for a security update, i.e. fix different potential bugs or
> > > change the code.  I'm attaching the patch.  More eyes checking would
> > > be appreciated.
> > > 
> > 
> > A fairly odd bug. It only affects the app if REGISTER_GLOBALS is on,
> > however, the app requires REGISTER_GLOBALS :|
> > 
> > I'll do an audit of the code and try and find anything left over when I
> > get home later.
> 
> Any news on this?
> 

Sorry for the delay.

I haven't managed to find any more bugs relating to this particular
security hole that aren't fixed by the previous patch in this bug report.
kronolith seems to be fairly badly coded wrt security issues though. I'd
suggest deprecating kronolith1 and forcing people on to kronolith2,
which, although only a little better, is actually supported upstream.

Cheers,
Neil
-- 
   __   
 .`  `. neilm@debian.org | Application Manager
 : :' ! ---------------- | Secure-Testing Team member
 '. `-  gpg: B345BDD3    | Webapps Team member
   `-   Please don't cc, I'm subscribed to the list



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith. Full text and rfc822 format available.

Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #72 received at 349261@bugs.debian.org (full text, mbox):

From: Lionel Elie Mamane <lionel@mamane.lu>
To: Neil McGovern <neilm@debian.org>
Cc: Martin Schulze <joey@infodrom.org>, team@security.debian.org, 349261@bugs.debian.org, Joey Hess <joeyh@debian.org>, 342943@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Bug#342943: only kronolith2 fixed
Date: Sun, 29 Jan 2006 21:33:12 +0100
On Sun, Jan 29, 2006 at 06:15:23PM +0000, Neil McGovern wrote:
> On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
>> Neil McGovern wrote:

>>> A fairly odd bug. It only affects the app if REGISTER_GLOBALS is
>>> on, however, the app requires REGISTER_GLOBALS :|

>>> I'll do an audit of the code and try and find anything left over
>>> when I get home later.

>> Any news on this?

> Sorry for the delay.

> I haven't managed to find any more bugs relating to this particular
> security hole that aren't fixed by the previous patch in this bug
> report.  kronolith seems to be fairly badly coded wrt security
> issues though. I'd suggest deprecating kronolith1 and forcing
> people on to kronolith2, which, although only a little better, is
> actually supported upstream.

The problem is that kronolith2 depends on version 3 of the horde
framework (rather than version 2), that the two versions of horde
cannot meaningfully cooperate and there are still some horde2
applications that have not been ported to horde3. Basically, upstream
has abandoned horde2 before they ported all their OWN code to horde3.

So dropping horde2 is a regression, which explains why we haven't done
it yet. But I'm toying with the idea, as we cannot meaningfully
support it anyway. Ola, your opinion?

-- 
Lionel



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith. Full text and rfc822 format available.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #77 received at 349261@bugs.debian.org (full text, mbox):

From: Ola Lundqvist <opal@debian.org>
To: Lionel Elie Mamane <lionel@mamane.lu>, 349261@bugs.debian.org, Martin Schulze <joey@infodrom.org>, team@security.debian.org, Joey Hess <joeyh@debian.org>, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#349261: Bug#342943: only kronolith2 fixed
Date: Mon, 30 Jan 2006 06:53:11 +0100
Hello

On Sun, Jan 29, 2006 at 09:33:12PM +0100, Lionel Elie Mamane wrote:
> On Sun, Jan 29, 2006 at 06:15:23PM +0000, Neil McGovern wrote:
> > On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
> >> Neil McGovern wrote:
> 
> >>> A fairly odd bug. It only affects the app if REGISTER_GLOBALS is
> >>> on, however, the app requires REGISTER_GLOBALS :|
> 
> >>> I'll do an audit of the code and try and find anything left over
> >>> when I get home later.
> 
> >> Any news on this?
> 
> > Sorry for the delay.
> 
> > I haven't managed to find any more bugs relating to this particular
> > security hole that aren't fixed by the previous patch in this bug
> > report.  kronolith seems to be fairly badly coded wrt security
> > issues though. I'd suggest deprecating kronolith1 and forcing
> > people on to kronolith2, which, although only a little better, is
> > actually supported upstream.
> 
> The problem is that kronolith2 depends on version 3 of the horde
> framework (rather than version 2), that the two versions of horde
> cannot meaningfully cooperate and there are still some horde2
> applications that have not been ported to horde3. Basically, upstream
> has abandoned horde2 before they ported all their OWN code to horde3.
> 
> So dropping horde2 is a regression, which explains why we haven't done
> it yet. But I'm toying with the idea, as we cannot meaningfully
> support it anyway. Ola, your opinion?

If kronolith1 (named kronolith) can not be fixed, and is not supported
at all by upstream I think we should drop it.

Regards,

// Ola 

> -- 
> Lionel
> 
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------



Reply sent to opal@debian.org:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #82 received at 349261-done@bugs.debian.org (full text, mbox):

From: Ola Lundqvist <opal@debian.org>
To: 160787-done@bugs.debian.org, 218183-done@bugs.debian.org, 269432-done@bugs.debian.org, 294265-done@bugs.debian.org, 309688-done@bugs.debian.org, 294910-done@bugs.debian.org, 300259-done@bugs.debian.org, 234881-done@bugs.debian.org, 341690-done@bugs.debian.org, 311900-done@bugs.debian.org, 237179-done@bugs.debian.org, 260554-done@bugs.debian.org, 293575-done@bugs.debian.org, 298037-done@bugs.debian.org, 235568-done@bugs.debian.org, 251272-done@bugs.debian.org, 254841-done@bugs.debian.org, 202092-done@bugs.debian.org, 234883-done@bugs.debian.org, 282935-done@bugs.debian.org, 131986-done@bugs.debian.org, 162118-done@bugs.debian.org, 162119-done@bugs.debian.org, 163151-done@bugs.debian.org, 178036-done@bugs.debian.org, 187037-done@bugs.debian.org, 256020-done@bugs.debian.org, 291344-done@bugs.debian.org, 225533-done@bugs.debian.org, 296334-done@bugs.debian.org, 330810-done@bugs.debian.org, 261608-done@bugs.debian.org, 264768-done@bugs.debian.org, 193851-done@bugs.debian.org, 230271-done@bugs.debian.org, 272075-done@bugs.debian.org, 254981-done@bugs.debian.org, 340900-done@bugs.debian.org, 349261-done@bugs.debian.org, 221433-done@bugs.debian.org, 338522-done@bugs.debian.org, 345044-done@bugs.debian.org, 312174-done@bugs.debian.org, 166717-done@bugs.debian.org
Subject: [ftpmaster@ftp-master.debian.org: Bug#350630: fixed]
Date: Sat, 4 Feb 2006 16:38:33 +0100
Closing the bugs now as the packages have been removed from Debian.

----- Forwarded message from Debian Archive Maintenance <ftpmaster@ftp-master.debian.org> -----

Envelope-to: ola@opalsys.net
Delivery-date: Thu, 02 Feb 2006 16:12:02 +0100
From: Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>
To: 350630-close@bugs.debian.org
X-Katie: melanie $Revision: 1.44 $
Cc: horde2@packages.debian.org, horde2@packages.qa.debian.org,
	turba@packages.debian.org, turba@packages.qa.debian.org,
	sork-vacation@packages.debian.org,
	sork-vacation@packages.qa.debian.org,
	sork-passwd@packages.debian.org, sork-passwd@packages.qa.debian.org,
	sork-forwards@packages.debian.org,
	sork-forwards@packages.qa.debian.org,
	sork-accounts@packages.debian.org,
	sork-accounts@packages.qa.debian.org, nag@packages.debian.org,
	nag@packages.qa.debian.org, mnemo@packages.debian.org,
	mnemo@packages.qa.debian.org, kronolith@packages.debian.org,
	kronolith@packages.qa.debian.org, imp3@packages.debian.org,
	imp3@packages.qa.debian.org
Subject: Bug#350630: fixed
X-Spam-Score: -2.5 (--)
X-Spamcheck-provider: Checked for spam by opalsys.net, postmaster@opalsys.net

We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

    horde2 |    2.2.9-1 | source, all
      imp3 |    3.2.8-3 | source, all
 kronolith |    1.1.4-4 | source, all
     mnemo |    1.1.4-1 | source, all
       nag |    1.1.3-1 | source, all
sork-accounts |    2.1.2-2 | source, all
sork-forwards |    2.2.2-2 | source, all
sork-passwd |    2.2.2-2 | source, all
sork-vacation |    2.2.2-3 | source, all
     turba |    1.2.5-3 | source, all

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive (ftp-master.debian.org) and will not propagate to any
mirrors (ftp.debian.org included) until the next cron.daily run at the
earliest.

Packages are never removed from testing by hand.  Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 350630@bugs.debian.org.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Joerg Jaspert (the ftpmaster behind the curtain)


----- End forwarded message -----

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  opal@lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. Full text and rfc822 format available.

Message #87 received at 349261@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Ola Lundqvist <opal@debian.org>
Cc: Lionel Elie Mamane <lionel@mamane.lu>, 349261@bugs.debian.org, Debian Security Team <team@security.debian.org>, Joey Hess <joeyh@debian.org>, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#349261: Bug#342943: only kronolith2 fixed
Date: Thu, 9 Feb 2006 10:47:28 +0100
Ola Lundqvist wrote:
> > > I haven't managed to find any more bugs relating to this particular
> > > security hole that aren't fixed by the previous patch in this bug
> > > report.  kronolith seems to be fairly badly coded wrt security
> > > issues though. I'd suggest deprecating kronolith1 and forcing
> > > people on to kronolith2, which, although only a little better, is
> > > actually supported upstream.
> > 
> > The problem is that kronolith2 depends on version 3 of the horde
> > framework (rather than version 2), that the two versions of horde
> > cannot meaningfully cooperate and there are still some horde2
> > applications that have not been ported to horde3. Basically, upstream
> > has abandoned horde2 before they ported all their OWN code to horde3.
> > 
> > So dropping horde2 is a regression, which explains why we haven't done
> > it yet. But I'm toying with the idea, as we cannot meaningfully
> > support it anyway. Ola, your opinion?
> 
> If kronolith1 (named kronolith) can not be fixed, and is not supported
> at all by upstream I think we should drop it.

It seems to be removed already.

Regards,

	Joey

-- 
Everybody talks about it, but nobody does anything about it!  -- Mark Twain

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith.

Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #92 received at 349261@bugs.debian.org:

From: Lionel Elie Mamane <lionel@mamane.lu>
To: Martin Schulze <joey@infodrom.org>
Cc: Ola Lundqvist <opal@debian.org>, 349261@bugs.debian.org, Debian Security Team <team@security.debian.org>, Joey Hess <joeyh@debian.org>, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#349261: Bug#342943: only kronolith2 fixed
Date: Thu, 9 Feb 2006 11:15:23 +0100
On Thu, Feb 09, 2006 at 10:47:28AM +0100, Martin Schulze wrote:
> Ola Lundqvist wrote:

>>>> I'd suggest deprecating kronolith1 and forcing people on to
>>>> kronolith2, which although only a little better, is actually
>>>> supported upstream.

>>> The problem is that kronolith2 depends on version 3 of the horde
>>> framework (rather than version 2), that the two versions of horde
>>> cannot meaningfully cooperate and there are still some horde2
>>> applications that have not been ported to horde3. Basically,
>>> upstream has abandoned horde2 before they ported all their OWN
>>> code to horde3.

>>> So dropping horde2 is a regression, which explains why we haven't
>>> done it yet. But I'm toying with the idea, as we cannot
>>> meaningfully support it anyway. Ola, your opinion?

>> If kronolith1 (named kronolith) can not be fixed, and is not
>> supported at all by upstream I think we should drop it.

> It seems to be removed already.

Yes, that story spurred us into requesting removal from unstable of
the whole horde2 suite. This still leaves the security update to
stable, though.

-- 
Lionel



Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#349261; Package kronolith.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>.

Message #97 received at 349261@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Lionel Elie Mamane <lionel@mamane.lu>
Cc: Ola Lundqvist <opal@debian.org>, 349261@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#349261: Bug#342943: only kronolith2 fixed
Date: Thu, 9 Feb 2006 11:30:29 +0100
Lionel Elie Mamane wrote:
> >>> The problem is that kronolith2 depends on version 3 of the horde
> >>> framework (rather than version 2), that the two versions of horde
> >>> cannot meaningfully cooperate and there are still some horde2
> >>> applications that have not been ported to horde3. Basically,
> >>> upstream has abandoned horde2 before they ported all their OWN
> >>> code to horde3.
> 
> >>> So dropping horde2 is a regression, which explains why we haven't
> >>> done it yet. But I'm toying with the idea, as we cannot
> >>> meaningfully support it anyway. Ola, your opinion?
> 
> >> If kronolith1 (named kronolith) can not be fixed, and is not
> >> supported at all by upstream I think we should drop it.
> 
> > It seems to be removed already.
> 
> Yes, that story spurred us into requesting removal from unstable of
> the whole horde2 suite. This still leaves the security update to
> stable, though.

Which I've held off until further advice, I've already pushed the
source into the buildd network.

Regards,

	Joey

-- 
Everybody talks about it, but nobody does anything about it!  -- Mark Twain

Please always Cc to me when replying to me on the lists.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 11:57:15 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 16:43:15 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.