Debian Bug report logs - #396099
CVE-2006-5449: Ingo Folder Name Shell Command Injection Vulnerability


Package: ingo1; Maintainer for ingo1 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sun, 29 Oct 2006 20:18:07 UTC

Severity: grave

Tags: security

Fixed in versions ingo1/1.1.2-1, ingo1/1.0.1-1sarge1

Done: Lionel Elie Mamane <lmamane@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#396099; Package ingo1.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: CVE-2006-5449: Ingo Folder Name Shell Command Injection Vulnerability
Date: Sun, 29 Oct 2006 21:03:29 +0100
package: ingo1
tags: security
severity: grave

A vulnerability has been found in ingo:

procmail in Ingo H3 before 1.1.2 Horde module allows remote
authenticated users to execute arbitrary commands via shell
metacharacters in the mailbox destination of a filter rule.


This is fixed in 1.1.2. See
http://secunia.com/advisories/22482
for details.

Please mention the CVE id in the changelog.
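The report above describes the bug class: a user-controlled mailbox destination is written into a procmail recipe, and characters that procmail hands to a shell (or expands itself) end up being interpreted. The following is an added illustration of the defensive side, not Ingo's code and not the upstream 1.1.2 fix: the recipe layout, the allowlist regex, the function names and the sample `.procmailrc` are all assumptions made for this example. It shows the bug-prone interpolation beside an allowlist check that rejects rather than escapes, and goes one step further than the report with an audit routine that flags suspicious action lines in an existing recipe file.

```python
"""Defensive handling of user-supplied mailbox names in procmail recipes.

Added example, not Ingo's code. The recipe layout, allowlist and sample
file below are assumptions chosen for illustration.
"""
import re
from typing import List, Tuple

# Allowlist: one or more '/'-separated segments, each starting with a letter or
# digit and continuing with letters, digits, '.', '_' or '-'. Characters that
# procmail or a shell could interpret are thereby impossible: '|' (pipe action),
# '!' (forward action), '$' (variable expansion), backticks, ';', quotes, blanks.
# A segment cannot start with '.', so a '..' traversal segment is rejected too.
FOLDER_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*(?:/[A-Za-z0-9][A-Za-z0-9._-]*)*")
MAX_FOLDER_LEN = 255


class UnsafeFolderName(ValueError):
    """Raised when a mailbox destination fails the allowlist."""


def validate_folder_name(name: str) -> str:
    """Return `name` unchanged if it is safe to embed in a recipe, else raise.
    Rejecting beats escaping here: procmail's quoting rules differ from the
    shell's, so an 'escaped' name may still be reinterpreted downstream."""
    if len(name) > MAX_FOLDER_LEN or not FOLDER_NAME_RE.fullmatch(name):
        raise UnsafeFolderName(f"rejected mailbox destination: {name!r}")
    return name


def build_recipe_unchecked(condition: str, folder: str) -> str:
    """The bug-prone pattern: user data interpolated into the action line as-is.
    Kept only for contrast with build_recipe()."""
    return f":0:\n* {condition}\n{folder}\n"


def build_recipe(condition: str, folder: str) -> str:
    """Hardened variant. `condition` is assumed to be an admin-controlled
    procmail regex template; only `folder` is user-supplied."""
    return f":0:\n* {condition}\n{validate_folder_name(folder)}\n"


# Audit of an existing .procmailrc: flag recipe actions that reach a program
# ('|' pipe or '!' forward) or that contain shell/procmail metacharacters where
# a plain folder name was expected. A '|' action can be legitimate, so these
# are review items rather than confirmed faults.
ACTION_TO_PROGRAM_RE = re.compile(r"^[|!]")
METACHAR_RE = re.compile(r"[`$;&|<>\"'\\\s]")


def audit_procmailrc(text: str) -> List[Tuple[int, str]]:
    """Return (line number, action line) for every suspicious recipe action."""
    findings: List[Tuple[int, str]] = []
    expecting_action = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(":0"):            # start of a recipe
            expecting_action = True
            continue
        if not expecting_action or not line or line.startswith(("#", "*")):
            continue                          # outside a recipe, or a condition line
        expecting_action = False              # first non-condition line is the action
        if line.startswith("{"):
            continue                          # nested block: its own recipes are parsed in turn
        if ACTION_TO_PROGRAM_RE.match(line) or METACHAR_RE.search(line):
            findings.append((lineno, line))
    return findings


# Constructed sample file for the demo; not taken from any real system.
SAMPLE_PROCMAILRC = """\
# constructed sample, not a real user's file
MAILDIR=$HOME/Mail

:0:
* ^List-Id:.*debian-security
lists.debian-security

:0
* ^Subject:.*archive
| /usr/bin/archive-mail

:0:
* ^From:.*newsletter
news`hostname`.letter
"""

if __name__ == "__main__":
    print(build_recipe("^List-Id:.*debian-security", "lists/debian-security"))
    for bad in ("news`hostname`", "lists;debian", "$HOME/Mail", "../escape"):
        try:
            validate_folder_name(bad)
        except UnsafeFolderName as exc:
            print("rejected:", exc)
    for lineno, action in audit_procmailrc(SAMPLE_PROCMAILRC):
        print(f"line {lineno}: suspicious action {action!r}")
```

The audit deliberately flags every pipe action, including legitimate ones such as the archive helper in the sample, because an action that starts with `|` is exactly the point where a mailbox name would be executed rather than stored; a reviewer then confirms each hit by hand.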



Reply sent to Lionel Elie Mamane <lmamane@debian.org>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #10 received at 396099-close@bugs.debian.org:

From: Lionel Elie Mamane <lmamane@debian.org>
To: 396099-close@bugs.debian.org
Subject: Bug#396099: fixed in ingo1 1.1.2-1
Date: Tue, 31 Oct 2006 00:34:21 -0800
Source: ingo1
Source-Version: 1.1.2-1

We believe that the bug you reported is fixed in the latest version of
ingo1, which is due to be installed in the Debian FTP archive:

ingo1_1.1.2-1.diff.gz
  to pool/main/i/ingo1/ingo1_1.1.2-1.diff.gz
ingo1_1.1.2-1.dsc
  to pool/main/i/ingo1/ingo1_1.1.2-1.dsc
ingo1_1.1.2-1_all.deb
  to pool/main/i/ingo1/ingo1_1.1.2-1_all.deb
ingo1_1.1.2.orig.tar.gz
  to pool/main/i/ingo1/ingo1_1.1.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 396099@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lionel Elie Mamane <lmamane@debian.org> (supplier of updated ingo1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.7
Date: Tue, 31 Oct 2006 09:24:02 +0100
Source: ingo1
Binary: ingo1
Architecture: source all
Version: 1.1.2-1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Lionel Elie Mamane <lmamane@debian.org>
Description: 
 ingo1      - email filter component for Horde Framework
Closes: 396099
Changes: 
 ingo1 (1.1.2-1) unstable; urgency=high
 .
   * New upstream version:
     - Fix remote authenticated user arbitrary command execution
       via shell metacharacters in mailbox name (closes: #396099)
       This is CVE-2006-5449.
   * Bump up Standards-Version
Files: 
 cc2e3b1faf644d6e13b573ba5eea6f6b 679 web optional ingo1_1.1.2-1.dsc
 dc9dbfe52df5b922ec852b1267df5130 1342239 web optional ingo1_1.1.2.orig.tar.gz
 c02bc0bb40d27eea843aeff94320275b 5149 web optional ingo1_1.1.2-1.diff.gz
 187de2d65c81a44029fc91f460f62845 1394062 web optional ingo1_1.1.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iEYEAREDAAYFAkVHCF0ACgkQscRzFz57S3O2WQCgwN/eOryNeDV58SXADC7BhJ8r
lJoAnAlurUYtj4jphPWp0bEqc/f6c8Tz
=S0PC
-----END PGP SIGNATURE-----




Reply sent to Lionel Elie Mamane <lmamane@debian.org>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #15 received at 396099-close@bugs.debian.org:

From: Lionel Elie Mamane <lmamane@debian.org>
To: 396099-close@bugs.debian.org
Subject: Bug#396099: fixed in ingo1 1.0.1-1sarge1
Date: Sat, 17 Feb 2007 12:10:07 +0000
Source: ingo1
Source-Version: 1.0.1-1sarge1

We believe that the bug you reported is fixed in the latest version of
ingo1, which is due to be installed in the Debian FTP archive:

ingo1_1.0.1-1sarge1.diff.gz
  to pool/main/i/ingo1/ingo1_1.0.1-1sarge1.diff.gz
ingo1_1.0.1-1sarge1.dsc
  to pool/main/i/ingo1/ingo1_1.0.1-1sarge1.dsc
ingo1_1.0.1-1sarge1_all.deb
  to pool/main/i/ingo1/ingo1_1.0.1-1sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 396099@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lionel Elie Mamane <lmamane@debian.org> (supplier of updated ingo1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  1 Nov 2006 22:22:41 +0100
Source: ingo1
Binary: ingo1
Architecture: source all
Version: 1.0.1-1sarge1
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Lionel Elie Mamane <lmamane@debian.org>
Description: 
 ingo1      - email filter component for Horde Framework
Closes: 396099
Changes: 
 ingo1 (1.0.1-1sarge1) stable-security; urgency=high
 .
   * Security update:
     - Fix remote authenticated user arbitrary command execution
       via shell metacharacters in mailbox name (closes: #396099)
       This is CVE-2006-5449.
   * Change maintainer to Horde team.
Files: 
 b8be1fc591da938deb08cb78a9d42f0d 683 web optional ingo1_1.0.1-1sarge1.dsc
 509bf92a2ee44597d6ffd9a0a9b4a039 733108 web optional ingo1_1.0.1.orig.tar.gz
 358e14a64fe43a56cc1b9742f271c3ec 5161 web optional ingo1_1.0.1-1sarge1.diff.gz
 83f7044a2861f8e6aaea0c684fb2f6e0 760018 web optional ingo1_1.0.1-1sarge1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFSj8kXm3vHE4uyloRAnlLAJ47kwlCnyBZKGdzhVhmXJu6pZ70NACgnMK7
f+Qd0ESTqDnogSZBTh/EuPM=
=BMC2
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 09:22:39 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:37:42 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.