Debian Bug report logs - #464058
turba2: Access rights not checked properly


Package: turba2; Maintainer for turba2 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Peter Paul Elfferich <pp@dia.uva.nl>

Date: Mon, 4 Feb 2008 22:27:01 UTC

Severity: grave

Tags: security, upstream

Found in version turba2/2.1.3-1

Fixed in versions turba2/2.1.7-1, turba2/2.0.2-1sarge1, turba2/2.1.3-1etch1

Done: Gregory Colpart (evolix) <reg@evolix.fr>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Peter Paul Elfferich <pp@dia.uva.nl>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Peter Paul Elfferich <pp@dia.uva.nl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: turba2: Access rights not checked properly
Date: Mon, 04 Feb 2008 23:23:50 +0100
Package: turba2
Version: 2.1.3-1
Severity: normal

Access rights do not seem to be checked properly before allowing a user 
to edit address data as illustrated in the following example:

A user adds an address from his or her personal addressbook to a contact 
list in a shared address book. Now anybody who has write access to the 
shared address book can also edit this person's address data in the 
user's personal addressbook.

In fact, after manually entering an object_id (which I looked up in the 
database) from somebody else's address book I found I could edit this 
data as well.

So it seems that when edit.php is passed an object_id, the owner_id and 
the requesting user's access rights to the addressbook that the owner_id 
refers to aren't checked. Apparently knowing the object_id is enough to 
be able to edit any address! I guess this is left over from the time 
address books couldn't be shared yet, based on the assumption that 
people wouldn't be able to guess the pseudo random 32 character ids.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #10 received at 464058@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: Peter Paul Elfferich <pp@dia.uva.nl>, 464058@bugs.debian.org
Subject: Re: [pkg-horde] Bug#464058: turba2: Access rights not checked properly
Date: Tue, 5 Feb 2008 03:05:28 +0100
tags 464058 upstream
thanks

Hello,

On Mon, Feb 04, 2008 at 11:23:50PM +0100, Peter Paul Elfferich wrote:
> 
> Access rights do not seem to be checked properly before allowing a user 
> to edit address data as illustrated in the following example [...]

Thanks for your report!

I have asked Horde upstream to look at your request.
You can follow it at http://bugs.horde.org/ticket/?id=6208

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Tags added: upstream Request was from Gregory Colpart <reg@evolix.fr> to control@bugs.debian.org. (Tue, 05 Feb 2008 02:09:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #17 received at 464058@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: Chuck Hagenbuch <chuck@horde.org>
Cc: core@horde.org, 464058@bugs.debian.org, 464058-submitter@bugs.debian.org
Subject: Re: turba access checking issue
Date: Thu, 7 Feb 2008 02:37:55 +0100
Hi Chuck,

On Tue, Feb 05, 2008 at 03:25:10PM -0500, Chuck Hagenbuch wrote:
> Hi Gregory.
> 
> Can you please test this patch on Turba 2.1.x?
> 
> I have a more comprehensive update for Turba 2.2.x and HEAD which  
> cleans up the _read() function's API a bit more but has the same  
> effect. In my tests it denies access properly now.
> 
> Also, if you're curious: the issue is that you can access other user's  
> contacts in the same database table ("source") by specifying your own  
> source id in the URL, but a contact id of another user's contact. I  
> can't reproduce or find any issues other than that - can you confirm?
> 
> Thanks,
> -chuck
> 
> 
> Index: lib/Driver/sql.php
> ===================================================================
> RCS file: /repository/turba/lib/Driver/sql.php,v
> retrieving revision 1.59.10.17
> diff -u -r1.59.10.17 sql.php
> --- lib/Driver/sql.php	30 Nov 2006 21:33:47 -0000	1.59.10.17
> +++ lib/Driver/sql.php	5 Feb 2008 20:35:43 -0000
> @@ -182,6 +182,15 @@
>              $where = $criteria . ' = ?';
>              $values[] = $this->_convertToDriver($id);
>          }
> +        if (isset($this->map['__owner'])) {
> +            if ($this->usingShares) {
> +                $owner = $this->share->get('uid');
> +            } else {
> +                $owner = Auth::getAuth();
> +            }
> +            $where .= ' AND ' . $this->map['__owner'] . ' = ?';
> +            $values[] = $this->_convertToDriver($owner);
> +        }
>          if (!empty($this->_params['filter'])) {
>              $where .= ' AND ' . $this->_params['filter'];
>          }
> 
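Review bot: the `isset($this->map['__owner'])` guard leaves any source whose attribute map has no `__owner` entry exactly as unrestricted as before, and it does so silently; that fall-through should be a deliberate choice (refuse the read, or at least log it) rather than an implicit pass, otherwise a sources.php entry that forgets the mapping reopens the hole. Two smaller points: `$this->share->get('uid')` assumes `$this->share` is populated whenever `usingShares` is true, and because the owner constraint is folded into the same query as the id lookup, an unauthorised read surfaces as an empty result rather than a permission error, which is why the rest of this thread sees "no results" and list members quietly disappearing instead of a clear denial. The hunk also touches only `lib/Driver/sql.php`, so no other backend gets the same scoping from this patch.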

I tested your patch successfully. I now get a "no results" message
when I try to edit a contact owned by a different user.

(Note: I Cc: Debian BTS because it's an unembargoed bug ;)

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Message sent on to Peter Paul Elfferich <pp@dia.uva.nl>:
Bug#464058.

Severity set to `grave' from `normal' Request was from Gregory Colpart <reg@evolix.fr> to control@bugs.debian.org. (Thu, 07 Feb 2008 11:24:03 GMT)

Tags added: security, pending Request was from Gregory Colpart <reg@evolix.fr> to control@bugs.debian.org. (Thu, 07 Feb 2008 11:24:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to "Peter Paul Elfferich" <pp@dia.uva.nl>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #29 received at 464058@bugs.debian.org:

From: "Peter Paul Elfferich" <pp@dia.uva.nl>
To: "Chuck Hagenbuch" <chuck@horde.org>, "Gregory Colpart" <reg@evolix.fr>
Cc: 464058@bugs.debian.org
Subject: Re: Bug#464058: turba access checking issue
Date: Thu, 7 Feb 2008 12:32:06 +0100
Hey Chuck, Gregory,

I've also tested the patch. It successfully secures the data, but it also
silently removes the non editable contacts from contact lists as the list is
viewed.  Are you or are you not supposed to be able to add contacts from one
address book to a contact list in another address book? If not then users
should also no longer be able to add contacts to contact lists from other
address books.

Regards,

Peter Paul

On Feb 7, 2008 2:37 AM, Gregory Colpart <reg@evolix.fr> wrote:

> Hi Chuck,
>
> On Tue, Feb 05, 2008 at 03:25:10PM -0500, Chuck Hagenbuch wrote:
> > Hi Gregory.
> >
> > Can you please test this patch on Turba 2.1.x?
> >
> > I have a more comprehensive update for Turba 2.2.x and HEAD which
> > cleans up the _read() function's API a bit more but has the same
> > effect. In my tests it denies access properly now.
> >
> > Also, if you're curious: the issue is that you can access other user's
> > contacts in the same database table ("source") by specifying your own
> > source id in the URL, but a contact id of another user's contact. I
> > can't reproduce or find any issues other than that - can you confirm?
> >
> > Thanks,
> > -chuck
> >
> >
> > Index: lib/Driver/sql.php
> > ===================================================================
> > RCS file: /repository/turba/lib/Driver/sql.php,v
> > retrieving revision 1.59.10.17
> > diff -u -r1.59.10.17 sql.php
> > --- lib/Driver/sql.php        30 Nov 2006 21:33:47 -0000      1.59.10.17
> > +++ lib/Driver/sql.php        5 Feb 2008 20:35:43 -0000
> > @@ -182,6 +182,15 @@
> >              $where = $criteria . ' = ?';
> >              $values[] = $this->_convertToDriver($id);
> >          }
> > +        if (isset($this->map['__owner'])) {
> > +            if ($this->usingShares) {
> > +                $owner = $this->share->get('uid');
> > +            } else {
> > +                $owner = Auth::getAuth();
> > +            }
> > +            $where .= ' AND ' . $this->map['__owner'] . ' = ?';
> > +            $values[] = $this->_convertToDriver($owner);
> > +        }
> >          if (!empty($this->_params['filter'])) {
> >              $where .= ' AND ' . $this->_params['filter'];
> >          }
> >
>
> I tested your patch successfully. I now get a "no results" message
> when I try to edit a contact owned by a different user.
>
> (Note: I Cc: Debian BTS because it's an unembargoed bug ;)
>
> Regards,
> --
> Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
> Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
>
>
>
> --
> To unsubscribe, send mail to 464058-unsubscribe@bugs.debian.org.
>

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #34 received at 464058@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: Peter Paul Elfferich <pp@dia.uva.nl>
Cc: Chuck Hagenbuch <chuck@horde.org>, 464058@bugs.debian.org
Subject: Re: Bug#464058: turba access checking issue
Date: Thu, 7 Feb 2008 16:39:03 +0100
Hi,

On Thu, Feb 07, 2008 at 12:32:06PM +0100, Peter Paul Elfferich wrote:
> 
> I've also tested the patch. It successfully secures the data, but it also
> silently removes the non editable contacts from contact lists as the list is
> viewed.  Are you or are you not supposed to be able to add contacts from one
> address book to a contact list in another address book? If not then users
> should also no longer be able to add contacts to contact lists from other
> address books.

Could you give more details (sources.php, etc.) on this problem?

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Chuck Hagenbuch <chuck@horde.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #39 received at 464058@bugs.debian.org:

From: Chuck Hagenbuch <chuck@horde.org>
To: Peter Paul Elfferich <pp@dia.uva.nl>
Cc: Gregory Colpart <reg@evolix.fr>, 464058@bugs.debian.org
Subject: Re: Bug#464058: turba access checking issue
Date: Thu, 07 Feb 2008 12:06:09 -0500
Quoting Peter Paul Elfferich <pp@dia.uva.nl>:

> We just use a single, default, 'localsql' configuration (with use_shares =>
> true).
>
> Steps to reproduce this:
> - Login as user A
> - Select an entry from your private address book
> - Select a contact list that is stored in a shared address book and click
> 'Add'
> - You can view the contact list to check the address was added
> - Logout and log back in as user B with access to the shared address book,
> but not to user A's private address book
> - View the same contact list and the address will have disappeared
> - Logout and log back in as user A
> - View the same contact list and the address to check the address has really
> disappeared
>
> I also verified this by looking at the entry data in the database. The entry
> key is removed from the serialized object_members array of the shared
> contact list at the moment user B views the contact list.
>
> This wouldn't be a problem if it weren't possible to add entries from
> (in this case) your private address book to a contact list in a shared
> address book. So I figure that should be patched as well.

Thanks for the detailed description. I think the simplest fix here is  
to just not remove people from the shared list. If someone in a  
contact list is not in an addressbook you're allowed to see, then I  
don't think you should see them.

Does that sound reasonable?

-chuck




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Chuck Hagenbuch <chuck@horde.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #44 received at 464058@bugs.debian.org:

From: Chuck Hagenbuch <chuck@horde.org>
To: Peter Paul Elfferich <pp@dia.uva.nl>
Cc: Gregory Colpart <reg@evolix.fr>, 464058@bugs.debian.org
Subject: Re: Bug#464058: turba access checking issue
Date: Thu, 07 Feb 2008 12:38:51 -0500
Quoting Peter Paul Elfferich <pp@dia.uva.nl>:

> That would perhaps be a simpler fix, but I think it will be confusing to
> users.
> If you really want to allow this cross-address-book adding then I'd suggest
> showing warning messages detailing why a number of contacts could not be
> displayed.

That seems possible - "This list contains X contacts that you do not  
have permission to view. Contact the list's owner if you have  
questions." or something like that?

-chuck




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to "Peter Paul Elfferich" <pp@dia.uva.nl>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #49 received at 464058@bugs.debian.org:

From: "Peter Paul Elfferich" <pp@dia.uva.nl>
To: "Gregory Colpart" <reg@evolix.fr>
Cc: "Chuck Hagenbuch" <chuck@horde.org>, 464058@bugs.debian.org
Subject: Re: Bug#464058: turba access checking issue
Date: Thu, 7 Feb 2008 18:03:44 +0100
Hey,

We just use a single, default, 'localsql' configuration (with use_shares =>
true).

Steps to reproduce this:
- Login as user A
- Select an entry from your private address book
- Select a contact list that is stored in a shared address book and click
'Add'
- You can view the contact list to check the address was added
- Logout and log back in as user B with access to the shared address book,
but not to user A's private address book
- View the same contact list and the address will have disappeared
- Logout and log back in as user A
- View the same contact list and the address to check the address has really
disappeared

I also verified this by looking at the entry data in the database. The entry
key is removed from the serialized object_members array of the shared
contact list at the moment user B views the contact list.

This wouldn't be a problem if it weren't possible to add entries from
(in this case) your private address book to a contact list in a shared
address book. So I figure that should be patched as well.

Regards,

Peter Paul


On Feb 7, 2008 4:39 PM, Gregory Colpart <reg@evolix.fr> wrote:

> Hi,
>
> Could you give more details (sources.php, etc.) on this problem?
>
> Regards,
> --
> Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
> Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
>
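The two behaviours discussed in this thread, the unscoped object_id lookup that Chuck's sql.php patch closes by pinning the owner in the WHERE clause, and the contact-list view that pruned unreadable members from the stored list versus the agreed fix of merely hiding them with a count, modelled side by side in Python over an in-memory SQLite table. This is an added example, not Turba's PHP code: the table layout, the SHARE_GRANTS stand-in for the Horde shares layer and the sample users and ids are constructed for the demonstration.

```python
import json
import sqlite3

# Constructed schema, loosely modelled on Turba's turba_objects table: each row
# records the owner of the source it lives in, and a contact list ("Group")
# keeps its members as a serialised list of object_ids (JSON here; Turba uses
# a serialised PHP array, but the shape is the same for this purpose).
SCHEMA = """
CREATE TABLE turba_objects (
    object_id      TEXT PRIMARY KEY,
    owner_id       TEXT NOT NULL,
    object_type    TEXT NOT NULL,
    object_name    TEXT NOT NULL,
    object_members TEXT
);
"""

# Constructed sample data: a private contact of userA, a contact in a shared
# address book owned by 'sales', and a list in that shared book that userA
# built from both (the cross-address-book add discussed in the thread).
SAMPLE_ROWS = [
    ("id-a1", "userA", "Object", "Alice Private", None),
    ("id-s1", "sales", "Object", "Sam Shared", None),
    ("id-list", "sales", "Group", "Sales list", json.dumps(["id-a1", "id-s1"])),
]

# Constructed stand-in for the Horde shares layer: the source owners whose
# address books each user has been granted read access to.
SHARE_GRANTS = {"userA": {"sales"}, "userB": {"sales"}}

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO turba_objects VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db

def readable_owners(user):
    """A user can always read their own source plus any share granted to them."""
    return {user} | SHARE_GRANTS.get(user, set())

def read_unscoped(db, object_id):
    """Pre-patch _read(): the object_id alone selects the row, whoever owns it."""
    return db.execute(
        "SELECT object_id, owner_id, object_name FROM turba_objects WHERE object_id = ?",
        (object_id,),
    ).fetchone()

def read_scoped(db, user, source_owner, object_id):
    """Post-patch _read(): the caller must hold the source they selected, and the
    WHERE clause also pins owner_id to that source's owner (the share uid, or the
    user themself for a non-shared source), as in the quoted sql.php hunk."""
    if source_owner not in readable_owners(user):
        return None
    return db.execute(
        "SELECT object_id, owner_id, object_name FROM turba_objects "
        "WHERE object_id = ? AND owner_id = ?",
        (object_id, source_owner),
    ).fetchone()

def _list_members(db, list_id):
    row = db.execute(
        "SELECT owner_id, object_members FROM turba_objects "
        "WHERE object_id = ? AND object_type = 'Group'",
        (list_id,),
    ).fetchone()
    return (None, []) if row is None else (row[0], json.loads(row[1] or "[]"))

def _member_owner(db, member_id):
    row = db.execute("SELECT owner_id FROM turba_objects WHERE object_id = ?",
                     (member_id,)).fetchone()
    return row[0] if row else None

def view_list_pruning(db, user, list_id):
    """The regression Peter reported: members the viewer cannot read are not
    only hidden but written back, so they vanish for the list's owner too."""
    list_owner, members = _list_members(db, list_id)
    if list_owner is None or list_owner not in readable_owners(user):
        return None
    allowed = readable_owners(user)
    shown = [m for m in members if _member_owner(db, m) in allowed]
    if shown != members:
        db.execute("UPDATE turba_objects SET object_members = ? WHERE object_id = ?",
                   (json.dumps(shown), list_id))
        db.commit()
    return shown

def view_list_hidden(db, user, list_id):
    """The agreed fix: hide unreadable members from this viewer only, report how
    many were hidden (the count check), and leave the stored list untouched."""
    list_owner, members = _list_members(db, list_id)
    if list_owner is None or list_owner not in readable_owners(user):
        return None
    allowed = readable_owners(user)
    shown = [m for m in members if _member_owner(db, m) in allowed]
    return {"shown": shown, "hidden": len(members) - len(shown)}
```

Running view_list_pruning as userB and then as userA reproduces the "address has really disappeared" step from the report, while view_list_hidden leaves userA's view intact and tells userB that one member was withheld.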

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to "Peter Paul Elfferich" <pp@dia.uva.nl>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #54 received at 464058@bugs.debian.org:

From: "Peter Paul Elfferich" <pp@dia.uva.nl>
To: "Chuck Hagenbuch" <chuck@horde.org>
Cc: "Gregory Colpart" <reg@evolix.fr>, 464058@bugs.debian.org
Subject: Re: Bug#464058: turba access checking issue
Date: Thu, 7 Feb 2008 18:18:25 +0100
That would perhaps be a simpler fix, but I think it will be confusing to
users.
If you really want to allow this cross-address-book adding then I'd suggest
showing warning messages detailing why a number of contacts could not be
displayed. Or, at the moment of adding an entry to a list in another address
book, create a copy of the entry in that address book and add the copy to
the list instead.

Regards,

Peter Paul

On Feb 7, 2008 6:06 PM, Chuck Hagenbuch <chuck@horde.org> wrote:

> Thanks for the detailed description. I think the simplest fix here is
> to just not remove people from the shared list. If someone in a
> contact list is not in an addressbook you're allowed to see, then I
> don't think you should see them.
>
> Does that sound reasonable?
>
> -chuck
>

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to "Peter Paul Elfferich" <pp@dia.uva.nl>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #59 received at 464058@bugs.debian.org:

From: "Peter Paul Elfferich" <pp@dia.uva.nl>
To: "Chuck Hagenbuch" <chuck@horde.org>
Cc: "Gregory Colpart" <reg@evolix.fr>, 464058@bugs.debian.org
Subject: Re: Bug#464058: turba access checking issue
Date: Thu, 7 Feb 2008 23:32:21 +0100
It's not so much the list's owner as the entry's owner, which could be
another shared address book, so that would turn into:
"This list contains X1 contacts from address book 'Y1' that you do not have
permission to view. Contact the owner (Z1) if you have questions." And so
forth for X2, Y2 and Z2 etc. Where X is the number of contacts, Y is the
name of the source address book and Z1 is the owner of the address book or
share.

Peter Paul

PS: I did another test with an interesting outcome by the way: if the
address added to a list is from a shared address book that another user can
not see/read, then it isn't shown, but it's not removed. So the silent
removal only seems to take place with addresses from private address books.

On Feb 7, 2008 6:38 PM, Chuck Hagenbuch <chuck@horde.org> wrote:

> Quoting Peter Paul Elfferich <pp@dia.uva.nl>:
>
> > That would perhaps be a simpler fix, but I think it will be confusing to
> > users.
> > If you really want to allow this cross-address-book adding then I'd
> suggest
> > showing warning messages detailing why a number of contacts could not be
> > displayed.
>
> That seems possible - "This list contains X contacts that you do not
> have permission to view. Contact the list's owner if you have
> questions." or something like that?
>
> -chuck
>

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Chuck Hagenbuch <chuck@horde.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #64 received at 464058@bugs.debian.org:

From: Chuck Hagenbuch <chuck@horde.org>
To: Peter Paul Elfferich <pp@dia.uva.nl>
Cc: Gregory Colpart <reg@evolix.fr>, 464058@bugs.debian.org
Subject: Re: Bug#464058: turba access checking issue
Date: Thu, 07 Feb 2008 22:25:47 -0500
Quoting Peter Paul Elfferich <pp@dia.uva.nl>:

> It's not so much the list's owner as the entry's owner, which could be
> another shared address book, so that would turn into:
> "This list contains X1 contacts from address book 'Y1' that you do not have
> permission to view. Contact the owner (Z1) if you have questions." And so
> forth for X2, Y2 and Z2 etc. Where X is the number of contacts, Y is the
> name of the source address book and Z1 is the owner of the address book or
> share.

New patch attached from Michael Rubinsky. That wording is a bit  
verbose and also intensive on the list code. I'd prefer to provide a  
general help link to a description of share permissions.

-chuck
[turba.diff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Chuck Hagenbuch <chuck@horde.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #69 received at 464058@bugs.debian.org:

From: Chuck Hagenbuch <chuck@horde.org>
To: Peter Paul Elfferich <pp@dia.uva.nl>
Cc: Gregory Colpart <reg@evolix.fr>, 464058@bugs.debian.org, vendor@lists.horde.org
Subject: Re: Bug#464058: turba access checking issue
Date: Mon, 11 Feb 2008 16:47:25 -0500
Hi Peter - any feedback on the latest patch? Or Gregory, any feedback  
from the debian team? I'd like to get this resolved soon.

Quoting Peter Paul Elfferich <pp@dia.uva.nl>:

> It's not so much the list's owner as the entry's owner, which could be
> another shared address book, so that would turn into:
> "This list contains X1 contacts from address book 'Y1' that you do not have
> permission to view. Contact the owner (Z1) if you have questions." And so
> forth for X2, Y2 and Z2 etc. Where X is the number of contacts, Y is the
> name of the source address book and Z1 is the owner of the address book or
> share.
>
> Peter Paul
>
> PS: I did another test with an interesting outcome by the way: if the
> address added to a list is from a shared address book that another user can
> not see/read, then it isn't shown, but it's not removed. So the silent
> removal only seems to take place with addresses from private address books.
>
> On Feb 7, 2008 6:38 PM, Chuck Hagenbuch <chuck@horde.org> wrote:
>
>> Quoting Peter Paul Elfferich <pp@dia.uva.nl>:
>>
>> > That would perhaps be a simpler fix, but I think it will be confusing to
>> > users.
>> > If you really want to allow this cross-address-book adding then I'd
>> suggest
>> > showing warning messages detailing why a number of contacts could not be
>> > displayed.
>>
>> That seems possible - "This list contains X contacts that you do not
>> have permission to view. Contact the list's owner if you have
>> questions." or something like that?
>>
>> -chuck
>>
>



-chuck




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #74 received at 464058@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: Chuck Hagenbuch <chuck@horde.org>
Cc: Peter Paul Elfferich <pp@dia.uva.nl>, 464058@bugs.debian.org, vendor@lists.horde.org
Subject: Re: Bug#464058: turba access checking issue
Date: Wed, 13 Feb 2008 03:17:19 +0100
Hi Chuck,

On Mon, Feb 11, 2008 at 04:47:25PM -0500, Chuck Hagenbuch wrote:
> Hi Peter - any feedback on the latest patch? Or Gregory, any feedback  
> from the debian team? I'd like to get this resolved soon.

I don't use use_shares anywhere, so I can't do a quick test now.
I was waiting for feedback from Peter, the original bug submitter.
If not, I will test your patch, but probably not before Thursday.

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Chuck Hagenbuch <chuck@horde.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #79 received at 464058@bugs.debian.org:

From: Chuck Hagenbuch <chuck@horde.org>
To: Gregory Colpart <reg@evolix.fr>
Cc: Peter Paul Elfferich <pp@dia.uva.nl>, 464058@bugs.debian.org, vendor@lists.horde.org
Subject: Re: Bug#464058: turba access checking issue
Date: Tue, 12 Feb 2008 22:36:07 -0500
Quoting Gregory Colpart <reg@evolix.fr>:

> I don't use use_shares anywhere, so I can't do a quick test now.
> I was waiting for feedback from Peter, the original bug submitter.
> If not, I will test your patch, but probably not before Thursday.

Okay, well, let us know.

-chuck




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to "Peter Paul Elfferich" <pp@dia.uva.nl>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #84 received at 464058@bugs.debian.org:

From: "Peter Paul Elfferich" <pp@dia.uva.nl>
To: "Chuck Hagenbuch" <chuck@horde.org>
Cc: "Gregory Colpart" <reg@evolix.fr>, 464058@bugs.debian.org, vendor@lists.horde.org
Subject: Re: Bug#464058: turba access checking issue
Date: Thu, 14 Feb 2008 17:28:46 +0100
Sorry, got a little sidetracked with other stuff.

I tested Rubinsky's patch and it seems to work fine. I'd still prefer to be
able to find who I'd have to contact to be able to see these invisible
entries though. I already know I'm going to get support requests about this
and right now the only way to find out who's responsible is for me to dive
into the database and figure it out manually.

Regards,

Peter Paul

On Wed, Feb 13, 2008 at 4:36 AM, Chuck Hagenbuch <chuck@horde.org> wrote:

> Quoting Gregory Colpart <reg@evolix.fr>:
>
> > I don't use use_shares anywhere, so I can't do a quick test now.
> > I was waiting for feedback from Peter, the original bug submitter.
> > If not, I will test your patch, but probably not before Thursday.
>
> Okay, well, let us know.
>
> -chuck
>

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Chuck Hagenbuch <chuck@horde.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #89 received at 464058@bugs.debian.org:

From: Chuck Hagenbuch <chuck@horde.org>
To: Peter Paul Elfferich <pp@dia.uva.nl>
Cc: Gregory Colpart <reg@evolix.fr>, 464058@bugs.debian.org, vendor@lists.horde.org
Subject: Re: Bug#464058: turba access checking issue
Date: Thu, 14 Feb 2008 14:32:39 -0500
Quoting Peter Paul Elfferich <pp@dia.uva.nl>:

> I tested Rubinsky's patch and it seems to work fine. I'd still prefer to be
> able to find who I'd have to contact to be able to see these invisible
> entries though. I already know I'm going to get support requests about this
> and right now the only way to find out who's responsible is for me to dive
> into the database and figure it out manually.

I agree it would be nice, but that's more in the realm of an  
enhancement than a security fix. We'll consider it for Turba 2.2, but  
I'd like to get 2.1.7 out with the fixes now.

Thanks,
-chuck




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2.

Acknowledgement sent to Chuck Hagenbuch <chuck@horde.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>.

Message #94 received at 464058@bugs.debian.org:

From: Chuck Hagenbuch <chuck@horde.org>
To: Chuck Hagenbuch <chuck@horde.org>
Cc: Peter Paul Elfferich <pp@dia.uva.nl>, 464058@bugs.debian.org, vendor@lists.horde.org
Subject: Re: [horde-vendor] Bug#464058: turba access checking issue
Date: Fri, 15 Feb 2008 00:42:56 -0500
Quoting Chuck Hagenbuch <chuck@horde.org>:

> I agree it would be nice, but that's more in the realm of an
> enhancement than a security fix. We'll consider it for Turba 2.2, but
> I'd like to get 2.1.7 out with the fixes now.

Finally, these should be the patches for the upcoming Turba 2.1.7 and  
Turba 2.2-RC3 releases. I plan to roll them tomorrow (Friday) morning,  
U.S. Eastern time. I'm also attaching a patch for HEAD for anyone who  
wants/needs it.

Thanks to Peter, and also Michael R. for the count checks.

-chuck
[turba_head.patch (text/x-patch, attachment)]
[turba_2.2.patch (text/x-patch, attachment)]
[turba_2.1.7.patch (text/x-patch, attachment)]

Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility.

Notification sent to Peter Paul Elfferich <pp@dia.uva.nl>:
Bug acknowledged by developer.

Message #99 received at 464058-close@bugs.debian.org:

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 464058-close@bugs.debian.org
Subject: Bug#464058: fixed in turba2 2.1.7-1
Date: Sun, 17 Feb 2008 11:32:07 +0000
Source: turba2
Source-Version: 2.1.7-1

We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:

turba2_2.1.7-1.diff.gz
  to pool/main/t/turba2/turba2_2.1.7-1.diff.gz
turba2_2.1.7-1.dsc
  to pool/main/t/turba2/turba2_2.1.7-1.dsc
turba2_2.1.7-1_all.deb
  to pool/main/t/turba2/turba2_2.1.7-1_all.deb
turba2_2.1.7.orig.tar.gz
  to pool/main/t/turba2/turba2_2.1.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 464058@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated turba2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 16 Feb 2008 22:12:25 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.1.7-1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 turba2     - contact management component for horde framework
Closes: 464058
Changes: 
 turba2 (2.1.7-1) unstable; urgency=high
 .
   * New upstream release.
   * This release adds restrictions to ensure you can't edit another user's
     contact in the same SQL backend table if you guess the id. (Closes:
     #464058).
   * Now use Vcs-* fields in debian/control.
   * Put the CREDITS file where the online help viewer expects it (See
     #357377).
   * Update to standards version 3.7.3, no further required changes.
   * Bump debhelper compat level to 5.
   * Add Homepage field.
Files: 
 44b6b2ced9d91a8f5d04da290b50d1df 933 web optional turba2_2.1.7-1.dsc
 9cde9a44239c852211204112f3d6edfe 1868115 web optional turba2_2.1.7.orig.tar.gz
 f6cbcffb54481db79f6176ced24a83b7 6528 web optional turba2_2.1.7-1.diff.gz
 d9448f11c1f8615a29af9222d3e17ba8 1928648 web optional turba2_2.1.7-1_all.deb


Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2. Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #104 received at 464058@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: Chuck Hagenbuch <chuck@horde.org>
Cc: 464058@bugs.debian.org, vendor@lists.horde.org, Peter Paul Elfferich <pp@dia.uva.nl>
Subject: Re: [horde-vendor] Bug#464058: turba access checking issue
Date: Mon, 18 Feb 2008 23:29:29 +0100
Hi Chuck,

On Fri, Feb 15, 2008 at 12:42:56AM -0500, Chuck Hagenbuch wrote:
> 
> Finally, these should be the patches for the upcoming Turba 2.1.7 and  
> Turba 2.2-RC3 releases. I plan to roll them tomorrow (Friday) morning,  
> U.S. Eastern time. I'm also attaching a patch for HEAD for anyone who
> wants/needs it.

Thanks a lot for your final patches. Turba 2.1.7 is already in the
Debian unstable distribution. But for Debian stable and
oldstable, I can't upload version 2.1.7: I need to backport the
security changes. Could you review my backported patches?

- Patch for Turba 2.1.4 (Debian stable):
http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1_2.1.3-1etch1.diff

- Patch for Turba 2.0.2 (Debian oldstable):
http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1_2.0.2-1sarge1.diff


Note: FYI, Debian security team requested CVE id for this security issue.

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2. Full text and rfc822 format available.

Acknowledgement sent to Chuck Hagenbuch <chuck@horde.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #109 received at 464058@bugs.debian.org (full text, mbox):

From: Chuck Hagenbuch <chuck@horde.org>
To: Gregory Colpart <reg@evolix.fr>
Cc: 464058@bugs.debian.org, vendor@lists.horde.org, Peter Paul Elfferich <pp@dia.uva.nl>
Subject: Re: [horde-vendor] Bug#464058: turba access checking issue
Date: Mon, 18 Feb 2008 18:26:38 -0500
Quoting Gregory Colpart <reg@evolix.fr>:

> Thanks a lot for your final patches. Turba 2.1.7 is already in the
> Debian unstable distribution. But for Debian stable and
> oldstable, I can't upload version 2.1.7: I need to backport the
> security changes. Could you review my backported patches?
>
> - Patch for Turba 2.1.4 (Debian stable):
> http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1_2.1.3-1etch1.diff
>
> - Patch for Turba 2.0.2 (Debian oldstable):
> http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1_2.0.2-1sarge1.diff

I don't feel qualified without a _lot_ more time to review the 2.0.x  
patch; that is very, very different from the current code.

The 2.1.4 patch seems to have a bunch of extra stuff in it - I would  
just do the changes to Group.php, sql.php, and browse.php. If you're  
also including different fixes those would have to be reviewed  
separately - those changes are a bit harder to follow.

> Note: FYI, Debian security team requested CVE id for this security issue.

We got the report from you, so unless you created one I don't think  
there is one. Or do you mean that they started the process of creating  
one from CVE?

-chuck




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2. Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #114 received at 464058@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: Chuck Hagenbuch <chuck@horde.org>
Cc: 464058@bugs.debian.org, vendor@lists.horde.org, Peter Paul Elfferich <pp@dia.uva.nl>
Subject: Re: [horde-vendor] Bug#464058: turba access checking issue
Date: Tue, 19 Feb 2008 01:34:27 +0100
Hi,

On Mon, Feb 18, 2008 at 06:26:38PM -0500, Chuck Hagenbuch wrote:

> The 2.1.4 patch seems to have a bunch of extra stuff in it - I would  
> just do the changes to Group.php, sql.php, and browse.php. If you're  
> also including different fixes those would have to be reviewed  
> separately - those changes are a bit harder to follow.

I apologize because this patch includes *two* security patches:
- [jan] SECURITY: Fix privilege escalation in Horde API => from 2.1.6
- [cjh] SECURITY: Fix unchecked access to contacts in the same
  SQL table (Bug #6208). => from 2.1.7 (patch spoken in this thread)

For 2.0.2, I include one more security patch:
- [cjh] Close several XSS vulnerabilities with address book and
  contact data. => from 2.0.5

For easy reviewing, I include comments in my patches like:
--8<--
// backport security patch from Turba 2.*.*
--8<--


> >Note: FYI, Debian security team requested CVE id for this security issue.
> 
> We got the report from you, so unless you created one I don't think  
> there is one. Or do you mean that they started the process of creating  
> one from CVE?

Yes, they started the process of creating one. We're waiting for it.


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2. Full text and rfc822 format available.

Acknowledgement sent to Chuck Hagenbuch <chuck@horde.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #119 received at 464058@bugs.debian.org (full text, mbox):

From: Chuck Hagenbuch <chuck@horde.org>
To: Gregory Colpart <reg@evolix.fr>
Cc: 464058@bugs.debian.org, vendor@lists.horde.org, Peter Paul Elfferich <pp@dia.uva.nl>
Subject: Re: [horde-vendor] Bug#464058: turba access checking issue
Date: Mon, 18 Feb 2008 21:43:36 -0500
Quoting Gregory Colpart <reg@evolix.fr>:

> I apologize because this patch includes *two* security patches:
> - [jan] SECURITY: Fix privilege escalation in Horde API => from 2.1.6
> - [cjh] SECURITY: Fix unchecked access to contacts in the same
>   SQL table (Bug #6208). => from 2.1.7 (patch spoken in this thread)

This looks fine.

-chuck




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2. Full text and rfc822 format available.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #124 received at 464058@bugs.debian.org (full text, mbox):

From: Gregory Colpart <reg@evolix.fr>
To: 464058@bugs.debian.org
Cc: Peter Paul Elfferich <pp@dia.uva.nl>, security@debian.org, team@testing-security.debian.net
Subject: Re: [horde-vendor] Bug#464058: turba access checking issue
Date: Thu, 21 Feb 2008 02:41:41 +0100
Hello,

The package turba2 has vulnerabilities (See CVE-2008-0807, bug
#464058 and changelogs of fixed sarge/etch packages).

I prepared fixed packages:

- Sarge version (source package and debdiff):
http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1sarge1.dsc
http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1_2.0.2-1sarge1.diff

- Etch version (source package and debdiff):
http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1etch1.dsc
http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1_2.1.3-1etch1.diff

Information for the advisory:

8<----------------------------------
turba2 -- several vulnerabilities

Date Reported:
    ?? Feb 2008
Affected Packages:
    turba2
Vulnerable:
    Yes
Security database references:
    In Mitre's CVE dictionary: CVE-2008-0807
More information:

It was discovered that the Turba contact management component for the Horde
framework has several vulnerabilities: it allows authenticated users to modify
address data in the same SQL table by guessing the unique key (CVE-2008-0807),
allows privilege escalation in the Horde API, and has cross-site scripting (XSS)
vulnerabilities with address book and contact data (only for the Sarge version).

For the old stable distribution (sarge) this problem has been fixed in version 2.0.2-1sarge1.

For the stable distribution (etch) this problem has been fixed in version 2.1.3-1etch1.

For the unstable distribution (sid) this problem has been fixed in version 2.1.7-1.

We recommend that you upgrade your turba2 package.
8<----------------------------------


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
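The class of bug the advisory describes, as an added example that is not Turba's or Debian's code: one SQL table holds every user's contacts, and an update keyed on object_id alone lets any authenticated user edit a row in someone else's address book once the id is guessed, while the fixed form restricts the write to books the caller may edit. Table, column and ACL names are constructed stand-ins for Turba's SQL driver and Horde share permissions.

```python
import sqlite3
from typing import Optional

# Constructed sample rows: every user's contacts live in one table, as in
# Turba's SQL driver; owner_id names the address book the row belongs to.
CONTACTS = [
    (101, "alice", "Alice's dentist"),
    (102, "bob", "Bob's landlord"),
    (103, "team-shared", "Team caterer"),
]

# Constructed stand-in for the share permissions Horde keeps per address book:
# user -> set of owner_ids (address books) that user may edit.
EDIT_ACL = {
    "alice": {"alice"},
    "bob": {"bob", "team-shared"},
    "carol": {"team-shared"},
}


def open_db() -> sqlite3.Connection:
    """Fresh in-memory table populated with the constructed contacts."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE turba_objects ("
        "object_id INTEGER PRIMARY KEY, owner_id TEXT NOT NULL, object_name TEXT)"
    )
    db.executemany("INSERT INTO turba_objects VALUES (?, ?, ?)", CONTACTS)
    return db


def contact_name(db: sqlite3.Connection, object_id: int) -> Optional[str]:
    """Read back a row so the effect of each edit path can be checked."""
    row = db.execute(
        "SELECT object_name FROM turba_objects WHERE object_id = ?", (object_id,)
    ).fetchone()
    return row[0] if row else None


def edit_contact_unchecked(db, user: str, object_id: int, new_name: str) -> bool:
    """Vulnerable pattern: the key alone selects the row, so whoever reaches the
    edit path with a valid object_id changes it, whatever book it belongs to.
    The `user` argument is accepted but never consulted."""
    cur = db.execute(
        "UPDATE turba_objects SET object_name = ? WHERE object_id = ?",
        (new_name, object_id),
    )
    return cur.rowcount == 1


def edit_contact_checked(db, user: str, object_id: int, new_name: str) -> bool:
    """Fixed pattern: the UPDATE is restricted to address books the user may
    edit, so a guessed object_id in another user's book matches no row and the
    write is refused without revealing whether that id exists."""
    books = sorted(EDIT_ACL.get(user, ()))
    if not books:
        return False
    placeholders = ",".join("?" * len(books))
    cur = db.execute(
        "UPDATE turba_objects SET object_name = ? "
        f"WHERE object_id = ? AND owner_id IN ({placeholders})",
        (new_name, object_id, *books),
    )
    return cur.rowcount == 1


if __name__ == "__main__":
    db = open_db()
    # carol may edit only the shared book, yet the unchecked path lets her
    # overwrite alice's personal contact simply by supplying its id.
    print("unchecked, foreign book:", edit_contact_unchecked(db, "carol", 101, "tampered"))
    db = open_db()
    print("checked, foreign book:", edit_contact_checked(db, "carol", 101, "tampered"))
    print("checked, own share:", edit_contact_checked(db, "carol", 103, "New caterer"))
    print(contact_name(db, 101), "|", contact_name(db, 103))
```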




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#464058; Package turba2. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #129 received at 464058@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Gregory Colpart <reg@evolix.fr>
Cc: 464058@bugs.debian.org, Peter Paul Elfferich <pp@dia.uva.nl>, security@debian.org, team@testing-security.debian.net
Subject: Re: [horde-vendor] Bug#464058: turba access checking issue
Date: Thu, 21 Feb 2008 10:35:01 +0000
On Thu Feb 21, 2008 at 02:41:41 +0100, Gregory Colpart wrote:

> The package turba2 has vulnerabilities (See CVE-2008-0807, bug
> #464058 and changelogs of fixed sarge/etch packages).

  A shining example of how to handle security updates. Thanks very
 very much for the fixed packages, and the clear writeup.

  I'll upload them today, and handle the release when they are
 done.

Steve
-- 




Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Peter Paul Elfferich <pp@dia.uva.nl>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #134 received at 464058-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 464058-close@bugs.debian.org
Subject: Bug#464058: fixed in turba2 2.0.2-1sarge1
Date: Thu, 28 Feb 2008 07:52:16 +0000
Source: turba2
Source-Version: 2.0.2-1sarge1

We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:

turba2_2.0.2-1sarge1.diff.gz
  to pool/main/t/turba2/turba2_2.0.2-1sarge1.diff.gz
turba2_2.0.2-1sarge1.dsc
  to pool/main/t/turba2/turba2_2.0.2-1sarge1.dsc
turba2_2.0.2-1sarge1_all.deb
  to pool/main/t/turba2/turba2_2.0.2-1sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 464058@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated turba2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 21 Feb 2008 02:17:37 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.0.2-1sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 turba2     - contact management component for horde framework
Closes: 464058
Changes: 
 turba2 (2.0.2-1sarge1) oldstable-security; urgency=high
 .
   * Fix unchecked access to contacts in the same SQL table, if the unique key
     of another user's contact can be guessed. See CVE-2008-0807 for more
     information. (Closes: #464058)
   * Fix privilege escalation in Horde API.
   * Close several XSS vulnerabilities with address book and contact data.
Files: 
 78ef803c5a5c3c0564ddd8b23a96da4d 626 web optional turba2_2.0.2-1sarge1.dsc
 43381a9620d08ad17758fc533e865db3 1221378 web optional turba2_2.0.2.orig.tar.gz
 8ccfd8d4f1886141a916d706217d8a73 8049 web optional turba2_2.0.2-1sarge1.diff.gz
 ee4a5791cb7b942305f9095b9b3ae697 1282950 web optional turba2_2.0.2-1sarge1_all.deb


Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Peter Paul Elfferich <pp@dia.uva.nl>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #139 received at 464058-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 464058-close@bugs.debian.org
Subject: Bug#464058: fixed in turba2 2.1.3-1etch1
Date: Sat, 12 Apr 2008 07:52:38 +0000
Source: turba2
Source-Version: 2.1.3-1etch1

We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:

turba2_2.1.3-1etch1.diff.gz
  to pool/main/t/turba2/turba2_2.1.3-1etch1.diff.gz
turba2_2.1.3-1etch1.dsc
  to pool/main/t/turba2/turba2_2.1.3-1etch1.dsc
turba2_2.1.3-1etch1_all.deb
  to pool/main/t/turba2/turba2_2.1.3-1etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 464058@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated turba2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 21 Feb 2008 02:17:51 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.1.3-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 turba2     - contact management component for horde framework
Closes: 464058
Changes: 
 turba2 (2.1.3-1etch1) stable-security; urgency=high
 .
   * Fix unchecked access to contacts in the same SQL table, if the unique key
     of another user's contact can be guessed. See CVE-2008-0807 for more
     information. (Closes: #464058)
   * Fix privilege escalation in the Horde API.
Files: 
 0aa309ef908c6ab95b62fa6fbb97d7c5 722 web optional turba2_2.1.3-1etch1.dsc
 a0407717f3f64fb33f6a57e2244a12b4 1790717 web optional turba2_2.1.3.orig.tar.gz
 fcef7709711274ebf26b99e3032f4e7e 7434 web optional turba2_2.1.3-1etch1.diff.gz
 0fb704f257a5d583196e10de104289f0 1860044 web optional turba2_2.1.3-1etch1_all.deb


Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Peter Paul Elfferich <pp@dia.uva.nl>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #144 received at 464058-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 464058-close@bugs.debian.org
Subject: Bug#464058: fixed in turba2 2.0.2-1sarge1
Date: Sat, 12 Apr 2008 17:54:59 +0000
Source: turba2
Source-Version: 2.0.2-1sarge1

We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:

turba2_2.0.2-1sarge1.diff.gz
  to pool/main/t/turba2/turba2_2.0.2-1sarge1.diff.gz
turba2_2.0.2-1sarge1.dsc
  to pool/main/t/turba2/turba2_2.0.2-1sarge1.dsc
turba2_2.0.2-1sarge1_all.deb
  to pool/main/t/turba2/turba2_2.0.2-1sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 464058@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated turba2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 21 Feb 2008 02:17:37 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.0.2-1sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 turba2     - contact management component for horde framework
Closes: 464058
Changes: 
 turba2 (2.0.2-1sarge1) oldstable-security; urgency=high
 .
   * Fix unchecked access to contacts in the same SQL table, if the unique key
     of another user's contact can be guessed. See CVE-2008-0807 for more
     information. (Closes: #464058)
   * Fix privilege escalation in Horde API.
   * Close several XSS vulnerabilities with address book and contact data.
Files: 
 78ef803c5a5c3c0564ddd8b23a96da4d 626 web optional turba2_2.0.2-1sarge1.dsc
 43381a9620d08ad17758fc533e865db3 1221378 web optional turba2_2.0.2.orig.tar.gz
 8ccfd8d4f1886141a916d706217d8a73 8049 web optional turba2_2.0.2-1sarge1.diff.gz
 ee4a5791cb7b942305f9095b9b3ae697 1282950 web optional turba2_2.0.2-1sarge1_all.deb


Reply sent to Gregory Colpart (evolix) <reg@evolix.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Peter Paul Elfferich <pp@dia.uva.nl>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #149 received at 464058-close@bugs.debian.org (full text, mbox):

From: Gregory Colpart (evolix) <reg@evolix.fr>
To: 464058-close@bugs.debian.org
Subject: Bug#464058: fixed in turba2 2.1.3-1etch1
Date: Sat, 26 Jul 2008 09:58:04 +0000
Source: turba2
Source-Version: 2.1.3-1etch1

We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:

turba2_2.1.3-1etch1.diff.gz
  to pool/main/t/turba2/turba2_2.1.3-1etch1.diff.gz
turba2_2.1.3-1etch1.dsc
  to pool/main/t/turba2/turba2_2.1.3-1etch1.dsc
turba2_2.1.3-1etch1_all.deb
  to pool/main/t/turba2/turba2_2.1.3-1etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 464058@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <reg@evolix.fr> (supplier of updated turba2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 21 Feb 2008 02:17:51 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.1.3-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart (evolix) <reg@evolix.fr>
Description: 
 turba2     - contact management component for horde framework
Closes: 464058
Changes: 
 turba2 (2.1.3-1etch1) stable-security; urgency=high
 .
   * Fix unchecked access to contacts in the same SQL table, if the unique key
     of another user's contact can be guessed. See CVE-2008-0807 for more
     information. (Closes: #464058)
   * Fix privilege escalation in the Horde API.
Files: 
 0aa309ef908c6ab95b62fa6fbb97d7c5 722 web optional turba2_2.1.3-1etch1.dsc
 a0407717f3f64fb33f6a57e2244a12b4 1790717 web optional turba2_2.1.3.orig.tar.gz
 fcef7709711274ebf26b99e3032f4e7e 7434 web optional turba2_2.1.3-1etch1.diff.gz
 0fb704f257a5d583196e10de104289f0 1860044 web optional turba2_2.1.3-1etch1_all.deb


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:32:50 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 21:35:10 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.