Debian Bug report logs - #513265
horde3: security issues via util/barcode.php and services/portal/cloud_search.php


Package: horde3; Maintainer for horde3 is Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>;

Reported by: Gregory Colpart <reg@evolix.fr>

Date: Tue, 27 Jan 2009 18:24:04 UTC

Severity: important

Tags: patch, security

Found in versions horde3/3.2.2+debian0-1, horde3/3.1.3-4etch4

Fixed in version 3.2.2+debian0-2

Done: Gregory Colpart <reg@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#513265; Package horde3. (Tue, 27 Jan 2009 18:24:07 GMT)

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
New Bug report received and forwarded. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Tue, 27 Jan 2009 18:24:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: submit@bugs.debian.org
Subject: horde3: security issues via util/barcode.php and services/portal/cloud_search.php
Date: Tue, 27 Jan 2009 19:21:04 +0100
Package: horde3
Version: 3.2.2+debian0-1
Severity: important
Tags: patch security

Hello,

Infos from upstream:

* File Inclusion issue via util/barcode.php
The file Image.php passes an unvalidated filename to a dynamic
include statement on line 559. Allowing unvalidated user input
to control files that are included dynamically in PHP can lead to
malicious code execution. (fix is in the Horde_Image package)

* There is a small XSS/unescaped output (only exploitable by
someone who can create a contact, and requiring the victim to
have access to that contact).

Patches inline:

Index: framework/Image/Image.php
===================================================================
RCS file: /repository/framework/Image/Image.php,v
retrieving revision 1.39.10.17
diff -u -r1.39.10.17 Image.php
--- framework/Image/Image.php   6 Jun 2008 04:17:20 -0000       1.39.10.17
+++ framework/Image/Image.php   21 Jan 2009 22:09:31 -0000
@@ -551,6 +551,7 @@
             list($app, $driver) = $driver;
         }

+        $driver = basename($driver);
         $class = 'Horde_Image_' . $driver;
         if (!class_exists($class)) {
             if (!empty($app)) {
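Review bot: basename() on the added line confines the include to the driver directory, but it still lets any caller-supplied name pick a file in that directory and be concatenated into the class name on the following context line, `$class = 'Horde_Image_' . $driver;`. A stricter check, a character-set regex or an allow-list of known driver names that fails closed, would be the more defensible fix. The `$app` half of `list($app, $driver) = $driver;` is not normalised at all; if the `!empty($app)` branch uses it to build a path, it deserves the same treatment.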
Index: services/portal/cloud_search.php
===================================================================
RCS file: /repository/horde/services/portal/cloud_search.php,v
retrieving revision 1.1.2.2
diff -u -r1.1.2.2 cloud_search.php
--- services/portal/cloud_search.php    2 Jan 2008 11:32:37 -0000       1.1.2.2
+++ services/portal/cloud_search.php    21 Jan 2009 22:09:32 -0000
@@ -28,7 +28,7 @@
 $results = array_merge($results, $registry->call('news/searchTags',
                                                  array(array($tag))));
 echo '<div class="control"><strong>'
-    . sprintf(_("Results for %s"), '<span style="font-style:italic">' . $tag . '</span>')
+    . sprintf(_("Results for %s"), '<span style="font-style:italic">' . htmlspecialchars($tag) . '</span>')
     . '</strong>'
     . Horde::link('#', '', '', '', '$(\'cloudsearch\').hide();', '', '', array('style' => 'font-size:75%;'))
     . '(' . _("Hide Results") . ')</a></span></div><ul class="linedRow">';
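Review bot: htmlspecialchars($tag) on the `+` line relies on the default flags, which on PHP releases of this era do not escape single quotes and take the output charset from the ini default. Since `$tag` lands in element content inside the `<span>`, the fix is sufficient as written, but `htmlspecialchars($tag, ENT_QUOTES, 'UTF-8')` would keep it correct if the markup is later moved into an attribute. The hunk also carries no comment explaining why the escaping is there; a one-line note at the `echo` would stop a future edit from dropping it.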


Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
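The two patterns the report describes, a driver name flowing into a dynamic include and a request parameter echoed into HTML, side by side with the upstream-style fixes and a stricter allow-listed variant. This is an added example, not code from Horde or from the report; the driver directory, the driver list and the sample inputs are constructed, and the include path is returned rather than included so the script stays inert.

```php
<?php
declare(strict_types=1);

// Added example, not Horde's code. Models the report's two issues: a
// driver name reaching a dynamic include (Image.php) and a tag echoed
// into markup (cloud_search.php). Directory, driver list and sample
// inputs are constructed for the example.

/** Constructed allow-list of driver names this loader will accept. */
const ALLOWED_DRIVERS = ['gd', 'im', 'png', 'svg'];

/**
 * Vulnerable pattern from the report: the caller-controlled name is used
 * unchanged to build an include path, so directory separators or ".." in
 * it select a file outside $driverDir. Returned, not included.
 */
function driverPathUnvalidated(string $driverDir, string $driver): string
{
    return $driverDir . '/' . $driver . '.php';
}

/**
 * Upstream-style fix: basename() drops any directory component, so the
 * path can no longer leave $driverDir. It does not decide which driver
 * names are valid.
 */
function driverPathBasename(string $driverDir, string $driver): string
{
    $driver = basename($driver);
    return $driverDir . '/' . $driver . '.php';
}

/**
 * Stricter variant: identifier characters only, known names only, and a
 * fail-closed null for anything else.
 */
function driverPathAllowlisted(string $driverDir, string $driver): ?string
{
    if (preg_match('/^[A-Za-z0-9_]+$/', $driver) !== 1) {
        return null;
    }
    if (!in_array(strtolower($driver), ALLOWED_DRIVERS, true)) {
        return null;
    }
    return $driverDir . '/' . $driver . '.php';
}

/**
 * Output side: escape the tag before interpolating it into markup, with
 * ENT_QUOTES and an explicit charset so both quote styles are neutralised
 * and the encoding does not depend on the php.ini default.
 */
function resultsHeading(string $tag): string
{
    $safeTag = htmlspecialchars($tag, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="control"><strong>'
        . sprintf('Results for %s', '<span style="font-style:italic">' . $safeTag . '</span>')
        . '</strong></div>';
}

// Constructed sample inputs: an ordinary driver name, one that tries to
// leave the driver directory, and one that carries markup.
$driverDir = '/srv/horde/drivers';
$samples = ['gd', '../../other/file', '<script>alert(1)</script>'];
foreach ($samples as $input) {
    printf("input: %s\n", $input);
    printf("  unvalidated : %s\n", driverPathUnvalidated($driverDir, $input));
    printf("  basename    : %s\n", driverPathBasename($driverDir, $input));
    printf("  allow-listed: %s\n", driverPathAllowlisted($driverDir, $input) ?? '(rejected)');
}
echo resultsHeading($samples[2]), "\n";
```

Running it with `php example.php` shows the basename() path stays inside the directory for the traversal input while the allow-listed loader rejects both non-driver inputs, and the heading for the third sample contains `&lt;script&gt;` rather than a live tag. The allow-list is the design choice worth copying: basename() only fixes where the include can point, not what it may load.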




Reply sent to Gregory Colpart <reg@debian.org>:
You have taken responsibility. (Thu, 29 Jan 2009 01:57:04 GMT)

Notification sent to Gregory Colpart <reg@evolix.fr>:
Bug acknowledged by developer. (Thu, 29 Jan 2009 01:57:04 GMT)

Message #10 received at 513265-close@bugs.debian.org:

From: Gregory Colpart <reg@debian.org>
To: 513265-close@bugs.debian.org
Subject: Bug#513265: fixed in horde3 3.2.2+debian0-2
Date: Thu, 29 Jan 2009 01:47:06 +0000
Source: horde3
Source-Version: 3.2.2+debian0-2

We believe that the bug you reported is fixed in the latest version of
horde3, which is due to be installed in the Debian FTP archive:

horde3_3.2.2+debian0-2.diff.gz
  to pool/main/h/horde3/horde3_3.2.2+debian0-2.diff.gz
horde3_3.2.2+debian0-2.dsc
  to pool/main/h/horde3/horde3_3.2.2+debian0-2.dsc
horde3_3.2.2+debian0-2_all.deb
  to pool/main/h/horde3/horde3_3.2.2+debian0-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gregory Colpart <reg@debian.org> (supplier of updated horde3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 Jan 2009 01:15:51 +0100
Source: horde3
Binary: horde3
Architecture: source all
Version: 3.2.2+debian0-2
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Gregory Colpart <reg@debian.org>
Description: 
 horde3     - horde web application framework
Closes: 512592 513265
Changes: 
 horde3 (3.2.2+debian0-2) unstable; urgency=high
 .
   * Add informations in README.Debian about test.php files: these files should
     not be "allow from all", because test.php includes private informations and
     could be unsafe (for example see CVE-2008-4182).
   * Include a patch from Horde upstream to fix an IE-only hole in XSS filter
     (See CVE-2008-5917 for more information). (Closes: #512592)
   * Include patches from Horde upstream to fix a file inclusion issue in
     Horde_Image driver name (Image/Image.php) and an unescaped output in
     the tag cloud block (services/portal/cloud_search.php). (Closes: #513265)
Checksums-Sha1: 
 4b8dcdac985d32f53fc43bafe80a72a863067dbc 1360 horde3_3.2.2+debian0-2.dsc
 29b2ff3287c0d505d3f2bbb5fcd6608c73ccb755 23856 horde3_3.2.2+debian0-2.diff.gz
 861b3314df8c0887148fd6fe4d847481d9a0aae2 7215490 horde3_3.2.2+debian0-2_all.deb
Checksums-Sha256: 
 8d1ea931167d20e47faa0751d021fabe09100212b76bb8152f7ce93aed47fb78 1360 horde3_3.2.2+debian0-2.dsc
 4e55e03dd7fc884d05a8d1b6b6b4bf660a771acdeebb97e6335050a324f7b41e 23856 horde3_3.2.2+debian0-2.diff.gz
 5efce58e08ac7b1f9779a31b71b226f0b719ffbd2cf41dd51b0e9b7cb71dbe62 7215490 horde3_3.2.2+debian0-2_all.deb
Files: 
 5a63857027659277189fb113731e6116 1360 web optional horde3_3.2.2+debian0-2.dsc
 bd040798ef3629b8a95c5c57773f6191 23856 web optional horde3_3.2.2+debian0-2.diff.gz
 12698e83f292061100570685bc647d01 7215490 web optional horde3_3.2.2+debian0-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmBBwQACgkQMhdcDcECeg7yJgCfcxf3GBsOTLrPOXXgPIgXXL/H
9CUAoIc5BmR6RrbvC48wB2OWB5nKgSgH
=UB8Q
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#513265; Package horde3. (Thu, 29 Jan 2009 03:15:18 GMT)

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 29 Jan 2009 03:15:19 GMT)

Message #15 received at 513265@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: 512592@bugs.debian.org, 513265@bugs.debian.org
Subject: Debdiff for stable-security
Date: Thu, 29 Jan 2009 03:57:06 +0100
Hello,

Etch is also impacted by these bugs. Debdiff is here:
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch4_3.1.3-4etch5.diff

Regards,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Mar 2009 07:31:55 GMT)

Bug unarchived. Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Tue, 24 Mar 2009 15:36:05 GMT)

Bug marked as found in version 3.1.3-4etch4. Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Tue, 24 Mar 2009 15:36:06 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 22 Apr 2009 07:31:40 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 08:17:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.