[pkg-horde] horde problem.

Lionel Elie Mamane lionel at mamane.lu
Wed Mar 29 18:07:50 UTC 2006


On Wed, Mar 29, 2006 at 05:04:27PM +0200, Martin Schulze wrote:

> I've been told (haven't had the time to check on my own) that a very
> serious security problem in horde has been discovered.

> Are you able to provide fixed packages for woody, sarge and sid
> soon, if the version in one of these distributions is affected
> by this problem?

Update for sarge is at http://people.debian.org/horde/ . Review
recommended and appreciated. Summary of issues and changes:

 - Remote code execution in help browser (eval() of user-provided
   data). CVE to be allocated. My packages use "CVE-UNKNOWN-TODO" as a
   placeholder. (from 3.0.10)

 - Further removal of eval() calls that are not known (by Lionel) to
   be exploitable. Included under general umbrella of "cleaner more
   secure code" and "let's fix it before it is found to be
   exploitable". (from 3.0.10)

 - CVE-2006-1260: allows remote attackers to read arbitrary files via
   a null character in the url parameter in services/go.php, which
   bypasses a sanity check. (from 3.0.10)

 - CVE-2005-4190: several XSS problems in the share edit window. (from
   3.0.8)

Furthermore, these issues, being XSS vulnerabilities in applications
of the Horde suite (in their own Debian source package), have unclear
status for sarge (fixed in etch, sid); the question is whether the 1.x
versions of these programs are affected by the vulnerability or
not. (The announcements say "2.0.x and earlier", for a specific value
of x.)

 CVE-2005-4192
 CVE-2005-4191

We have issued a DSA for CVE-2005-4189, so it is possible that someone
looked at -4192 and -4191 and determined they didn't affect the 1.x
versions (and hence sarge). Can somebody confirm this?


And this one (to imp, imp3, imp4) affects woody, sarge, etch, sid (and
potato). No solution known. New upstream 4.1 doesn't seem to fix the
issue.

 CVE-2005-4080 Horde IMP 4.0.4 and earlier does not sanitize strings
 containing UTF16 null characters, which allows remote attackers to
 conduct cross-site scripting (XSS) attacks via UTF16 encoded
 attachments and strings that will be executed when viewed using
 Internet Explorer, which ignores the characters.

-- 
Lionel


