[pkg-horde] Possible remote code execution on horde3

Luciano Bello luciano at debian.org
Thu Jan 23 12:11:24 UTC 2014


Hi Pedro (and Horde hackers),
    Thanks for the heads up! I'm forwarding your report to the Horde maintainers
asking for a patch to Debian oldstable.

Cheers, luciano
-------------- next part --------------
Forwarded message: Pedro Ribeiro <pedrib at gmail.com>: Possible remote code execution on horde3

Date: Wed, 22 Jan 2014 16:22:07 +0000
Subject: Possible remote code execution on horde3
From: Pedro Ribeiro <pedrib at gmail.com>
To: security at debian.org, security at ubuntu.com, security at horde.org

Hi,

I found a possible remote code execution on horde3 (3.1.13).
I know horde considers this to be deprecated, but it is still shipped in
Debian oldstable and Ubuntu LTS.

Please have a look at the attached report and let me know if I'm right or
if I missed something.

If you decide to fix and release an advisory, credit for the discovery to
Pedro Ribeiro (pedrib at gmail.com) from Agile Information Security is highly
appreciated.

Note that this report is not public yet and I don't intend to release it
until I hear from you.

Regards
Pedro


[Attachment: horde-3.1.13.txt (text/plain); the report's contents are not reproduced in this archive copy.]