Date: Wed, 29 Jan 2014 18:40:02 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
CC: Pedro Ribeiro <pedrib@...il.com>, Jan Schneider <jan@...de.org>,
        Salvatore Bonaccorso <carnil@...ian.org>,
        Seth Arnold <seth.arnold@...onical.com>, security@...ian.org,
        security@...ntu.com, security@...de.org
Subject: Re: Remote code execution in horde < 5.1.1

On 01/29/2014 11:10 AM, Murray McAllister wrote:
> On 01/28/2014 09:10 PM, Pedro Ribeiro wrote:
>> Hi,
>>
>> There is a remote code execution bug in horde affecting all versions from
>> at least horde 3.1.x to 5.1.1.
>> This has been fixed in commit
>> https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3
>>
>> Also check changelog
>> https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215
>>
>>
>> Can you please assign a CVE for this issue?
>>
>> Thanks in advance.
>>
>> PS: while I discovered this bug independently reviewing horde3 code, the
>> full credit should go to the horde maintainers as they discovered and
>> fixed it first on horde5.
>>
>> Regards
>> Pedro
>>
>
> Morning,
>
> In Fedora there is horde and php-horde-Horde-Util:
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=446660
> http://koji.fedoraproject.org/koji/buildinfo?buildID=449705
>
> I am not familiar with Horde, nor do I know the difference between those
> packages, or whether one is an older version and the other provides
> equivalent functionality to version 5. The github commit in the original
> message is in php-horde-Horde-Util for us.
>
> The same vulnerability is in our horde package too, but I could not find
> this (horde-3.3.13/lib/Horde/Variables.php) in github:
>
> class Variables {
>
>     var $_vars;
>     var $_expectedVariables = array();
>
>     function Variables($vars = array())
>     {
>         if (is_null($vars)) {
>             $vars = Util::dispelMagicQuotes($_REQUEST);
>         }
>         if (isset($vars['_formvars'])) {
>             $this->_expectedVariables = @unserialize($vars['_formvars']);
>             unset($vars['_formvars']);
>         }
>         $this->_vars = $vars;
>
> Mailing here in case anyone else is shipping in a similar way (or if
> another CVE is needed?).
>
> Cheers,
>
> --
> Murray McAllister / Red Hat Security Response Team

As noted by Remi Collet at [1]:

""horde" is the old application (version 3) built from a single tarball
(but still available in the repository)

horde is now distributed via a pear channel and split in ~100 packages.

php-pear-Horde-Util 2.3.0 (with this fix) is already in the repository
(but not yet used as pear-horde-horde 5.1.5 is still under review)."

Sorry for the noise!

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1059000#c3

--
Murray McAllister / Red Hat Security Response Team
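
The constructor quoted above hands the request-supplied _formvars value straight to unserialize(). The following is an added example, not Horde code and not the upstream fix, showing one way to decode such a value without instantiating any class. The helper names decodeFormvars() and containsObject() are hypothetical, the sample inputs are constructed, and PHP 7.0 or later is assumed for the allowed_classes option.

```php
<?php
// Added example, not Horde code. decodeFormvars() and containsObject() are
// hypothetical helper names; PHP 7.0+ is assumed for allowed_classes.

/** Return true if $value is, or contains at any depth, an object. */
function containsObject($value): bool
{
    // Before PHP 7.2, is_object() returned false for __PHP_Incomplete_Class,
    // so the instanceof check is needed as well.
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Decode a request-supplied _formvars value without instantiating classes.
 * Returns the decoded array, or an empty array for anything unexpected.
 */
function decodeFormvars($raw): array
{
    if (!is_string($raw) || $raw === '') {
        return [];
    }
    // allowed_classes => false maps every serialized object to
    // __PHP_Incomplete_Class, so no application class is instantiated and
    // none of its magic methods (__wakeup, __destruct) can be triggered.
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($decoded) || containsObject($decoded)) {
        return [];
    }
    return $decoded;
}

// Constructed sample inputs: a plain nested array, an array carrying an
// object, and a non-string value as a request array parameter would produce.
$plain      = serialize(['name' => ['text' => true], 'age' => ['int' => true]]);
$withObject = serialize(['name' => new stdClass()]);

var_dump(decodeFormvars($plain));
var_dump(decodeFormvars($withObject));
var_dump(decodeFormvars(['not', 'a', 'string']));
```

Where the value only ever needs to carry arrays and scalars, encoding it with json_encode() and reading it back with json_decode($raw, true) avoids the serialization format altogether.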
