Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

2008-02-21 Thread Steve Kemp
On Thu Feb 21, 2008 at 02:41:41 +0100, Gregory Colpart wrote:

> The package turba2 has vulnerabilities (See CVE-2008-0807, bug
> #464058 and changelogs of fixed sarge/etch packages).

  A shining example of how to handle security updates. Thanks very
 very much for the fixed packages, and the clear writeup.

  I'll upload them today, and handle the release when they are
 done.

Steve
-- 



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

2008-02-20 Thread Gregory Colpart
Hello,

The package turba2 has vulnerabilities (See CVE-2008-0807, bug
#464058 and changelogs of fixed sarge/etch packages).

I prepared fixed packages:

- Sarge version (source package and debdiff):
http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1sarge1.dsc
http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1_2.0.2-1sarge1.diff

- Etch version (source package and debdiff):
http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1etch1.dsc
http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1_2.1.3-1etch1.diff

Information for the advisory:

8<--
turba2 -- several vulnerabilities

Date Reported:
?? Feb 2008
Affected Packages:
turba2
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2008-0807
More information:

It was discovered that the Turba contact management component for the Horde
framework has several vulnerabilities: it allows authenticated users to modify
address data in the same SQL table by guessing the unique key (CVE-2008-0807),
allows privilege escalation in the Horde API, and has cross-site scripting (XSS)
vulnerabilities with address book and contact data (only for the Sarge version).

For the old stable distribution (sarge) this problem has been fixed in version
2.0.2-1sarge1.

For the stable distribution (etch) this problem has been fixed in version 
2.1.3-1etch1.

For the unstable distribution (sid) this problem has been fixed in version 
2.1.7-1.

We recommend that you upgrade your turba2 package.
8<--


Regards,
-- 
Gregory Colpart [EMAIL PROTECTED]  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/



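The advisory above describes the CVE-2008-0807 class of bug: contacts of several users share one SQL table, so a lookup keyed only on the row's unique key reaches any row whose key can be guessed. The following is an added example (not Turba's code) that models the pre-fix and post-fix `_read()` shapes in Python over an in-memory SQLite table; the table and column names are constructed for the illustration.

```python
"""Model of a shared-table contact lookup with and without an owner check.
Added example, not Turba code; turba_objects and its columns are constructed."""
import sqlite3

# Columns a caller may name. In Turba these come from the driver's field map,
# never from the request, which is why they are allow-listed before interpolation.
COLUMNS = ("object_id", "owner_id", "name", "email")

# Constructed sample data: two users' contacts living in one table.
SAMPLE_ROWS = [
    ("k-1001", "alice", "Alice's dentist", "dentist@example.test"),
    ("k-1002", "bob", "Bob's bank", "bank@example.test"),
]


def open_shared_table():
    """Return an in-memory SQLite connection holding SAMPLE_ROWS."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE turba_objects (object_id TEXT PRIMARY KEY, "
               "owner_id TEXT, name TEXT, email TEXT)")
    db.executemany("INSERT INTO turba_objects VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def _select(db, key, ids, fields, owner=None):
    """Build the lookup; ids and owner are bound parameters, never interpolated."""
    if key not in COLUMNS or any(f not in COLUMNS for f in fields):
        raise ValueError("field name not in driver map")
    if not ids:
        return []
    placeholders = ", ".join("?" * len(ids))
    sql = (f"SELECT {', '.join(fields)} FROM turba_objects "
           f"WHERE {key} IN ({placeholders})")
    params = list(ids)
    if owner is not None:  # None mirrors a driver opting out of the owner check
        sql += " AND owner_id = ?"
        params.append(owner)
    return db.execute(sql + " ORDER BY object_id", params).fetchall()


def read_unchecked(db, key, ids, fields):
    """Pre-fix shape, _read(key, ids, fields): every key the caller names is returned."""
    return _select(db, key, ids, fields)


def read_owned(db, key, ids, owner, fields):
    """Post-fix shape, _read(key, ids, owner, fields): the row must also belong to
    the calling user, so a guessed key for someone else's contact returns nothing."""
    return _select(db, key, ids, fields, owner)
```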



Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

2008-02-18 Thread Gregory Colpart
Hi Chuck,

On Fri, Feb 15, 2008 at 12:42:56AM -0500, Chuck Hagenbuch wrote:
 
> Finally, these should be the patches for the upcoming Turba 2.1.7 and
> Turba 2.2-RC3 releases. I plan to roll them tomorrow (Friday) morning,
> U.S. Eastern time. I'm also attaching a patch for HEAD for anyone who
> wants/needs it.

Thanks a lot for your final patches. Turba 2.1.7 is already in the
Debian unstable distribution. But for Debian stable and
oldstable, I can't upload version 2.1.7: I need to backport the
security changes. Could you review my backported patches?

- Patch for Turba 2.1.4 (Debian stable):
http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1_2.1.3-1etch1.diff

- Patch for Turba 2.0.2 (Debian oldstable):
http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1_2.0.2-1sarge1.diff


Note: FYI, the Debian security team requested a CVE id for this security issue.

Regards,
-- 
Gregory Colpart [EMAIL PROTECTED]  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/






Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

2008-02-18 Thread Chuck Hagenbuch

Quoting Gregory Colpart [EMAIL PROTECTED]:


> Thanks a lot for your final patches. Turba 2.1.7 is already in the
> Debian unstable distribution. But for Debian stable and
> oldstable, I can't upload version 2.1.7: I need to backport the
> security changes. Could you review my backported patches?
>
> - Patch for Turba 2.1.4 (Debian stable):
> http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1_2.1.3-1etch1.diff
>
> - Patch for Turba 2.0.2 (Debian oldstable):
> http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1_2.0.2-1sarge1.diff


I don't feel qualified without a _lot_ more time to review the 2.0.x  
patch; that is very, very different from the current code.


The 2.1.4 patch seems to have a bunch of extra stuff in it - I would  
just do the changes to Group.php, sql.php, and browse.php. If you're  
also including different fixes those would have to be reviewed  
separately - those changes are a bit harder to follow.



> Note: FYI, the Debian security team requested a CVE id for this security issue.


We got the report from you, so unless you created one I don't think  
there is one. Or do you mean that they started the process of creating  
one from CVE?


-chuck




Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

2008-02-18 Thread Gregory Colpart
Hi,

On Mon, Feb 18, 2008 at 06:26:38PM -0500, Chuck Hagenbuch wrote:

> The 2.1.4 patch seems to have a bunch of extra stuff in it - I would
> just do the changes to Group.php, sql.php, and browse.php. If you're
> also including different fixes those would have to be reviewed
> separately - those changes are a bit harder to follow.

I apologize because this patch includes *two* security patches:
- [jan] SECURITY: Fix privilege escalation in Horde API => from 2.1.6
- [cjh] SECURITY: Fix unchecked access to contacts in the same
  SQL table (Bug #6208). => from 2.1.7 (the patch spoken of in this thread)

For 2.0.2, I include one more security patch:
- [cjh] Close several XSS vulnerabilities with address book and
  contact data. => from 2.0.5

For easy reviewing, I include comments in my patches like:
--8<--
// backport security patch from Turba 2.*.*
--8<--


>> Note: FYI, the Debian security team requested a CVE id for this security issue.
 
> We got the report from you, so unless you created one I don't think
> there is one. Or do you mean that they started the process of creating
> one from CVE?

Yes, they started the process of creating one. We're waiting for it.


Regards,
-- 
Gregory Colpart [EMAIL PROTECTED]  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/






Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

2008-02-18 Thread Chuck Hagenbuch

Quoting Gregory Colpart [EMAIL PROTECTED]:


> I apologize because this patch includes *two* security patches:
> - [jan] SECURITY: Fix privilege escalation in Horde API => from 2.1.6
> - [cjh] SECURITY: Fix unchecked access to contacts in the same
>   SQL table (Bug #6208). => from 2.1.7 (the patch spoken of in this thread)


This looks fine.

-chuck






Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

2008-02-14 Thread Chuck Hagenbuch

Quoting Chuck Hagenbuch [EMAIL PROTECTED]:


> I agree it would be nice, but that's more in the realm of an
> enhancement than a security fix. We'll consider it for Turba 2.2, but
> I'd like to get 2.1.7 out with the fixes now.


Finally, these should be the patches for the upcoming Turba 2.1.7 and  
Turba 2.2-RC3 releases. I plan to roll them tomorrow (Friday) morning,  
U.S. Eastern time. I'm also attaching a patch for HEAD for anyone who
wants/needs it.


Thanks to Peter, and also Michael R. for the count checks.

-chuck
? urls
Index: docs/CHANGES
===
RCS file: /repository/turba/docs/CHANGES,v
retrieving revision 1.384
diff -u -r1.384 CHANGES
--- docs/CHANGES	10 Feb 2008 16:01:44 -	1.384
+++ docs/CHANGES	15 Feb 2008 05:56:34 -
@@ -9,6 +9,8 @@
 v2.2-cvs
 
 
+[cjh] SECURITY: Fix unchecked access to contacts in the same SQL table
+  (Bug #6208).
 [jan] Add configuration to more flexibly parse full names into the name parts.
 
 
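Review bot: the new CHANGES entry cites Bug #6208 only, while the advisory text earlier in this thread ties the same fix to CVE-2008-0807; once the id is assigned, adding it next to the bug number keeps the changelog traceable to the advisory.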
Index: lib/Driver.php
===
RCS file: /repository/turba/lib/Driver.php,v
retrieving revision 1.181
diff -u -r1.181 Driver.php
--- lib/Driver.php	11 Feb 2008 00:40:39 -	1.181
+++ lib/Driver.php	15 Feb 2008 05:56:34 -
@@ -618,9 +618,8 @@
  */
 function getObjects($objectIds)
 {
-$criteria = $this-map['__key'];
-
-$objects = $this-_read($criteria, $objectIds,
+$objects = $this-_read($this-map['__key'], $objectIds,
+$this-getContactOwner(),
 array_values($this-fields));
 if (is_a($objects, 'PEAR_Error')) {
 return $objects;
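Review bot: inserting `$this-getContactOwner()` as the third argument changes the arity of `_read()`, so any driver whose `_read()` still takes `($criteria, $id, $fields)` would receive the owner in `$fields` and the field list nowhere; the imsp.php hunk below is updated, and the sql.php driver that this thread names as part of the fix needs the matching signature change in the same patch. A short comment on what `getContactOwner()` returns for shared address books would also help, since the whole ownership check rests on that value.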
@@ -1573,22 +1572,22 @@
 }
 
 /**
- * Reads the given data from the address book and returns the result's
- * fields.
+ * Reads the given data from the address book and returns the results.
  *
- * @param array $criteria  Search criteria.
- * @param string $id   Data identifier.
- * @param array $fieldsList of fields to return.
+ * @param string $keyThe primary key field to use.
+ * @param mixed $ids The ids of the contacts to load.
+ * @param string $owner  Only return contacts owned by this user.
+ * @param array $fields  List of fields to return.
  *
- * @return  Hash containing the search results.
+ * @return array  Hash containing the search results.
  */
-function _read($criteria, $id, $fields)
+function _read($key, $ids, $owner, $fields)
 {
 return PEAR::raiseError(_(Reading contacts is not available.));
 }
 
 /**
- * Adds the specified object to the SQL database.
+ * Adds the specified contact to the SQL database.
  */
 function _add($attributes)
 {
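Review bot: the new `@param string $owner  Only return contacts owned by this user.` line does not say what a null value means, yet the imsp.php hunk passes `null`; document here whether null disables the owner filter or is an error, so that a backend implementation does not treat an empty or missing owner as "match every row".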
@@ -1596,7 +1595,7 @@
 }
 
 /**
- * Deletes the specified object from the SQL database.
+ * Deletes the specified contact from the SQL database.
  */
 function _delete($object_key, $object_id)
 {
Index: lib/Driver/imsp.php
===
RCS file: /repository/turba/lib/Driver/imsp.php,v
retrieving revision 1.61
diff -u -r1.61 imsp.php
--- lib/Driver/imsp.php	4 Jan 2008 18:53:28 -	1.61
+++ lib/Driver/imsp.php	15 Feb 2008 05:56:34 -
@@ -131,7 +131,7 @@
 }
 
 /* Now we have a list of names, get the rest. */
-$result = $this-_read('name', $names, $fields);
+$result = $this-_read('name', $names, null, $fields);
 if (is_array($result)) {
 $results = $result;
 }
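Review bot: passing `null` for `$owner` at `$this-_read('name', $names, null, $fields)` opts the IMSP driver out of the new owner check; if that is intended because IMSP address books are already scoped per login on the server, say so in a comment at the call site, otherwise this driver keeps the pre-fix behaviour.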
@@ -143,32 +143,33 @@
 
 /**
  * Reads the given data from the IMSP server and returns the
- * result's fields.
+ * results.
  *
- * @param array $criteria  (Ignored: Always 'name' for IMSP) Search criteria.
- * @param array $idArray of data identifiers.
- * @param array $fieldsList of fields to return.
+ * @param string $keyThe primary key field to use (always 'name' for IMSP).
+ * @param mixed $ids The ids of the contacts to load.
+ * @param string $owner  Only return contacts owned by this user.
+ * @param array $fields  List of fields to return.
  *
  * @return array  Hash containing the search results.
  */
-function _read($criteria, $id, $fields)
+function _read($key, $ids, $owner, $fields)
 {
 $results = array();
 if (!$this-_authenticated) {
 return $results;
 }
-$id = array_values($id);
-$idCount = count($id);
+$ids = array_values($ids);
+$idCount = count($ids);
 $members = array();
 $tmembers = array();
 $IMSPGroups = array();
 
 for ($i = 0; $i  $idCount; $i++) {
 $result = array();
-if (!isset($IMSPGroups[$id[$i]])) {
-$temp = $this-_imsp-getEntry($this-_bookName, $id[$i]);
+
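Review bot: `$owner` is added to the `_read()` signature but is not referenced anywhere in the visible part of this hunk (the loop still keys only on `$ids[$i]`); either apply the filter in the loop or state in the docblock that the parameter is accepted for interface compatibility and ignored for IMSP, the way the old docblock marked `$criteria` as "(Ignored: Always 'name' for IMSP)".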