Bug 860833 (CVE-2014-1691.) - VUL-0: CVE-2014-1691: horde: remote command execution horde < 5.1.1
Status: RESOLVED FIXED
Alias: CVE-2014-1691.
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P3 - Medium; Severity: Major
Assignee: Ralf Lang
QA Contact: Security Team bot
Reported: 2014-01-28 15:04 UTC by Sebastian Krahmer
Modified: 2015-02-17 17:32 UTC
Description Sebastian Krahmer 2014-01-28 15:04:10 UTC
Via OSS-sec:

Date: Tue, 28 Jan 2014 10:10:19 +0000
From: Pedro Ribeiro
To: oss-security

Hi,

There is a remote code execution bug in horde affecting all versions from
at least horde 3.1.x to 5.1.1.
This has been fixed in commit
https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3
Also check changelog
https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215

Can you please assign a CVE for this issue?

Thanks in advance.

PS: while I discovered this bug independently reviewing horde3 code, the
full credit should go to the horde maintainers as they discovered and fixed
it first on horde5.

Regards
Pedro
Comment 1 Ralf Lang 2014-01-28 15:06:52 UTC
Nothing to do for 13.1 or factory. We already ship horde5 5.1.2-2.1
Comment 2 Ralf Lang 2014-01-28 15:08:14 UTC
Sorry - mixed up with the ISV repo. 

I'll forward the fixed version.
Comment 3 Swamp Workflow Management 2014-01-28 23:00:21 UTC
bugbot adjusting priority
Comment 4 Sebastian Krahmer 2014-01-29 07:21:02 UTC
Via RH:

Morning,

In Fedora there is horde and php-horde-Horde-Util:

http://koji.fedoraproject.org/koji/buildinfo?buildID=446660
http://koji.fedoraproject.org/koji/buildinfo?buildID=449705

I am not familiar with Horde or know the difference between those packages,
whether one is an older version and the other providing equivalent
functionality to version 5. The github commit in the original message is in
php-horde-Horde-Util for us.

The same vulnerability is in our horde package too, but I could not find
this (horde-3.3.13/lib/Horde/Variables.php) in github:

class Variables {

    var $_vars;
    var $_expectedVariables = array();

    function Variables($vars = array())
    {
        if (is_null($vars)) {
            $vars = Util::dispelMagicQuotes($_REQUEST);
        }
        if (isset($vars['_formvars'])) {
            // request-supplied '_formvars' is passed straight to unserialize()
            $this->_expectedVariables = @unserialize($vars['_formvars']);
            unset($vars['_formvars']);
        }
        $this->_vars = $vars;

Mailing here in case anyone else is shipping in a similar way (or if
another CVE is needed?).

Cheers,

--
Murray McAllister / Red Hat Security Response Team
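
The excerpt in Comment 4 passes the request field `_formvars` directly to `unserialize()`. The following is an added example, not Horde's code and not the content of the referenced commit, showing one way to decode such a field as JSON and validate its shape; `decodeExpectedVariables()`, `isNameTree()` and the sample inputs are hypothetical.

```php
<?php
// Added example, not Horde's code. Function names and inputs are hypothetical.

/** Accept only (nested) arrays of short strings; anything else fails. */
function isNameTree($value, int $depth = 0): bool
{
    if (is_string($value)) {
        return strlen($value) <= 128;
    }
    if (!is_array($value) || $depth > 4) {
        return false;               // objects, numbers, overly deep nesting
    }
    foreach ($value as $item) {
        if (!isNameTree($item, $depth + 1)) {
            return false;
        }
    }
    return true;
}

/**
 * Decode the client-supplied '_formvars' field without unserialize().
 * json_decode(..., true) yields only scalars and arrays, so no class is
 * instantiated and no magic method (__wakeup, __destruct) can run.
 */
function decodeExpectedVariables(array $request): array
{
    if (!isset($request['_formvars']) || !is_string($request['_formvars'])) {
        return [];
    }
    $decoded = json_decode($request['_formvars'], true, 8);
    return (is_array($decoded) && isNameTree($decoded)) ? $decoded : [];
}

// Constructed inputs: a well-formed field and a PHP-serialized object string.
$ok  = ['_formvars' => '{"login":["user","pass"]}'];
$bad = ['_formvars' => 'O:8:"stdClass":0:{}'];

var_dump(decodeExpectedVariables($ok));   // decoded array of names
var_dump(decodeExpectedVariables($bad));  // rejected: not valid JSON
```

Where the serialized wire format has to be kept, PHP 7.0 and later accept `unserialize($raw, ['allowed_classes' => false])`, which prevents class instantiation; the same shape validation still applies to the result.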
Comment 5 Sebastian Krahmer 2014-01-29 07:30:10 UTC
CVE-2014-1691
Comment 6 Ralf Lang 2014-01-29 08:22:19 UTC
We have long dropped horde3 (which is in cvs, not git) and only need to update the horde5-related package.
Comment 7 Victor Pereira 2015-02-17 17:32:21 UTC
already fixed