Bug 6603 - horde, horde-imp, horde-dimp new security issues CVE-2012-0791 and CVE-2012-0909
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal
Severity: normal
Assigned To: QA Team
Whiteboard: MGA1-32-OK MGA1-64-OK
Keywords: validated_update
 
Reported: 2012-06-28 02:08 CEST by David Walser
Modified: 2012-08-26 22:56 CEST

Source RPM: horde-imp-4.3.7-1.mga1.src.rpm

Attachments
Errors displayed when access https://127.0.0.1/horde/ (2.02 KB, text/plain)
2012-08-14 00:46 CEST, Dave Hodgins
urpmi --debug log (10.28 KB, text/plain)
2012-08-22 01:46 CEST, Dave Hodgins

Description David Walser 2012-06-28 02:08:57 CEST
Debian has issued an advisory on June 3:
http://www.debian.org/security/2012/dsa-2485

The referenced Debian bug has a patch for horde-imp 4.3.7, which we have.

horde-imp is not packaged for Mageia 2 or Cauldron, so they are not affected.
Comment 1 David Walser 2012-07-10 20:17:39 CEST
Patched package uploaded.

Advisory:
========================

Updated horde-imp package fixes security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities were discovered in
IMP, the webmail component in the Horde framework. The vulnerabilities
allow remote attackers to inject arbitrary web script or HTML via
various crafted parameters (CVE-2012-0791).

Please note that this package is no longer available in Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0791
http://www.debian.org/security/2012/dsa-2485
========================

Updated packages in core/updates_testing:
========================
horde-imp-4.3.7-1.1.mga1

from horde-imp-4.3.7-1.1.mga1.src.rpm
Comment 2 Dave Hodgins 2012-07-24 03:57:31 CEST
I'm not sure how to test this one.

If I go to https://127.0.0.1/horde/imp
I get the login screen.  I have dovecot installed and a working imap
account, but the login is rejected with username or password incorrect.

I don't see anything in the log files.

How do I get horde-imp to pass the login to dovecot, or am I misunderstanding
how it should work?
Comment 3 Dave Hodgins 2012-07-24 04:20:10 CEST
Ignore comment 2.

Figured out I have to edit /etc/horde/imp/servers.php

However, after editing that file, when I log in, it takes me to
http://127.0.0.1/horde/imp/redirect.php
which is a blank page.  If I then replace the address in the url with
http://127.0.0.1/horde/imp/

I then find I am logged in, and can see the messages in the inbox.
Comment 4 Samuel Verschelde 2012-07-28 17:08:43 CEST
Dave, does comment #3 mean that it's ok on your i586 box and that we can follow the same steps on x86_64, or is testing still in progress for this one?
Comment 5 Dave Hodgins 2012-07-31 19:14:19 CEST
Testing is still in progress. I have to go back to the release version to see
if the problem I encountered in comment 3 is a regression or not.
Comment 6 Dave Hodgins 2012-08-06 01:05:10 CEST
Testing Mageia 1 x86-64 now.  This time, I'm starting with the Core Release
version, and will sort out the configuration to get that working, before I
install the update.
Comment 7 Dave Hodgins 2012-08-06 02:56:48 CEST
According to /usr/share/doc/horde/README.mdv, I should be able to
configure horde, and then horde-imp using its web interface.

I have created the mysql database/user as per
/usr/share/horde/scripts/SCRIPTS and run the set_perms.sh script,
but I'm getting 403 access denied when I try going to
https://127.0.0.1/horde

The ssl_error_log shows
client denied by server configuration: /usr/share/horde

Any suggestions?
Comment 8 David Walser 2012-08-08 22:09:20 CEST
I've just discovered that OpenSuSE issued an advisory for this on February 20:
http://lists.opensuse.org/opensuse-updates/2012-02/msg00055.html

They also updated the horde-dimp package, which we also have.  It looks like they just updated it rather than patching.  Thomas, maybe you can have a look?
Comment 9 David Walser 2012-08-08 22:10:14 CEST
OpenSuSE also issued an advisory for horde itself on February 20:
http://lists.opensuse.org/opensuse-updates/2012-02/msg00054.html

They fixed that by upgrading it to 3.3.13.
Comment 10 Thomas Spuhler 2012-08-09 04:56:44 CEST
Let's do the same, update to 3.3.13.
I will work on this soon.
Comment 11 Thomas Spuhler 2012-08-10 06:41:42 CEST
horde-3.3.13 
horde-dimp-1.1.8
horde-imp-4.3.11
are in upgrade testing. I have no set-up to do the test.
Comment 12 David Walser 2012-08-10 14:27:22 CEST
Thanks Thomas!

Full package names (RPMs and SRPMs) are:
horde-3.3.13-1.mga1
horde-imp-4.3.11-1.1.mga1
horde-dimp-1.1.8-1.mga1

Advisory:
========================

Updated horde, horde-imp, horde-dimp packages fix security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities were discovered in
IMP, the webmail component in the Horde framework. The vulnerabilities
allow remote attackers to inject arbitrary web script or HTML via
various crafted parameters (CVE-2012-0791).

Cross-site scripting (XSS) vulnerability in Horde_Form in Horde
Groupware Webmail Edition before 4.0.6 allows remote attackers to
inject arbitrary web script or HTML via unspecified vectors, related
to email verification (CVE-2012-0909).

Please note that these packages are no longer available in Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0909
http://lists.opensuse.org/opensuse-updates/2012-02/msg00054.html
http://lists.opensuse.org/opensuse-updates/2012-02/msg00055.html
http://www.debian.org/security/2012/dsa-2485
Comment 13 Samuel Verschelde 2012-08-13 12:58:06 CEST
Thomas, any suggestion for comment #7?
Comment 14 Dave Hodgins 2012-08-14 00:46:28 CEST
Created attachment 2642
Errors displayed when access https://127.0.0.1/horde/

I've managed to get a bit farther by replacing /etc/php.ini with
/usr/share/doc/php-doc/php.ini-development
and changing all directories defined in
/etc/httpd/conf/webapps.d/horde.conf to Allow from all.

The attached file shows the errors now being displayed.

php-pear-PHPUnit-3.3.17-3.mga1 is installed.
Comment 15 David Walser 2012-08-14 23:38:37 CEST
I discovered two more CVEs that will be fixed by this horde update.

Debian has issued an advisory on July 16, 2011:
http://www.debian.org/security/2011/dsa-2278

This fixes the following issues that were fixed upstream in 3.3.9.

Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the
Horde Application Framework before 3.3.9 allows remote attackers to inject
arbitrary web script or HTML via the subdir parameter (CVE-2010-3077).

Cross-site request forgery (CSRF) vulnerability in the Horde Application
Framework before 3.3.9 allows remote attackers to hijack the authentication
of unspecified victims for requests to a preference form (CVE-2010-3694).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3694
http://www.debian.org/security/2011/dsa-2278

from http://lwn.net/Vulnerabilities/413565/

I'll update the advisory once the other issues are sorted out.
Comment 16 David Walser 2012-08-16 19:47:32 CEST
Found another CVE that will be fixed by this horde-imp update.

Debian has issued an advisory on March 27, 2011:
http://www.debian.org/security/2011/dsa-2204

This fixes the following issue that was fixed upstream in 4.3.8.

Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde
IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows
remote attackers to inject arbitrary web script or HTML via the
fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail
configuration (CVE-2010-3695).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3695
http://www.debian.org/security/2011/dsa-2204

from http://lwn.net/Vulnerabilities/435711/
Comment 17 Dave Hodgins 2012-08-22 01:46:36 CEST
Created attachment 2665
urpmi --debug log

Sorry for the delay getting back to this.  I misread the latest comments and
thought there was a new update in progress.

Trying to install the latest version fails, as there are new requires, one
of which is not satisfied (/usr/bin/php), though I don't understand why
the php-cli package doesn't satisfy it.
Comment 18 David Walser 2012-08-22 02:57:40 CEST
(In reply to comment #17)
> Trying to install the latest version fails, as there are new requires, one
> of which is not satisfied (/usr/bin/php), though I don't understand why
> the php-cli package doesn't satisfy it.

That's a strange issue that's affected other things too, but I don't consider it to be a package issue.  Let's not block an update just for that.

What other issues are there?  Is Comment 7 still relevant?
Comment 19 Thomas Spuhler 2012-08-23 05:32:34 CEST
To comment 7: I don't know why, but you need to change 
/etc/httpd/conf/webapps.d/horde.conf    
<Allow from localhost> 
to     
<Allow from 127.0.0.1> and it will work.
I could change this and submit a horde update. But so far nobody else has submitted a bug, so I am not sure about the merit of doing it.
This is not a regression.
Comment 20 Dave Hodgins 2012-08-26 07:36:03 CEST
Testing complete on Mageia 1 i586 for the srpms
horde-3.3.13-1.mga1.src.rpm
horde-imp-4.3.11-1.1.mga1.src.rpm
horde-dimp-1.1.8-1.mga1.src.rpm

In addition to editing /etc/httpd/conf/webapps.d/horde.conf,
to get it to work, I had to create the following symlinks ...
/etc/horde/lib -> /usr/share/horde/gollem/lib/
/usr/share/horde/lib/PEAR.php -> /usr/share/pear/PEAR.php
/usr/share/horde/lib/Gollem.php -> /usr/share/horde/gollem/lib/Gollem.php
/usr/share/horde/lib/Log.php -> Horde/Log.php

There are probably other/better ways to get it to work, such as changing
the search paths in the config files, but this worked for me.

Then using http://127.0.0.1/horde/admin/setup, I was able to get things
set up, to the point dovecot log shows a successful login, even though I'm
still getting a login error from horde.

While it's still not working properly for me, I think it's a configuration 
problem only.
Comment 21 Dave Hodgins 2012-08-26 09:04:46 CEST
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpms
horde-3.3.13-1.mga1.src.rpm
horde-imp-4.3.11-1.1.mga1.src.rpm
horde-dimp-1.1.8-1.mga1.src.rpm
from Mageia 1 Core Updates testing to Core Updates and link
the following packages from Core Updates to Core Release
php-pear-Auth_SASL-1.0.4-2.mga1 (Core 32bit Release (distrib31))
php-pear-Auth_SASL-1.0.4-2.mga1 (Core Release (distrib1))
php-pear-Benchmark-1.2.8-1.mga1 (Core 32bit Release (distrib31))
php-pear-Benchmark-1.2.8-1.mga1 (Core Release (distrib1))

Advisory: Updated horde, horde-imp, horde-dimp packages fix security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities were discovered in
IMP, the webmail component in the Horde framework. The vulnerabilities
allow remote attackers to inject arbitrary web script or HTML via
various crafted parameters (CVE-2012-0791).

Cross-site scripting (XSS) vulnerability in Horde_Form in Horde
Groupware Webmail Edition before 4.0.6 allows remote attackers to
inject arbitrary web script or HTML via unspecified vectors, related
to email verification (CVE-2012-0909).

Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the
Horde Application Framework before 3.3.9 allows remote attackers to inject
arbitrary web script or HTML via the subdir parameter (CVE-2010-3077).

Cross-site request forgery (CSRF) vulnerability in the Horde Application
Framework before 3.3.9 allows remote attackers to hijack the authentication
of unspecified victims for requests to a preference form (CVE-2010-3694).

Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde
IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows
remote attackers to inject arbitrary web script or HTML via the
fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail
configuration (CVE-2010-3695).

Please note that these packages are no longer available in Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0909
http://lists.opensuse.org/opensuse-updates/2012-02/msg00054.html
http://lists.opensuse.org/opensuse-updates/2012-02/msg00055.html
http://www.debian.org/security/2012/dsa-2485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3694
http://www.debian.org/security/2011/dsa-2278
http://lwn.net/Vulnerabilities/413565/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3695
http://www.debian.org/security/2011/dsa-2204
http://lwn.net/Vulnerabilities/435711/

https://bugs.mageia.org/show_bug.cgi?id=6603
Comment 22 Thomas Backlund 2012-08-26 22:56:50 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0239
