Hi,

CVE-2007-3154 claims that the bug exists in wz_tooltip.js before 4.01 and has been fixed in eGroupware 1.2.107-2 and later, which can't be true since the latest egroupware uses wz_tooltip v3.45 (as pointed out in previous #429215 mails). Now I'll try to guess what happened here.

Both CVE-2007-3154 & CVE-2007-3155 are certainly "derived" from the eGroupware 1.2.107-2 release notes [1]. Those release notes claim that "The problems are in the external library wz_tooltips (fixed by using the __newest version__)". Now guess what, 1.2.107-2 was released on 2007-06-03 [2] and wz_tooltip.js v4.01 was released on 2007-06-02 according to the changelog [3]. The creator of CVE-2007-3154 read those magic "newest version" words in the release notes, checked the wz_tooltip.js changelog and saw v4.01 released the day before eGroupWare 1.2.107-2. Then he concluded (without checking the facts first) that the bug had been fixed in v4.01 and all versions prior to that one are affected, which is plain wrong.

The eGroupware 1.2.107-2 release notes (regarding wz_tooltip) refer to svn commit 23934 [4]. You can check the egroupware svn logs on 2007-05-25 and you will see that numerous issues found by Janosch Machowinski <scotch-AT-tzi.de> were fixed by Ralf Becker (including commit 23934 [4] fixing the wz_tooltip.js problem). According to the wz_tooltip changelog [3], v3.45 was the latest on 2007-05-25, and the author of the egroupware release notes was probably not aware that on 2007-06-03 a newer major release of wz_tooltip.js was available. eGroupWare svn commit 23934 upgraded wz_tooltip.js from v3.25 to v3.45, so apparently the security problem was fixed between >3.25 and <=3.45.

ktorrent had wz_tooltip.js v3.44, which I now believe was not affected by this bug since a fix/new feature in 3.45 is probably not related. Although I have "fixed" #429209 by upgrading to v3.45, now I believe this change was redundant (but I'm not going to revert it) and the bug was a false alarm.

Florian, check if other bugs you reported about this CVE-2007-3154 are valid and applicable to wz_tooltip.js in those packages. You may also ask reporter Janosch Machowinski <scotch-AT-tzi.de> or committer Ralf Becker to clarify what the problem really was. I couldn't find more details on this vulnerability.

1. http://sourceforge.net/project/shownotes.php?release_id=513749&group_id=78745
2. http://sourceforge.net/project/showfiles.php?group_id=78745
3. http://www.walterzorn.com/tooltip/history.htm
4. http://ww.egroupware.org/viewvc?view=rev&revision=23934

--
Modestas Vainius <[EMAIL PROTECTED]>