Your message dated Sat, 12 Apr 2008 07:52:38 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#464058: fixed in turba2 2.1.3-1etch1
has caused the Debian Bug report #464058,
regarding turba2: Access rights not checked properly
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
464058: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: turba2
Version: 2.1.3-1
Severity: normal
Access rights do not seem to be checked properly before allowing a user
to edit address data as illustrated in the following example:
A user adds an address from his or her personal addressbook to a contact
list in a shared address book. Now anybody who has write access to the
shared address book can also edit this person's address data in the
user's personal addressbook.
In fact, after manually entering an object_id (which I looked up in the
database) from somebody else's address book I found I could edit this
data as well.
So it seems that when edit.php is passed an object_id, the owner_id and
the requesting user's access rights to the addressbook that the owner_id
refers to aren't checked. Apparently knowing the object_id is enough to
be able to edit any address! I guess this is left over from the time
address books couldn't be shared yet, based on the assumption that
people wouldn't be able to guess the pseudo random 32 character ids.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
--- End Message ---
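The authorization gap the report describes, as an added example that is not Turba or Horde code: a small model in which a contact belongs to exactly one address book, and edit.php-style access is decided either by the object_id alone (the reported behaviour) or by the requester's permission on the book that actually holds the contact. The book, user and object_id names are constructed sample data.

```python
# Added example modelling Debian bug #464058; not code from Turba/Horde.
# A contact lives in one address book. A requester may edit it only when
# they hold "edit" on THAT book, regardless of which shared contact list
# references it or whether they know (or guessed) its object_id.
from dataclasses import dataclass, field


@dataclass
class AddressBook:
    owner: str
    # user -> permissions the owner granted on this book (constructed model)
    shares: dict = field(default_factory=dict)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.shares.get(user, set())


# Constructed sample data: alice's personal book and a team book she
# shares with bob, who has write access to the shared book only.
BOOKS = {
    "alice_personal": AddressBook(owner="alice"),
    "team_shared": AddressBook(owner="alice", shares={"bob": {"read", "edit"}}),
}
OID_CAROL = "constructed-object-id-carol"   # stored in alice_personal
OID_DAVE = "constructed-object-id-dave"     # stored in team_shared
# object_id -> (address book holding the contact, contact data)
CONTACTS = {
    OID_CAROL: ("alice_personal", {"name": "Carol"}),
    OID_DAVE: ("team_shared", {"name": "Dave"}),
}
# A contact list in the shared book references the personal contact by id,
# which is how bob learns OID_CAROL in the reported scenario.
CONTACT_LISTS = {"team_shared": {"everyone": [OID_CAROL, OID_DAVE]}}


def vulnerable_can_edit(user: str, object_id: str) -> bool:
    """Reported behaviour: a known object_id is treated as sufficient."""
    return object_id in CONTACTS


def fixed_can_edit(user: str, object_id: str) -> bool:
    """Resolve the contact's owning book, then check the requester on it."""
    entry = CONTACTS.get(object_id)
    if entry is None:
        return False  # unknown id: deny without revealing anything
    book_name, _data = entry
    return BOOKS[book_name].allows(user, "edit")
```

The test of the fix is that bob, who legitimately edits the shared book, still cannot edit Carol's entry in alice's personal book even though the shared list handed him its object_id.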
--- Begin Message ---
Source: turba2
Source-Version: 2.1.3-1etch1
We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:
turba2_2.1.3-1etch1.diff.gz
to pool/main/t/turba2/turba2_2.1.3-1etch1.diff.gz
turba2_2.1.3-1etch1.dsc
to pool/main/t/turba2/turba2_2.1.3-1etch1.dsc
turba2_2.1.3-1etch1_all.deb
to pool/main/t/turba2/turba2_2.1.3-1etch1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <[EMAIL PROTECTED]> (supplier of updated turba2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Thu, 21 Feb 2008 02:17:51 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.1.3-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Horde Maintainers <[EMAIL PROTECTED]>
Changed-By: Gregory Colpart (evolix) <[EMAIL PROTECTED]>
Description:
turba2 - contact management component for horde framework
Closes: 464058
Changes:
turba2 (2.1.3-1etch1) stable-security; urgency=high
.
* Fix unchecked access to contacts in the same SQL table, if the unique key
of another user's contact can be guessed. See CVE-2008-0807 for more
information. (Closes: #464058)
* Fix privilege escalation in the Horde API.
Files:
0aa309ef908c6ab95b62fa6fbb97d7c5 722 web optional turba2_2.1.3-1etch1.dsc
a0407717f3f64fb33f6a57e2244a12b4 1790717 web optional turba2_2.1.3.orig.tar.gz
fcef7709711274ebf26b99e3032f4e7e 7434 web optional turba2_2.1.3-1etch1.diff.gz
0fb704f257a5d583196e10de104289f0 1860044 web optional turba2_2.1.3-1etch1_all.deb
--- End Message ---