tags 472685 +wontfix
thanks

Well... nobody cared to answer my message.
And the code isn't exposed, so we won't try and make an updated version for stable.

Best regards,

On Thursday 27 March 2008 at 13:08 +0100, Olivier Berger wrote:
> Hello.
>
> I've been trying to investigate the issue of the potentially incomplete
> fix for CVE-2007-4048, which had not been applied to the version of
> phpgroupware in stable/etch (bug #472685).
>
> It appears that that version of the phpgroupware-phpsysinfo package was
> not vulnerable (see Dave Hall's (upstream developer) message below).
> There was just a copy of the original vulnerable phpsysinfo code, but
> which wouldn't be callable in the version wrapped inside phpGroupware
> (phpsysinfo footer replaced by phpgroupware footer).
>
> Thus, the proposed patch seems not necessary if we trust Dave (note that
> it wouldn't hurt either, since that code is not executed, as I verified
> on a patched package on stable).
>
> I'm not sure it's worth issuing a security update for that package,
> then. If it were to be, then the proposed NMU is available in the
> #472685 thread.
>
> I'm requesting the security team's advice on what should be done now.
>
> I'm still concerned that
> http://security-tracker.debian.net/tracker/CVE-2007-4048 would exhibit a
> problem on stable, then.
>
> Looking forward to reading from you.
>
> Best regards,
>
> On Thursday 27 March 2008 at 12:46 +0100, Olivier Berger wrote:
> > On Wednesday 26 March 2008 at 11:40 +0100, Olivier Berger wrote:
> > >
> > > Having had a closer look at the phpsysinfo integration in phpgroupware
> > > in etch, I'm not so sure it was even a problem, since I cannot exactly
> > > understand how the vulnerable code could have been executed. It is
> > > located in the phpsysinfo footer and I only see ways to have the
> > > standard phpgroupware footer displayed... but I'm not so much aware of
> > > the XSS mechanism involved here.
> > >
> > SNIP
> > >
> > > Maybe I'll get in touch with upstream to try and get a clearer view.
> > >
> >
> > FYI, here's the response from upstream concerning this fix, which
> > indicates that apparently (as I suspected), phpGroupware wasn't
> > vulnerable.
> >
> > Now, for consistency (and better safe than sorry?), we may apply the
> > patch... but we might also as well close the bug...
> >
> > I'll need the security team's advice on what to do, I think.
> >
> > Copy of
> > http://lists.gnu.org/archive/html/phpgroupware-developers/2008-03/msg00076.html
> > below:
> >
> > -------- Forwarded message --------
> > From: Dave Hall <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Re: [phpGroupWare-developers] SECURITY - URGENT ? [Fwd: Re:
> > Bug#472685: phpgroupware-phpsysinfo: [CVE-2007-4048] XSS vulnerability,
> > still no fix provided for stable/etch ?]
> > Date: Thu, 27 Mar 2008 10:45:26 +0000
> >
> > Hi Olivier,
> >
> > I thought I would reply publicly here in addition to my email last night
> > my time.
> >
> > On Wed, 2008-03-26 at 12:21 +0100, Olivier Berger wrote:
> > > Hi.
> > >
> > > I'm trying to understand if/how the code in 0.9.16.011 was indeed
> > > vulnerable concerning the phpsysinfo XSS vulnerability...
> > >
> > > Can you please enlighten me (privately, if details are sensitive)?
> > >
> > > My impression is that the Debian package was after all not vulnerable...
> > > as the phpsysinfo footer shouldn't have been called directly, the
> > > phpsysinfo being wrapped by phpgroupware... Or I have it all wrong on
> > > how the XSS works... or the proposed patch for a fix for Debian was
> > > useless... or... I'm a bit lost ;)
> >
> > After looking into this, we weren't vulnerable in the first place - oh
> > the joys of jumping at shadows when you are under resourced.
> >
> > I looked at the old code - scary stuff. The fix proposed in
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;filename=CVE-2007-4048.patch;att=1;bug=435936
> > should be used for debian (old)stable just to be sure. The 0.9.16.012
> > release updated phpsysinfo to 2.5.4 from upstream (with some mods), to keep
> > our code in sync.
> >
> > Thanks for picking this up.
> >
> > Just so people are clear, CVE-2007-4048 was not exploitable when running
> > phpsysinfo from within phpGroupWare. In 0.9.16.012 you got an updated
> > (and more secure) version of phpsysinfo.
> >
> > > Btw, if there's a security related list, it may be worth being on board
> > > as soon as possible to be able to prepare patches and so on for the
> > > Debian package...
> >
> > There isn't such a list. What I usually try is to grab our packagers to
> > let them know what is happening in advance - by a couple of hours. I am
> > happy to try to provide security only patches on request, or give you a
> > list of svn revision/s to grab.
> >
> > Cheers
> >
> > Dave

-- 
Olivier BERGER <[EMAIL PROTECTED]> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM / TELECOM & Management SudParis (http://www.it-sudparis.eu/), Evry