Bug 1059000 (CVE-2014-1691)

Summary: CVE-2014-1691 horde: unserializing certain form input leads to code execution
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: fedora, j, vkaigoro
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 16:49:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1059001, 1059003    
Bug Blocks:    

Description Murray McAllister 2014-01-28 23:57:08 UTC 
It was found that certain, user-supplied form input was unserialized by Horde. A remote attacker could use this flaw to execute arbitrary code.

It was reported[1] that this issue affects at least versions 3.1.x to 5.1.1. This issue has already been fixed in php-horde-Horde-Util for Fedora and EPEL.

[1] http://seclists.org/oss-sec/2014/q1/153

Upstream commit:

https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3

Note that this issue also affects the horde package. There, it is in the Variables class (different from the above github commit):

21 class Variables {
22 
23     var $_vars;
24     var $_expectedVariables = array();
25 
26     function Variables($vars = array())
27     {
28         if (is_null($vars)) {
29             $vars = Util::dispelMagicQuotes($_REQUEST);
30         }
31         if (isset($vars['_formvars'])) {
32             $this->_expectedVariables = @unserialize($vars['_formvars']);
33             unset($vars['_formvars']);
34         }
35         $this->_vars = $vars;
Comment 1 Murray McAllister 2014-01-28 23:58:56 UTC 
Created horde tracking bugs for this issue:

Affects: fedora-all [bug 1059001]
Affects: epel-all [bug 1059003]
Comment 2 Murray McAllister 2014-01-29 00:18:52 UTC 
I do not know the difference between php-horde-Horde-Util and horde. Mailed oss-sec in case another CVE or anything is needed:

http://www.openwall.com/lists/oss-security/2014/01/29/1
Comment 3 Remi Collet 2014-01-29 06:06:13 UTC 
FYI: "horde" is the old application (version 3) build from a single tarball (but still available in the repository)

horde is now distributed via a pear channel and split in ~100 packages.

php-pear-Horde-Util 2.3.0 (with this fix) is already in the repository (but not yet used as pear-horde-horde 5.1.5 is still under  review).
Comment 4 Murray McAllister 2014-01-29 12:01:46 UTC 
> Upstream commit:
> 
> https://github.com/horde/horde/commit/
> da6afc7e9f4e290f782eca9dbca794f772caccb3

Jan Schneider noted on the oss-security list:

Packagers, please note that applying only this patch will break all forms in Horde. The changed serialization method need to be used in the Horde_Form package too. This is happening since Horde_Form 2.0.5 and introduced with this commit:
https://github.com/horde/horde/commit/acf67ab4a633037849aca9e4a7592465b999ad93
Comment 5 Vasyl Kaigorodov 2014-06-30 13:25:22 UTC 
Public exploit has been posted to FullDisclosure mailing list: http://seclists.org/fulldisclosure/2014/Jun/164