Bug 646659 - (CVE-2010-3690, CVE-2010-3691, CVE-2010-3692) CVE-2010-3690 CVE-2010-3691 CVE-2010-3692 phpCAS: multiple vulnerabilities fixes in 1.1.3
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
public=20100825,reported=20101007,sou...
Keywords: Security
Depends On: 620759
Reported: 2010-10-25 17:07 EDT by Vincent Danen
Modified: 2013-05-08 14:40 EDT

Doc Type: Bug Fix
Last Closed: 2013-05-08 14:40:33 EDT
Description Vincent Danen 2010-10-25 17:07:19 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3690 to
the following vulnerability:

Name: CVE-2010-3690
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3690
Assigned: 20101001
Reference: MLIST:[oss-security] 20100929 CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/09/29/6
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/2
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/5
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495542#82
Reference: CONFIRM: https://developer.jasig.org/source/changelog/jasigsvn?cs=21538
Reference: CONFIRM: https://issues.jasig.org/browse/PHPCAS-80

Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before
1.1.3, when proxy mode is enabled, allow remote attackers to inject
arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket
IOU (PGTiou) parameter to the callback function in client.php, (2)
vectors involving functions that make getCallbackURL calls, or (3)
vectors involving functions that make getURL calls.


Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3691 to
the following vulnerability:

Name: CVE-2010-3691
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3691
Assigned: 20101001
Reference: MLIST:[oss-security] 20100929 CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/09/29/6
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/2
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/5
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495542#82
Reference: CONFIRM: https://developer.jasig.org/source/changelog/jasigsvn?cs=21538
Reference: CONFIRM: https://issues.jasig.org/browse/PHPCAS-80

PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is
enabled, allows local users to overwrite arbitrary files via a symlink
attack on an unspecified file.


Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3692 to
the following vulnerability:

Name: CVE-2010-3692
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3692
Assigned: 20101001
Reference: MLIST:[oss-security] 20100929 CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/09/29/6
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/2
Reference: MLIST:[oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
Reference: URL: http://www.openwall.com/lists/oss-security/2010/10/01/5
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495542#82
Reference: CONFIRM: https://developer.jasig.org/source/changelog/jasigsvn?cs=21538
Reference: CONFIRM: https://issues.jasig.org/browse/PHPCAS-80

Directory traversal vulnerability in the callback function in
client.php in phpCAS before 1.1.3, when proxy mode is enabled, allows
remote attackers to create or overwrite arbitrary files via directory
traversal sequences in a Proxy Granting Ticket IOU (PGTiou) parameter.
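
The traversal and XSS descriptions above both involve a request-supplied PGTiou, and the symlink issue involves the file that stores the ticket. An added PHP example of handling such a value defensively follows; it is not phpCAS code and not the 1.1.3 patch, and the function names, the allowed-character pattern and the `.pgt` suffix are assumptions.

```php
<?php
// Added example, not phpCAS code. Function names, the PGTiou pattern and the
// ".pgt" suffix are assumptions made for illustration.

// Allowlist: only the characters a ticket identifier needs. '/', '\', '.',
// NUL and markup characters never reach the filesystem or the page.
function is_valid_pgt_iou(string $pgtIou): bool
{
    return preg_match('/\APGTIOU-[A-Za-z0-9-]{1,200}\z/', $pgtIou) === 1;
}

// Store a PGT under $storageDir, keyed by its PGTiou.
function store_pgt(string $storageDir, string $pgtIou, string $pgt): bool
{
    if (!is_valid_pgt_iou($pgtIou)) {
        return false;                      // malformed value or traversal sequence
    }
    $dir = realpath($storageDir);
    if ($dir === false || !is_dir($dir)) {
        return false;
    }
    $path = $dir . DIRECTORY_SEPARATOR . $pgtIou . '.pgt';

    // Mode 'x' maps to O_CREAT|O_EXCL: the open fails if the name already
    // exists, including when it is a symlink planted by another local user.
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        return false;
    }
    $ok = fwrite($fh, $pgt) === strlen($pgt);
    fclose($fh);
    return $ok;
}

// Encode any request-derived value (PGTiou, callback URL) before echoing it.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs, run against a private scratch directory.
$dir = sys_get_temp_dir() . '/pgt-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
var_dump(store_pgt($dir, 'PGTIOU-1-abcDEF123', 'PGT-constructed')); // well-formed id
var_dump(store_pgt($dir, '../../tmp/x', 'PGT-constructed'));        // traversal sequence
var_dump(store_pgt($dir, 'PGTIOU-1-abcDEF123', 'PGT-constructed')); // same id again
echo html('PGTIOU-<script>'), "\n";                                 // markup in the value
```

Keeping the storage directory owned by the web user with mode 0700, rather than a shared temporary directory, removes the local-user symlink vector at the directory level as well.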
Comment 3 Vincent Danen 2010-10-25 17:18:26 EDT
Created glpi tracking bugs for this issue

Affects: fedora-all [bug 620759]
Comment 4 Vincent Danen 2010-10-25 17:18:29 EDT
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 646661]
Comment 5 Gwyn Ciesla 2010-10-26 10:33:49 EDT
I don't think this affects moodle in Fedora currently, since as of 1.9.9-2, we use system phpCAS.
Comment 6 Vincent Danen 2010-10-26 11:30:40 EDT
(In reply to comment #5)
> I don't think this affects moodle in Fedora currently, since as of 1.9.9-2, we
> use system phpCAS.

You're right, I see that in the spec now.  I'll fix the tracking bug then.  Thank you.  For reference:


#use system php-pear-CAS
rm -rf $RPM_BUILD_ROOT/var/www/moodle/web/auth/cas
ln -s /usr/share/pear/ $RPM_BUILD_ROOT/var/www/moodle/web/auth/cas

...

* Thu Aug 19 2010 Jon Ciesla <limb@jcomserv.net> - 1.9.9-2
- Switch to system php-pear-CAS, BZ 577467, 620772.
Comment 7 Remi Collet 2010-10-27 01:21:18 EDT
GLPI has also used system phpCAS for a while (php-pear-CAS-1.1.3 is available in the repositories).

Except in EPEL-4, but I think I'm going to remove this outdated version (not maintained, and which can't be updated because of php 5 dep.)

From spec:
> # Use system lib
> rm -rf lib/phpcas
Comment 8 Vincent Danen 2010-10-27 17:23:22 EDT
(In reply to comment #7)
> GLPI has also used system phpCAS for a while (php-pear-CAS-1.1.3 is available
> in the repositories).
> 
> Except in EPEL-4, but I think I'm going to remove this outdated version (not
> maintained, and which can't be updated because of php 5 dep.)

And Fedora 12.  This change was made in Fedora 13.  0.72.4-2.svn11035.fc12 still has an embedded phpCAS.  In fact, the last changelog entry on that one:

* Mon Mar 22 2010 Remi Collet <> - 0.72.4-2.svn11035
- update embedded phpCAS to 1.1.0RC7 (security fix - #575906)
Comment 9 Remi Collet 2010-10-28 03:53:19 EDT
I must apologize... I thought I had pushed this update to all branches :(

glpi-0.72.4-3.svn11497 is now in f12 and f13 (updates pending)
glpi-0.71 has been retired from el4 (ticket pending)
Comment 10 Vincent Danen 2010-10-28 13:58:29 EDT
Fantastic.  Thank you, Remi.
