[Pkg-kde-extras] Bug#429209: CVE-2007-3154 information is misleading and wrong
Modestas Vainius
modestas at vainius.eu
Tue Jun 26 22:32:40 UTC 2007
Hi,
CVE-2007-3154 claims that the bug exists in wz_tooltip.js before 4.01 and has
been fixed in eGroupware 1.2.107-2 and later which can't be true since the
latest egroupware uses wz_tooltip v3.45 (as pointed out in previous #429215
mails). Now I'll try to guess what happened here.
Both CVE-2007-3154 & CVE-2007-3155 are certainly "derived" from eGroupware
1.2.107-2 release notes[1]. Those release notes claim that "The problems are
in the external library wz_tooltips (fixed by using the ___newest
version__)". Now guess what, 1.2.107-2 was released on 2007-06-03 [2] and
wz_tooltip.js v4.01 was released on 2007-06-02 according to the changelog
[3]. A creator of CVE-2007-3154 read those magic "newest version" words in
the release notes, checked wz_tooltip.js changelog and saw v4.01 released the
day before eGroupWare 1.2.107-2. Then he concluded (without checking the
facts first) that the bug had been fixed in v4.01 and all versions prior to that
one are affected, which is plain wrong.
eGroupware 1.2.107-2 release notes (regarding wz_tooltip) refer to the svn
commit 23934 [4]. You can check egroupware svn logs on 2007-05-25 and you
will see that numerous issues found by Janosch Machowinski <scotch-AT-tzi.de>
were fixed by Ralf Becker (including commit 23934 [4] fixing wz_tooltip.js
problem). According to the wz_tooltip changelog [3], v3.45 was the latest on
2007-05-25 and the author of the egroupware release notes was probably not
aware that on 2007-06-03 a newer major release of wz_tooltip.js was
available.
eGroupWare svn commit 23934 upgraded wz_tooltip.js from v3.25 to v3.45 so
apparently the security problem was fixed between >3.25 and <=3.45. ktorrent
had wz_tooltip.js v3.44 which I now believe was not affected by this bug
since a fix/new feature in 3.45 is probably not related. Although I
have "fixed" #429209 by upgrading to v3.45, now I believe this change was
redundant (but I'm not going to revert it) and the bug was a false alarm.
Florian, check if other bugs you reported about this CVE-2007-3154 are valid
and applicable to wz_tooltip.js in those packages. You may also ask reporter
Janosch Machowinski <scotch-AT-tzi.de> or committer Ralf Becker to clarify
what the problem really was. I couldn't find more details on this
vulnerability.
1. http://sourceforge.net/project/shownotes.php?release_id=513749&group_id=78745
2. http://sourceforge.net/project/showfiles.php?group_id=78745
3. http://www.walterzorn.com/tooltip/history.htm
4. http://ww.egroupware.org/viewvc?view=rev&revision=23934
--
Modestas Vainius <modestas at vainius.eu>