[Pkg-kde-extras] Bug#429209: CVE-2007-3154 information is misleading and wrong

Modestas Vainius modestas at vainius.eu
Tue Jun 26 22:32:40 UTC 2007


Hi,

CVE-2007-3154 claims that the bug exists in wz_tooltip.js before 4.01 and has 
been fixed in eGroupware 1.2.107-2 and later which can't be true since the 
latest egroupware uses wz_tooltip v3.45 (as pointed out in previous #429215 
mails). Now I'll try to guess what happened here.

Both CVE-2007-3154 & CVE-2007-3155 are certainly "derived" from eGroupware 
1.2.107-2 release notes[1]. Those release notes claim that "The problems are 
in the external library wz_tooltips (fixed by using the ___newest 
version__)". Now guess what, 1.2.107-2 was released on 2007-06-03 [2] and 
wz_tooltip.js v4.01 was released on 2007-06-02 according to the changelog 
[3]. A creator of CVE-2007-3154 read those magic "newest version" words in 
the release notes, checked wz_tooltip.js changelog and saw v4.01 released the 
day before eGroupWare 1.2.107-2. Then he concluded (without checking the 
facts first) that the bug had been fixed in v4.01 and all versions prior to that 
one are affected, which is plain wrong.

eGroupware 1.2.107-2 release notes (regarding wz_tooltip) refer to the svn 
commit 23934 [4]. You can check egroupware svn logs on 2007-05-25 and you 
will see that numerous issues found by Janosch Machowinski <scotch-AT-tzi.de> 
were fixed by Ralf Becker (including commit 23934 [4] fixing wz_tooltip.js 
problem). According to the wz_tooltip changelog [3], v3.45 was the latest on 
2007-05-25 and the author of the egroupware release notes was probably not 
aware that on 2007-06-03 a newer major release of wz_tooltip.js was 
available. 

eGroupWare svn commit 23934 upgraded wz_tooltip.js from v3.25 to v3.45 so 
apparently the security problem was fixed between >3.25 and <=3.45. ktorrent 
had wz_tooltip.js v3.44 which I now believe was not affected by this bug 
since a fix/new feature in 3.45 is probably not related. Although I 
have "fixed" #429209 by upgrading to v3.45, now I believe this change was 
redundant (but I'm not going to revert it) and the bug was a false alarm.

Florian, check if other bugs you reported about this CVE-2007-3154 are valid 
and applicable to wz_tooltip.js in those packages. You may also ask reporter 
Janosch Machowinski <scotch-AT-tzi.de> or committer Ralf Becker to clarify 
what the problem really was. I couldn't find more details on this 
vulnerability.

1. http://sourceforge.net/project/shownotes.php?release_id=513749&group_id=78745
2. http://sourceforge.net/project/showfiles.php?group_id=78745
3. http://www.walterzorn.com/tooltip/history.htm
4. http://ww.egroupware.org/viewvc?view=rev&revision=23934

-- 
Modestas Vainius <modestas at vainius.eu>