[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#956533: marked as done (buster-pu: package php-horde-form/2.0.18-3.1+deb10u1)

Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #956533,
regarding buster-pu: package php-horde-form/2.0.18-3.1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
956533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956533
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please find attached a proposed debdiff for php-horde-form.  The change
fixes CVE-2020-8866, which the security team has classified as <no-dsa>,
deeming it a minor issue which can be fixed via a point release.  I have
prepared this update in coordination with the security team.  May I have
permission to upload to buster-proposed-updates?

- -- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEz9ERzDttUsU/BH8iLNd4Xt2nsg8FAl6TFyUACgkQLNd4Xt2n
sg+O0g/+MK8cNMqs7/njWJ7BOEz7q5M4PslbEGWEp3J03ry68NPoZxM7pWJvB+rR
e4m7s2NMWJ8CtWgaNGCJbR9i+jAUAUDYLbbjoAsEAM1EmDcqgDyeZm7L7rQk6WBW
zetL/vjiR0orkSswLUOXiwlTe/POBg6sCFM4jFtYXoiECs9k65G7gLWWafIYfkT9
AmglUyFSMAWn0ju/DC7X6fHjMCKl0TtMiZYCjmdUmqnRw3r+qR8MshKO7BLK2FAQ
oKwuZkiAMhTR593ASPMGnddWzzOubDpQlCjmM9VckOoqmLNbKtCqgNWB6knhOkOq
JOu/p1nXBGDUMCbZYxAeDPILh7FyXO8byzjftXdRplm1P27xeMKS1UkOamFqwdL0
pPfxhe9jlEQHObVgGNsYnhcvJJDtfkMXuFqE9JUX2JEhYH7fQJTxH0rDhCSo8av2
nnh27GbJLTWXlzqUX4r+9JzqRs3GT7yM8UJ5ezbYW1jNUNT6Gl5yBois0ZRnhk+H
pzQljGER2l3ol6VAhjlyVE0itvljBN1UaLU6+o3lgb/2N3wOClZSUCk0XzYt0ayy
Bg8kPaOD5wWshHnkCnjzn3j387zgnNjqp61xCWoE183XKGoeUmNj18btv9wr0qt1
Qs6Z/OgPp7usqRH/fPNCi0/aXDJlCm6gxvULEU1qBLCYQxQfE3s=
=2qMc
-----END PGP SIGNATURE-----

diff -Nru php-horde-form-2.0.18/debian/changelog php-horde-form-2.0.18/debian/changelog
--- php-horde-form-2.0.18/debian/changelog	2019-06-16 03:29:14.000000000 -0400
+++ php-horde-form-2.0.18/debian/changelog	2020-03-24 13:55:11.000000000 -0400
@@ -1,3 +1,14 @@
+php-horde-form (2.0.18-3.1+deb10u1) buster; urgency=high
+
+  * Fix CVE-2020-8866:
+    The Horde Application Framework contained a remote code execution
+    vulnerability. An authenticated remote attacker could use this flaw to
+    upload arbitrary content to an arbitrary writable location on the server
+    and potentially execute code in the context of the web server user.
+    (Closes: #955020)
+
+ -- Roberto C. Sanchez <roberto@debian.org>  Tue, 24 Mar 2020 13:55:11 -0400
+
 php-horde-form (2.0.18-3.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch
--- php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch	1969-12-31 19:00:00.000000000 -0500
+++ php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch	2020-03-24 13:55:11.000000000 -0400
@@ -0,0 +1,35 @@
+From 35d382cc3a0482c07d0c2272cac89a340922e0a6 Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky <mrubinsk@horde.org>
+Date: Sun, 1 Mar 2020 14:46:49 -0500
+Subject: [PATCH] SECURITY: Prevent ability to specify temporary filename.
+
+Origin: https://github.com/horde/Form/commit/35d382cc3a0482c07d0c2272cac89a340922e0a6
+---
+ lib/Horde/Form/Type.php | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/Horde_Form-2.0.18/lib/Horde/Form/Type.php b/Horde_Form-2.0.18/lib/Horde/Form/Type.php
+index f1e8157..e302d8d 100644
+--- a/Horde_Form-2.0.18/lib/Horde/Form/Type.php
++++ b/Horde_Form-2.0.18/lib/Horde/Form/Type.php
+@@ -1200,12 +1200,11 @@ class Horde_Form_Type_image extends Horde_Form_Type {
+             if (!empty($upload['hash'])) {
+                 $upload['img'] = $session->get('horde', 'form/' . $upload['hash']);
+                 $session->remove('horde', 'form/' . $upload['hash']);
+-            }
+-
+-            /* Get the temp file if already one uploaded, otherwise create a
+-             * new temporary file. */
+-            if (!empty($upload['img']['file'])) {
+-                $tmp_file = Horde::getTempDir() . '/' . basename($upload['img']['file']);
++                if (!empty($upload['img']['file'])) {
++                    $tmp_file = Horde::getTempDir() . '/' . basename($upload['img']['file']);
++                } else {
++                    $tmp_file = Horde::getTempFile('Horde', false);
++                }
+             } else {
+                 $tmp_file = Horde::getTempFile('Horde', false);
+             }
+-- 
+2.20.1
+
diff -Nru php-horde-form-2.0.18/debian/patches/series php-horde-form-2.0.18/debian/patches/series
--- php-horde-form-2.0.18/debian/patches/series	2019-06-16 03:23:14.000000000 -0400
+++ php-horde-form-2.0.18/debian/patches/series	2020-03-24 13:55:11.000000000 -0400
@@ -1 +1,2 @@
 0001-SECURITY-prevent-directory-traversal-vulnerability.patch
+0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: