[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#956535: marked as done (buster-pu: package php-horde-data/2.1.4-5+deb10u1)

Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #956535,
regarding buster-pu: package php-horde-data/2.1.4-5+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
956535: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956535
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please find attached a proposed debdiff for php-horde-data.  The change
fixes CVE-2020-8518, which the security team has classified as <no-dsa>,
deeming it a minor issue which can be fixed via a point release.  May I
have permission to upload to stretch-proposed-updates?

- -- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEz9ERzDttUsU/BH8iLNd4Xt2nsg8FAl6TFk8ACgkQLNd4Xt2n
sg+sYg//TsXLF5Ww2+2Ubc12mXOIAOtrbjgjZaZMpgXqCV3cxnQcIygUOHkwLG2N
eT3mXO90y1qryjhK0H7jUuhdBMG9VA0FHmlhcScoecpOHU3dJekSz0tEa+ySewy3
ZP4pxVRq6TzYnk6HvtqUZ81GFJymWhN3HmGjkMlI25nmIN7udlWiMoYtqtzd3ZZA
cxskKlaLCqnowC1L2QZQdSdgqj2ZBjWtmZRxeEwalkBDsx+aeu2wUR1lg2ibwNvD
S6nR4d3ZwwmDd0RrGJemFRc0MXaAbIhpXjUT5OC35MQP7hgHqwzbtIY7CBt6s1z4
+aqLvev128e5R8bAJzgsOrWwvxJ2SeHJ5NsW5mfNDn+/1DcCu4KJmjTKzNHCGlL9
815DvmvD+l1s6Ls0E6+HvIN0GcVyOFvT7zhg2VaHcxCQxExkR05vFMxb51Bbd8zk
uTt/Xj2GBXZiURRfxibB8GP6GinB8a3V0LYHAPDVx3rjqkCi2+h0zH0Y2fsQVEJ8
tdSCiNAsFDH7H6S5I6Wd3kIRpcDsIfRowsjLaUiDTNfg/ZQxbuqnFlY623Y13cO1
QEPqCq+cqMqbnVCBA/9ZFLR3DNhobqksLQzEtGTzKrKx8q9cpxqlMehNhgBX8q5j
PUSOTm8kG1uuOziYe1d6WchObze2YxxNcV37Oq/N5gZ59hX1TCI=
=wKCR
-----END PGP SIGNATURE-----

diff -Nru php-horde-data-2.1.4/debian/changelog php-horde-data-2.1.4/debian/changelog
--- php-horde-data-2.1.4/debian/changelog	2018-05-14 18:16:00.000000000 -0400
+++ php-horde-data-2.1.4/debian/changelog	2020-04-10 19:57:00.000000000 -0400
@@ -1,3 +1,12 @@
+php-horde-data (2.1.4-5+deb10u1) buster; urgency=high
+
+  * Fix CVE-2020-8518:
+    The Horde Application Framework contained a remote code execution
+    vulnerability. An authenticated remote attacker could use this flaw to
+    cause execution of uploaded CSV data. (Closes: #951537)
+
+ -- Roberto C. Sanchez <roberto@debian.org>  Fri, 10 Apr 2020 19:57:00 -0400
+
 php-horde-data (2.1.4-5) unstable; urgency=medium
 
   * Update Standards-Version to 4.1.4, no change
diff -Nru php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
--- php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch	1969-12-31 19:00:00.000000000 -0500
+++ php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch	2020-04-10 19:57:00.000000000 -0400
@@ -0,0 +1,36 @@
+From 78ad0c2390176cdde7260a271bc6ddd86f4c9c0e Mon Sep 17 00:00:00 2001
+From: Jan Schneider <jan@horde.org>
+Date: Mon, 13 Feb 2017 18:38:59 +0100
+Subject: [PATCH] Don't use create_function().
+
+It's deprecated and unsafe and closures should be used instead.
+---
+ lib/Horde/Data/Csv.php | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
+index c2dc7dc..c0ffa63 100644
+--- a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
++++ b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
+@@ -332,7 +332,20 @@ public static function getCsv($file, array $params = array())
+ 
+         if ($row) {
+             $row = (strlen($params['quote']) && strlen($params['escape']))
+-                ? array_map(create_function('$a', 'return str_replace(\'' . str_replace('\'', '\\\'', $params['escape'] . $params['quote']) . '\', \'' . str_replace('\'', '\\\'', $params['quote']) . '\', $a);'), $row)
++                ? array_map(
++                    function ($a) use ($params) {
++                        return str_replace(
++                            str_replace(
++                                '\'',
++                                '\\\'',
++                                $params['escape'] . $params['quote']
++                            ),
++                            str_replace('\'', '\\\'', $params['quote']),
++                            $a
++                        );
++                    },
++                    $row
++                )
+                 : array_map('trim', $row);
+ 
+             if (!empty($params['length'])) {
diff -Nru php-horde-data-2.1.4/debian/patches/series php-horde-data-2.1.4/debian/patches/series
--- php-horde-data-2.1.4/debian/patches/series	1969-12-31 19:00:00.000000000 -0500
+++ php-horde-data-2.1.4/debian/patches/series	2020-04-10 19:57:00.000000000 -0400
@@ -0,0 +1 @@
+0001-CVE-2020-8518-Dont-use-create_function.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: