Your message dated Tue, 18 Jun 2019 19:14:05 +0000
with message-id <[email protected]>
and subject line Bug#930321: fixed in php-horde-form 2.0.18-3.1
has caused the Debian Bug report #930321,
regarding php-horde-form: CVE-2019-9858
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
930321: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930321
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: php-horde-form
Version: 2.0.18-3
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for php-horde-form.
CVE-2019-9858[0]:
| Remote code execution was discovered in Horde Groupware Webmail 5.2.22
| and 5.2.17. Horde/Form/Type.php contains a vulnerable class that
| handles image upload in forms. When the Horde_Form_Type_image method
| onSubmit() is called on uploads, it invokes the functions getImage()
| and _getUpload(), which uses unsanitized user input as a path to save
| the image. The unsanitized POST parameter object[photo][img][file] is
| saved in the $upload[img][file] PHP variable, allowing an attacker to
| manipulate the $tmp_file passed to move_uploaded_file() to save the
| uploaded file. By setting the parameter to (for example)
| ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside
| the web root. The static/ destination folder is a good candidate to
| drop the backdoor because it is always writable in Horde
| installations. (The unsanitized POST parameter went probably unnoticed
| because it's never submitted by the forms, which default to securely
| using a random path.)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-9858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9858
[1] https://github.com/horde/Form/commit/c916ba979ad1613d76a9407dd0b67968a9594c0e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
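As an added illustration (not Horde's code and not the upstream commit linked above), the upload step as the CVE text describes it, beside a hardened form that never lets form data choose either argument of move_uploaded_file(); the function names, the `$formData` array and the `$uploadDir` parameter are assumptions for this example.

```php
<?php
// Added example, not Horde's code and not the upstream fix commit:
// the same upload step written unsafely and then hardened.
// Function names, $formData and $uploadDir are assumptions for this illustration.
declare(strict_types=1);

// Vulnerable pattern from the CVE text: the path handed to move_uploaded_file()
// originates in a POST field the client controls, so "../" segments walk out
// of the intended directory and the final file name is attacker chosen.
function save_form_image_unsafe(array $formData, string $uploadDir): bool
{
    $tmpFile = $uploadDir . '/' . $formData['img']['file']; // attacker-controlled
    return move_uploaded_file($_FILES['photo']['tmp_name'], $tmpFile);
}

// Hardened version. Three independent checks, any one of which would have
// blocked the traversal:
//   1. the source comes only from $_FILES and is verified with is_uploaded_file()
//   2. the destination name is generated server-side, never taken from the form
//   3. the resolved destination directory is confirmed to equal $uploadDir
function save_form_image(string $field, string $uploadDir): ?string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $src = $_FILES[$field]['tmp_name'];
    if (!is_uploaded_file($src)) {          // rejects any path PHP did not create
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Extension is fixed by the server; the client's filename is never used.
    $dest = $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.img';
    if (realpath(dirname($dest)) !== $base) { // defence in depth on the final path
        return null;
    }
    return move_uploaded_file($src, $dest) ? $dest : null;
}
```

The third check is redundant when the directory is a fixed constant as here, but it stays useful if the directory part is later assembled from configuration.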
--- Begin Message ---
Source: php-horde-form
Source-Version: 2.0.18-3.1
We believe that the bug you reported is fixed in the latest version of
php-horde-form, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated php-horde-form
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 16 Jun 2019 09:29:14 +0200
Source: php-horde-form
Architecture: source
Version: 2.0.18-3.1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 930321
Changes:
php-horde-form (2.0.18-3.1) unstable; urgency=high
.
* Non-maintainer upload.
* Prevent directory traversal vulnerability (CVE-2019-9858)
(Closes: #930321)
--- End Message ---