Hi,
I've prepared an upload to fix the following:
php-horde-image (2.3.6-1+deb9u1) stretch-security; urgency=high
* CVE-2017-9773: Prevent a denial of service attack by ensuring an infinite
loop cannot be triggered by a malicious request. (Closes: #865504)
* CVE-2017-9774: Prevent a remote code execution vulnerability (RCE) that was
exploitable by a logged-in user sending a maliciously crafted HTTP GET
request to the image backends. Note that the fix applied upstream has a
regression in that it ignores the "force aspect ratio" option; see
<https://github.com/horde/Image/pull/1>. This has been remedied in this
fix. (Closes: #865505)
* CVE-2017-14650: Prevent another RCE that was exploitable by a logged-in
user sending a maliciously crafted GET request specifically to the "im"
image backend. (Closes: #876400)
The full debdiff is attached. Please let me know if it is okay to upload.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
diffstat for php-horde-image-2.3.6 php-horde-image-2.3.6
changelog | 16 +++++++
patches/CVE-2017-14650.patch | 13 ++++++
patches/CVE-2017-9773.patch | 13 ++++++
patches/CVE-2017-9774.patch | 91 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 3 +
5 files changed, 136 insertions(+)
diff -Nru php-horde-image-2.3.6/debian/changelog
php-horde-image-2.3.6/debian/changelog
--- php-horde-image-2.3.6/debian/changelog 2016-09-09 13:58:40.000000000
+0100
+++ php-horde-image-2.3.6/debian/changelog 2018-06-23 11:09:57.000000000
+0100
@@ -1,3 +1,19 @@
+php-horde-image (2.3.6-1+deb9u1) stretch-security; urgency=high
+
+ * CVE-2017-9773: Prevent a denial of service attack by ensuring an infinite
+ loop cannot be triggered by a malicious request. (Closes: #865504)
+ * CVE-2017-9774: Prevent a remote code execution vulnerability (RCE) that was
+ exploitable by a logged-in user sending a maliciously crafted HTTP GET
+ request to the image backends. Note that the fix applied upstream has a
+ regression in that it ignores the "force aspect ratio" option; see
+ <https://github.com/horde/Image/pull/1>. This has been remedied in this
+ fix. (Closes: #865505)
+ * CVE-2017-14650: Prevent another RCE that was exploitable by a logged-in
+ user sending a maliciously crafted GET request specifically to the "im"
+ image backend. (Closes: #876400)
+
+ -- Chris Lamb <[email protected]> Sat, 23 Jun 2018 11:09:57 +0100
+
php-horde-image (2.3.6-1) unstable; urgency=medium
* New upstream version 2.3.6
diff -Nru php-horde-image-2.3.6/debian/patches/CVE-2017-14650.patch
php-horde-image-2.3.6/debian/patches/CVE-2017-14650.patch
--- php-horde-image-2.3.6/debian/patches/CVE-2017-14650.patch 1970-01-01
01:00:00.000000000 +0100
+++ php-horde-image-2.3.6/debian/patches/CVE-2017-14650.patch 2018-06-23
11:09:57.000000000 +0100
@@ -0,0 +1,13 @@
+Source:
https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b
+
+--- php-horde-image-2.3.6.orig/Horde_Image-2.3.6/lib/Horde/Image/Im.php
++++ php-horde-image-2.3.6/Horde_Image-2.3.6/lib/Horde/Image/Im.php
+@@ -185,7 +185,7 @@ class Horde_Image_Im extends Horde_Image
+ $tmpin = $this->toFile($this->_data);
+ $tmpout = Horde_Util::getTempFile('img', false, $this->_tmpdir);
+ $command = $this->_convert . ' ' . implode(' ', $this->_operations)
+- . ' "' . $tmpin . '"\'[' . $index . ']\' '
++ . ' "' . $tmpin . '"\'[' . (integer)$index . ']\' '
+ . implode(' ', $this->_postSrcOperations)
+ . ' -strip ' . $this->_type . ':"' . $tmpout . '" 2>&1';
+ $this->_logDebug(sprintf("convert command executed by
Horde_Image_im::raw(): %s", $command));
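Review bot: The `(integer)` cast only covers `$index`; the same command line in `raw()` still concatenates `$tmpin` and `$this->_type` into the shell string without escaping. `$tmpin` comes from `toFile()` and is presumably a temp path rather than caller input, but `$this->_type` appears to be set from `$params['type']` in Base.php, outside this hunk, and nothing visible here constrains it; the same unescaped `%s` for `$this->_type` appears in the `-size` command of CVE-2017-9774.patch. If `_type` is not already restricted to a fixed list of extensions in Base.php, it should be validated there or passed through `escapeshellarg()` at both sites. `raw()` starts and ends outside the hunk.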
diff -Nru php-horde-image-2.3.6/debian/patches/CVE-2017-9773.patch
php-horde-image-2.3.6/debian/patches/CVE-2017-9773.patch
--- php-horde-image-2.3.6/debian/patches/CVE-2017-9773.patch 1970-01-01
01:00:00.000000000 +0100
+++ php-horde-image-2.3.6/debian/patches/CVE-2017-9773.patch 2018-06-23
11:09:57.000000000 +0100
@@ -0,0 +1,13 @@
+Source:
https://github.com/horde/horde/commit/2b8a6fe1a5fc0fc662178145f853c65956985538
+
+--- php-horde-image-2.3.6.orig/Horde_Image-2.3.6/lib/Horde/Image/Null.php
++++ php-horde-image-2.3.6/Horde_Image-2.3.6/lib/Horde/Image/Null.php
+@@ -32,6 +32,8 @@ class Horde_Image_Null extends Horde_Ima
+ $this->loadFile($params['filename']);
+ } elseif (!empty($params['data'])) {
+ $this->loadString($params['data']);
++ } else {
++ $this->_data = new Horde_Stream_Temp();
+ }
+ }
+ }
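Review bot: The new `else` branch gives no hint why an empty `Horde_Stream_Temp` must be assigned when neither `filename` nor `data` was supplied, so a reader of Null.php cannot connect it to the DoS fix the changelog describes. A one-line comment above it, `// Always initialise _data; leaving it unset is what allowed the infinite loop (CVE-2017-9773).`, would keep the intent visible through later refactors. The constructor this sits in starts before the hunk.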
diff -Nru php-horde-image-2.3.6/debian/patches/CVE-2017-9774.patch
php-horde-image-2.3.6/debian/patches/CVE-2017-9774.patch
--- php-horde-image-2.3.6/debian/patches/CVE-2017-9774.patch 1970-01-01
01:00:00.000000000 +0100
+++ php-horde-image-2.3.6/debian/patches/CVE-2017-9774.patch 2018-06-23
11:09:57.000000000 +0100
@@ -0,0 +1,91 @@
+Source:
https://github.com/horde/horde/commit/01a11ccd37149101d67e0b20261fa48ab07dae13
+Comment:
+ Note that the fix applied upstream has a regression in that it ignores the
+ "force aspect ratio" option; see <https://github.com/horde/Image/pull/1>
+ .
+ -- Chris Lamb <[email protected]> Sat, 23 Jun 2018 11:16:49 +0100
+
+--- php-horde-image-2.3.6.orig/Horde_Image-2.3.6/lib/Horde/Image/Base.php
++++ php-horde-image-2.3.6/Horde_Image-2.3.6/lib/Horde/Image/Base.php
+@@ -129,10 +129,10 @@ abstract class Horde_Image_Base extends
+ }
+
+ if (isset($params['width'])) {
+- $this->_width = $params['width'];
++ $this->_width = (integer)$params['width'];
+ }
+ if (isset($params['height'])) {
+- $this->_height = $params['height'];
++ $this->_height = (integer)$params['height'];
+ }
+ if (!empty($params['type'])) {
+ // We only want the extension, not the full mimetype.
+--- php-horde-image-2.3.6.orig/Horde_Image-2.3.6/lib/Horde/Image/Im.php
++++ php-horde-image-2.3.6/Horde_Image-2.3.6/lib/Horde/Image/Im.php
+@@ -134,7 +134,13 @@ class Horde_Image_Im extends Horde_Image
+ } elseif (!empty($params['data'])) {
+ $this->loadString($params['data']);
+ } else {
+- $cmd = "-size {$this->_width}x{$this->_height}
xc:{$this->_background} -strip {$this->_type}:__FILEOUT__";
++ $cmd = sprintf(
++ '-size %dx%d xc:%s -strip %s:__FILEOUT__',
++ $this->_width,
++ $this->_height,
++ escapeshellarg($this->_background),
++ $this->_type
++ );
+ $this->executeConvertCmd($cmd);
+ }
+ }
+@@ -233,11 +239,11 @@ class Horde_Image_Im extends Horde_Image
+ if ($ratio) {
+ $this->_postSrcOperations[] =
+ ($keepProfile ? '-resize' : '-thumbnail')
+- . " {$width}x{$height}";
++ . sprintf(' %dx%d', $width, $height);
+ } else {
+ $this->_postSrcOperations[] =
+ ($keepProfile ? '-resize' : '-thumbnail')
+- . " {$width}x{$height}!";
++ . sprintf(' %dx%d!', $width, $height);
+ }
+
+ // Refresh the data
+@@ -277,7 +283,11 @@ class Horde_Image_Im extends Horde_Image
+ public function rotate($angle, $background = 'white')
+ {
+ $this->raw();
+- $this->_operations[] = "-background $background -rotate {$angle}";
++ $this->_operations[] = sprintf(
++ '-background %s -rotate %d',
++ escapeshellarg($this->_background),
++ (integer)$angle
++ );
+ $this->raw();
+
+ // Reset width/height since these might have changed
+@@ -315,7 +325,7 @@ class Horde_Image_Im extends Horde_Image
+ */
+ public function sepia($threshold = 85)
+ {
+- $this->_operations[] = '-sepia-tone ' . $threshold . '%';
++ $this->_operations[] = '-sepia-tone ' . (integer)$threshold . '%';
+ }
+
+ /**
+@@ -345,9 +355,12 @@ class Horde_Image_Im extends Horde_Image
+ {
+ $string = addslashes('"' . $string . '"');
+ $fontsize = Horde_Image::getFontSize($fontsize);
+- $this->_postSrcOperations[] = "-fill $color "
+- . (!empty($font) ? "-font $font" : '')
+- . " -pointsize $fontsize -gravity northwest -draw \"text $x,$y
$string\" -fill none";
++ $this->_postSrcOperations[] = '-fill ' . escapeshellarg($color)
++ . (!empty($font) ? '-font ' . escapeshellarg($font) : '')
++ . sprintf(
++ '-pointsize %d -gravity northwest -draw "text %d,%d %s" -fill
none',
++ $fontsize, $x, $y, escapeshellarg($string)
++ );
+ }
+
+ /**
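Review bot: `rotate()` now builds its operation from `escapeshellarg($this->_background)` and no longer reads its `$background` parameter (default `'white'`), so a caller-supplied background is silently ignored; the argument should be `escapeshellarg($background)`. In `text()` the rewrite also drops the separators the old string had: `'-fill ' . escapeshellarg($color)` is directly followed by `'-font '` and then by `'-pointsize ...'`, which yields fragments such as `-fill 'red'-font 'x'-pointsize 12`, so both need a leading space. More importantly, `escapeshellarg($string)` is placed inside the double-quoted `-draw "..."` operand, where the single quotes it emits are literal and give no protection; the whole draw operand should be assembled first and escaped once, as below. `text()`'s signature and the rest of `rotate()` lie outside the hunk.
```php
// … unchanged: $string = addslashes('"' . $string . '"'); $fontsize = …; …
$this->_postSrcOperations[] = '-fill ' . escapeshellarg($color)
    . (!empty($font) ? ' -font ' . escapeshellarg($font) : '')
    . sprintf(
        ' -pointsize %d -gravity northwest -draw %s -fill none',
        $fontsize,
        escapeshellarg(sprintf('text %d,%d %s', $x, $y, $string))
    );
```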
diff -Nru php-horde-image-2.3.6/debian/patches/series
php-horde-image-2.3.6/debian/patches/series
--- php-horde-image-2.3.6/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ php-horde-image-2.3.6/debian/patches/series 2018-06-23 11:09:57.000000000
+0100
@@ -0,0 +1,3 @@
+CVE-2017-9773.patch
+CVE-2017-9774.patch
+CVE-2017-14650.patch