Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package php-horde-form. It contains a security fix for
CVE-2019-9858. We plan to issue a DSA for this problem as well for
stretch-security.

Attaching the full debdiff and I did test the specific vector for
CVE-2019-9858 before and after the fix.

unblock php-horde-form/2.0.18-3.1

Regards,
Salvatore
diff -Nru php-horde-form-2.0.18/debian/changelog 
php-horde-form-2.0.18/debian/changelog
--- php-horde-form-2.0.18/debian/changelog      2018-05-15 10:43:28.000000000 
+0200
+++ php-horde-form-2.0.18/debian/changelog      2019-06-16 09:29:14.000000000 
+0200
@@ -1,3 +1,11 @@
+php-horde-form (2.0.18-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Prevent directory traversal vulnerability (CVE-2019-9858)
+    (Closes: #930321)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 16 Jun 2019 09:29:14 +0200
+
 php-horde-form (2.0.18-3) unstable; urgency=medium
 
   * Update Standards-Version to 4.1.4, no change
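Review bot: the changelog entry names the CVE and the bug but not what was actually changed; a reader of the package history has to open the patch to learn that the fix confines the uploaded image's temporary file name to Horde's temp directory. Suggest expanding the bullet to something like "Prevent directory traversal vulnerability in Horde_Form_Type_image by applying basename() to the uploaded temp file name (CVE-2019-9858)" so the entry is self-describing. urgency=high is appropriate for a security NMU.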
diff -Nru 
php-horde-form-2.0.18/debian/patches/0001-SECURITY-prevent-directory-traversal-vulnerability.patch
 
php-horde-form-2.0.18/debian/patches/0001-SECURITY-prevent-directory-traversal-vulnerability.patch
--- 
php-horde-form-2.0.18/debian/patches/0001-SECURITY-prevent-directory-traversal-vulnerability.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
php-horde-form-2.0.18/debian/patches/0001-SECURITY-prevent-directory-traversal-vulnerability.patch
  2019-06-16 09:24:04.000000000 +0200
@@ -0,0 +1,27 @@
+From: Michael J Rubinsky <mrubi...@horde.org>
+Date: Thu, 3 Jan 2019 19:22:56 -0500
+Subject: SECURITY: prevent directory traversal vulnerability.
+Origin: 
https://github.com/horde/Form/commit/c916ba979ad1613d76a9407dd0b67968a9594c0e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9858
+Bug-Debian: https://bugs.debian.org/930321
+
+---
+ Horde_Form-2.0.18/lib/Horde/Form/Type.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Horde_Form-2.0.18/lib/Horde/Form/Type.php 
b/Horde_Form-2.0.18/lib/Horde/Form/Type.php
+index e92c7903915b..f1e8157f0b68 100644
+--- a/Horde_Form-2.0.18/lib/Horde/Form/Type.php
++++ b/Horde_Form-2.0.18/lib/Horde/Form/Type.php
+@@ -1205,7 +1205,7 @@ class Horde_Form_Type_image extends Horde_Form_Type {
+             /* Get the temp file if already one uploaded, otherwise create a
+              * new temporary file. */
+             if (!empty($upload['img']['file'])) {
+-                $tmp_file = Horde::getTempDir() . '/' . 
$upload['img']['file'];
++                $tmp_file = Horde::getTempDir() . '/' . 
basename($upload['img']['file']);
+             } else {
+                 $tmp_file = Horde::getTempFile('Horde', false);
+             }
+-- 
+2.20.1
+
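Review bot: wrapping the request-supplied `$upload['img']['file']` in `basename()` stops directory components (and therefore `../` sequences) from moving `$tmp_file` outside `Horde::getTempDir()`, which is exactly the traversal the CVE describes, so the one-line change is correct for that issue. Two caveats worth recording in the patch description: first, the name is still taken verbatim from the request, so the code only guarantees the path stays inside the temp directory, not that it refers to a file this form created; a stricter follow-up would keep the temp file name in server-side form state or check it against the naming pattern `Horde::getTempFile('Horde', false)` produces before reusing it. Second, PHP's `basename()` is locale-aware and can strip multibyte characters under some locales, so a non-ASCII temp name may not round-trip; the temp names Horde generates are ASCII, so this is benign here but should be noted. The DEP-3 header (Origin, Bug-Debian-Security, Bug-Debian) is complete.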
diff -Nru php-horde-form-2.0.18/debian/patches/series 
php-horde-form-2.0.18/debian/patches/series
--- php-horde-form-2.0.18/debian/patches/series 1970-01-01 01:00:00.000000000 
+0100
+++ php-horde-form-2.0.18/debian/patches/series 2019-06-16 09:23:14.000000000 
+0200
@@ -0,0 +1 @@
+0001-SECURITY-prevent-directory-traversal-vulnerability.patch