Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Dear release team,

I have just uploaded this php-horde update to buster, fixing a no-dsa CVE:

+  * CVE-2020-8035: Don't allow to view images inline if opened directly.
+  * debian/patches/0001-Fix-rewrite-base.patch: Trivial rebase.

Greets,
Mike

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru php-horde-5.2.20+debian0/debian/changelog php-horde-5.2.20+debian0/debian/changelog --- php-horde-5.2.20+debian0/debian/changelog 2019-12-14 03:13:53.000000000 +0100 +++ php-horde-5.2.20+debian0/debian/changelog 2020-05-31 21:45:26.000000000 +0200 @@ -1,3 +1,10 @@ +php-horde (5.2.20+debian0-1+deb10u2) buster; urgency=medium + + * CVE-2020-8035: Don't allow to view images inline if opened directly. + * debian/patches/0001-Fix-rewrite-base.patch: Trivial rebase. + + -- Mike Gabriel <sunwea...@debian.org> Sun, 31 May 2020 21:45:26 +0200 + php-horde (5.2.20+debian0-1+deb10u1) buster; urgency=high * Fix CVE-2019-12095: Stored XSS vuln in the Horde Cloud Block. diff -Nru php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch --- php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch 2019-12-14 03:13:53.000000000 +0100 +++ php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch 2020-05-31 21:45:26.000000000 +0200 @@ -6,11 +6,9 @@ horde-5.2.20/.htaccess | 1 + 1 file changed, 1 insertion(+) -diff --git a/horde-5.2.20/.htaccess b/horde-5.2.20/.htaccess -index 89eaf0a..348046e 100644 --- a/horde-5.2.20/.htaccess +++ b/horde-5.2.20/.htaccess -@@ -5,6 +5,7 @@ allow from all +@@ -10,6 +10,7 @@ <IfModule mod_rewrite.c> RewriteEngine On diff -Nru php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch --- php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch 1970-01-01 01:00:00.000000000 +0100 +++ php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch 2020-05-31 21:45:26.000000000 +0200 
@@ -0,0 +1,28 @@ +From 64127fe3c2b9843c9760218e59dae9731cc56bdf Mon Sep 17 00:00:00 2001 +From: Jan Schneider <j...@horde.org> +Date: Mon, 20 Apr 2020 23:07:51 +0200 +Subject: [PATCH] Don't allow to view images inline if opened directly. + +This services is supposed to process and view images inside a web page. +--- + services/images/view.php | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/horde-5.2.20/services/images/view.php b/horde-5.2.20/services/images/view.php +index bc7da534..f5b0cb25 100644 +--- a/horde-5.2.20/services/images/view.php ++++ b/horde-5.2.20/services/images/view.php +@@ -84,6 +84,7 @@ + + /* Check if no editing action required and send the image to browser. */ + if (empty($action)) { ++ header('Content-Disposition: attachment'); + $image->display(); + exit; + } +@@ -132,4 +133,5 @@ + /* Write out any changes to the temporary file. */ + file_put_contents($file_name, $image->raw()); + ++header('Content-Disposition: attachment'); + $image->display(); diff -Nru php-horde-5.2.20+debian0/debian/patches/series php-horde-5.2.20+debian0/debian/patches/series --- php-horde-5.2.20+debian0/debian/patches/series 2019-12-14 03:13:53.000000000 +0100 +++ php-horde-5.2.20+debian0/debian/patches/series 2020-05-31 21:45:26.000000000 +0200 @@ -1,2 +1,3 @@ 0001-Fix-rewrite-base.patch 0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch +0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch
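Review bot: the debian/changelog entry for 5.2.20+debian0-1+deb10u2 names CVE-2020-8035 but not the upstream fix it backports, even though the new patch file identifies it (commit 64127fe3c2b9843c9760218e59dae9731cc56bdf by Jan Schneider, 2020-04-20); adding that commit id to the changelog line, e.g. "CVE-2020-8035: Don't allow to view images inline if opened directly (upstream commit 64127fe3)", makes the stable update easier to audit against upstream without opening the patch.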
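Review bot: in the rebase of 0001-Fix-rewrite-base.patch the only substantive change is the hunk header moving from `@@ -5,6 +5,7 @@ allow from all` to `@@ -10,6 +10,7 @@` with the line counts unchanged, while the `diff --git` and `index 89eaf0a..348046e 100644` lines are dropped; the offset shift means the `.htaccess` in this source no longer matches what the old hunk expected, so it would be worth stating in the changelog what moved (the old context line `allow from all` is gone from the header) and confirming that `quilt push -a` applies the whole series without fuzz, since an offset in 0001 can otherwise hide a misapplied hunk in 0003.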
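Review bot: the two `header('Content-Disposition: attachment');` lines in 0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch are each placed immediately before `$image->display();`, so the header is emitted before any body bytes, which is the right spot; note however that the first call sits inside `if (empty($action))` while the second, at the end of the file after the "Write out any changes to the temporary file" block, is unconditional, so every editing action path also forces a download, not only direct opens. That matches the upstream subject line but deserves a sentence in the changelog for users who expect edited images to render inline. The patch header also carries only the git From/Date/Subject lines and no DEP-3 `Origin:` or `Bug:` line; adding an `Origin: upstream` line naming commit 64127fe3c2b9843c9760218e59dae9731cc56bdf and a `Bug:` line for CVE-2020-8035 would make the provenance explicit rather than implied by the file name.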