Hi team, here is the debdiff for the changes.
Best regards Roland
diff -Nru ldap-account-manager-7.4/debian/changelog ldap-account-manager-7.4/debian/changelog
--- ldap-account-manager-7.4/debian/changelog 2020-12-06 09:05:33.000000000 +0100
+++ ldap-account-manager-7.4/debian/changelog 2022-04-15 19:33:40.000000000 +0200
@@ -1,3 +1,9 @@
+ldap-account-manager (7.4-1+deb11u1) stable-security; urgency=medium
+
+ * fixes CVE-2022-24851
+
+ -- Roland Gruber <p...@rolandgruber.de> Fri, 15 Apr 2022 19:33:40 +0200
+
 ldap-account-manager (7.4-1) unstable; urgency=medium
 * new upstream release
diff -Nru ldap-account-manager-7.4/debian/patches/01_CVE-2022-24851.patch ldap-account-manager-7.4/debian/patches/01_CVE-2022-24851.patch
--- ldap-account-manager-7.4/debian/patches/01_CVE-2022-24851.patch 1970-01-01 01:00:00.000000000 +0100
+++ ldap-account-manager-7.4/debian/patches/01_CVE-2022-24851.patch 2022-04-15 19:29:02.000000000 +0200
@@ -0,0 +1,87 @@
+Description: CVE-2022-24851
+ Security fix for stored XSS and reading of arbitary images.
+Author: Roland Gruber <p...@rolandgruber.de>
+Origin: upstream
+Bug: https://github.com/LDAPAccountManager/lam/issues/170
+Applied-Upstream: 7.9.1
+Reviewed-by: Roland Gruber <p...@rolandgruber.de>
+Last-Update: 2022-04-15
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: ldap-account-manager-7.4/lib/html.inc
+===================================================================
+--- ldap-account-manager-7.4.orig/lib/html.inc
++++ ldap-account-manager-7.4/lib/html.inc
+@@ -525,10 +525,10 @@ class htmlInputField extends htmlElement
+ }
+ if (isset($values[$this->fieldName])) {
+ if (isObfuscatedText($values[$this->fieldName][0])) {
+- $this->fieldValue = deobfuscateText($values[$this->fieldName][0]);
++ $this->fieldValue = htmlspecialchars(deobfuscateText($values[$this->fieldName][0]));
+ }
+ else {
+- $this->fieldValue = $values[$this->fieldName][0];
++ $this->fieldValue = htmlspecialchars($values[$this->fieldName][0]);
+ }
+ }
+ $validators = array();
+@@ -2588,7 +2588,7 @@ class htmlInputTextarea extends htmlElem
+ function generateHTML($module, $input, $values, $restricted, &$tabindex, $scope) {
+ $this->cssClasses[] = 'ui-corner-all';
+ if (isset($values[$this->name])) {
+- $this->value = implode("\r\n", $values[$this->name]);
++ $this->value = htmlspecialchars(implode("\r\n", $values[$this->name]));
+ }
+ $colCount = ($this->colCount != null) ? ' cols="' . $this->colCount . '"' : '';
+ $rowCount = ($this->rowCount != null) ? ' rows="' . $this->rowCount . '"' : '';
+Index: ldap-account-manager-7.4/templates/pdfedit/pdfpage.php
+===================================================================
+--- ldap-account-manager-7.4.orig/templates/pdfedit/pdfpage.php
++++ ldap-account-manager-7.4/templates/pdfedit/pdfpage.php
+@@ -121,8 +121,9 @@ if(!isset($_SESSION['currentPDFStructure
+ }
+ }
+
++$logoFiles = \LAM\PDF\getAvailableLogos($_SESSION['config']->getName());
+ if (!empty($_POST['form_submit'])) {
+- updateBasicSettings($_SESSION['currentPDFStructure']);
++ updateBasicSettings($_SESSION['currentPDFStructure'], $logoFiles);
+ updateSectionTitles($_SESSION['currentPDFStructure']);
+ addSection($_SESSION['currentPDFStructure']);
+ addSectionEntry($_SESSION['currentPDFStructure']);
+@@ -218,7 +219,6 @@ else if (isset($_POST['pdfname'])) {
+ // headline
+ $headline = $_SESSION['currentPDFStructure']->getTitle();
+ // logo
+-$logoFiles = \LAM\PDF\getAvailableLogos($_SESSION['config']->getName());
+ $logos = array(_('No logo') => 'none');
+ foreach($logoFiles as $logoFile) {
+ $logos[$logoFile['filename'] . ' (' . $logoFile['infos'][0] . ' x ' . $logoFile['infos'][1] . ")"] = $logoFile['filename'];
+@@ -509,14 +509,25 @@ function translateFieldIDToName($id, $sc
+ *
+ * @param PDFStructure $structure
+ */
+-function updateBasicSettings(PDFStructure &$structure) {
++function updateBasicSettings(PDFStructure &$structure, $logoFiles) {
+ // set headline
+ if (isset($_POST['headline'])) {
+ $structure->setTitle(str_replace('<', '', str_replace('>', '', $_POST['headline'])));
+ }
+ // set logo
+ if (isset($_POST['logoFile'])) {
+- $structure->setLogo($_POST['logoFile']);
++ $fileName = $_POST['logoFile'];
++ $found = false;
++ foreach ($logoFiles as $logoFile) {
++ if ($logoFile['filename'] === $fileName) {
++ $found = true;
++ }
++ }
++ if (!$found) {
++ logNewMessage(LOG_ERR, 'Invalid PDF logo file: ' . $fileName);
++ return;
++ }
++ $structure->setLogo($fileName);
+ }
+ // set folding marks
+ if (isset($_POST['foldingmarks'])) {
diff -Nru ldap-account-manager-7.4/debian/patches/series ldap-account-manager-7.4/debian/patches/series
--- ldap-account-manager-7.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ ldap-account-manager-7.4/debian/patches/series 2022-04-15 19:14:10.000000000 +0200
@@ -0,0 +1 @@
+01_CVE-2022-24851.patch
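Review bot: The three `htmlspecialchars()` calls added to lib/html.inc (two in htmlInputField near line 528, one in htmlInputTextarea near line 2591) pass no flags, so on PHP before 8.1 — which the deb11u1 target suggests is the interpreter here — single quotes stay unescaped (`ENT_COMPAT` default) and a stored value that is not valid UTF-8 comes back as an empty string because `ENT_SUBSTITUTE` is absent; whether the single-quote gap matters depends on how generateHTML() emits the value, which is outside the hunk. Passing the flags explicitly, e.g. `$this->fieldValue = htmlspecialchars($values[$this->fieldName][0], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` at each of the three sites, makes the escaping independent of the interpreter's default. In pdfpage.php the new `$logoFiles` parameter of updateBasicSettings() is not described in its docblock; add `* @param array $logoFiles logos as returned by \LAM\PDF\getAvailableLogos()` after the existing `@param` line. The generateHTML() bodies and updateBasicSettings() all start or end outside the hunk.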