Hi, I've prepared an upload to fix the following:
php-horde-image (2.3.6-1+deb9u1) stretch-security; urgency=high * CVE-2017-9773: Prevent a denial of service attack by ensuring an infinite loop cannot be triggered by a malicious request. (Closes: #865504) * CVE-2017-9774: Prevent a remote code execution vulnerability (RCE) that was exploitable by a logged-in user sending a maliciously crafted HTTP GET request to the image backends. Note that the fix applied upstream has a regression in that it ignores the "force aspect ratio" option; see <https://github.com/horde/Image/pull/1>. This has been remedied in this fix. (Closes: #865505) * CVE-2017-14650: Prevent another RCE that was exploitable by a logged-in user sending a maliciously crafted GET request specifically to the "im" image backend. (Closes: #876400) The full debdiff is attached. Please let me know if it is okay to upload. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
diffstat for php-horde-image-2.3.6 php-horde-image-2.3.6
changelog | 16 +++++++
patches/CVE-2017-14650.patch | 13 ++++++
patches/CVE-2017-9773.patch | 13 ++++++
patches/CVE-2017-9774.patch | 91 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 3 +
5 files changed, 136 insertions(+)
diff -Nru php-horde-image-2.3.6/debian/changelog php-horde-image-2.3.6/debian/changelog
--- php-horde-image-2.3.6/debian/changelog 2016-09-09 13:58:40.000000000 +0100
+++ php-horde-image-2.3.6/debian/changelog 2018-06-23 11:09:57.000000000 +0100
@@ -1,3 +1,19 @@
+php-horde-image (2.3.6-1+deb9u1) stretch-security; urgency=high
+
+ * CVE-2017-9773: Prevent a denial of service attack by ensuring an infinite
+ loop cannot be triggered by a malicious request. (Closes: #865504)
+ * CVE-2017-9774: Prevent a remote code execution vulnerability (RCE) that was
+ exploitable by a logged-in user sending a maliciously crafted HTTP GET
+ request to the image backends. Note that the fix applied upstream has a
+ regression in that it ignores the "force aspect ratio" option; see
+ <https://github.com/horde/Image/pull/1>. This has been remedied in this
+ fix. (Closes: #865505)
+ * CVE-2017-14650: Prevent another RCE that was exploitable by a logged-in
+ user sending a maliciously crafted GET request specifically to the "im"
+ image backend. (Closes: #876400)
+
+ -- Chris Lamb <la...@debian.org> Sat, 23 Jun 2018 11:09:57 +0100
+
 php-horde-image (2.3.6-1) unstable; urgency=medium
 * New upstream version 2.3.6
diff -Nru php-horde-image-2.3.6/debian/patches/CVE-2017-14650.patch php-horde-image-2.3.6/debian/patches/CVE-2017-14650.patch
--- php-horde-image-2.3.6/debian/patches/CVE-2017-14650.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-horde-image-2.3.6/debian/patches/CVE-2017-14650.patch 2018-06-23 11:09:57.000000000 +0100
@@ -0,0 +1,13 @@
+Source: https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b
+
+--- php-horde-image-2.3.6.orig/Horde_Image-2.3.6/lib/Horde/Image/Im.php
++++ php-horde-image-2.3.6/Horde_Image-2.3.6/lib/Horde/Image/Im.php
+@@ -185,7 +185,7 @@ class Horde_Image_Im extends Horde_Image
+ $tmpin = $this->toFile($this->_data);
+ $tmpout = Horde_Util::getTempFile('img', false, $this->_tmpdir);
+ $command = $this->_convert . ' ' . implode(' ', $this->_operations)
+- . ' "' . $tmpin . '"\'[' . $index . ']\' '
++ . ' "' . $tmpin . '"\'[' . (integer)$index . ']\' '
+ . implode(' ', $this->_postSrcOperations)
+ . ' -strip ' . $this->_type . ':"' . $tmpout . '" 2>&1';
+ $this->_logDebug(sprintf("convert command executed by Horde_Image_im::raw(): %s", $command));
diff -Nru php-horde-image-2.3.6/debian/patches/CVE-2017-9773.patch php-horde-image-2.3.6/debian/patches/CVE-2017-9773.patch
--- php-horde-image-2.3.6/debian/patches/CVE-2017-9773.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-horde-image-2.3.6/debian/patches/CVE-2017-9773.patch 2018-06-23 11:09:57.000000000 +0100
@@ -0,0 +1,13 @@
+Source: https://github.com/horde/horde/commit/2b8a6fe1a5fc0fc662178145f853c65956985538
+
+--- php-horde-image-2.3.6.orig/Horde_Image-2.3.6/lib/Horde/Image/Null.php
++++ php-horde-image-2.3.6/Horde_Image-2.3.6/lib/Horde/Image/Null.php
+@@ -32,6 +32,8 @@ class Horde_Image_Null extends Horde_Ima
+ $this->loadFile($params['filename']);
+ } elseif (!empty($params['data'])) {
+ $this->loadString($params['data']);
++ } else {
++ $this->_data = new Horde_Stream_Temp();
+ }
+ }
+ }
diff -Nru php-horde-image-2.3.6/debian/patches/CVE-2017-9774.patch php-horde-image-2.3.6/debian/patches/CVE-2017-9774.patch
--- php-horde-image-2.3.6/debian/patches/CVE-2017-9774.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-horde-image-2.3.6/debian/patches/CVE-2017-9774.patch 2018-06-23 11:09:57.000000000 +0100
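Review bot: The `(integer)` cast on `$index` closes the frame-selector fragment of the convert command in raw(), but `$this->_type` on the `-strip` line two lines below is still spliced into the same shell command unescaped, and the Base.php hunk in CVE-2017-9774.patch shows that value is taken from `$params['type']`; the same patch also passes it through a bare `%s` in the Im.php constructor's sprintf. Unless the extension-extraction code that follows the "We only want the extension" comment already restricts it to a known format keyword — which is not visible in either hunk — this leaves a second caller-influenced fragment in the command line. Wrapping it as `. ' -strip ' . escapeshellarg($this->_type) . ':"' . $tmpout . '" 2>&1';` here, and using `escapeshellarg($this->_type)` as the last sprintf argument in the constructor, would make the escaping consistent with the `$this->_background` handling that patch introduces. raw()'s body starts and ends outside this hunk.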
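Review bot: The new `else` branch in Null.php carries no explanation of why an empty `Horde_Stream_Temp` is assigned, and the only link to the reason lives in the patch header and the changelog, which a reader of the source file never sees. A one-line comment above it, `// Always initialise the backing stream: per CVE-2017-9773, leaving _data unset could trigger an infinite loop.`, keeps the rationale next to the code that enforces it. The enclosing method (apparently a constructor, given the `$params` loading) begins before the hunk.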
@@ -0,0 +1,91 @@
+Source: https://github.com/horde/horde/commit/01a11ccd37149101d67e0b20261fa48ab07dae13
+Comment:
+ Note that the fix applied upstream has a regression in that it ignores the
+ "force aspect ratio" option; see <https://github.com/horde/Image/pull/1>
+ .
+ -- Chris Lamb <la...@debian.org> Sat, 23 Jun 2018 11:16:49 +0100
+
+--- php-horde-image-2.3.6.orig/Horde_Image-2.3.6/lib/Horde/Image/Base.php
++++ php-horde-image-2.3.6/Horde_Image-2.3.6/lib/Horde/Image/Base.php
+@@ -129,10 +129,10 @@ abstract class Horde_Image_Base extends
+ }
+
+ if (isset($params['width'])) {
+- $this->_width = $params['width'];
++ $this->_width = (integer)$params['width'];
+ }
+ if (isset($params['height'])) {
+- $this->_height = $params['height'];
++ $this->_height = (integer)$params['height'];
+ }
+ if (!empty($params['type'])) {
+ // We only want the extension, not the full mimetype.
+--- php-horde-image-2.3.6.orig/Horde_Image-2.3.6/lib/Horde/Image/Im.php
++++ php-horde-image-2.3.6/Horde_Image-2.3.6/lib/Horde/Image/Im.php
+@@ -134,7 +134,13 @@ class Horde_Image_Im extends Horde_Image
+ } elseif (!empty($params['data'])) {
+ $this->loadString($params['data']);
+ } else {
+- $cmd = "-size {$this->_width}x{$this->_height} xc:{$this->_background} -strip {$this->_type}:__FILEOUT__";
++ $cmd = sprintf(
++ '-size %dx%d xc:%s -strip %s:__FILEOUT__',
++ $this->_width,
++ $this->_height,
++ escapeshellarg($this->_background),
++ $this->_type
++ );
+ $this->executeConvertCmd($cmd);
+ }
+ }
+@@ -233,11 +239,11 @@ class Horde_Image_Im extends Horde_Image
+ if ($ratio) {
+ $this->_postSrcOperations[] =
+ ($keepProfile ? '-resize' : '-thumbnail')
+- . " {$width}x{$height}";
++ . sprintf(' %dx%d', $width, $height);
+ } else {
+ $this->_postSrcOperations[] =
+ ($keepProfile ? '-resize' : '-thumbnail')
+- . " {$width}x{$height}!";
++ . sprintf(' %dx%d!', $width, $height);
+ }
+
+ // Refresh the data
+@@ -277,7 +283,11 @@ class Horde_Image_Im extends Horde_Image
+ public function rotate($angle, $background = 'white')
+ {
+ $this->raw();
+- $this->_operations[] = "-background $background -rotate {$angle}";
++ $this->_operations[] = sprintf(
++ '-background %s -rotate %d',
++ escapeshellarg($this->_background),
++ (integer)$angle
++ );
+ $this->raw();
+
+ // Reset width/height since these might have changed
+@@ -315,7 +325,7 @@ class Horde_Image_Im extends Horde_Image
+ */
+ public function sepia($threshold = 85)
+ {
+- $this->_operations[] = '-sepia-tone ' . $threshold . '%';
++ $this->_operations[] = '-sepia-tone ' . (integer)$threshold . '%';
+ }
+
+ /**
+@@ -345,9 +355,12 @@ class Horde_Image_Im extends Horde_Image
+ {
+ $string = addslashes('"' . $string . '"');
+ $fontsize = Horde_Image::getFontSize($fontsize);
+- $this->_postSrcOperations[] = "-fill $color "
+- . (!empty($font) ? "-font $font" : '')
+- . " -pointsize $fontsize -gravity northwest -draw \"text $x,$y $string\" -fill none";
++ $this->_postSrcOperations[] = '-fill ' . escapeshellarg($color)
++ . (!empty($font) ? '-font ' . escapeshellarg($font) : '')
++ . sprintf(
++ '-pointsize %d -gravity northwest -draw "text %d,%d %s" -fill none',
++ $fontsize, $x, $y, escapeshellarg($string)
++ );
+ }
+
+ /**
diff -Nru php-horde-image-2.3.6/debian/patches/series php-horde-image-2.3.6/debian/patches/series
--- php-horde-image-2.3.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ php-horde-image-2.3.6/debian/patches/series 2018-06-23 11:09:57.000000000 +0100
@@ -0,0 +1,3 @@
+CVE-2017-9773.patch
+CVE-2017-9774.patch
+CVE-2017-14650.patch
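Review bot: The rewritten rotate() passes `escapeshellarg($this->_background)` where the removed line used the method's own `$background` parameter, so the `$background = 'white'` argument callers supply is now silently ignored; the sprintf argument should be `escapeshellarg($background)`. The text-drawing method in the last hunk (its signature precedes the hunk) also loses the separators the old strings carried: `'-fill ' . escapeshellarg($color)` is immediately followed by `'-font '` and by `'-pointsize ...'`, so the generated options run together as `-fill 'x'-font 'y'-pointsize 12` instead of being separate convert arguments. Restoring a space after each escaped value — `'-fill ' . escapeshellarg($color) . ' '` and `'-font ' . escapeshellarg($font) . ' '` — fixes that without weakening the escaping. Note also that the escaped `$string` is placed inside the double-quoted `-draw "text %d,%d %s"` token, so the single quotes escapeshellarg adds reach ImageMagick as literal characters in the drawn text; it is safe, but the rendered output differs from the old line. rotate()'s body continues past its hunk.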