Your message dated Sat, 27 May 2017 22:34:17 +0000
with message-id <[email protected]>
and subject line unblock php-horde-crypt
has caused the Debian Bug report #861715,
regarding unblock: php-horde-crypt/2.7.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
861715: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861715
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package php-horde-crypt

This fixes a security issue:

  * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
    CVE-2017-7414 (Closes: #859635)

(debdiff attached)

Note that the package doesn't work correctly in stretch, because it is not
compatible with gpg v2 (#849151 and #854819). I plan to fix this later, but
maybe in a point-release. Today, I want to prevent IMP (php-horde-imp) from
being removed from testing.

unblock php-horde-crypt/2.7.5-2

Thanks!

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru php-horde-crypt-2.7.5/debian/changelog 
php-horde-crypt-2.7.5/debian/changelog
--- php-horde-crypt-2.7.5/debian/changelog      2016-12-17 23:04:22.000000000 
+0100
+++ php-horde-crypt-2.7.5/debian/changelog      2017-05-03 07:15:32.000000000 
+0200
@@ -1,3 +1,10 @@
+php-horde-crypt (2.7.5-2) unstable; urgency=medium
+
+  * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
+    CVE-2017-7414 (Closes: #859635)
+
+ -- Mathieu Parent <[email protected]>  Wed, 03 May 2017 07:15:32 +0200
+
 php-horde-crypt (2.7.5-1) unstable; urgency=medium
 
   * New upstream version 2.7.5
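Review bot: the new changelog entry uses urgency=medium for a targeted fix of two CVEs (CVE-2017-7413 and CVE-2017-7414); urgency=high is the usual choice for a security-only upload so that the migration delay is as short as possible once the unblock is granted. The entry otherwise documents the change adequately, referencing the Debian bug it closes.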
diff -Nru 
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
 
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
--- 
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
    2017-05-03 07:15:32.000000000 +0200
@@ -0,0 +1,34 @@
+From 5ef589a3d47f94810c8b86805723b9450867aedf Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky <[email protected]>
+Date: Wed, 29 Mar 2017 08:21:02 -0400
+Subject: [PATCH] Escape user provided recipients and charset data.
+
+---
+ framework/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php 
b/Horde_Crypt-2.7.5/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php
+index a340caaf62..c33c05c9a3 100644
+--- a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php
++++ b/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php
+@@ -433,7 +433,7 @@ extends Horde_Crypt_Pgp_Backend
+             $cmdline[] = $keyring;
+             $cmdline[] = '--encrypt';
+             foreach (array_keys($params['recips']) as $val) {
+-                $cmdline[] = '--recipient ' . $val;
++                $cmdline[] = '--recipient ' . escapeshellarg($val);
+             }
+         } else {
+             $cmdline[] = '--symmetric';
+@@ -552,7 +552,7 @@ extends Horde_Crypt_Pgp_Backend
+             '--armor',
+             '--always-trust',
+             '--batch',
+-            '--charset ' . (isset($params['charset']) ? $params['charset'] : 
'UTF-8'),
++            '--charset ' . (isset($params['charset']) ? 
escapeshellarg($params['charset']) : 'UTF-8'),
+             $keyring,
+             '--verify'
+         );
+-- 
+2.11.0
+
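Review bot: the `diff --git` line of the embedded upstream patch has mismatched paths (`a/Horde_Crypt-2.7.5/lib/...` versus `b/Horde_Crypt-2.7.5/Crypt/lib/...`), and the stat line still names `framework/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php` from the upstream repository layout; quilt applies the patch using the `---`/`+++` lines, which are consistent, so it works, but the `b/` path should be corrected so the patch header does not mislead the next person touching it. Since the patch was rebased from upstream commit 5ef589a3d47f94810c8b86805723b9450867aedf, a DEP-3 `Origin: upstream, <commit URL>` header and a `Bug-Debian: https://bugs.debian.org/859635` header would make that provenance explicit. On the substance, both hunks are correct as written: `escapeshellarg($val)` and `escapeshellarg($params['charset'])` quote the user-controlled values before the `$cmdline` array is joined into a shell command, while the `'UTF-8'` fallback is a fixed literal and needs no quoting.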
diff -Nru php-horde-crypt-2.7.5/debian/patches/series 
php-horde-crypt-2.7.5/debian/patches/series
--- php-horde-crypt-2.7.5/debian/patches/series 1970-01-01 01:00:00.000000000 
+0100
+++ php-horde-crypt-2.7.5/debian/patches/series 2017-05-03 07:15:32.000000000 
+0200
@@ -0,0 +1 @@
+0001-Escape-user-provided-recipients-and-charset-data.patch

--- End Message ---
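As an added illustration of the fix described in the unblock request (this is example code, not Horde's or the Debian package's own): the function below builds a gpg argument list the way the patched `Binary.php` does, with `escapeshellarg()` applied to each recipient and to the charset. The allow-list check on recipients (`isSafeRecipient`) is this example's own defence-in-depth assumption and is not part of the upstream change; the function names and the sample recipients are likewise constructed for the example.

```php
<?php
// Added example, not Horde or Debian code. Shows the escaping the CVE fix
// introduced, plus an allow-list check that is this example's own addition.

function isSafeRecipient(string $recip): bool
{
    // Accept an e-mail address or a hex key ID / fingerprint (8 to 40 hex
    // digits, optional 0x prefix). Anything else is rejected before it can
    // reach the command line at all.
    return filter_var($recip, FILTER_VALIDATE_EMAIL) !== false
        || preg_match('/^(0x)?[0-9A-Fa-f]{8,40}$/', $recip) === 1;
}

function buildEncryptCmdline(array $recips, ?string $charset): array
{
    $cmdline = ['gpg', '--armor', '--batch', '--always-trust', '--encrypt'];

    // As in Binary.php, the recipients are the keys of the array.
    foreach (array_keys($recips) as $val) {
        if (!isSafeRecipient((string) $val)) {
            throw new InvalidArgumentException('Rejected recipient: ' . $val);
        }
        // Same shape as the patched line: the value is single-quoted by
        // escapeshellarg() before the array is joined into a shell string.
        $cmdline[] = '--recipient ' . escapeshellarg((string) $val);
    }

    // User-supplied charset is quoted; the literal fallback needs no quoting.
    $cmdline[] = '--charset ' . (isset($charset) ? escapeshellarg($charset) : 'UTF-8');

    return $cmdline;
}

// Constructed sample input (recipients as array keys, mirroring $params['recips']).
$recips = ['alice@example.org' => true, '0x0123456789ABCDEF' => true];
echo implode(' ', buildEncryptCmdline($recips, 'ISO-8859-1')), "\n";

// A value with a stray space would have split into extra gpg arguments before
// the fix; here it is rejected by the allow-list, and even if it were allowed,
// escapeshellarg() would keep it as one quoted argument.
try {
    buildEncryptCmdline(['bob@example.org extra' => true], null);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with `php example.php`: the first line printed is the joined command with each recipient wrapped in single quotes, the second is the rejection message. The allow-list is deliberately stricter than what `escapeshellarg()` requires; the quoting alone is what closed the CVEs, and validating the shape of a recipient in addition removes any dependence on the exact joining and invocation code further down.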
--- Begin Message ---
Unblocked php-horde-crypt.

--- End Message ---