Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Please find attached a proposed debdiff for php-horde-trean. The change fixes CVE-2020-8865, which the security team has classified as <no-dsa>, deeming it a minor issue which can be fixed via a point release. I have prepared this update in coordination with the security team.

May I have permission to upload to buster-proposed-updates?

Regards,

-Roberto

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru php-horde-trean-1.1.9/debian/changelog php-horde-trean-1.1.9/debian/changelog --- php-horde-trean-1.1.9/debian/changelog 2018-05-15 10:52:05.000000000 -0400 +++ php-horde-trean-1.1.9/debian/changelog 2020-04-10 20:31:30.000000000 -0400 @@ -1,3 +1,13 @@ +php-horde-trean (1.1.9-3+deb10u1) buster; urgency=high + + * Fix CVE-2020-8865: + The Horde Application Framework contained a directory traversal + vulnerability resulting from insufficient input sanitization. An + authenticated remote attacker could use this flaw to execute code in the + context of the web server user. (Closes: #955019) + + -- Roberto C. Sanchez <robe...@debian.org> Fri, 10 Apr 2020 20:31:30 -0400 + php-horde-trean (1.1.9-3) unstable; urgency=medium * Update Standards-Version to 4.1.4, no change diff -Nru php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch --- php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch 1969-12-31 19:00:00.000000000 -0500 +++ php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch 2020-04-10 20:31:30.000000000 -0400 
@@ -0,0 +1,36 @@ +From db0714a0c04d87bda9e2852f1b0d259fc281ca75 Mon Sep 17 00:00:00 2001 +From: Michael J Rubinsky <mrubi...@horde.org> +Date: Sun, 1 Mar 2020 15:00:46 -0500 +Subject: [PATCH] SECURITY: Fix Directory Traversal Vulerability. + +--- + lib/Block/Bookmarks.php | 2 +- + lib/Block/Mostclicked.php | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/trean-1.1.9/lib/Block/Bookmarks.php b/trean-1.1.9/lib/Block/Bookmarks.php +index 7027bc3..16c7ba2 100644 +--- a/trean-1.1.9/lib/Block/Bookmarks.php ++++ b/trean-1.1.9/lib/Block/Bookmarks.php +@@ -68,7 +68,7 @@ protected function _title() + */ + protected function _content() + { +- $template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] . '.inc'; ++ $template = TREAN_TEMPLATES . '/block/' . basename($this->_params['template']) . '.inc'; + + $sortby = 'title'; + $sortdir = 0; +diff --git a/trean-1.1.9/lib/Block/Mostclicked.php b/trean-1.1.9/lib/Block/Mostclicked.php +index ffbc52b..3308110 100644 +--- a/trean-1.1.9/lib/Block/Mostclicked.php ++++ b/trean-1.1.9/lib/Block/Mostclicked.php +@@ -58,7 +58,7 @@ protected function _title() + */ + protected function _content() + { +- $template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] . '.inc'; ++ $template = TREAN_TEMPLATES . '/block/' . basename($this->_params['template']) . '.inc'; + + $html = ''; + $bookmarks = $GLOBALS['trean_gateway']->listBookmarks('clicks', 1, 0, $this->_params['rows']); diff -Nru php-horde-trean-1.1.9/debian/patches/series php-horde-trean-1.1.9/debian/patches/series --- php-horde-trean-1.1.9/debian/patches/series 1969-12-31 19:00:00.000000000 -0500 +++ php-horde-trean-1.1.9/debian/patches/series 2020-04-10 20:31:30.000000000 -0400 @@ -0,0 +1 @@ +0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
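Review bot: the new entry in the debian/changelog hunk describes the flaw only as "insufficient input sanitization"; since the accompanying patch applies `basename()` to the block `template` parameter before it is joined to `TREAN_TEMPLATES . '/block/'`, naming that parameter in the entry would tell administrators which block setting was affected and what the fix constrains. `Closes: #955019` and `urgency=high` are appropriate for a security point-release update.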
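Review bot: the `basename()` fix in the debian/patches hunk (identical in lib/Block/Bookmarks.php and lib/Block/Mostclicked.php) strips directory components, including `../` sequences, from `$this->_params['template']`, which closes the traversal, but the resulting name is still accepted as long as `TREAN_TEMPLATES . '/block/' . basename(...) . '.inc'` resolves to a file; if the block's parameter definition already enumerates the permitted template names, validating the value against that list would be a tighter fix worth raising upstream. As a DEP-3 matter, consider adding a `Bug-Debian: https://bugs.debian.org/955019` header to the patch file so the Debian bug is traceable from the patch itself; the upstream `From`/`Date`/`Subject` lines already record the origin commit db0714a0c04d87bda9e2852f1b0d259fc281ca75.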
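Review bot: the debian/patches/series hunk lists the patch under a file name that carries the misspelling "Vulerability" from the upstream subject line; it matches the file added in the same debdiff, so the series applies cleanly, but renaming both the file and the series entry to "Vulnerability" before upload would avoid the typo being propagated into later updates of the package.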