Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id 
<fd7fa4d56896c35aab49a5a51cb69727dc60e87a.ca...@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #956533,
regarding buster-pu: package php-horde-form/2.0.18-3.1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
956533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956533
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please find attached a proposed debdiff for php-horde-form.  The change
fixes CVE-2020-8866, which the security team has classified as <no-dsa>,
deeming it a minor issue which can be fixed via a point release.  I have
prepared this update in coordination with the security team.  May I have
permission to upload to buster-proposed-updates?

- -- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff -Nru php-horde-form-2.0.18/debian/changelog 
php-horde-form-2.0.18/debian/changelog
--- php-horde-form-2.0.18/debian/changelog      2019-06-16 03:29:14.000000000 
-0400
+++ php-horde-form-2.0.18/debian/changelog      2020-03-24 13:55:11.000000000 
-0400
@@ -1,3 +1,14 @@
+php-horde-form (2.0.18-3.1+deb10u1) buster; urgency=high
+
+  * Fix CVE-2020-8866:
+    The Horde Application Framework contained a remote code execution
+    vulnerability. An authenticated remote attacker could use this flaw to
+    upload arbitrary content to an arbitrary writable location on the server
+    and potentially execute code in the context of the web server user.
+    (Closes: #955020)
+
+ -- Roberto C. Sanchez <[email protected]>  Tue, 24 Mar 2020 13:55:11 -0400
+
 php-horde-form (2.0.18-3.1) unstable; urgency=high
 
   * Non-maintainer upload.
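Review bot: the new changelog entry restates the advisory's impact ("upload arbitrary content to an arbitrary writable location") but does not say what this upload actually changes, so a reader of the point-release notes cannot tell that the fix restricts the image form type to a temporary filename recovered from the session (keyed by `$upload['hash']`) and no longer honours a request-supplied `$upload['img']['file']`. Suggest a second bullet stating that, and naming the upstream commit (35d382cc3a0482c07d0c2272cac89a340922e0a6, already carried in the patch's Origin header) next to the CVE id. Minor: `urgency=high` is harmless for a buster-pu upload but sits oddly beside the `<no-dsa>` / minor classification quoted in the request; `medium` would match.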
diff -Nru 
php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch
 
php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch
--- 
php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch
      1969-12-31 19:00:00.000000000 -0500
+++ 
php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch
      2020-03-24 13:55:11.000000000 -0400
@@ -0,0 +1,35 @@
+From 35d382cc3a0482c07d0c2272cac89a340922e0a6 Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky <[email protected]>
+Date: Sun, 1 Mar 2020 14:46:49 -0500
+Subject: [PATCH] SECURITY: Prevent ability to specify temporary filename.
+
+Origin: 
https://github.com/horde/Form/commit/35d382cc3a0482c07d0c2272cac89a340922e0a6
+---
+ lib/Horde/Form/Type.php | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/Horde_Form-2.0.18/lib/Horde/Form/Type.php 
b/Horde_Form-2.0.18/lib/Horde/Form/Type.php
+index f1e8157..e302d8d 100644
+--- a/Horde_Form-2.0.18/lib/Horde/Form/Type.php
++++ b/Horde_Form-2.0.18/lib/Horde/Form/Type.php
+@@ -1200,12 +1200,11 @@ class Horde_Form_Type_image extends Horde_Form_Type {
+             if (!empty($upload['hash'])) {
+                 $upload['img'] = $session->get('horde', 'form/' . 
$upload['hash']);
+                 $session->remove('horde', 'form/' . $upload['hash']);
+-            }
+-
+-            /* Get the temp file if already one uploaded, otherwise create a
+-             * new temporary file. */
+-            if (!empty($upload['img']['file'])) {
+-                $tmp_file = Horde::getTempDir() . '/' . 
basename($upload['img']['file']);
++                if (!empty($upload['img']['file'])) {
++                    $tmp_file = Horde::getTempDir() . '/' . 
basename($upload['img']['file']);
++                } else {
++                    $tmp_file = Horde::getTempFile('Horde', false);
++                }
+             } else {
+                 $tmp_file = Horde::getTempFile('Horde', false);
+             }
+-- 
+2.20.1
+
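Review bot: the patch header carries an `Origin:` line but no `Bug-Debian:` reference to #955020 and no mention of CVE-2020-8866 in the DEP-3 headers, so the series loses its link to the Debian bug and the CVE once the changelog scrolls away; add `Bug-Debian: https://bugs.debian.org/955020` and put the CVE id in the `Subject:` or a `Description:` line. On the code itself, moving the `if (!empty($upload['img']['file']))` branch inside `if (!empty($upload['hash']))` is the right boundary: the temporary filename is now only taken from whatever `$session->get('horde', 'form/' . $upload['hash'])` restored, never from request data, and for an unknown or forged hash `$upload['img']` comes back empty, `!empty($upload['img']['file'])` is false and the code falls through to `Horde::getTempFile('Horde', false)`. That fallback now appears in two identical `else` branches; initialising `$tmp_file = null` before the block and assigning the fresh temp file once afterwards when it is still unset would express the intended invariant (session path or fresh temp file, never a request value) in one place. Note also that the diffstat line says `lib/Horde/Form/Type.php` while the `---`/`+++` headers carry the `Horde_Form-2.0.18/` prefix; cosmetic, but worth making consistent if the patch is refreshed.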
diff -Nru php-horde-form-2.0.18/debian/patches/series 
php-horde-form-2.0.18/debian/patches/series
--- php-horde-form-2.0.18/debian/patches/series 2019-06-16 03:23:14.000000000 
-0400
+++ php-horde-form-2.0.18/debian/patches/series 2020-03-24 13:55:11.000000000 
-0400
@@ -1 +1,2 @@
 0001-SECURITY-prevent-directory-traversal-vulnerability.patch
+0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
