Bug#961944: marked as done (buster-pu: package php-horde/5.2.20+debian0-1+deb10u2)

Debian Bug Tracking System Sat, 01 Aug 2020 05:05:43 -0700

Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id 
<43535efb498a168cf81452ca0c326f004f46adc6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #961944,
regarding buster-pu: package php-horde/5.2.20+debian0-1+deb10u2
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
961944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961944
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

Dear release team,

I have just uploaded this php-horde update to buster, fixing a no-dsa CVE:

+  * CVE-2020-8035: Don't allow to view images inline if opened directly.
+  * debian/patches/0001-Fix-rewrite-base.patch: Trivial rebase.

Greets,
Mike

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru php-horde-5.2.20+debian0/debian/changelog 
php-horde-5.2.20+debian0/debian/changelog
--- php-horde-5.2.20+debian0/debian/changelog   2019-12-14 03:13:53.000000000 
+0100
+++ php-horde-5.2.20+debian0/debian/changelog   2020-05-31 21:45:26.000000000 
+0200
@@ -1,3 +1,10 @@
+php-horde (5.2.20+debian0-1+deb10u2) buster; urgency=medium
+
+  * CVE-2020-8035: Don't allow to view images inline if opened directly.
+  * debian/patches/0001-Fix-rewrite-base.patch: Trivial rebase.
+
+ -- Mike Gabriel <[email protected]>  Sun, 31 May 2020 21:45:26 +0200
+
 php-horde (5.2.20+debian0-1+deb10u1) buster; urgency=high
 
   * Fix CVE-2019-12095: Stored XSS vuln in the Horde Cloud Block.
diff -Nru php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch 
php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch
--- php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch 
2019-12-14 03:13:53.000000000 +0100
+++ php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch 
2020-05-31 21:45:26.000000000 +0200
@@ -6,11 +6,9 @@
  horde-5.2.20/.htaccess | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/horde-5.2.20/.htaccess b/horde-5.2.20/.htaccess
-index 89eaf0a..348046e 100644
 --- a/horde-5.2.20/.htaccess
 +++ b/horde-5.2.20/.htaccess
-@@ -5,6 +5,7 @@ allow from all
+@@ -10,6 +10,7 @@
  
  <IfModule mod_rewrite.c>
      RewriteEngine On
diff -Nru 
php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch
 
php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch
--- 
php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch
   2020-05-31 21:45:26.000000000 +0200
@@ -0,0 +1,28 @@
+From 64127fe3c2b9843c9760218e59dae9731cc56bdf Mon Sep 17 00:00:00 2001
+From: Jan Schneider <[email protected]>
+Date: Mon, 20 Apr 2020 23:07:51 +0200
+Subject: [PATCH] Don't allow to view images inline if opened directly.
+
+This services is supposed to process and view images inside a web page.
+---
+ services/images/view.php | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/horde-5.2.20/services/images/view.php 
b/horde-5.2.20/services/images/view.php
+index bc7da534..f5b0cb25 100644
+--- a/horde-5.2.20/services/images/view.php
++++ b/horde-5.2.20/services/images/view.php
+@@ -84,6 +84,7 @@
+ 
+ /* Check if no editing action required and send the image to browser. */
+ if (empty($action)) {
++    header('Content-Disposition: attachment');
+     $image->display();
+     exit;
+ }
+@@ -132,4 +133,5 @@
+ /* Write out any changes to the temporary file. */
+ file_put_contents($file_name, $image->raw());
+ 
++header('Content-Disposition: attachment');
+ $image->display();
diff -Nru php-horde-5.2.20+debian0/debian/patches/series 
php-horde-5.2.20+debian0/debian/patches/series
--- php-horde-5.2.20+debian0/debian/patches/series      2019-12-14 
03:13:53.000000000 +0100
+++ php-horde-5.2.20+debian0/debian/patches/series      2020-05-31 
21:45:26.000000000 +0200
@@ -1,2 +1,3 @@
 0001-Fix-rewrite-base.patch
 0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch
+0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---

Bug#961944: marked as done (buster-pu: package php-horde/5.2.20+debian0-1+deb10u2)

Reply via email to