Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <[email protected]>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #785155,
regarding wheezy-pu: package phpbb3/3.0.10-4+deb7u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
785155: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785155
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu
Hi,
Please accept the fix for CVE-2015-3880 in Wheezy, tagged as <no-dsa> as
agreed with the security team. The attached debdiff is pretty similar to
the one for Jessie (phpbb3/3.0.12-5+deb8u1, #785154).
Regards
David
diff --git a/changelog b/changelog
index 0856a51..e4048ab 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,11 @@
+phpbb3 (3.0.10-4+deb7u3) wheezy; urgency=medium
+
+ * Fix possible redirection on Chrome: an insufficient check allowed users of
+ the Google Chrome browser to be redirected to external domains (e.g. on
+ login) [CVE-2015-3880]
+
+ -- David Prévot <[email protected]> Tue, 12 May 2015 16:02:09 -0400
+
phpbb3 (3.0.10-4+deb7u2) wheezy; urgency=medium
* Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]
diff --git a/patches/fix_CVE-2015-3880.patch b/patches/fix_CVE-2015-3880.patch
new file mode 100644
index 0000000..bf789db
--- /dev/null
+++ b/patches/fix_CVE-2015-3880.patch
@@ -0,0 +1,32 @@
+Description: Fix possible redirection on Chrome
+ An insufficient check allowed users of the Google Chrome browser to be
+ redirected to external domains (e.g. on login).
+ [CVE-2015-3880]
+Author: Marc Alexander <[email protected]>, Joas Schilling <[email protected]>
+Origin: upstream, https://github.com/phpbb/phpbb/commit/1a3350619f428d9d69d196c52128727e27ef2f04
+Reviewed-by: Andreas Fischer <[email protected]>
+Last-Update: 2015-05-09
+--- a/includes/functions.php
++++ b/includes/functions.php
+@@ -2426,7 +2426,7 @@
+ // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work)
+ if (!$disable_cd_check && $url_parts['host'] !== $user->host)
+ {
+- $url = generate_board_url();
++ trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
+ }
+ }
+ else if ($url[0] == '/')
+@@ -2513,6 +2513,12 @@
+ }
+ }
+
++ // Make sure we don't redirect to external URLs
++ if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
++ {
++ trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
++ }
++
+ // Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
+ if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)
+ {
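Review bot: replacing `$url = generate_board_url();` with `trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);` in the first embedded hunk (includes/functions.php, around line 2426) turns a silent fallback to the board URL into a fatal error. That is a user-visible behaviour change for a stable update, and neither the Description header nor the changelog entry mentions it; please note it in one of them. In the second embedded hunk, `strpos($url, generate_board_url(true) . '/') !== 0` is a case-sensitive prefix match on the raw `$url`, so a target equal to the board URL without a trailing slash, or one whose host differs only in letter case, is rejected as well. That fails closed, but it is worth confirming that every caller reaches this point with a URL that carries the trailing slash, and that a regression test covers both a rejected external host and an accepted in-board path.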
diff --git a/patches/series b/patches/series
index 42df55d..86f65b1 100644
--- a/patches/series
+++ b/patches/series
@@ -8,3 +8,4 @@ fix-php54.patch
fix_chown.patch
fix_CVE-2015-1431.patch
fix_CVE-2015-1432.patch
+fix_CVE-2015-3880.patch
--- End Message ---
--- Begin Message ---
Version: 7.9
Hi,
These bugs relate to updates which were included in the 7.9 point
release.
Regards,
Adam
--- End Message ---