Bug#883418: dolibarr: EDM module does not work because of jQuery version

2017-12-27 Thread Laurent Destailleur (aka Eldy)
Thanks.
With v7, we have completely removed the layout library.

2017-12-03 20:23 GMT+01:00 pitchum :

> Package: dolibarr
> Version: 4.0.2+dfsg4-2
> Severity: important
> Tags: patch
>
> After upgrading from to stretch, module EDM does not work anymore.
> Firefox's webconsole prints this:
> 'TypeError: v.selector is undefined (jquery.layout.min.js:123:157)'
>
> After investigation it appears that this problem is Debian specific.
> Dolibarr from upstream includes jquery v1.12 while Debian's package
> provides jquery v.3.1 from package libjs-jquery and unfortunately
> EDM uses a jquery plugin (UI Layout) which was not updated to be
> compatible with jquery v3.
>
> The problem is already known:
> https://github.com/allpro/layout/issues/10
> https://github.com/allpro/layout/issues/17
>
> I attach a simple patch for the Debian package using the
> workaround proposed in issue 17.
>
> --
> pitchum
>



-- 
EMail: e...@destailleur.fr
Web: http://www.destailleur.fr

Google+: https://plus.google.com/+LaurentDestailleur-Open-Source-Expert/
Facebook: https://www.facebook.com/Destailleur.Laurent
Twitter: http://www.twitter.com/eldy10

* Dolibarr (Project leader): https://www.dolibarr.org (make a donation for
Dolibarr project via Paypal: cont...@destailleur.fr)
* AWStats (Author) : http://awstats.sourceforge.net (make a donation for
AWStats project via Paypal: cont...@destailleur.fr)
* AWBot (Author) : http://awbot.sourceforge.net
* CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net


Bug#885319: dolibarr: CVE-2017-14242: SQL injection vulnerability in don/list.php

2017-12-27 Thread Laurent Destailleur (aka Eldy)
Fixed in 6.0.5

2017-12-26 8:00 GMT+01:00 Salvatore Bonaccorso :

> Source: dolibarr
> Version: 3.5.5+dfsg1-1
> Severity: important
> Tags: patch security upstream
>
> Hi,
>
> the following vulnerability was published for dolibarr.
>
> CVE-2017-14242[0]:
> | SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0
> | allows remote attackers to execute arbitrary SQL commands via the
> | statut parameter.
>
> The code in question was moved several times around e.g. from
> htdocs/compta/dons/list.php to htdocs/donations/list.php, then to the
> dons directory.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-14242
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14242
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>




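The report above describes a status filter (the statut parameter of don/list.php) reaching SQL unvalidated. The following is an added example, not Dolibarr's code: it contrasts a filter value concatenated straight into the query with one that is checked against the known status set and bound as an integer. Table and column names (llx_don, fk_statut, datedon, amount), the status set, and the use of PDO with the SQLite driver are assumptions for the demonstration.

```php
<?php
// Added example, not Dolibarr's code. Table/column names and the status
// set are assumed; PDO with the sqlite driver is used so this runs offline.

// Unsafe: whatever arrives in ?statut= becomes part of the WHERE clause.
function build_list_sql_unsafe(string $statut): string
{
    return "SELECT rowid, datedon, amount FROM llx_don WHERE fk_statut = " . $statut;
}

// Assumed status codes: cancelled, draft, validated, paid.
const DONATION_STATUSES = [-1, 0, 1, 2];

// Returns the accepted integer, or null if the raw value is not one of the
// known codes. Rejecting early means nothing non-numeric ever reaches SQL.
function validate_statut(string $raw): ?int
{
    if (!preg_match('/^-?\d{1,3}$/', $raw)) {
        return null;
    }
    $value = (int) $raw;
    return in_array($value, DONATION_STATUSES, true) ? $value : null;
}

// Safe: validated value, bound as a typed parameter rather than spliced in.
function fetch_donations(PDO $db, string $raw): array
{
    $statut = validate_statut($raw);
    if ($statut === null) {
        throw new InvalidArgumentException("invalid statut: " . $raw);
    }
    $stmt = $db->prepare(
        'SELECT rowid, datedon, amount FROM llx_don WHERE fk_statut = :statut'
    );
    $stmt->bindValue(':statut', $statut, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory data so the safe path can actually be exercised.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE llx_don (rowid INTEGER PRIMARY KEY, datedon TEXT, amount REAL, fk_statut INTEGER)');
$db->exec("INSERT INTO llx_don (datedon, amount, fk_statut)
           VALUES ('2017-12-01', 50.0, 1), ('2017-12-02', 20.0, 0)");

// Constructed inputs: a legitimate code and a non-numeric string.
foreach (['1', 'abc'] as $raw) {
    printf("raw=%-6s unsafe SQL : %s\n", var_export($raw, true), build_list_sql_unsafe($raw));
    printf("%-10s validated  : %s\n", '', var_export(validate_statut($raw), true));
    try {
        printf("%-10s rows       : %d\n", '', count(fetch_donations($db, $raw)));
    } catch (InvalidArgumentException $e) {
        printf("%-10s rejected   : %s\n", '', $e->getMessage());
    }
}
```

The unsafe builder shows that the raw string lands in the SQL text unchanged, which is the whole problem; the validated path never lets a non-member of the status set reach the query, and binding with PDO::PARAM_INT means even a valid value is not string-interpolated. The same shape of check applies to any integer id parameter.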

Bug#885320: dolibarr: CVE-2017-14238 CVE-2017-14239 CVE-2017-14240 CVE-2017-14241

2017-12-27 Thread Laurent Destailleur (aka Eldy)
Fixed in 6.0.5

2017-12-26 8:11 GMT+01:00 Salvatore Bonaccorso :

> Source: dolibarr
> Version: 3.5.5+dfsg1-1
> Severity: grave
> Tags: patch security upstream
>
> Hi,
>
> the following vulnerabilities were published for dolibarr, filing
> only one bug for the four CVEs since afaict the common set of
> affected versions goes back to at least 3.5.5+dfsg1-1.
>
> CVE-2017-14238[0]:
> | SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM
> | version 6.0.0 allows remote attackers to execute arbitrary SQL commands
> | via the menuId parameter.
>
> CVE-2017-14239[1]:
> | Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM
> | 6.0.0 allow remote authenticated users to inject arbitrary web script
> | or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip,
> | (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors,
> | (9) Note, (10) Capital, (11) ProfId1, (12) ProfId2, (13) ProfId3, (14)
> | ProfId4, (15) ProfId5, or (16) ProfId6 parameter to
> | htdocs/admin/company.php.
>
> CVE-2017-14240[2]:
> | There is a sensitive information disclosure vulnerability in
> | document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter.
>
> CVE-2017-14241[3]:
> | Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0
> | allows remote authenticated users to inject arbitrary web script or
> | HTML via the Title parameter to htdocs/admin/menus/edit.php.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-14238
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14238
> [1] https://security-tracker.debian.org/tracker/CVE-2017-14239
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14239
> [2] https://security-tracker.debian.org/tracker/CVE-2017-14240
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14240
> [3] https://security-tracker.debian.org/tracker/CVE-2017-14241
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14241
> [4] https://github.com/Dolibarr/dolibarr/commit/
> d26b2a694de30f95e46ea54ea72cc54f0d38e548
>
> Regards,
> Salvatore
>
>



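CVE-2017-14239 above lists company settings fields (CompanyName, CompanyAddress, Note and so on) whose stored values were rendered without escaping. As an added example that is not Dolibarr's code, this renders such a settings form with one escaping function applied to every value at output time; the form layout, field list subset and sample values are constructed for the demonstration.

```php
<?php
// Added example, not Dolibarr's code. Field names come from the CVE text;
// the form markup and sample values are constructed.

// ENT_QUOTES encodes both ' and ", which matters because stored values are
// placed inside quoted attributes; ENT_SUBSTITUTE avoids returning an empty
// string on malformed UTF-8, which would silently drop the field content.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Every stored value passes through esc() exactly once, at output time,
// regardless of what validation happened when it was saved.
function render_company_form(array $settings): string
{
    $fields = ['CompanyName', 'CompanyAddress', 'CompanyZip', 'CompanyTown',
               'Fax', 'EMail', 'Web', 'ManagingDirectors', 'Note'];
    $html = "<form method=\"post\" action=\"company.php\">\n";
    foreach ($fields as $name) {
        $value = $settings[$name] ?? '';
        $html .= sprintf(
            "  <label>%s <input type=\"text\" name=\"%s\" value=\"%s\"></label>\n",
            esc($name), esc($name), esc($value)
        );
    }
    $html .= "</form>\n";
    return $html;
}

// Constructed sample: stored values containing markup characters.
$settings = [
    'CompanyName' => 'Ex & Co "Ltd"',
    'Note'        => "<b>bold</b> text with a ' quote",
];
echo render_company_form($settings);
```

The output shows the quotes and angle brackets of the sample values encoded, so the attribute boundary of each input element cannot be broken by a stored value. Escaping belongs at the rendering site because the same stored field may be displayed in several pages, and input-time filtering alone leaves every other output path exposed.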

Bug#885321: dolibarr: CVE-2017-17897 CVE-2017-17898 CVE-2017-17899 CVE-2017-17900

2017-12-27 Thread Laurent Destailleur (aka Eldy)
Fixed in 6.0.5

2017-12-26 8:38 GMT+01:00 Salvatore Bonaccorso :

> Source: dolibarr
> Version: 3.5.5+dfsg1-1
> Severity: grave
> Tags: patch security upstream
>
> Hi,
>
> the following vulnerabilities were published for dolibarr.
>
> CVE-2017-17897[0]:
> | SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM
> | version 6.0.4 allows remote attackers to execute arbitrary SQL commands
> | via the id parameter.
>
> CVE-2017-17898[1]:
> | Dolibarr ERP/CRM version 6.0.4 does not block direct requests to
> | *.tpl.php files, which allows remote attackers to obtain sensitive
> | information.
>
> CVE-2017-17899[2]:
> | SQL injection vulnerability in adherents/subscription/info.php in
> | Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute
> | arbitrary SQL commands via the rowid parameter.
>
> CVE-2017-17900[3]:
> | SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM
> | version 6.0.4 allows remote attackers to execute arbitrary SQL commands
> | via the socid parameter.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-17897
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17897
> [1] https://security-tracker.debian.org/tracker/CVE-2017-17898
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17898
> [2] https://security-tracker.debian.org/tracker/CVE-2017-17899
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17899
> [3] https://security-tracker.debian.org/tracker/CVE-2017-17900
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17900
>
> In one case the code moved from subscriptions_info.php to
> subscriptions/info.php; I still decided to file one bug report for the
> four CVEs since the set of fixes and affected versions are the same.
>
> If I was wrong on this regard, please clone the bug and adjust
> affected versions as needed for the BTS.
>
> Regards,
> Salvatore
>
>



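CVE-2017-17898 above concerns *.tpl.php template fragments that could be requested directly. As an added example that is not Dolibarr's code, this single file simulates a controller and the template it includes, with a guard at the top of the template that refuses to render unless the controller has set a marker that a direct HTTP request to the template file would never set. The marker name, the template name card.tpl.php and the sample object are assumptions.

```php
<?php
// Added example, not Dolibarr's code. Marker and file names are assumed.

const TPL_MARKER = 'DOL_TPL_INCLUDED';

// Goes at the very top of every *.tpl.php file, before any output. A direct
// request runs the template file on its own, so the marker is undefined.
function tpl_access_allowed(): bool
{
    return defined(TPL_MARKER);
}

function tpl_guard(): void
{
    if (!tpl_access_allowed()) {
        http_response_code(403);
        exit("Forbidden\n");
    }
}

// Simulated body of card.tpl.php: it only reads variables the controller
// prepared, and returns markup instead of printing so the demo can compare.
function card_tpl(array $object): string
{
    tpl_guard();
    return '<div class="card">'
         . htmlspecialchars($object['label'], ENT_QUOTES, 'UTF-8')
         . "</div>\n";
}

// What a direct request to card.tpl.php would see: no marker, no rendering.
echo "direct request allowed? ", tpl_access_allowed() ? 'yes' : 'no', "\n";

// The controller: bootstrap, load the object, set the marker, then include
// the template (here: call the simulated template function).
define(TPL_MARKER, 1);
$object = ['label' => 'Proposal PR1712-0001'];
echo "after controller bootstrap allowed? ", tpl_access_allowed() ? 'yes' : 'no', "\n";
echo card_tpl($object);
```

The in-code guard is the layer the application controls itself; as a second, independent layer the web server can be told not to serve those files at all, for example an Apache FilesMatch rule on the pattern \.tpl\.php$ with "Require all denied" (an assumed deployment setting, not something the report specifies). Having both means a misconfigured vhost and a template missing its guard line each fail closed on their own.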

Bug#862201: dolibarr: Applying absolute discount in proposal fails

2017-05-11 Thread Laurent Destailleur (aka Eldy)
The bug was fixed in official version 4.0.6. An upstream update must be done to the Debian
package.

2017-05-09 20:27 GMT+02:00 Maximilian Stein :

> Package: dolibarr
> Version: 4.0.2+dfsg4-2
> Severity: normal
>
> Dear Maintainer,
>
> After having added a customer in Dolibarr, I gave this customer an
> absolute discount. Then, I tried to create a proposal, however, applying
> the discount fails with the error message:
>
> "You have an error in your SQL syntax; check the manual that corresponds
> to your MariaDB server version for the right syntax to use near ' 0)' at
> line 1 sql=INSERT INTO llx_propaldet (fk_propal, fk_parent_line, label,
> description, fk_product, product_type, fk_remise_except, qty, tva_tx,
> localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, subprice,
> remise_percent, info_bits, total_ht, total_tva, total_localtax1,
> total_localtax2, total_ttc, fk_product_fournisseur_price, buy_price_ht,
> special_code, rang, fk_unit, date_start, date_end, fk_multicurrency,
> multicurrency_code, multicurrency_subprice, multicurrency_total_ht,
> multicurrency_total_tva, multicurrency_total_ttc) VALUES (1, null, null,
> 'test discount', null, '0', '1', 1, 19, 0, 0, '0', '0', -100, 0, '2',
> -100, -19, 0, 0, -119, null, '0', 0, -1, NULL, null, null, null, '', 0,
> 0, , 0)"
>
> Apparently, the SQL statement is invalid. I tried to manually execute
> the statement through the mysql tool and added a value of '0' at the
> last but one position in the value vector. This has actually worked, so
> the discount is now correctly applied in the offer.
>
> I then tried to find a quickfix for this problem. The SQL statement is
> crafted in the file
> "/usr/share/dolibarr/htdocs/comm/propal/class/propal.class.php" on lines
> 3252 and following. The class member "multicurrency_total_tva" seems to
> be uninitialized, so I just changed line 3098 to:
>
> var $multicurrency_total_tva = 0;
>
> As I am not using multiple currency currently, this seems to be an
> adequate fix for me now.
>
> Best,
> Maximilian
>
> -- System Information:
> Debian Release: 8.8
>   APT prefers stable
>   APT policy: (900, 'stable'), (800, 'testing'), (500, 'stable-updates')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages dolibarr depends on:
> ii  fonts-dejavu-core   2.34-1
> ii  javascript-common   11
> ii  libapache2-mod-php  1:7.0+49
> ii  libapache2-mod-php7.0 [libapache2-mod-php]  7.0.16-3
> ii  libjs-jquery3.1.1-2
> ii  libjs-jquery-cookie 11-3
> ii  libjs-jquery-flot   0.8.2+dfsg-1
> ii  libjs-jquery-ui 1.10.1+dfsg-1
> ii  libnusoap-php   0.9.5-3
> ii  libphp-adodb5.20.9-1
> ii  php-curl1:7.0+49
> ii  php-gd  1:7.0+49
> ii  php-ldap1:7.0+49
> ii  php-pclzip  2.8.2-4
> ii  php-tcpdf   6.0.093+dfsg-1
> ii  php7.0-cli [php-cli]7.0.16-3
> ii  php7.0-curl [php-curl]  7.0.16-3
> ii  php7.0-gd [php-gd]  7.0.16-3
> ii  php7.0-ldap [php-ldap]  7.0.16-3
> ii  php7.0-mysql [php-mysqli]   7.0.16-3
> ii  xdg-utils   1.1.0~rc1+git20111210-7.4
>
> Versions of packages dolibarr recommends:
> ii  apache2 [httpd]   2.4.25-3
> ii  default-mysql-client  1.0.2
> ii  default-mysql-server  1.0.2
>
> Versions of packages dolibarr suggests:
> pn  php-geoip  
> ii  w3m [www-browser]  0.5.3-19+deb8u1
>
> -- no debconf information
>
>
>



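The report above traces the ", , 0)" in the failing INSERT to a class member that was never initialised. As an added example that is not Dolibarr's code, this reproduces that failure mode with a reduced line class and shows the effect of the reporter's fix (an explicit default) together with a numeric cast at the point the VALUES list is built. The column subset and the SQLite round-trip are constructed for the demonstration.

```php
<?php
// Added example, not Dolibarr's code. Three of the real columns are kept;
// PDO with the sqlite driver stands in for MariaDB so this runs offline.

class ProposalLineBroken
{
    public $multicurrency_total_ht  = 0;
    public $multicurrency_total_tva;          // declared, never assigned: null
    public $multicurrency_total_ttc = 0;

    // Interpolating null into a string yields "", hence an empty field.
    public function valuesSql(): string
    {
        return "(" . $this->multicurrency_total_ht . ", "
                   . $this->multicurrency_total_tva . ", "
                   . $this->multicurrency_total_ttc . ")";
    }
}

class ProposalLineFixed
{
    public float $multicurrency_total_ht  = 0.0;
    public float $multicurrency_total_tva = 0.0; // the reporter's fix: a default
    public float $multicurrency_total_ttc = 0.0;

    // The (float) cast guarantees a numeric literal in every position even
    // if a caller later assigns null or '' to one of the properties.
    public function valuesSql(): string
    {
        return sprintf("(%s, %s, %s)",
            (float) $this->multicurrency_total_ht,
            (float) $this->multicurrency_total_tva,
            (float) $this->multicurrency_total_ttc);
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE llx_propaldet (
    multicurrency_total_ht REAL, multicurrency_total_tva REAL, multicurrency_total_ttc REAL)');

foreach ([new ProposalLineBroken(), new ProposalLineFixed()] as $line) {
    $sql = 'INSERT INTO llx_propaldet (multicurrency_total_ht, multicurrency_total_tva,'
         . ' multicurrency_total_ttc) VALUES ' . $line->valuesSql();
    try {
        $db->exec($sql);
        echo "OK:    $sql\n";
    } catch (PDOException $e) {
        echo "ERROR: $sql\n       " . $e->getMessage() . "\n";
    }
}
```

The broken class produces VALUES (0, , 0) and the database rejects it with a syntax error, exactly the shape of the message in the report; the fixed class produces (0, 0, 0) and the insert succeeds. The default alone is what the reporter applied; the cast is the extra guard so that the statement stays well-formed no matter what later code stores in the property.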

Bug#861926: Acknowledgement (jessie-pu: package php-tcpdf/6.0.093+dfsg-1)

2017-05-06 Thread Laurent Destailleur (aka Eldy)
I made an error when copying and pasting the CVE number in my first request.
The bug number was correct, #814030, but the related CVE is CVE-2017-6100.


Also, this is the full debdiff (I previously provided only the patch file):


diff -Nru tcpdf-6.0.093+dfsg/debian/changelog tcpdf-6.0.093+dfsg/debian/
changelog
--- tcpdf-6.0.093+dfsg/debian/changelog 2014-09-07 17:22:38.0 +0200
+++ tcpdf-6.0.093+dfsg/debian/changelog 2017-02-23 18:36:27.0 +0100
@@ -1,3 +1,9 @@
+tcpdf (6.0.093+dfsg-1+deb8u1) UNRELEASED; urgency=medium
+
+  * Fix CVE-2017-6100 (Closes: #814030)
+
+ -- Laurent Destailleur (eldy)   Wed, 22 Feb
2017 11:43:27 +0100
+
 tcpdf (6.0.093+dfsg-1) unstable; urgency=medium

   * New upstream release 6.0.093+dfsg
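Review bot: the new changelog entry at the top of this hunk still carries UNRELEASED as its distribution; an upload answering a jessie-pu request must name the target suite (jessie) in that field or it cannot be accepted into stable. The trailer date (Wed, 22 Feb 2017) also predates the 2017-02-23 timestamp on the +++ line, so the entry should be finalised again when the distribution is set.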
diff -Nru 
tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch
tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_
IN_HTML-to-false.patch
--- tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_
IN_HTML-to-false.patch 1970-01-01 01:00:00.0 +0100
+++ tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_
IN_HTML-to-false.patch 2017-02-23 18:36:27.0 +0100
@@ -0,0 +1,17 @@
+Description: Set default value of K_TCPDF_CALLS_IN_HTML to false.
+Author: Laurent Destailleur 
+Forwarded: not-needed
+Last-Update: 2013-07-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/config/tcpdf_config.php
 b/config/tcpdf_config.php
+@@ -210,7 +210,7 @@
+  * If true allows to call TCPDF methods using HTML syntax
+  * IMPORTANT: For security reason, disable this feature if you are
printing user HTML content.
+  */
+-define('K_TCPDF_CALLS_IN_HTML', true);
++define('K_TCPDF_CALLS_IN_HTML', false);
+
+ /**
+  * If true and PHP version is greater than 5, then the Error() method
throw new exception instead of terminating the execution.
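Review bot: the DEP-3 header at the top of this hunk has no Bug or Bug-Debian field and does not mention CVE-2017-6100, so the only link between this patch and the issue it closes lives in the changelog; add `Bug-Debian: https://bugs.debian.org/814030` and put the CVE id in the Description line. `Last-Update: 2013-07-29` also predates the CVE and should be the date this patch was prepared for the upload. The one-line change from `define('K_TCPDF_CALLS_IN_HTML', true);` to `false` is in line with the config file's own comment that the feature must be disabled when printing user-supplied HTML.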
diff -Nru tcpdf-6.0.093+dfsg/debian/patches/series
tcpdf-6.0.093+dfsg/debian/patches/series
--- tcpdf-6.0.093+dfsg/debian/patches/series 1970-01-01 01:00:00.0
+0100
+++ tcpdf-6.0.093+dfsg/debian/patches/series 2017-02-23 18:36:27.0
+0100
@@ -0,0 +1 @@
+default-K_TCPDF_CALLS_IN_HTML-to-false.patch


2017-05-06 2:00 GMT+02:00 Debian Bug Tracking System 
:

> Thank you for filing a new Bug report with Debian.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> Your message has been sent to the package maintainer(s):
>  Debian Release Team 
>
> If you wish to submit further information on this problem, please
> send it to 861...@bugs.debian.org.
>
> Please do not send mail to ow...@bugs.debian.org unless you wish
> to report a problem with the Bug-tracking system.
>
> --
> 861926: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861926
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>





Bug#844612: a new version of TCPDF is under development

2017-01-10 Thread Laurent Destailleur (aka Eldy)
The modularization is done to have cleaner code for developers.
It seems useless for an end user or a distribution: we can't imagine having
one Debian package to build a PDF that includes one image, another package
if we want to build a PDF able to use a different font, another package
to be able to build a PDF with accented text, another package to build a
PDF with some color, etc. We need only one lib to build PDFs, as most of
the modularized code (a dozen subprojects) is all required. So we should
have, I think, one and only one Debian package for the set.

Also, this rewrite called 8.0 is still in development and not ready yet,
so for the moment it's "wait and see" until the new version is available.
My 2 cents is that there are so many differences that it will probably be
another/different package in Debian.



2016-11-17 16:46 GMT+01:00 Paolo Greppi :

> Package: tcpdf
> Version: 6.2.12+dfsg2-1
> Severity: minor
>
> Dear Maintainer,
>
> The current version of tcpdf in stretch is 6.2.12 which is just one
> patch away from the latest one at
> https://github.com/tecnickcom/TCPDF/blob/master/CHANGELOG.TXT 6.2.13
> (2016-06-10)
>
> But this is the "old version"; the website says "A new version ... is
> under development at https://github.com/tecnickcom/tc-lib-pdf and as a
> consequence the old version will not receive any additional development
> or support."
>
> The "new version" in the tc-lib-pdf repo is now at 8.0.0 (?)
>
> It matches this package on packagist:
> https://packagist.org/packages/tecnickcom/tc-lib-pdf
>
> From its dependency tree, it appears that it has been modularized:
> - tecnickcom/tc-lib-barcode
> - tecnickcom/tc-lib-color
> - tecnickcom/tc-lib-pdf-image
> ...
>
> Are there any plans to move tcpdf to this new version? How to handle the
> transition ? Should there be a new set of packages ?
>
> Paolo
>
>




Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2

2016-03-20 Thread Laurent Destailleur (aka Eldy)
Hi Adam.

A fix was prepared to solve several CVEs. The security team already answered
me that they don't plan any DSA release for this patch. All fixes are already
included in unstable.

Can we push it into stable? It fixes the following CVEs:
* Fix CVE-2016-1912 (Closes: #812496)
* Fix CVE-2015-8685 (Closes: #812449)
* Fix CVE-2015-3935 (Closes: #787762)


This is the debdiff.


diff -Nru dolibarr-3.5.5+dfsg1/debian/changelog
dolibarr-3.5.5+dfsg1/debian/changelog
--- dolibarr-3.5.5+dfsg1/debian/changelog 2014-12-07 15:52:53.0
+0100
+++ dolibarr-3.5.5+dfsg1/debian/changelog 2016-02-08 21:30:58.0
+0100
@@ -1,3 +1,11 @@
+dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high
+
+  * Fix CVE-2016-1912 (Closes: #812496)
+  * Fix CVE-2015-8685 (Closes: #812449)
+  * Fix CVE-2015-3935 (Closes: #787762)
+
+ -- Laurent Destailleur (eldy)   Tue, 08 Sep
2015 15:22:52 +0200
+
 dolibarr (3.5.5+dfsg1-1) unstable; urgency=medium

   * New upstream release with 3.5.5
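Review bot: the version at the top of this hunk, 3.5.5+dfsg1-1+deb8u1, sorts below 3.5.5+dfsg1-2, the jessie version named in the bug title, so if that is what stable ships dpkg would treat this update as a downgrade; the new entry should be 3.5.5+dfsg1-2+deb8u1 and sit on top of the -2 changelog rather than the -1 entry shown below it. The distribution is still UNRELEASED and needs to be jessie for the upload, and the trailer date Tue, 08 Sep 2015 does not match the 2016-02-08 timestamp on the +++ line.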
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch
dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 1970-01-01
01:00:00.0 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 2016-02-08
21:30:58.0 +0100
@@ -0,0 +1,35 @@
+diff --git a/htdocs/admin/agenda_extsites.php
b/htdocs/admin/agenda_extsites.php
+index ac105cf..bf68c61 100644
+--- a/htdocs/admin/agenda_extsites.php
 b/htdocs/admin/agenda_extsites.php
+@@ -1,6 +1,7 @@
+ 
+- * Copyright (C) 2011-2014 Juanjo Menent
++/* Copyright (C) 2008-2011  Laurent Destailleur <
e...@users.sourceforge.net>
++ * Copyright (C) 2011-2014  Juanjo Menent   
++ * Copyright (C) 2016   Raphaël Doursenaud  <
rdoursen...@gpcsolutions.fr>
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -88,7 +89,7 @@
+  // Save nb of agenda
+  if (! $error)
+  {
+-
$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity);
++
$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity);
+  if (! $res > 0) $error++;
+  if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5;
+
$MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB;
+@@ -201,9 +202,9 @@
+  // Nb
+  print ''.$langs->trans("AgendaExtNb",$key)."";
+  // Name
+- print '';
++ print '';
+  // URL
+- print '';
++ print '';
+  // Color (Possible colors are limited by Google)
+  print '';
+  //print $formadmin->selectColor($conf->global->$color,
"google_agenda_color".$key, $colorlist);
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch
dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 1970-01-01
01:00:00.0 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 2016-02-08
21:30:58.0 +0100
@@ -0,0 +1,22 @@
+diff --git a/debian/changelog b/debian/changelog
+index 7d3e2e1..09dd3e0 100644
+--- a/htdocs/societe/societe.php
 b/htdocs/societe/societe.php
+@@ -272,7 +272,7 @@
+  $num = $db->num_rows($resql);
+  $i = 0;
+
+- $params =
"socname=".$socname."search_nom=".$search_nom."search_town=".$search_town;
++ $params =
"socname=".urlencode($socname)."search_nom=".urlencode($search_nom)."search_town=".urlencode($search_town);
+  $params.= ($sbarcode?"sbarcode=".$sbarcode:"");
+  $params.= 'search_idprof1='.$search_idprof1;
+  $params.= 'search_idprof2='.$search_idprof2;
+@@ -348,7 +348,7 @@
+  print '';
+  print '';
+  if (! empty($search_nom_only) && empty($search_nom))
$search_nom=$search_nom_only;
+- print '';
++ print '';
+  print '';
+  // Barcode
+  if (! empty($conf->barcode->enabled))
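Review bot: the nested diff header at the top of this hunk reads `diff --git a/debian/changelog b/debian/changelog` with `index 7d3e2e1..09dd3e0`, while the ---/+++ lines are for htdocs/societe/societe.php; that header was evidently copied from another diff and should be corrected so that quilt applies it to the intended file. Within the first nested hunk only $socname, $search_nom and $search_town are passed through urlencode(); on the lines immediately after, $sbarcode and $search_idprof1/$search_idprof2 are still concatenated raw into $params, so the same parameters-to-URL issue remains for them and they should be encoded the same way.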
diff -Nru
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
---
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
1970-01-01
01:00:00.0 +0100
+++
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
2016-02-08
21:30:58.0 +0100
@@ -0,0 +1,37 @@
+diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
+index 7fba7f5..90eac77 100644
+--- a/htdocs/main.inc.php
 b/htdocs/main.inc.php
+@@ -80,13 +80,15 @@
+ // For SQL Injection (only GET and POST are used to be included into
bad escaped SQL requests)
+ if ($type != 2)
+ {
+-$sql_inj += preg_match('/delete[\s]+from/i', $val);
+-$sql_inj += preg_match('/create[\s]+table/i', $val);
+-$sql_inj += preg_match('/update.+set.+=/i', $val);
+-$sql_inj += preg_match('/insert[\s]+into/i', $val);
+-$sql_inj += preg_match('/select.+from/i', $val);
+- 
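Review bot: this hunk is cut off after the removed lines, so the replacement for the five regex checks (delete from, create table, update set, insert into, select from) cannot be reviewed from the posted debdiff; please resend the complete patch. Independently of what replaces them, the comment kept at the top of the hunk states that these GET/POST patterns exist to catch values that end up in badly escaped SQL, which makes this filter defence in depth only: the fix for the two CVEs has to be in the escaping or parameterisation of the queries that consume those values, and the pattern list should not be the sole control.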

Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2

2016-02-23 Thread Laurent Destailleur (aka Eldy)
To fix open security holes in the dolibarr stable package, I prepared the
following 3 patches. These patches are already included in unstable.
They fix the following CVEs:
* Fix CVE-2016-1912 (Closes: #812496)
* Fix CVE-2015-8685 (Closes: #812449)
* Fix CVE-2015-3935 (Closes: #787762)


This is the debdiff. Can my mentor (Raphael Hertzog) push the new package
with this patch into stable?


diff -Nru dolibarr-3.5.5+dfsg1/debian/changelog
dolibarr-3.5.5+dfsg1/debian/changelog
--- dolibarr-3.5.5+dfsg1/debian/changelog 2014-12-07 15:52:53.0
+0100
+++ dolibarr-3.5.5+dfsg1/debian/changelog 2016-02-08 21:30:58.0
+0100
@@ -1,3 +1,11 @@
+dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high
+
+  * Fix CVE-2016-1912 (Closes: #812496)
+  * Fix CVE-2015-8685 (Closes: #812449)
+  * Fix CVE-2015-3935 (Closes: #787762)
+
+ -- Laurent Destailleur (eldy)   Tue, 08 Sep
2015 15:22:52 +0200
+
 dolibarr (3.5.5+dfsg1-1) unstable; urgency=medium

   * New upstream release with 3.5.5
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch
dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 1970-01-01
01:00:00.0 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 2016-02-08
21:30:58.0 +0100
@@ -0,0 +1,35 @@
+diff --git a/htdocs/admin/agenda_extsites.php
b/htdocs/admin/agenda_extsites.php
+index ac105cf..bf68c61 100644
+--- a/htdocs/admin/agenda_extsites.php
 b/htdocs/admin/agenda_extsites.php
+@@ -1,6 +1,7 @@
+ 
+- * Copyright (C) 2011-2014 Juanjo Menent
++/* Copyright (C) 2008-2011  Laurent Destailleur <
e...@users.sourceforge.net>
++ * Copyright (C) 2011-2014  Juanjo Menent   
++ * Copyright (C) 2016   Raphaël Doursenaud  <
rdoursen...@gpcsolutions.fr>
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -88,7 +89,7 @@
+ // Save nb of agenda
+ if (! $error)
+ {
+-
$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity);
++
$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity);
+ if (! $res > 0) $error++;
+ if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5;
+
$MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB;
+@@ -201,9 +202,9 @@
+ // Nb
+ print ''.$langs->trans("AgendaExtNb",$key)."";
+ // Name
+- print '';
++ print '';
+ // URL
+- print '';
++ print '';
+ // Color (Possible colors are limited by Google)
+ print '';
+ //print $formadmin->selectColor($conf->global->$color,
"google_agenda_color".$key, $colorlist);
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch
dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 1970-01-01
01:00:00.0 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 2016-02-08
21:30:58.0 +0100
@@ -0,0 +1,22 @@
+diff --git a/debian/changelog b/debian/changelog
+index 7d3e2e1..09dd3e0 100644
+--- a/htdocs/societe/societe.php
 b/htdocs/societe/societe.php
+@@ -272,7 +272,7 @@
+ $num = $db->num_rows($resql);
+ $i = 0;
+
+- $params =
"socname=".$socname."search_nom=".$search_nom."search_town=".$search_town;
++ $params =
"socname=".urlencode($socname)."search_nom=".urlencode($search_nom)."search_town=".urlencode($search_town);
+ $params.= ($sbarcode?"sbarcode=".$sbarcode:"");
+ $params.= 'search_idprof1='.$search_idprof1;
+ $params.= 'search_idprof2='.$search_idprof2;
+@@ -348,7 +348,7 @@
+ print '';
+ print '';
+ if (! empty($search_nom_only) && empty($search_nom))
$search_nom=$search_nom_only;
+- print '';
++ print '';
+ print '';
+ // Barcode
+ if (! empty($conf->barcode->enabled))
diff -Nru
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
---
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
1970-01-01
01:00:00.0 +0100
+++
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
2016-02-08
21:30:58.0 +0100
@@ -0,0 +1,37 @@
+diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
+index 7fba7f5..90eac77 100644
+--- a/htdocs/main.inc.php
 b/htdocs/main.inc.php
+@@ -80,13 +80,15 @@
+ // For SQL Injection (only GET and POST are used to be included into
bad escaped SQL requests)
+ if ($type != 2)
+ {
+-$sql_inj += preg_match('/delete[\s]+from/i', $val);
+-$sql_inj += preg_match('/create[\s]+table/i', $val);
+-$sql_inj += preg_match('/update.+set.+=/i', $val);
+-$sql_inj += preg_match('/insert[\s]+into/i', $val);
+-$sql_inj += preg_match('/select.+from/i', $val);
+-

Bug#814030: Intent to bring php-tcpdf in the Debian PHP PEAR (and Composer) Maintainers team (Was: Bug#814030: Security flaw fixed in version 6.2.0)

2016-02-23 Thread Laurent Destailleur (aka Eldy)
Hi David.

I have sent to my mentor (Raphael Hertzog) a commit with the new upstream
6.2.12 update of TCPDF.

If you plan/want to move package maintenance under the Debian PHP PEAR umbrella,
why not. What will be the benefit and impact?

2016-02-23 4:33 GMT+01:00 David Prévot :

> Hi,
>
> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> > Package: php-tcpdf
> > Version: 6.0.093+dfsg-1
> > Severity: serious
> > Tags: security upstream
> >
> > According to their changelog [1], upstream fixed a security issue over a
> > year ago: […]
>
> In order to bring php-tcpdf back in line with upstream, and to follow
> more closely the PHP class packaging, I’d like to take the
> opportunity of team maintaining it under the Debian PHP PEAR (and
> Composer) Maintainers umbrella.
>
> Unless someone objects, I intend to move forward as soon as I have some
> time to spare on it.
>
> Regards
>
> David
>





Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2

2015-09-03 Thread Laurent Destailleur (aka Eldy)
Sorry. I didn't understand your answer (English is not my mother
language).

You are speaking about "unstable".

I am speaking about pushing a CVE fix into stable 3.5.5. This fix is part
of a patch that includes other fixes, and this patch is called 3.5.7.
My question is: can I push fix1 + fix2 + fix3 with "1 push, called 3.5.7"
even if only fix1 was declared on Debian?


My understanding is that unstable has a different cycle than stable and is
dedicated to the next Debian stable. So the version that will be pushed into
"unstable" will be 3.8 (a major release that will include upstream with the
fixes found in the maintenance official project releases of the 3.5.*, 3.6.*
and 3.7.* branches + new features, so including the CVE fix included in 3.5.7
and not yet pushed to Debian because Debian is at 3.5.5).
Do you mean
* I first need to update upstream of "unstable" with 3.8 (so it will
include the CVE fix) to be allowed to fix stable with the maintenance fixes of
3.5.7,
or
* I can't push 3.5.7 into stable even if it contains only CVE or stability
fixes compared to 3.5.5, and I must prepare a 3.5.5bis that will include only
the CVE reported to Debian and not the others discovered and fixed in the 3.5.7
official project release?




2015-09-03 18:43 GMT+02:00 Adam D. Barratt :

> Control: tags -1 + moreinfo
>
> On 2015-09-03 15:44, Laurent Destailleur (eldy) wrote:
>
>> A security error CVE-2015-3935 was reported for Dolibarr ERP CRM
>> package. This bug is fixed in official package 3.5.7 of Dolibarr.
>> Package 3.5.7 is a maintenance release compared to 3.5.5 and contains
>> only fixes. But not only bugs reported to debian, it includes also
>> other fixes (but they are all related to stability or security).
>> I think it is a better solution to validate this maintenance release
>> based on the new upstream version of Dolibarr than applying a patch of
>> the only CVE-2015-3935.
>>
> [...]
>
>> So I just need to know if it's ok to push such a version 3.5.7 (fixes
>> for 3.5.* branch) instead of only one fix for only the few (the only)
>> reported debian bugs,
>> since it provides more stability and is for me a more secure process.
>>
>
> Certainly not whilst neither the CVE fix nor 3.5.7 are in unstable (which
> still has 3.5.5 without the fix, afaict).
>
> Regards,
>
> Adam
>





Bug#783061: dolibarr: incomplete installation instructions

2015-04-22 Thread Laurent Destailleur (aka Eldy)
The package already depends on libjs-jquery, so /javascript should not be
missing, because libjs-jquery should depend on it.

Don't you think the bug should be moved to the libjs-jquery package?


For the second point, I will replace libjs-flot with libjs-jquery-flot
in a next patch.

2015-04-21 13:03 GMT+02:00 Dmitry Smirnov only...@debian.org:

> Package: dolibarr
> Version: 3.5.5+dfsg1-1
> Severity: normal
>
> I'm accessing dolibarr as http://localhost/dolibarr
> as per /etc/apache2/conf-available/dolibarr.conf
> however I'm getting 404 errors in browser on
>
> GET /javascript/jquery/jquery.min.js
> GET /javascript/jquery-ui/jquery-ui.min.js
> GET /javascript/flot/jquery.flot.js
> GET /javascript/flot/jquery.flot.pie.js
> GET /javascript/flot/jquery.flot.stack.js
>
> and others because /javascript does not exist in the Apache configuration.
> Naturally dolibarr interface is not functioning properly...
>
> I've managed to fix that by installing package javascript-common and
> invoking the following command:
>
> a2enconf javascript-common
>
> But dolibarr should document the necessary installation instructions in
> README.Debian and perhaps depend on javascript-common.
>
> Besides dolibarr depends on transitional dummy package libjs-flot which
> should be replaced with libjs-jquery-flot.
>
> --
> Best wishes,
>  Dmitry Smirnov



Bug#776458: unblock: dolibarr/3.5.5+dfsg1-1

2015-02-15 Thread Laurent Destailleur (aka Eldy)
This is my point of view of what to do for this case:

My first choice was to not send any unblock request. The reason is that the CVE
needs a privileged account to be exploited, so it is not a high risk, and I would
not like to bother anybody.

However, Moritz Muehlenhoff asked me to provide a fix. A fix was already done
before the CVE was reported on Debian. It is version 3.5.5. So the idea was
to send an unblock request to validate this version. That's what Raphael
did for me (I received a bounce when doing it myself).
This is clearly the choice I recommend, for 2 reasons:
- On Debian, only one CVE was reported, but several others were reported to
the project directly. Why add a CVE fix that will include only fixes for the
Debian CVE and not the others? I think it is better to include the others too.
- This version and package 3.5.5 is a long term production version. Even if
not in Debian, it has been released several months ago as a tgz package
and is really much more stable than the current 3.5.4. So if stability of the
application is a consideration, I think this package is a better choice than
a targeted fix because it fixes other stability bugs (3.5.5 fixes only bugs).
I think it is a better choice, more secure, because the CVE reported on
Debian is not one security report but a long list of several holes (all
require a privileged account however), so fixing it needs a lot of changes on
a lot of files. Reporting locally all fixes for only this CVE is a high
risk of forgetting and missing something, whereas we are sure that 3.5.5 is
complete and stable.

I share the point of view of Raphael, thinking that making a targeted fix does
not bring us more security; I will say more, I think a targeted fix is
less secure than 3.5.5 since this version is the official version in
production for branch 3.5.5 since the beginning of October 2014 and no other
packages depend on it.




2015-02-09 10:02 GMT+01:00 Raphael Hertzog hert...@debian.org:

> Hi,
>
> On Sun, 08 Feb 2015, Ivo De Decker wrote:
> > On Wed, Jan 28, 2015 at 09:50:30AM +0100, Raphael Hertzog wrote:
> > > Please unblock package dolibarr
> > >
> > > Version 3.5.5+dfsg1-1 fixes a security issue: CVE-2014-7137 (Closes:
> > > #770313)
> >
> > This bug was filed by the security team as 'grave', but downgraded by the
> > maintainer to 'important' without explanation. If the issue is actually
> > grave, the severity should be increased again.
>
> Well, the maintainer explained (to me only apparently) that the issue is
> only exploitable with privileged accounts so that the threat is not very
> high and I thus instructed him that it's his responsibility to downgrade
> the bug if he doesn't want the packages to be removed from Jessie.
>
> Later the security team contacted him about this CVE and asked him to
> request an unblock because it would be better to release Jessie without
> an open CVE on dolibarr.
>
> > The diff is very large, and it probably contains lots of changes that
> > are not appropriate at this point of the freeze. If you think this is
> > not the case, please explain why.
>
> It's certainly the case, but the package is a leaf package and the fixed
> version has been well tested in sid.
>
> The package maintainer is also the upstream author.
>
> > A targeted fix for this issue is probably better.
>
> I don't see what a targeted fix brings us given that the only risk of
> regression is in dolibarr itself (and Dolibarr is maintained).
>
> Laurent, what's your opinion? Would you be willing to prepare a targeted
> fix?
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/