Bug#883418: dolibarr: EDM module does not work because of jQuery version
Thanks. With v7, we have completely removed the library layout.

2017-12-03 20:23 GMT+01:00 pitchum:
> Package: dolibarr
> Version: 4.0.2+dfsg4-2
> Severity: important
> Tags: patch
>
> After upgrading from to stretch, module EDM does not work anymore.
> Firefox's webconsole prints this:
> 'TypeError: v.selector is undefined (jquery.layout.min.js:123:157)'
>
> After investigation it appears that this problem is Debian specific.
> Dolibarr from upstream includes jquery v1.12 while Debian's package
> provides jquery v.3.1 from package libjs-jquery and unfortunately
> EDM uses a jquery plugin (UI Layout) which was not updated to be
> compatible with jquery v3.
>
> The problem is already known:
> https://github.com/allpro/layout/issues/10
> https://github.com/allpro/layout/issues/17
>
> I attach a simple patch for the Debian package using the
> workaround proposed in issue 17.
>
> --
> pitchum

--
EMail: e...@destailleur.fr
Web: http://www.destailleur.fr
Google+: https://plus.google.com/+LaurentDestailleur-Open-Source-Expert/
Facebook: https://www.facebook.com/Destailleur.Laurent
Twitter: http://www.twitter.com/eldy10
* Dolibarr (Project leader): https://www.dolibarr.org (make a donation for Dolibarr project via Paypal: cont...@destailleur.fr)
* AWStats (Author) : http://awstats.sourceforge.net (make a donation for AWStats project via Paypal: cont...@destailleur.fr)
* AWBot (Author) : http://awbot.sourceforge.net
* CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
Bug#885319: dolibarr: CVE-2017-14242: SQL injection vulnerability in don/list.php
Fixed in 6.0.5

2017-12-26 8:00 GMT+01:00 Salvatore Bonaccorso:
> Source: dolibarr
> Version: 3.5.5+dfsg1-1
> Severity: important
> Tags: patch security upstream
>
> Hi,
>
> the following vulnerability was published for dolibarr.
>
> CVE-2017-14242[0]:
> | SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0
> | allows remote attackers to execute arbitrary SQL commands via the
> | statut parameter.
>
> The code in question was moved several times around e.g. from
> htdocs/compta/dons/list.php to htdocs/donations/list.php, then to the
> dons directory.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-14242
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14242
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Bug#885320: dolibarr: CVE-2017-14238 CVE-2017-14239 CVE-2017-14240 CVE-2017-14241
Fixed in 6.0.5

2017-12-26 8:11 GMT+01:00 Salvatore Bonaccorso:
> Source: dolibarr
> Version: 3.5.5+dfsg1-1
> Severity: grave
> Tags: patch security upstream
>
> Hi,
>
> the following vulnerabilities were published for dolibarr, filing
> only one bug for the four CVEs since afaict the common set of
> affected versions goes back to at least 3.5.5+dfsg1-1.
>
> CVE-2017-14238[0]:
> | SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM
> | version 6.0.0 allows remote attackers to execute arbitrary SQL commands
> | via the menuId parameter.
>
> CVE-2017-14239[1]:
> | Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM
> | 6.0.0 allow remote authenticated users to inject arbitrary web script
> | or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip,
> | (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors,
> | (9) Note, (10) Capital, (11) ProfId1, (12) ProfId2, (13) ProfId3, (14)
> | ProfId4, (15) ProfId5, or (16) ProfId6 parameter to
> | htdocs/admin/company.php.
>
> CVE-2017-14240[2]:
> | There is a sensitive information disclosure vulnerability in
> | document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter.
>
> CVE-2017-14241[3]:
> | Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0
> | allows remote authenticated users to inject arbitrary web script or
> | HTML via the Title parameter to htdocs/admin/menus/edit.php.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-14238
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14238
> [1] https://security-tracker.debian.org/tracker/CVE-2017-14239
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14239
> [2] https://security-tracker.debian.org/tracker/CVE-2017-14240
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14240
> [3] https://security-tracker.debian.org/tracker/CVE-2017-14241
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14241
> [4] https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548
>
> Regards,
> Salvatore
Bug#885321: dolibarr: CVE-2017-17897 CVE-2017-17898 CVE-2017-17899 CVE-2017-17900
Fixed in 6.0.5

2017-12-26 8:38 GMT+01:00 Salvatore Bonaccorso:
> Source: dolibarr
> Version: 3.5.5+dfsg1-1
> Severity: grave
> Tags: patch security upstream
>
> Hi,
>
> the following vulnerabilities were published for dolibarr.
>
> CVE-2017-17897[0]:
> | SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM
> | version 6.0.4 allows remote attackers to execute arbitrary SQL commands
> | via the id parameter.
>
> CVE-2017-17898[1]:
> | Dolibarr ERP/CRM version 6.0.4 does not block direct requests to
> | *.tpl.php files, which allows remote attackers to obtain sensitive
> | information.
>
> CVE-2017-17899[2]:
> | SQL injection vulnerability in adherents/subscription/info.php in
> | Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute
> | arbitrary SQL commands via the rowid parameter.
>
> CVE-2017-17900[3]:
> | SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM
> | version 6.0.4 allows remote attackers to execute arbitrary SQL commands
> | via the socid parameter.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-17897
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17897
> [1] https://security-tracker.debian.org/tracker/CVE-2017-17898
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17898
> [2] https://security-tracker.debian.org/tracker/CVE-2017-17899
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17899
> [3] https://security-tracker.debian.org/tracker/CVE-2017-17900
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17900
>
> In one case the code moved from subscriptions_info.php to
> subscriptions/info.php, still decided to file one bug report for the
> four CVEs since the set of fixes and affected versions are the same.
>
> If I was wrong on this regard, please clone the bug and adjust
> affected versions as needed for the BTS.
>
> Regards,
> Salvatore
Bug#862201: dolibarr: Applying absolute discount in proposal fails
Bug was fixed in official version 4.0.6. An upstream update must be done to the Debian package.

2017-05-09 20:27 GMT+02:00 Maximilian Stein:
> Package: dolibarr
> Version: 4.0.2+dfsg4-2
> Severity: normal
>
> Dear Maintainer,
>
> After having added a customer in Dolibarr, I gave this customer an
> absolute discount. Then, I tried to create a proposal, however, applying
> the discount fails with the error message:
>
> "You have an error in your SQL syntax; check the manual that corresponds
> to your MariaDB server version for the right syntax to use near ' 0)' at
> line 1 sql=INSERT INTO llx_propaldet (fk_propal, fk_parent_line, label,
> description, fk_product, product_type, fk_remise_except, qty, tva_tx,
> localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, subprice,
> remise_percent, info_bits, total_ht, total_tva, total_localtax1,
> total_localtax2, total_ttc, fk_product_fournisseur_price, buy_price_ht,
> special_code, rang, fk_unit, date_start, date_end, fk_multicurrency,
> multicurrency_code, multicurrency_subprice, multicurrency_total_ht,
> multicurrency_total_tva, multicurrency_total_ttc) VALUES (1, null, null,
> 'test discount', null, '0', '1', 1, 19, 0, 0, '0', '0', -100, 0, '2',
> -100, -19, 0, 0, -119, null, '0', 0, -1, NULL, null, null, null, '', 0,
> 0, , 0)"
>
> Apparently, the SQL statement is invalid. I tried to manually execute
> the statement through the mysql tool and added a value of '0' at the
> last but one position in the value vector. This has actually worked, so
> the discount is now correctly applied in the offer.
>
> I then tried to find a quickfix for this problem. The SQL statement is
> crafted in the file
> "/usr/share/dolibarr/htdocs/comm/propal/class/propal.class.php" on lines
> 3252 and following. The class member "multicurrency_total_tva" seems to
> be uninitialized, so I just changed line 3098 to:
>
> var $multicurrency_total_tva = 0;
>
> As I am not using multiple currency currently, this seems to be an
> adequate fix for me now.
>
> Best,
> Maximilian
>
> -- System Information:
> Debian Release: 8.8
> APT prefers stable
> APT policy: (900, 'stable'), (800, 'testing'), (500, 'stable-updates')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages dolibarr depends on:
> ii fonts-dejavu-core 2.34-1
> ii javascript-common 11
> ii libapache2-mod-php 1:7.0+49
> ii libapache2-mod-php7.0 [libapache2-mod-php] 7.0.16-3
> ii libjs-jquery 3.1.1-2
> ii libjs-jquery-cookie 11-3
> ii libjs-jquery-flot 0.8.2+dfsg-1
> ii libjs-jquery-ui 1.10.1+dfsg-1
> ii libnusoap-php 0.9.5-3
> ii libphp-adodb 5.20.9-1
> ii php-curl 1:7.0+49
> ii php-gd 1:7.0+49
> ii php-ldap 1:7.0+49
> ii php-pclzip 2.8.2-4
> ii php-tcpdf 6.0.093+dfsg-1
> ii php7.0-cli [php-cli] 7.0.16-3
> ii php7.0-curl [php-curl] 7.0.16-3
> ii php7.0-gd [php-gd] 7.0.16-3
> ii php7.0-ldap [php-ldap] 7.0.16-3
> ii php7.0-mysql [php-mysqli] 7.0.16-3
> ii xdg-utils 1.1.0~rc1+git20111210-7.4
>
> Versions of packages dolibarr recommends:
> ii apache2 [httpd] 2.4.25-3
> ii default-mysql-client 1.0.2
> ii default-mysql-server 1.0.2
>
> Versions of packages dolibarr suggests:
> pn php-geoip
> ii w3m [www-browser] 0.5.3-19+deb8u1
>
> -- no debconf information
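The failure described in the report above, as an added example that is not Dolibarr's code: a hypothetical `ProposalLine` class with the same uninitialised `multicurrency_total_tva` member, the string concatenation that leaves an empty slot in the VALUES list, and a guard that normalises every numeric column before the statement is assembled. Only the column names come from the report; the class, `buildInsertNaive`, `buildInsertGuarded` and `numericOrDefault` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the proposal line object; only the column
// names mirror the bug report. The member left without an initialiser
// is null, exactly the situation the report describes.
class ProposalLine
{
    public $total_ttc = -119;
    public $multicurrency_total_ht = 0;
    public $multicurrency_total_tva;      // never assigned: PHP null
    public $multicurrency_total_ttc = 0;
}

// Naive concatenation, the shape of the bug: null is cast to "" when
// glued into the string, so one column of the VALUES list vanishes and
// the server rejects the statement with a syntax error near "' 0)'".
function buildInsertNaive(ProposalLine $l): string
{
    return "INSERT INTO llx_propaldet (total_ttc, multicurrency_total_ht, "
        . "multicurrency_total_tva, multicurrency_total_ttc) VALUES ("
        . $l->total_ttc . ", " . $l->multicurrency_total_ht . ", "
        . $l->multicurrency_total_tva . ", " . $l->multicurrency_total_ttc . ")";
}

// Guard: a numeric column that is unset is logged and defaulted, and a
// value that is not numeric at all is refused before it reaches SQL.
// This is the property-level equivalent of the reporter's "= 0" fix,
// applied at the one place every column passes through.
function numericOrDefault($value, string $column, float $default = 0.0): float
{
    if ($value === null || $value === '') {
        error_log("propaldet: $column is unset, defaulting to $default");
        return $default;
    }
    if (!is_numeric($value)) {
        throw new InvalidArgumentException(
            "$column is not numeric: " . var_export($value, true)
        );
    }
    return (float) $value;
}

// Guarded builder: columns and values are kept as one map so the two
// lists can never drift apart, and each value is normalised first.
function buildInsertGuarded(ProposalLine $l): string
{
    $cols = [
        'total_ttc'               => $l->total_ttc,
        'multicurrency_total_ht'  => $l->multicurrency_total_ht,
        'multicurrency_total_tva' => $l->multicurrency_total_tva,
        'multicurrency_total_ttc' => $l->multicurrency_total_ttc,
    ];
    $values = [];
    foreach ($cols as $name => $v) {
        $values[] = numericOrDefault($v, $name);
    }
    return "INSERT INTO llx_propaldet (" . implode(', ', array_keys($cols))
        . ") VALUES (" . implode(', ', $values) . ")";
}

$line = new ProposalLine();
echo buildInsertNaive($line), "\n";   // one VALUES slot is empty: invalid SQL
echo buildInsertGuarded($line), "\n"; // every slot filled, statement is valid
```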
Bug#861926: Acknowledgement (jessie-pu: package php-tcpdf/6.0.093+dfsg-1)
I made an error when copying and pasting the CVE number in my first request. The bug number was correct, so #814030, but the related CVE is CVE-2017-6100.

Also, this is the full debdiff (I previously provided only the patch file):

diff -Nru tcpdf-6.0.093+dfsg/debian/changelog tcpdf-6.0.093+dfsg/debian/ changelog --- tcpdf-6.0.093+dfsg/debian/changelog 2014-09-07 17:22:38.0 +0200 +++ tcpdf-6.0.093+dfsg/debian/changelog 2017-02-23 18:36:27.0 +0100 @@ -1,3 +1,9 @@ +tcpdf (6.0.093+dfsg-1+deb8u1) UNRELEASED; urgency=medium + + * Fix CVE-2017-6100 (Closes: #814030) + + -- Laurent Destailleur (eldy)Wed, 22 Feb 2017 11:43:27 +0100 + tcpdf (6.0.093+dfsg-1) unstable; urgency=medium * New upstream release 6.0.093+dfsg diff -Nru tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_ IN_HTML-to-false.patch --- tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_ IN_HTML-to-false.patch 1970-01-01 01:00:00.0 +0100 +++ tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_ IN_HTML-to-false.patch 2017-02-23 18:36:27.0 +0100 
@@ -0,0 +1,17 @@ +Description: Set default value of K_TCPDF_CALLS_IN_HTML to false. +Author: Laurent Destailleur +Forwarded: not-needed +Last-Update: 2013-07-29 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/config/tcpdf_config.php b/config/tcpdf_config.php +@@ -210,7 +210,7 @@ + * If true allows to call TCPDF methods using HTML syntax + * IMPORTANT: For security reason, disable this feature if you are printing user HTML content. + */ +-define('K_TCPDF_CALLS_IN_HTML', true); ++define('K_TCPDF_CALLS_IN_HTML', false); + + /** + * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution. diff -Nru tcpdf-6.0.093+dfsg/debian/patches/series tcpdf-6.0.093+dfsg/debian/patches/series --- tcpdf-6.0.093+dfsg/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ tcpdf-6.0.093+dfsg/debian/patches/series 2017-02-23 18:36:27.0 +0100 
@@ -0,0 +1 @@ +default-K_TCPDF_CALLS_IN_HTML-to-false.patch

2017-05-06 2:00 GMT+02:00 Debian Bug Tracking System :
> Thank you for filing a new Bug report with Debian.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> Your message has been sent to the package maintainer(s):
> Debian Release Team
>
> If you wish to submit further information on this problem, please
> send it to 861...@bugs.debian.org.
>
> Please do not send mail to ow...@bugs.debian.org unless you wish
> to report a problem with the Bug-tracking system.
>
> --
> 861926: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861926
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
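Review bot: the debian/changelog hunk still carries `UNRELEASED` in `+tcpdf (6.0.093+dfsg-1+deb8u1) UNRELEASED; urgency=medium`; a jessie-pu upload needs the distribution set to `jessie`, and the trailer as shown (`-- Laurent Destailleur (eldy)Wed, 22 Feb 2017 11:43:27 +0100`) has no maintainer address and no two-space separator before the date, which dpkg-parsechangelog rejects. Regenerate the entry with `dch -r` before building so both are correct.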
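Review bot: the DEP-3 header of default-K_TCPDF_CALLS_IN_HTML-to-false.patch gives `Last-Update: 2013-07-29`, which predates the 2017 fix it is added for, and has no `Bug-Debian:` line; set `Last-Update: 2017-02-22` and add `Bug-Debian: https://bugs.debian.org/814030` so the patch can be traced to CVE-2017-6100. Note also that `-define('K_TCPDF_CALLS_IN_HTML', true);` / `+define('K_TCPDF_CALLS_IN_HTML', false);` only changes the shipped default in config/tcpdf_config.php: an application that ships its own config with the constant left at true keeps the behaviour the comment in the hunk warns about, so the changelog entry should state that this is a default change rather than a code fix.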
Bug#844612: a new version of TCPDF is under development
The modularization is done to have cleaner code for developers. It seems useless for an end user or a distribution: we can't imagine having one Debian package to build a pdf that includes one image, and another package if we want to build a pdf to be able to have a different font, and another package to be able to build a pdf with accented text, another package to build a pdf with some color, etc... We need only 1 lib to build PDF as most modularized code (a dozen subprojects) is all required. So we should have, I think, one and only one Debian package for the set.

Also, this rewriting called 8.0 is still in development and not ready yet, so for the moment, it's "wait and see" when the new version is available.

My 2 cents is that there are so many differences that it will probably be another/different package in Debian.

2016-11-17 16:46 GMT+01:00 Paolo Greppi:
> Package: tcpdf
> Version: 6.2.12+dfsg2-1
> Severity: minor
>
> Dear Maintainer,
>
> The current version of tcpdf in stretch is 6.2.12 which is just one
> patch away from the latest one at
> https://github.com/tecnickcom/TCPDF/blob/master/CHANGELOG.TXT 6.2.13
> (2016-06-10)
>
> But this is the "old version"; the website says "A new version ... is
> under development at https://github.com/tecnickcom/tc-lib-pdf and as a
> consequence the old version will not receive any additional development
> or support."
>
> The "new version" in the tc-lib-pdf repo is now at 8.0.0 (?)
>
> It matches this package on packagist:
> https://packagist.org/packages/tecnickcom/tc-lib-pdf
>
> From its dependency tree, it appears that it has been modularized:
> - tecnickcom/tc-lib-barcode
> - tecnickcom/tc-lib-color
> - tecnickcom/tc-lib-pdf-image
> ...
>
> Are there any plans to move tcpdf to this new version? How to handle the
> transition ? Should there be a new set of packages ?
>
> Paolo
Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2
Hi Adam.

A fix was prepared to solve several CVEs. The security team already answered me that they don't plan any DSA release for this patch. All fixes are already included in unstable. Can we push it into stable ?

It fixes the following CVEs:
* Fix CVE-2016-1912 (Closes: #812496)
* Fix CVE-2015-8685 (Closes: #812449)
* Fix CVE-2015-3935 (Closes: #787762)

This is the debdiff.

diff -Nru dolibarr-3.5.5+dfsg1/debian/changelog dolibarr-3.5.5+dfsg1/debian/changelog --- dolibarr-3.5.5+dfsg1/debian/changelog 2014-12-07 15:52:53.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/changelog 2016-02-08 21:30:58.0 +0100 @@ -1,3 +1,11 @@ +dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high + + * Fix CVE-2016-1912 (Closes: #812496) + * Fix CVE-2015-8685 (Closes: #812449) + * Fix CVE-2015-3935 (Closes: #787762) + + -- Laurent Destailleur (eldy)Tue, 08 Sep 2015 15:22:52 +0200 + dolibarr (3.5.5+dfsg1-1) unstable; urgency=medium * New upstream release with 3.5.5 diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch --- dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 1970-01-01 01:00:00.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 2016-02-08 21:30:58.0 +0100 
@@ -0,0 +1,35 @@ +diff --git a/htdocs/admin/agenda_extsites.php b/htdocs/admin/agenda_extsites.php +index ac105cf..bf68c61 100644 +--- a/htdocs/admin/agenda_extsites.php b/htdocs/admin/agenda_extsites.php +@@ -1,6 +1,7 @@ + +- * Copyright (C) 2011-2014 Juanjo Menent ++/* Copyright (C) 2008-2011 Laurent Destailleur < e...@users.sourceforge.net> ++ * Copyright (C) 2011-2014 Juanjo Menent ++ * Copyright (C) 2016 Raphaël Doursenaud < rdoursen...@gpcsolutions.fr> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -88,7 +89,7 @@ + // Save nb of agenda + if (! $error) + { +- $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity); ++ $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity); + if (! $res > 0) $error++; + if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5; + $MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB; +@@ -201,9 +202,9 @@ + // Nb + print ''.$langs->trans("AgendaExtNb",$key).""; + // Name +- print ''; ++ print ''; + // URL +- print ''; ++ print ''; + // Color (Possible colors are limited by Google) + print ''; + //print $formadmin->selectColor($conf->global->$color, "google_agenda_color".$key, $colorlist); diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch --- dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 1970-01-01 01:00:00.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 2016-02-08 21:30:58.0 +0100 
@@ -0,0 +1,22 @@ +diff --git a/debian/changelog b/debian/changelog +index 7d3e2e1..09dd3e0 100644 +--- a/htdocs/societe/societe.php b/htdocs/societe/societe.php +@@ -272,7 +272,7 @@ + $num = $db->num_rows($resql); + $i = 0; + +- $params = "socname=".$socname."search_nom=".$search_nom."search_town=".$search_town; ++ $params = "socname=".urlencode($socname)."search_nom=".urlencode($search_nom)."search_town=".urlencode($search_town); + $params.= ($sbarcode?"sbarcode=".$sbarcode:""); + $params.= 'search_idprof1='.$search_idprof1; + $params.= 'search_idprof2='.$search_idprof2; +@@ -348,7 +348,7 @@ + print ''; + print ''; + if (! empty($search_nom_only) && empty($search_nom)) $search_nom=$search_nom_only; +- print ''; ++ print ''; + print ''; + // Barcode + if (! empty($conf->barcode->enabled)) diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch --- dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch 1970-01-01 01:00:00.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch 2016-02-08 21:30:58.0 +0100 @@ -0,0 +1,37 @@ +diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php +index 7fba7f5..90eac77 100644 +--- a/htdocs/main.inc.php b/htdocs/main.inc.php +@@ -80,13 +80,15 @@ + // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests) + if ($type != 2) + { +-$sql_inj += preg_match('/delete[\s]+from/i', $val); +-$sql_inj += preg_match('/create[\s]+table/i', $val); +-$sql_inj += preg_match('/update.+set.+=/i', $val); +-$sql_inj += preg_match('/insert[\s]+into/i', $val); +-$sql_inj += preg_match('/select.+from/i', $val); +-
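Review bot: the debian/changelog hunk has `UNRELEASED` where a jessie-pu upload needs `jessie`, and its trailer date (`Tue, 08 Sep 2015 15:22:52 +0200`) is older than CVE-2016-1912 and than the 2016-02-08 timestamps of the patch files added in the same debdiff, so the entry was written before the fixes it lists; refresh it with `dch -r` so the date and distribution match what is actually being uploaded.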
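Review bot: FIX-4291-GETPOSTs.patch has no DEP-3 header (it begins directly with `+diff --git a/htdocs/admin/agenda_extsites.php`), so nothing records its origin or which of the three CVEs in the changelog it belongs to; add `Description:`, `Origin:` and `Bug-Debian:` lines. Changing `GETPOST('AGENDA_EXT_NB','alpha')` to `GETPOST('AGENDA_EXT_NB','int')` is the right type for a count, but in the `@@ -201,9 +202,9 @@` hunk each removed line and its replacement are shown identical (`print '';`), so as posted the hunk does not convey what changed for the name and URL fields; please confirm the patch file in the upload contains the intended changes to those print statements.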
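Review bot: in Fix-787762-CVE20153935.patch the `+diff --git a/debian/changelog b/debian/changelog` / `+index 7d3e2e1..09dd3e0` header does not match the `--- a/htdocs/societe/societe.php` file the hunks actually modify; fix the header so the patch is not misread. In the `@@ -272,7 +272,7 @@` hunk only `$socname`, `$search_nom` and `$search_town` gain `urlencode()`, while the context lines right after still append `$sbarcode`, `$search_idprof1` and `$search_idprof2` unencoded into the same `$params` string; for an XSS fix every value that ends up in that URL should be encoded the same way, and the separators between the parameters should be checked at the same time.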
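Review bot: the FIX-CVE-CVE20158685-CVE-2016-1912.patch hunk against htdocs/main.inc.php (`@@ -80,13 +80,15 @@`) is cut off after the removed `$sql_inj += preg_match(...)` lines, so the two-line-longer replacement announced by the hunk header is not visible; please post the complete hunk. Independently of what replaces them, the hunk's own comment says these request-wide pattern checks exist because values end up in badly escaped SQL requests, so the CVE fixes should be verified at the query sites that consume `statut`-style parameters, not only in this request filter.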
Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2
To fix open security holes in the dolibarr stable package, I prepared the following 3 patches. This patch is now already included in unstable.

It fixes the following CVEs:
* Fix CVE-2016-1912 (Closes: #812496)
* Fix CVE-2015-8685 (Closes: #812449)
* Fix CVE-2015-3935 (Closes: #787762)

This is the debdiff. Can my mentor (Raphael Hertzog) push the new package with this patch into stable ?

diff -Nru dolibarr-3.5.5+dfsg1/debian/changelog dolibarr-3.5.5+dfsg1/debian/changelog --- dolibarr-3.5.5+dfsg1/debian/changelog 2014-12-07 15:52:53.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/changelog 2016-02-08 21:30:58.0 +0100 @@ -1,3 +1,11 @@ +dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high + + * Fix CVE-2016-1912 (Closes: #812496) + * Fix CVE-2015-8685 (Closes: #812449) + * Fix CVE-2015-3935 (Closes: #787762) + + -- Laurent Destailleur (eldy)Tue, 08 Sep 2015 15:22:52 +0200 + dolibarr (3.5.5+dfsg1-1) unstable; urgency=medium * New upstream release with 3.5.5 diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch --- dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 1970-01-01 01:00:00.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 2016-02-08 21:30:58.0 +0100 
@@ -0,0 +1,35 @@ +diff --git a/htdocs/admin/agenda_extsites.php b/htdocs/admin/agenda_extsites.php +index ac105cf..bf68c61 100644 +--- a/htdocs/admin/agenda_extsites.php b/htdocs/admin/agenda_extsites.php +@@ -1,6 +1,7 @@ + +- * Copyright (C) 2011-2014 Juanjo Menent ++/* Copyright (C) 2008-2011 Laurent Destailleur < e...@users.sourceforge.net> ++ * Copyright (C) 2011-2014 Juanjo Menent ++ * Copyright (C) 2016 Raphaël Doursenaud < rdoursen...@gpcsolutions.fr> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -88,7 +89,7 @@ + // Save nb of agenda + if (! $error) + { +- $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity); ++ $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity); + if (! $res > 0) $error++; + if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5; + $MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB; +@@ -201,9 +202,9 @@ + // Nb + print ''.$langs->trans("AgendaExtNb",$key).""; + // Name +- print ''; ++ print ''; + // URL +- print ''; ++ print ''; + // Color (Possible colors are limited by Google) + print ''; + //print $formadmin->selectColor($conf->global->$color, "google_agenda_color".$key, $colorlist); diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch --- dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 1970-01-01 01:00:00.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 2016-02-08 21:30:58.0 +0100 
@@ -0,0 +1,22 @@ +diff --git a/debian/changelog b/debian/changelog +index 7d3e2e1..09dd3e0 100644 +--- a/htdocs/societe/societe.php b/htdocs/societe/societe.php +@@ -272,7 +272,7 @@ + $num = $db->num_rows($resql); + $i = 0; + +- $params = "socname=".$socname."search_nom=".$search_nom."search_town=".$search_town; ++ $params = "socname=".urlencode($socname)."search_nom=".urlencode($search_nom)."search_town=".urlencode($search_town); + $params.= ($sbarcode?"sbarcode=".$sbarcode:""); + $params.= 'search_idprof1='.$search_idprof1; + $params.= 'search_idprof2='.$search_idprof2; +@@ -348,7 +348,7 @@ + print ''; + print ''; + if (! empty($search_nom_only) && empty($search_nom)) $search_nom=$search_nom_only; +- print ''; ++ print ''; + print ''; + // Barcode + if (! empty($conf->barcode->enabled)) diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch --- dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch 1970-01-01 01:00:00.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch 2016-02-08 21:30:58.0 +0100 @@ -0,0 +1,37 @@ +diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php +index 7fba7f5..90eac77 100644 +--- a/htdocs/main.inc.php b/htdocs/main.inc.php +@@ -80,13 +80,15 @@ + // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests) + if ($type != 2) + { +-$sql_inj += preg_match('/delete[\s]+from/i', $val); +-$sql_inj += preg_match('/create[\s]+table/i', $val); +-$sql_inj += preg_match('/update.+set.+=/i', $val); +-$sql_inj += preg_match('/insert[\s]+into/i', $val); +-$sql_inj += preg_match('/select.+from/i', $val); +-
Bug#814030: Intent to bring php-tcpdf in the Debian PHP PEAR (and Composer) Maintainers team (Was: Bug#814030: Security flaw fixed in version 6.2.0)
Hi David.

I have sent to my mentor (Raphael Hertzog) a commit with the new upstream 6.2.12 update of TCPDF.

If you plan/want to move package maintenance under the Debian PHP PEAR umbrella, why not. What will be the benefit and impact ?

2016-02-23 4:33 GMT+01:00 David Prévot:
> Hi,
>
> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> > Package: php-tcpdf
> > Version: 6.0.093+dfsg-1
> > Severity: serious
> > Tags: security upstream
> >
> > According to their changelog [1], upstream fixed a security issue over a
> > year ago: […]
>
> In order to bring php-tcpdf back in line with upstream, and to follow
> more closely the PHP class packaging, I'd like to take the
> opportunity of team maintaining it under the Debian PHP PEAR (and
> Composer) Maintainers umbrella.
>
> Unless someone objects, I intend to move forward as soon as I have some
> time to spare on it.
>
> Regards
>
> David
Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2
Sorry. I didn't understand your answer (English is not my mother language).

You are speaking about "unstable". I am speaking about pushing a CVE fix into stable 3.5.5. This fix is part of a patch that includes other fixes and this patch is called 3.5.7. My question is: can I push fix1 + fix2 + fix3 with "1 push, called 3.5.7" even if only fix1 was declared on Debian?

My understanding is that unstable has a different cycle than stable and is dedicated to the next Debian stable. So the version that will be pushed into "unstable" will be 3.8 (a major release that will include upstream with fixes found in the maintenance official project releases of the 3.5.* branch, 3.6.* branch, 3.7.* branch + new features, so including the CVE included in 3.5.7 and not yet pushed to Debian because Debian is 3.5.5).

Do you mean
* I need first to update upstream of "unstable" with 3.8 (so it will include the CVE fix) to be ok to fix stable with the maintenance fixes of 3.5.7
or
* I can't push 3.5.7 into stable even if it contains only CVE or stability fixes compared to 3.5.5, and I must prepare a 3.5.5bis that will include only the CVE reported to Debian and not the others discovered and fixed in the 3.5.7 official project ?

2015-09-03 18:43 GMT+02:00 Adam D. Barratt:
> Control: tags -1 + moreinfo
>
> On 2015-09-03 15:44, Laurent Destailleur (eldy) wrote:
>
>> A security error CVE-2015-3935 was reported for Dolibarr ERP CRM
>> package. This bug is fixed into official package 3.5.7 of Dolibarr.
>> Package 3.5.7 is a maintenance release compared to 3.5.5 and contains
>> only fixes. But not only bugs reported to debian, it includes also
>> other fixes (but they are all related to stability or security).
>> I think it is a better solution to validate this maintenance release
>> based on the new upstream version of Dolibarr than applying a patch of
>> the only CVE-2015-3935.
>>
> [...]
>
>> So I just need to know if it's ok to push such a version 3.5.7 (fixes
>> for 3.5.* branch) instead of only one fix for only the few (the only)
>> reported debian bugs,
>> since it provides more stability and is for me a more secure process.
>>
>
> Certainly not whilst neither the CVE fix nor 3.5.7 are in unstable (which
> still has 3.5.5 without the fix, afaict).
>
> Regards,
>
> Adam
Bug#783061: dolibarr: incomplete installation instructions
The package already depends on libjs-jquery, so /javascript should not be missing, because libjs-jquery should depend on it. Don't you think the bug should be moved to the libjs-jquery package? For the second point, I will replace libjs-flot with libjs-jquery-flot in a next patch.

2015-04-21 13:03 GMT+02:00 Dmitry Smirnov only...@debian.org:
> Package: dolibarr
> Version: 3.5.5+dfsg1-1
> Severity: normal
>
> I'm accessing dolibarr as http://localhost/dolibarr as per
> /etc/apache2/conf-available/dolibarr.conf however I'm getting 404 errors
> in browser on
>
>   GET /javascript/jquery/jquery.min.js
>   GET /javascript/jquery-ui/jquery-ui.min.js
>   GET /javascript/flot/jquery.flot.js
>   GET /javascript/flot/jquery.flot.pie.js
>   GET /javascript/flot/jquery.flot.stack.js
>
> and others because /javascript does not exist in the Apache configuration.
> Naturally the dolibarr interface is not functioning properly...
>
> I've managed to fix that by installing package javascript-common and
> invoking the following command:
>
>   a2enconf javascript-common
>
> But dolibarr should document the necessary installation instructions in
> README.Debian and perhaps depend on javascript-common.
>
> Besides, dolibarr depends on the transitional dummy package libjs-flot
> which should be replaced with libjs-jquery-flot.
>
> --
> Best wishes,
> Dmitry Smirnov
Bug#776458: unblock: dolibarr/3.5.5+dfsg1-1
This is my point of view on what to do for this case:

My first choice was to not send any unblock request. The reason is that the CVE needs a privileged account to be exploited, so it is not a high risk, and I would not like to bother anybody. However, Moritz Muehlenhoff asked me to provide a fix. A fix was already done before the CVE was reported on Debian. It is the version 3.5.5. So the idea was to send an unblock request to validate this version. That's what Raphael did for me (I received a bounce when doing it myself). This is clearly the choice I recommend for 2 reasons:

- On Debian, only one CVE was reported, but several others were reported to the project directly. Why add a CVE fix that will include only fixes for the Debian CVE and not the others? I think it is better to include the others too.
- This version and package 3.5.5 is a long term production version. Even if not in Debian, it has been released several months ago as a tgz package and is really much more stable than the current 3.5.4. So if stability of the application is a consideration, I think this package is a better choice than a targeted fix because it fixes other stability bugs (3.5.5 fixes only bugs).

I think it is a better, more secure choice because the CVE reported on Debian is not one security report but a long list of several holes (all require a privileged account however), so fixing it needs a lot of changes on a lot of files. Reproducing locally all fixes for only this CVE is a high risk to forget and miss something, where we are sure that 3.5.5 is complete and stable.

I share the point of view of Raphael, thinking that making a targeted fix does not bring us more security. I will say more: I think a targeted fix is less secure than 3.5.5, since this version is the official version in production for branch 3.5.5 since the beginning of October 2014, and no other packages depend on it.
2015-02-09 10:02 GMT+01:00 Raphael Hertzog hert...@debian.org:
> Hi,
>
> On Sun, 08 Feb 2015, Ivo De Decker wrote:
>> On Wed, Jan 28, 2015 at 09:50:30AM +0100, Raphael Hertzog wrote:
>>> Please unblock package dolibarr
>>>
>>> Version 3.5.5+dfsg1-1 fixes a security issue: CVE-2014-7137 (Closes: #770313)
>>
>> This bug was filed by the security team as 'grave', but downgraded by the
>> maintainer to 'important' without explanation. If the issue is actually
>> grave, the severity should be increased again.
>
> Well, the maintainer explained (to me only apparently) that the issue is
> only exploitable with privileged accounts so that the threat is not very
> high and I thus instructed him that it's his responsibility to downgrade
> the bug if he doesn't want the packages to be removed from Jessie.
>
> Later the security team contacted him about this CVE and asked him to
> request an unblock because it would be better to release Jessie without
> an open CVE on dolibarr.
>
>> The diff is very large, and it probably contains lots of changes that are
>> not appropriate at this point of the freeze. If you think this is not the
>> case, please explain why.
>
> It's certainly the case, but the package is a leaf package and the fixed
> version has been well tested in sid. The package maintainer is also the
> upstream author.
>
>> A targeted fix for this issue is probably better.
>
> I don't see what a targeted fix brings us given that the only risk of
> regression is in dolibarr itself (and Dolibarr is maintained).
>
> Laurent, what's your opinion? Would you be willing to prepare a targeted fix?
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/