Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package php-horde-crypt
This fixes a security issue:
* Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
CVE-2017-7414 (Closes: #859635)
(debdiff attached)
Note that the package doesn't work correctly in stretch, because it is not
compatible with gpg v2 (#849151 and #854819). I plan to fix this later, but
maybe in a point-release. Today, I want to prevent IMP (php-horde-imp) from
being removed from testing.
unblock php-horde-crypt/2.7.5-2
Thanks!
-- System Information:
Debian Release: 9.0
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru php-horde-crypt-2.7.5/debian/changelog
php-horde-crypt-2.7.5/debian/changelog
--- php-horde-crypt-2.7.5/debian/changelog 2016-12-17 23:04:22.0
+0100
+++ php-horde-crypt-2.7.5/debian/changelog 2017-05-03 07:15:32.0
+0200
@@ -1,3 +1,10 @@
+php-horde-crypt (2.7.5-2) unstable; urgency=medium
+
+ * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
+CVE-2017-7414 (Closes: #859635)
+
+ -- Mathieu Parent Wed, 03 May 2017 07:15:32 +0200
+
php-horde-crypt (2.7.5-1) unstable; urgency=medium
* New upstream version 2.7.5
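Review bot: the maintainer trailer `-- Mathieu Parent Wed, 03 May 2017 07:15:32 +0200` in this hunk shows no `<email>` between the name and the date; dpkg's changelog format expects ` -- Name <email>  date`, so confirm this is only the mail client stripping the address from the attached debdiff and not the content of debian/changelog, otherwise dpkg-parsechangelog would complain about a badly formatted trailer line. The entry itself is well scoped: it names both CVEs and closes #859635, which is what the release team needs to trace the unblock.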
diff -Nru
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
---
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
1970-01-01 01:00:00.0 +0100
+++
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
2017-05-03 07:15:32.0 +0200
@@ -0,0 +1,34 @@
+From 5ef589a3d47f94810c8b86805723b9450867aedf Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky
+Date: Wed, 29 Mar 2017 08:21:02 -0400
+Subject: [PATCH] Escape user provided recipients and charset data.
+
+---
+ framework/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php
b/Horde_Crypt-2.7.5/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php
+index a340caaf62..c33c05c9a3 100644
+--- a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php
b/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php
+@@ -433,7 +433,7 @@ extends Horde_Crypt_Pgp_Backend
+ $cmdline[] = $keyring;
+ $cmdline[] = '--encrypt';
+ foreach (array_keys($params['recips']) as $val) {
+-$cmdline[] = '--recipient ' . $val;
++$cmdline[] = '--recipient ' . escapeshellarg($val);
+ }
+ } else {
+ $cmdline[] = '--symmetric';
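Review bot: `$cmdline[] = '--recipient ' . escapeshellarg($val);` keeps the option and its quoted value in one array element, so the protection relies on `$cmdline` later being joined into a single shell command string; if that array were ever handed to an argv-style exec instead, the quotes added by escapeshellarg would reach gpg literally and the recipient lookup would fail. A one-line comment at the call site recording that assumption, plus a test that a recipient key ID or user ID containing a space or another shell metacharacter now reaches gpg as a single argument, would guard against that regression. As a minimal fix for the recipient path named in the changelog entry, the change is correct.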
+@@ -552,7 +552,7 @@ extends Horde_Crypt_Pgp_Backend
+ '--armor',
+ '--always-trust',
+ '--batch',
+-'--charset ' . (isset($params['charset']) ? $params['charset'] :
'UTF-8'),
++'--charset ' . (isset($params['charset']) ?
escapeshellarg($params['charset']) : 'UTF-8'),
+ $keyring,
+ '--verify'
+ );
+--
+2.11.0
+
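Review bot: in the `--charset` hunk, `escapeshellarg($params['charset'])` is applied only in the user-supplied branch while the `'UTF-8'` fallback stays a literal, which is correct, and as with the recipient change it is only safe because `$cmdline` is eventually joined into a shell command string. Separately, the patch header is inconsistent with its own body: the stat line reads `framework/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php` while the `---`/`+++` lines use `Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php`, and the `diff --git` line's `b/` path carries an extra `Crypt/` component (`Horde_Crypt-2.7.5/Crypt/lib/...`) that the `+++` line lacks. quilt applies by the `---`/`+++` lines, so the patch should still apply, but tidying the header and adding DEP-3 `Origin:` and `Bug-Debian:` fields pointing at upstream commit 5ef589a3d47f94810c8b86805723b9450867aedf and #859635 would make the provenance clearer for the release team.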
diff -Nru php-horde-crypt-2.7.5/debian/patches/series
php-horde-crypt-2.7.5/debian/patches/series
--- php-horde-crypt-2.7.5/debian/patches/series 1970-01-01 01:00:00.0
+0100
+++ php-horde-crypt-2.7.5/debian/patches/series 2017-05-03 07:15:32.0
+0200
@@ -0,0 +1 @@
+0001-Escape-user-provided-recipients-and-charset-data.patch