Bug#861715: unblock: php-horde-crypt/2.7.5-2

2017-05-17 Thread Niels Thykier
Mathieu Parent (Debian):
> [...]
> 
> It is non-functional, but IMP is functional and it depends on it.
> 
> Alternatively, I can remove this dependency, but I have not tested it.
> 
> Regards
> 

Hi,

I prefer we either fix php-horde-crypt or remove it.  If IMP works
without it, then dropping the dependency would be worth it.

Thanks,
~Niels



Bug#861715: unblock: php-horde-crypt/2.7.5-2

2017-05-09 Thread Mathieu Parent (Debian)
2017-05-07 22:47 GMT+02:00 Niels Thykier:
> Control: tags -1 moreinfo
>
> Mathieu Parent:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock package php-horde-crypt
>>
>> This fixes a security issue:
>>
>>   * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
>> CVE-2017-7414 (Closes: #859635)
>>
>> (debdiff attached)
>>
>> Note that the package doesn't work correctly in stretch, because it is not
>> compatible with gpg v2 (#849151 and #854819). I plan to fix this later, but
>> maybe in a point-release. Today, I want to prevent IMP (php-horde-imp) from
>> being removed from testing.
>>
>> unblock php-horde-crypt/2.7.5-2
>>
>> Thanks!
>>
>> [...]
>
> Sorry, but I think I am missing context here.  How functional is
> php-horde-crypt in stretch right now?  If lack of gpg v2 support causes
> a major loss of functionality then #849151 and #854819 should be RC and
> handled accordingly.

It is non-functional, but IMP is functional and it depends on it.

Alternatively, I can remove this dependency, but I have not tested it.

Regards

-- 
Mathieu Parent



Bug#861715: unblock: php-horde-crypt/2.7.5-2

2017-05-07 Thread Niels Thykier
Control: tags -1 moreinfo

Mathieu Parent:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package php-horde-crypt
> 
> This fixes a security issue:
> 
>   * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
> CVE-2017-7414 (Closes: #859635)
> 
> (debdiff attached)
> 
> Note that the package doesn't work correctly in stretch, because it is not
> compatible with gpg v2 (#849151 and #854819). I plan to fix this later, but
> maybe in a point-release. Today, I want to prevent IMP (php-horde-imp) from
> being removed from testing.
> 
> unblock php-horde-crypt/2.7.5-2
> 
> Thanks!
> 
> [...]

Sorry, but I think I am missing context here.  How functional is
php-horde-crypt in stretch right now?  If lack of gpg v2 support causes
a major loss of functionality then #849151 and #854819 should be RC and
handled accordingly.

Thanks,
~Niels



Bug#861715: unblock: php-horde-crypt/2.7.5-2

2017-05-02 Thread Mathieu Parent
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package php-horde-crypt

This fixes a security issue:

  * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
CVE-2017-7414 (Closes: #859635)

(debdiff attached)

Note that the package doesn't work correctly in stretch, because it is not
compatible with gpg v2 (#849151 and #854819). I plan to fix this later, but
maybe in a point-release. Today, I want to prevent IMP (php-horde-imp) from
being removed from testing.

unblock php-horde-crypt/2.7.5-2

Thanks!

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru php-horde-crypt-2.7.5/debian/changelog 
php-horde-crypt-2.7.5/debian/changelog
--- php-horde-crypt-2.7.5/debian/changelog  2016-12-17 23:04:22.0 
+0100
+++ php-horde-crypt-2.7.5/debian/changelog  2017-05-03 07:15:32.0 
+0200
@@ -1,3 +1,10 @@
+php-horde-crypt (2.7.5-2) unstable; urgency=medium
+
+  * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
+CVE-2017-7414 (Closes: #859635)
+
+ -- Mathieu Parent   Wed, 03 May 2017 07:15:32 +0200
+
 php-horde-crypt (2.7.5-1) unstable; urgency=medium
 
   * New upstream version 2.7.5
diff -Nru 
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
 
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
--- 
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
1970-01-01 01:00:00.0 +0100
+++ 
php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
2017-05-03 07:15:32.0 +0200
@@ -0,0 +1,34 @@
+From 5ef589a3d47f94810c8b86805723b9450867aedf Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky 
+Date: Wed, 29 Mar 2017 08:21:02 -0400
+Subject: [PATCH] Escape user provided recipients and charset data.
+
+---
+ framework/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php 
b/Horde_Crypt-2.7.5/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php
+index a340caaf62..c33c05c9a3 100644
+--- a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php
 b/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php
+@@ -433,7 +433,7 @@ extends Horde_Crypt_Pgp_Backend
+ $cmdline[] = $keyring;
+ $cmdline[] = '--encrypt';
+ foreach (array_keys($params['recips']) as $val) {
+-$cmdline[] = '--recipient ' . $val;
++$cmdline[] = '--recipient ' . escapeshellarg($val);
+ }
+ } else {
+ $cmdline[] = '--symmetric';
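Review bot: the `--recipient` fix (`++$cmdline[] = '--recipient ' . escapeshellarg($val);`) only holds if `$cmdline` is later joined into one shell command string, which the single array element carrying both the option and its value implies; should that array ever be handed to the process as separate argv entries, the quotes added by `escapeshellarg()` would end up inside the recipient. Worth verifying in the same review: PHP's `escapeshellarg()` is locale-dependent and drops bytes it cannot map in the current locale, so recipient strings with non-ASCII characters may be silently altered unless the PHP process runs with a UTF-8 locale. Two header points as well: the inner `+++` line for Binary.php is rendered as ` b/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php` with no `+`/`+++` prefixes and the `diff --git` `b/` path has an extra `Crypt/` component that the `---` path lacks (harmless to `patch`, but worth tidying), and the patch keeps the upstream `From:`/`Date:`/`Subject:` lines without DEP-3 fields; adding `Origin: upstream, 5ef589a3d47f94810c8b86805723b9450867aedf` and `Bug-Debian: https://bugs.debian.org/859635` would document its provenance. Please confirm with `quilt push -a` that the file applies as shipped.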
+@@ -552,7 +552,7 @@ extends Horde_Crypt_Pgp_Backend
+ '--armor',
+ '--always-trust',
+ '--batch',
+-'--charset ' . (isset($params['charset']) ? $params['charset'] : 
'UTF-8'),
++'--charset ' . (isset($params['charset']) ? 
escapeshellarg($params['charset']) : 'UTF-8'),
+ $keyring,
+ '--verify'
+ );
+-- 
+2.11.0
+
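Review bot: the `--charset` change (`++'--charset ' . (isset($params['charset']) ? escapeshellarg($params['charset']) : 'UTF-8'),`) correctly escapes only the user-supplied branch and leaves the literal `'UTF-8'` default alone, but like the `--recipient` hunk it relies on the whole `$cmdline` array being flattened into a shell string and re-split by the shell. A less fragile shape is to keep option and value as one word, `'--charset=' . escapeshellarg(...)`, so a value can never be separated from its option or be read as a further gpg option. Also, the diffstat in the header (`framework/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php`) still reflects the upstream repository layout while the hunks are rebased onto `Horde_Crypt-2.7.5/lib/...`; cosmetic, but regenerating the header so it matches the paths actually touched avoids confusion for the next person reading the patch.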
diff -Nru php-horde-crypt-2.7.5/debian/patches/series 
php-horde-crypt-2.7.5/debian/patches/series
--- php-horde-crypt-2.7.5/debian/patches/series 1970-01-01 01:00:00.0 
+0100
+++ php-horde-crypt-2.7.5/debian/patches/series 2017-05-03 07:15:32.0 
+0200
@@ -0,0 +1 @@
+0001-Escape-user-provided-recipients-and-charset-data.patch