--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package php-horde/5.2.20+debian0-1+deb10u1
- From: "Roberto C. Sanchez" <roberto@connexer.com>
- Date: Fri, 13 Dec 2019 22:55:35 -0500
- Message-id: <157629573574.3919.16097780072136745155.reportbug@manzanillo.connexer.com>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Please find attached a proposed debdiff for php-horde. The change fixes
CVE-2019-12095, which the security team has classified as <no-dsa>,
deeming it a minor issue which can be fixed via a point release. May I
have permission to upload to buster-proposed-updates?
- -- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEIYZ1DR4ae5UL01q7ldFmTdL1kUIFAl30XTYACgkQldFmTdL1
kULRBQ/+OSNVNYn6ChtrTCHDwNqI1R1HP2LnfQOZNiANcE6IcXrHkDsRqzA8jgsX
8mXAgd2EWyW2t3BrNqP2lK1v7Aw4XBp2YMDXtIG/iQMbTOZn7OaW3UnGaaUUJQmO
F8seqyVcqfufbveEvMAWOlf717ef1DPtxJQ/hOl3a//AEzvuOnU8VnmtnSHTjyOI
l1Dcw8CcIR1gI6vunDzzOY2bRAiHOyLaTXj0NKmLpZY1a51B9YTGLQP0hhBb27I2
4sApY1+6DnjiCW+8x7X/L+CTjtkorbP3yAUK4cdn7dosxs5Xb8Eb251HVKhfuk8X
dFPoWI0edKfJ8YIV0rFeRDhuB9PEs97fDX1o8pGfam55yNsQGXlQ/7oj/OtVC+g3
oZ62xDSGkdNkjgFygftkDT4VbmfN09g9BkthCUiqYfEPLRZYx5myngpzXOKGGkAd
Ea4fqZCN4P6N/CGwITYZn5jcNguYzGOluLbXjAVc2r+r4tBwLkLjCvLvBKlYepwb
yYi/lxi3xUJJdl86YZ8YehRJccXXqsfgWXXRB6U4iognWd0Cu3Q7p3MrAkzF1bKw
xh04NfhyGfHJ35opVTP56TQldA8UtJHN9Db/OPaTK6nJ9sVhvhf1pgQraiJYUSyZ
qoIGatMpqwG6KDCIXEXAKw9gLFRT5Y3pou3aYDuNhXizUwSGJmg=
=lu3y
-----END PGP SIGNATURE-----
diff -Nru php-horde-5.2.20+debian0/debian/changelog php-horde-5.2.20+debian0/debian/changelog
--- php-horde-5.2.20+debian0/debian/changelog 2018-10-25 15:08:21.000000000 -0400
+++ php-horde-5.2.20+debian0/debian/changelog 2019-12-13 21:13:53.000000000 -0500
@@ -1,3 +1,9 @@
+php-horde (5.2.20+debian0-1+deb10u1) buster; urgency=high
+
+ * Fix CVE-2019-12095: Stored XSS vuln in the Horde Cloud Block.
+
+ -- Roberto C. Sanchez <roberto@debian.org> Fri, 13 Dec 2019 21:13:53 -0500
+
php-horde (5.2.20+debian0-1) unstable; urgency=medium
* New upstream version 5.2.20+debian0
diff -Nru php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch
--- php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch 1969-12-31 19:00:00.000000000 -0500
+++ php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch 2019-12-13 21:13:53.000000000 -0500
@@ -0,0 +1,50 @@
+From 81a7b53973506856db67e7f0b0263be29528aa75 Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky <mrubinsk@horde.org>
+Date: Sat, 20 Apr 2019 17:34:41 -0400
+Subject: [PATCH] Fix XSS vuln in the Horde Cloud Block.
+
+---
+ horde-5.2.20/lib/Block/Cloud.php | 6 +++++-
+ horde-5.2.20/services/portal/cloud_search.php | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/horde-5.2.20/lib/Block/Cloud.php b/horde-5.2.20/lib/Block/Cloud.php
+index 92a44255..9df5bf3c 100644
+--- a/horde-5.2.20/lib/Block/Cloud.php
++++ b/horde-5.2.20/lib/Block/Cloud.php
+@@ -13,6 +13,10 @@ class Horde_Block_Cloud extends Horde_Core_Block
+ $this->_name = _("Tag Cloud");
+ }
+
++ protected function _escapeJs($string)
++ {
++ return str_replace("\n", '\n', str_replace('"', '\"', addcslashes(str_replace("\r", '', (string)$string), "\0..\37'\\")));
++ }
+ /**
+ */
+ protected function _content()
+@@ -21,7 +25,7 @@ class Horde_Block_Cloud extends Horde_Core_Block
+ foreach ($this->_getTags() as $tag) {
+ $cloud->addElement(
+ $tag['tag_name'], '#', $tag['count'], null,
+- 'doSearch(\'' . $tag['tag_name'] . '\'); return false;');
++ 'doSearch(\'' . htmlspecialchars($this->_escapeJs($tag['tag_name'])) . '\'); return false;');
+ }
+
+ Horde::startBuffer();
+diff --git a/horde-5.2.20/services/portal/cloud_search.php b/horde-5.2.20/services/portal/cloud_search.php
+index d72da96e..0d44b5a5 100644
+--- a/horde-5.2.20/services/portal/cloud_search.php
++++ b/horde-5.2.20/services/portal/cloud_search.php
+@@ -43,7 +43,7 @@ foreach ($results as $result) {
+ echo '<li class="linedRow"><span style="width:50%"> ' .
+ (empty($result['icon']) ? Horde_Themes_Image::tag(Horde_Themes::img($result['app'] . '.png', array('app' => $result['app'])), array('alt' => $result['app'])) : '') .
+ Horde::link($result['view_url'], '', '', '', '', '', '', array('style' => 'margin:4px')) .
+- (empty($result['icon']) ? $result['title'] : '<img src="' . $result['icon'] . '" />') .
++ (empty($result['icon']) ? htmlspecialchars($result['title']) : '<img src="' . $result['icon'] . '" />') .
+ '</a></span><span style="width:50%;font-style:italic;">' . $result['desc'] . '</span></li>';
+ }
+ echo '</ul>';
+--
+2.20.1
+
diff -Nru php-horde-5.2.20+debian0/debian/patches/series php-horde-5.2.20+debian0/debian/patches/series
--- php-horde-5.2.20+debian0/debian/patches/series 2018-10-25 15:08:21.000000000 -0400
+++ php-horde-5.2.20+debian0/debian/patches/series 2019-12-13 21:13:53.000000000 -0500
@@ -1 +1,2 @@
0001-Fix-rewrite-base.patch
+0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch
--- End Message ---