- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: php-horde-kronolith/4.2.2-4
- From: Mathieu Parent <sathieu@debian.org>
- Date: Tue, 30 Dec 2014 21:41:33 +0100
- Message-id: <20141230204133.20645.91579.reportbug@ultrathieu.sathieu.net>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package php-horde-kronolith
It only contains a security fix (#772454), backported from upstream.
Debdiff attached.
unblock php-horde-kronolith/4.2.2-4
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index b96bf6e..c1431a3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-horde-kronolith (4.2.2-4) unstable; urgency=medium
+
+ * Don't show private events in daily agenda email. (Closes: #772454)
+
+ -- Mathieu Parent <sathieu@debian.org> Sun, 07 Dec 2014 12:29:16 +0100
+
php-horde-kronolith (4.2.2-3) unstable; urgency=medium
* Fixed DEP-8 tests, by removing "set -x"
diff --git a/debian/patches/0001-SECURITY-Don-t-show-private-events-in-daily-agenda-e.patch b/debian/patches/0001-SECURITY-Don-t-show-private-events-in-daily-agenda-e.patch
new file mode 100644
index 0000000..0846638
--- /dev/null
+++ b/debian/patches/0001-SECURITY-Don-t-show-private-events-in-daily-agenda-e.patch
@@ -0,0 +1,182 @@
+From: Mathieu Parent <math.parent@gmail.com>
+Date: Sun, 7 Dec 2014 12:10:41 +0100
+Subject: SECURITY: Don't show private events in daily agenda email.
+
+This as cherry-picked from upstream.
+
+Bug: https://bugs.horde.org/ticket/13660
+Bug-Debian: https://bugs.debian.org/772454
+Applied-Upstream: https://github.com/horde/horde/commit/de5eff0536b013bb5d9400cf0f3b914ecc00ec59
+---
+ kronolith-4.2.2/bin/kronolith-agenda | 5 ++++-
+ kronolith-4.2.2/lib/CalendarsManager.php | 19 +++++++++++++++----
+ kronolith-4.2.2/lib/Event.php | 21 +++++++++++++--------
+ kronolith-4.2.2/lib/Kronolith.php | 19 +++++++++++++------
+ 4 files changed, 45 insertions(+), 19 deletions(-)
+
+diff --git a/kronolith-4.2.2/bin/kronolith-agenda b/kronolith-4.2.2/bin/kronolith-agenda
+index 993c2af..efe73e8 100755
+--- a/kronolith-4.2.2/bin/kronolith-agenda
++++ b/kronolith-4.2.2/bin/kronolith-agenda
+@@ -88,6 +88,9 @@ function send_agendas()
+ continue;
+ }
+
++ // Initialize the CalendarsManager for this user.
++ $GLOBALS['calendar_manager'] = new Kronolith_CalendarsManager($user);
++
+ // Try to find an email address for the user.
+ $identity = $GLOBALS['injector']->getInstance('Horde_Core_Factory_Identity')->create($user);
+ $email = $identity->getDefaultFromAddress(true);
+@@ -137,7 +140,7 @@ function send_agendas()
+ foreach ($events as $dayevents) {
+ foreach ($dayevents as $event) {
+ // The event list contains events starting at 12am.
+- if ($event->start->compareDate($runtime)) {
++ if ($event->start->compareDate($runtime) || $event->isPrivate($user)) {
+ continue;
+ }
+ $eventlist[] = $event;
+diff --git a/kronolith-4.2.2/lib/CalendarsManager.php b/kronolith-4.2.2/lib/CalendarsManager.php
+index 76b6588..205e6ca 100644
+--- a/kronolith-4.2.2/lib/CalendarsManager.php
++++ b/kronolith-4.2.2/lib/CalendarsManager.php
+@@ -124,21 +124,32 @@ class Kronolith_CalendarsManager
+ * - displayRemote
+ * - displayExternal
+ * - displayHolidays
++ *
++ * @param string $user The user to initialize for, if not the current.
++ * @since 4.2.4
+ */
+- public function __construct()
++ public function __construct($user = null)
+ {
++ $emptyUser = false;
++ if (empty($user)) {
++ $user = $GLOBALS['registry']->getAuth();
++ $emptyUser = true;
++ }
+ // Always perform the display related checks.
+ $this->_checkDisplayCals();
+ $this->_checkToggleCalendars();
+
+ // Check that all selected shares still exist.
+- foreach (Kronolith::listInternalCalendars() as $id => $calendar) {
++ foreach (Kronolith::listInternalCalendars(false, Horde_Perms::SHOW, $user) as $id => $calendar) {
+ $this->_allCalendars[$id] = new Kronolith_Calendar_Internal(array('share' => $calendar));
+ }
+ $this->_displayCalendars = array_intersect($this->_displayCalendars, array_keys($this->_allCalendars));
+
+- // Check that the user owns a calendar.
+- $this->_checkForOwnedCalendar();
++ // Check that the user owns a calendar if we aren't loading a different
++ // user.
++ if ($emptyUser) {
++ $this->_checkForOwnedCalendar();
++ }
+ }
+
+ /**
+diff --git a/kronolith-4.2.2/lib/Event.php b/kronolith-4.2.2/lib/Event.php
+index 1ffbd27..f38ea2f 100644
+--- a/kronolith-4.2.2/lib/Event.php
++++ b/kronolith-4.2.2/lib/Event.php
+@@ -2603,26 +2603,31 @@ abstract class Kronolith_Event
+ * Returns whether the event should be considered private.
+ *
+ * The event's private flag can be overriden if the current user
+- * is an administrator and the code is run from command line. This
+- * is to allow full event notifications in alarm messages or
+- * agendas.
++ * is an administrator and the code is run from command line, and no
++ * $user parameter was passed. This is to allow full event notifications in
++ * alarm messages (agendas know the user the agenda is being prepared for).
+ *
+- * @param string $user The current user.
++ * @param string $user The current user. If omitted, uses the current user.
+ *
+ * @return boolean Whether to consider the event as private.
+ */
+ public function isPrivate($user = null)
+ {
++ global $registry;
++
++ $haveNullUser = false;
+ if ($user === null) {
+- $user = $GLOBALS['registry']->getAuth();
++ $user = $registry->getAuth();
++ $haveNullUser = true;
+ }
+
+- if (!(Horde_Cli::runningFromCLI() && $GLOBALS['registry']->isAdmin()) &&
++ if (!(Horde_Cli::runningFromCLI() && $registry->isAdmin()) &&
+ $this->private && $this->creator != $user) {
+ return true;
+ }
+- if ($GLOBALS['registry']->isAdmin() ||
+- $this->hasPermission(Horde_Perms::READ, $user)) {
++
++ if (($registry->isAdmin() && $haveNullUser) ||
++ $this->hasPermission(Horde_Perms::READ, $user)) {
+ return false;
+ }
+ return true;
+diff --git a/kronolith-4.2.2/lib/Kronolith.php b/kronolith-4.2.2/lib/Kronolith.php
+index 991a38d..a34fb4f 100644
+--- a/kronolith-4.2.2/lib/Kronolith.php
++++ b/kronolith-4.2.2/lib/Kronolith.php
+@@ -987,24 +987,31 @@ class Kronolith
+ * @param boolean $owneronly Only return calenders that this user owns?
+ * Defaults to false.
+ * @param integer $permission The permission to filter calendars by.
++ * @param string $user The user to list calendars for, if not
++ * the current.
+ *
+ * @return array The calendar list.
+ */
+- static public function listInternalCalendars($owneronly = false,
+- $permission = Horde_Perms::SHOW)
++ public static function listInternalCalendars($owneronly = false,
++ $permission = Horde_Perms::SHOW,
++ $user = null)
+ {
+ if ($owneronly && !$GLOBALS['registry']->getAuth()) {
+ return array();
+ }
+
++ if (empty($user)) {
++ $user = $GLOBALS['registry']->getAuth();
++ }
++
+ $kronolith_shares = $GLOBALS['injector']->getInstance('Kronolith_Shares');
+
+ if ($owneronly || empty($GLOBALS['conf']['share']['hidden'])) {
+ try {
+ $calendars = $kronolith_shares->listShares(
+- $GLOBALS['registry']->getAuth(),
++ $user,
+ array('perm' => $permission,
+- 'attributes' => $owneronly ? $GLOBALS['registry']->getAuth() : null,
++ 'attributes' => $owneronly ? $user : null,
+ 'sort_by' => 'name'));
+ } catch (Horde_Share_Exception $e) {
+ Horde::log($e);
+@@ -1015,7 +1022,7 @@ class Kronolith
+ $calendars = $kronolith_shares->listShares(
+ $GLOBALS['registry']->getAuth(),
+ array('perm' => $permission,
+- 'attributes' => $GLOBALS['registry']->getAuth(),
++ 'attributes' => $user,
+ 'sort_by' => 'name'));
+ } catch (Horde_Share_Exception $e) {
+ Horde::log($e);
+@@ -1026,7 +1033,7 @@ class Kronolith
+ foreach ($display_calendars as $id) {
+ try {
+ $calendar = $kronolith_shares->getShare($id);
+- if ($calendar->hasPermission($GLOBALS['registry']->getAuth(), $permission)) {
++ if ($calendar->hasPermission($user, $permission)) {
+ $calendars[$id] = $calendar;
+ }
+ } catch (Horde_Exception_NotFound $e) {
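Review bot: In the hidden-share branch of `listInternalCalendars` (the `@@ -1015,7 +1022,7 @@` hunk of lib/Kronolith.php) the first argument to `listShares` is still `$GLOBALS['registry']->getAuth()` while the `attributes` entry on the next lines was switched to `$user`, so the two branches now disagree on which principal the share list is resolved for. When this is reached from kronolith-agenda, where the CLI auth user and the `$user` the agenda is prepared for differ, the permission filter applied by `listShares` in that branch is presumably evaluated against the wrong user, which is exactly the class of leak this patch is meant to close. Changing that line to `$user,` makes both branches consistent with the added `$calendar->hasPermission($user, $permission)` check below. Since the patch is a cherry-pick, if upstream deliberately kept `getAuth()` there, a one-line comment saying why would save the next reader the same question. The body of `listInternalCalendars` continues outside the hunk.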
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1c62c56
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-SECURITY-Don-t-show-private-events-in-daily-agenda-e.patch