Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package phpbb3

It fixes a compatibility issue with PHP 5.6 (if php5-ldap is installed) forbidding the administrator to set up an alternative authentication scheme (#778553). This trivial fix is cherry-picked from upstream and was already part of 3.0.13 as available in experimental.

It also fixes two annoying Debian-specific image issues.

Even if not critical, the fixes are really low risk. Here is the new changelog entry, the full debdiff is attached.

phpbb3 (3.0.12-5) unstable; urgency=medium

  * Fix authentication setup: another PHP 5.6 compatibility issue, the
    internal ldap_escape() function was recently added into PHP 5.6 as
    provided by php5-ldap, and thus need to be renamed.
    (Closes: #778553)
  * Fix avatar upload permissions
  * Fix image display in Apache (Closes: #778457)

 -- David Prévot <taffit@debian.org>  Mon, 16 Feb 2015 13:51:53 -0400

unblock phpbb3/3.0.12-5

Thanks in advance for considering.

Regards

David

diff -Nru phpbb3-3.0.12/debian/changelog phpbb3-3.0.12/debian/changelog --- phpbb3-3.0.12/debian/changelog 2015-02-02 20:38:36.000000000 -0400 +++ phpbb3-3.0.12/debian/changelog 2015-02-16 13:53:14.000000000 -0400 @@ -1,3 +1,14 @@ +phpbb3 (3.0.12-5) unstable; urgency=medium + + * Fix authentication setup: another PHP 5.6 compatibility issue, the + internal ldap_escape() function was recently added into PHP 5.6 as + provided by php5-ldap, and thus need to be renamed. + (Closes: #778553) + * Fix avatar upload permissions + * Fix image display in Apache (Closes: #778457) + + -- David Prévot <taffit@debian.org> Mon, 16 Feb 2015 13:51:53 -0400 + phpbb3 (3.0.12-4) unstable; urgency=medium * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431] diff -Nru phpbb3-3.0.12/debian/examples/apache2.conf phpbb3-3.0.12/debian/examples/apache2.conf --- phpbb3-3.0.12/debian/examples/apache2.conf 2013-09-28 12:22:30.000000000 -0400 +++ phpbb3-3.0.12/debian/examples/apache2.conf 2015-02-16 13:51:49.000000000 -0400 @@ -20,6 +20,16 @@ allow from all </IfVersion> </Directory> +<Directory /var/lib/phpbb3/images> + <IfVersion >= 2.3> + Require all granted + </IfVersion> + <IfVersion < 2.3> + AllowOverride None + order allow,deny + allow from all + </IfVersion> +</Directory> ### Multisite examples (see README.multiboard for details) diff -Nru phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch --- phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch 1969-12-31 20:00:00.000000000 -0400 +++ phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch 2015-02-16 12:33:38.000000000 -0400 
@@ -0,0 +1,31 @@ +Description: Add phpbb_ prefix to ldap_escape() + Since ldap_escape() has been added to PHP 5.6.0+, it’s internal + declaration throws a fatal error: + Cannot redeclare ldap_escape() at line 300 in /includes/auth/auth_ldap.php +Author: Jakub Senko <jakubsenko@gmail.com> +Origin: upstream +Bug: https://tracker.phpbb.com/browse/PHPBB3-12468 https://tracker.phpbb.com/browse/PHPBB3-13168 +Bug-Debian: https://bugs.debian.org/778553 +Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/ba464ec93a2707b602d212e364905a920b3b9460 +Reviewed-by: Andreas Fischer <bantu@phpbb.com> +Last-Update: 2015-02-16 +--- a/includes/auth/auth_ldap.php ++++ b/includes/auth/auth_ldap.php +@@ -282,7 +282,7 @@ + { + global $config; + +- $filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')'; ++ $filter = '(' . $config['ldap_uid'] . '=' . phpbb_ldap_escape(htmlspecialchars_decode($username)) . ')'; + if ($config['ldap_user_filter']) + { + $_filter = ($config['ldap_user_filter'][0] == '(' && substr($config['ldap_user_filter'], -1) == ')') ? $config['ldap_user_filter'] : "({$config['ldap_user_filter']})"; +@@ -294,7 +294,7 @@ + /** + * Escapes an LDAP AttributeValue + */ +-function ldap_escape($string) ++function phpbb_ldap_escape($string) + { + return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string); + } diff -Nru phpbb3-3.0.12/debian/patches/series phpbb3-3.0.12/debian/patches/series --- phpbb3-3.0.12/debian/patches/series 2015-02-02 20:27:08.000000000 -0400 +++ phpbb3-3.0.12/debian/patches/series 2015-02-16 12:26:45.000000000 -0400 
@@ -8,3 +8,4 @@ fix_CVE-2015-1431.patch fix_CVE-2015-1432.patch improve_php_5.6_compatibility.patch +add_phpbb_prefix_to_ldap_escape.patch diff -Nru phpbb3-3.0.12/debian/phpbb3.postinst phpbb3-3.0.12/debian/phpbb3.postinst --- phpbb3-3.0.12/debian/phpbb3.postinst 2014-01-03 00:38:17.000000000 -0400 +++ phpbb3-3.0.12/debian/phpbb3.postinst 2015-02-16 13:51:49.000000000 -0400 @@ -159,7 +159,7 @@ fi # set permissions that are appropriate for multisite too - chgrp www-data /var/lib/phpbb3/images/avatars + chgrp www-data /var/lib/phpbb3/images/avatars/upload chmod g=wx,o= /var/lib/phpbb3/images/avatars/upload chmod 0755 /var/lib/phpbb3/images/ranks chgrp -R www-data /var/cache/phpbb3/cache
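Review bot: In debian/examples/apache2.conf, the new <Directory /var/lib/phpbb3/images> block sets "AllowOverride None" only inside the <IfVersion < 2.3> branch, so on 2.3 and later the override policy for this tree is whatever the parent configuration happens to give it. The tree contains avatars/upload, which the postinst hunk makes writable by group www-data, so I would move "AllowOverride None" above the two IfVersion blocks so that it applies on every version, and consider stating explicitly in the example that nothing under this directory is to be handled as a script.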
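Review bot: In the second hunk of add_phpbb_prefix_to_ldap_escape.patch, the rename carries over a replacement-order problem in phpbb_ldap_escape(): str_replace() applies the search/replace pairs one after another, and '*' is listed before the backslash, so the backslash inserted in front of an asterisk is itself doubled by the next pair and a lone * in the input comes out as two backslashes followed by *. Listing the backslash first would fix the ordering; better, emit the RFC 4515 hex form (\5c, \2a, \28, \29, plus \00 for NUL, which is not covered at all), or call PHP's own ldap_escape($value, '', LDAP_ESCAPE_FILTER) when it exists and keep this function as the fallback for older PHP.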
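Review bot: In debian/phpbb3.postinst, the chgrp now targets /var/lib/phpbb3/images/avatars/upload only, and nothing resets /var/lib/phpbb3/images/avatars, which the removed line gave to group www-data on every earlier configure run; upgraded systems therefore keep that group on the parent while fresh installs do not. If the point is to narrow what www-data owns, add an explicit chgrp of the parent directory to its intended group on upgrade, and say in the changelog what "Fix avatar upload permissions" actually changes, since it is the only item without a bug reference.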