
Bug#778782: unblock: phpbb3/3.0.12-5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package phpbb3.

It fixes a compatibility issue with PHP 5.6 (if php5-ldap is installed)
forbidding the administrator to set up an alternative authentication
scheme (#778553). This trivial fix is cherry-picked from upstream and
was already part of 3.0.13 as available in experimental.

It also fixes two annoying Debian-specific image issues. Even if not
critical, the fixes are really low risk.

Here is the new changelog entry, the full debdiff is attached.

phpbb3 (3.0.12-5) unstable; urgency=medium

  * Fix authentication setup: another PHP 5.6 compatibility issue, the
    internal ldap_escape() function was recently added into PHP 5.6 as
    provided by php5-ldap, and thus need to be renamed.
    (Closes: #778553)
  * Fix avatar upload permissions
  * Fix image display in Apache (Closes: #778457)

 -- David Prévot <taffit@debian.org>  Mon, 16 Feb 2015 13:51:53 -0400

unblock phpbb3/3.0.12-5

Thanks in advance for considering.

Regards

David
diff -Nru phpbb3-3.0.12/debian/changelog phpbb3-3.0.12/debian/changelog
--- phpbb3-3.0.12/debian/changelog	2015-02-02 20:38:36.000000000 -0400
+++ phpbb3-3.0.12/debian/changelog	2015-02-16 13:53:14.000000000 -0400
@@ -1,3 +1,14 @@
+phpbb3 (3.0.12-5) unstable; urgency=medium
+
+  * Fix authentication setup: another PHP 5.6 compatibility issue, the
+    internal ldap_escape() function was recently added into PHP 5.6 as
+    provided by php5-ldap, and thus need to be renamed.
+    (Closes: #778553)
+  * Fix avatar upload permissions
+  * Fix image display in Apache (Closes: #778457)
+
+ -- David Prévot <taffit@debian.org>  Mon, 16 Feb 2015 13:51:53 -0400
+
 phpbb3 (3.0.12-4) unstable; urgency=medium
 
   * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]
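Review bot: The "Fix avatar upload permissions" entry is the only one of the three without a Closes: reference or a description of what changed. Suggest naming the path and the change, i.e. that the www-data group is now set on /var/lib/phpbb3/images/avatars/upload instead of /var/lib/phpbb3/images/avatars, so the entry can be matched to the postinst hunk.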
diff -Nru phpbb3-3.0.12/debian/examples/apache2.conf phpbb3-3.0.12/debian/examples/apache2.conf
--- phpbb3-3.0.12/debian/examples/apache2.conf	2013-09-28 12:22:30.000000000 -0400
+++ phpbb3-3.0.12/debian/examples/apache2.conf	2015-02-16 13:51:49.000000000 -0400
@@ -20,6 +20,16 @@
 		allow from all
 	</IfVersion>
 </Directory>
+<Directory /var/lib/phpbb3/images>
+	<IfVersion >= 2.3>
+		Require all granted
+	</IfVersion>
+	<IfVersion < 2.3>
+		AllowOverride None
+		order allow,deny
+		allow from all
+	</IfVersion>
+</Directory>
 
 ### Multisite examples (see README.multiboard for details)
 
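Review bot: In the new <Directory /var/lib/phpbb3/images> block, AllowOverride None is set only inside the <IfVersion < 2.3> branch, so on Apache 2.3 and later the override policy for this tree is whatever the surrounding configuration leaves in effect. The tree contains avatars/upload, which the postinst hunk in this same debdiff makes writable by www-data, so an .htaccess file placed there should never be honoured. Suggest moving AllowOverride None out of the IfVersion blocks so that it applies on both branches.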
diff -Nru phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch
--- phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch	1969-12-31 20:00:00.000000000 -0400
+++ phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch	2015-02-16 12:33:38.000000000 -0400
@@ -0,0 +1,31 @@
+Description: Add phpbb_ prefix to ldap_escape() 
+ Since ldap_escape() has been added to PHP 5.6.0+, it’s internal
+ declaration throws a fatal error:
+   Cannot redeclare ldap_escape() at line 300 in /includes/auth/auth_ldap.php
+Author: Jakub Senko <jakubsenko@gmail.com>
+Origin: upstream
+Bug: https://tracker.phpbb.com/browse/PHPBB3-12468 https://tracker.phpbb.com/browse/PHPBB3-13168
+Bug-Debian: https://bugs.debian.org/778553
+Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/ba464ec93a2707b602d212e364905a920b3b9460
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>
+Last-Update: 2015-02-16
+--- a/includes/auth/auth_ldap.php
++++ b/includes/auth/auth_ldap.php
+@@ -282,7 +282,7 @@
+ {
+ 	global $config;
+ 
+-	$filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')';
++	$filter = '(' . $config['ldap_uid'] . '=' . phpbb_ldap_escape(htmlspecialchars_decode($username)) . ')';
+ 	if ($config['ldap_user_filter'])
+ 	{
+ 		$_filter = ($config['ldap_user_filter'][0] == '(' && substr($config['ldap_user_filter'], -1) == ')') ? $config['ldap_user_filter'] : "({$config['ldap_user_filter']})";
+@@ -294,7 +294,7 @@
+ /**
+ * Escapes an LDAP AttributeValue
+ */
+-function ldap_escape($string)
++function phpbb_ldap_escape($string)
+ {
+ 	return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string);
+ }
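Review bot: The renamed phpbb_ldap_escape() at the end of the nested patch keeps the original body, which escapes only *, \, ( and ) by prefixing a backslash to the literal character and leaves NUL untouched. That is fine for a minimal cherry-pick during the freeze, but it is worth recording as a follow-up: RFC 4515 filter values encode these characters as a backslash followed by two hex digits (\2a, \5c, \28, \29, \00), and since the conflict arises precisely because PHP 5.6 now ships a native ldap_escape(), a later change could call that with LDAP_ESCAPE_FILTER when it is available and keep this function as the fallback. The docblock "Escapes an LDAP AttributeValue" could also say that the result is intended for use inside a search filter, which is how the $filter line uses it.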
diff -Nru phpbb3-3.0.12/debian/patches/series phpbb3-3.0.12/debian/patches/series
--- phpbb3-3.0.12/debian/patches/series	2015-02-02 20:27:08.000000000 -0400
+++ phpbb3-3.0.12/debian/patches/series	2015-02-16 12:26:45.000000000 -0400
@@ -8,3 +8,4 @@
 fix_CVE-2015-1431.patch
 fix_CVE-2015-1432.patch
 improve_php_5.6_compatibility.patch
+add_phpbb_prefix_to_ldap_escape.patch
diff -Nru phpbb3-3.0.12/debian/phpbb3.postinst phpbb3-3.0.12/debian/phpbb3.postinst
--- phpbb3-3.0.12/debian/phpbb3.postinst	2014-01-03 00:38:17.000000000 -0400
+++ phpbb3-3.0.12/debian/phpbb3.postinst	2015-02-16 13:51:49.000000000 -0400
@@ -159,7 +159,7 @@
     fi
 
 # set permissions that are appropriate for multisite too
-    chgrp www-data /var/lib/phpbb3/images/avatars
+    chgrp www-data /var/lib/phpbb3/images/avatars/upload
     chmod g=wx,o= /var/lib/phpbb3/images/avatars/upload
     chmod 0755 /var/lib/phpbb3/images/ranks
     chgrp -R www-data /var/cache/phpbb3/cache
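Review bot: The chgrp target moves from images/avatars to images/avatars/upload, but nothing in this hunk restores the group on images/avatars for systems where an earlier postinst already set it to www-data. If the parent directory is not meant to belong to www-data, add an explicit chgrp back to the intended group for the upgrade case; if leaving it is harmless, a short comment above the chgrp line saying why only upload needs the group would help, since the following chmod g=wx,o= only benefits the web server once the group on upload is www-data.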
