
Bug#778782: marked as done (unblock: phpbb3/3.0.12-5)



Your message dated Thu, 19 Feb 2015 20:29:26 +0100
with message-id <20150219192926.GG23417@dogguy.org>
and subject line Re: Bug#778782: unblock: phpbb3/3.0.12-5
has caused the Debian Bug report #778782,
regarding unblock: phpbb3/3.0.12-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
778782: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778782
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package phpbb3

It fixes a compatibility issue with PHP 5.6 (if php5-ldap is installed)
forbidding the administrator to set up an alternative authentication
scheme (#778553). This trivial fix is cherry-picked from upstream and
was already part of 3.0.13 as available in experimental.

It also fixes two annoying Debian-specific image issues. Even if not
critical, the fixes are really low risk.

Here is the new changelog entry, the full debdiff is attached.

phpbb3 (3.0.12-5) unstable; urgency=medium

  * Fix authentication setup: another PHP 5.6 compatibility issue, the
    internal ldap_escape() function was recently added into PHP 5.6 as
    provided by php5-ldap, and thus need to be renamed.
    (Closes: #778553)
  * Fix avatar upload permissions
  * Fix image display in Apache (Closes: #778457)

 -- David Prévot <taffit@debian.org>  Mon, 16 Feb 2015 13:51:53 -0400

unblock phpbb3/3.0.12-5

Thanks in advance for considering.

Regards

David
diff -Nru phpbb3-3.0.12/debian/changelog phpbb3-3.0.12/debian/changelog
--- phpbb3-3.0.12/debian/changelog	2015-02-02 20:38:36.000000000 -0400
+++ phpbb3-3.0.12/debian/changelog	2015-02-16 13:53:14.000000000 -0400
@@ -1,3 +1,14 @@
+phpbb3 (3.0.12-5) unstable; urgency=medium
+
+  * Fix authentication setup: another PHP 5.6 compatibility issue, the
+    internal ldap_escape() function was recently added into PHP 5.6 as
+    provided by php5-ldap, and thus need to be renamed.
+    (Closes: #778553)
+  * Fix avatar upload permissions
+  * Fix image display in Apache (Closes: #778457)
+
+ -- David Prévot <taffit@debian.org>  Mon, 16 Feb 2015 13:51:53 -0400
+
 phpbb3 (3.0.12-4) unstable; urgency=medium
 
   * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]
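
Review bot: The second and third bullets of the new 3.0.12-5 entry ("Fix avatar upload permissions", "Fix image display in Apache") do not say what was changed, and the avatar one carries no bug reference. For an upload made during a freeze, spell out the actual change in each bullet: the chgrp target moving to images/avatars/upload in the postinst, and the added Directory block for /var/lib/phpbb3/images in the example Apache configuration. The first bullet should also read "needs to be renamed".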
diff -Nru phpbb3-3.0.12/debian/examples/apache2.conf phpbb3-3.0.12/debian/examples/apache2.conf
--- phpbb3-3.0.12/debian/examples/apache2.conf	2013-09-28 12:22:30.000000000 -0400
+++ phpbb3-3.0.12/debian/examples/apache2.conf	2015-02-16 13:51:49.000000000 -0400
@@ -20,6 +20,16 @@
 		allow from all
 	</IfVersion>
 </Directory>
+<Directory /var/lib/phpbb3/images>
+	<IfVersion >= 2.3>
+		Require all granted
+	</IfVersion>
+	<IfVersion < 2.3>
+		AllowOverride None
+		order allow,deny
+		allow from all
+	</IfVersion>
+</Directory>
 
 ### Multisite examples (see README.multiboard for details)
 
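
Review bot: AllowOverride None appears only inside the <IfVersion < 2.3> branch of the new <Directory /var/lib/phpbb3/images> block, so on 2.3 and later the block relies on whatever override setting the server inherits. This tree contains avatars/upload, which the postinst change in this same debdiff makes group-writable for www-data, so it is worth stating AllowOverride None once, outside both IfVersion blocks, to guarantee that a file written into that directory is never read as per-directory configuration.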
diff -Nru phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch
--- phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch	1969-12-31 20:00:00.000000000 -0400
+++ phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch	2015-02-16 12:33:38.000000000 -0400
@@ -0,0 +1,31 @@
+Description: Add phpbb_ prefix to ldap_escape() 
+ Since ldap_escape() has been added to PHP 5.6.0+, it’s internal
+ declaration throws a fatal error:
+   Cannot redeclare ldap_escape() at line 300 in /includes/auth/auth_ldap.php
+Author: Jakub Senko <jakubsenko@gmail.com>
+Origin: upstream
+Bug: https://tracker.phpbb.com/browse/PHPBB3-12468 https://tracker.phpbb.com/browse/PHPBB3-13168
+Bug-Debian: https://bugs.debian.org/778553
+Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/ba464ec93a2707b602d212e364905a920b3b9460
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>
+Last-Update: 2015-02-16
+--- a/includes/auth/auth_ldap.php
++++ b/includes/auth/auth_ldap.php
+@@ -282,7 +282,7 @@
+ {
+ 	global $config;
+ 
+-	$filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')';
++	$filter = '(' . $config['ldap_uid'] . '=' . phpbb_ldap_escape(htmlspecialchars_decode($username)) . ')';
+ 	if ($config['ldap_user_filter'])
+ 	{
+ 		$_filter = ($config['ldap_user_filter'][0] == '(' && substr($config['ldap_user_filter'], -1) == ')') ? $config['ldap_user_filter'] : "({$config['ldap_user_filter']})";
+@@ -294,7 +294,7 @@
+ /**
+ * Escapes an LDAP AttributeValue
+ */
+-function ldap_escape($string)
++function phpbb_ldap_escape($string)
+ {
+ 	return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string);
+ }
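
Review bot: The function body kept under the new name phpbb_ldap_escape() escapes only *, \, ( and ) by prefixing a backslash, and passes a NUL byte through unchanged; RFC 4515 lists NUL among the characters that must be escaped in a filter value and expects the backslash-plus-two-hex-digits form. The rename itself is the right minimal fix for the redeclaration error, but since the reason for it is that PHP 5.6 now ships ldap_escape(), a follow-up could have the wrapper call the native function with LDAP_ESCAPE_FILTER when it exists and fall back to the str_replace() otherwise. Minor: in the Description header, "it’s internal declaration" should read "its internal declaration", and the first header line has trailing whitespace.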
diff -Nru phpbb3-3.0.12/debian/patches/series phpbb3-3.0.12/debian/patches/series
--- phpbb3-3.0.12/debian/patches/series	2015-02-02 20:27:08.000000000 -0400
+++ phpbb3-3.0.12/debian/patches/series	2015-02-16 12:26:45.000000000 -0400
@@ -8,3 +8,4 @@
 fix_CVE-2015-1431.patch
 fix_CVE-2015-1432.patch
 improve_php_5.6_compatibility.patch
+add_phpbb_prefix_to_ldap_escape.patch
diff -Nru phpbb3-3.0.12/debian/phpbb3.postinst phpbb3-3.0.12/debian/phpbb3.postinst
--- phpbb3-3.0.12/debian/phpbb3.postinst	2014-01-03 00:38:17.000000000 -0400
+++ phpbb3-3.0.12/debian/phpbb3.postinst	2015-02-16 13:51:49.000000000 -0400
@@ -159,7 +159,7 @@
     fi
 
 # set permissions that are appropriate for multisite too
-    chgrp www-data /var/lib/phpbb3/images/avatars
+    chgrp www-data /var/lib/phpbb3/images/avatars/upload
     chmod g=wx,o= /var/lib/phpbb3/images/avatars/upload
     chmod 0755 /var/lib/phpbb3/images/ranks
     chgrp -R www-data /var/cache/phpbb3/cache
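
Review bot: Changing the chgrp target to /var/lib/phpbb3/images/avatars/upload corrects fresh installs, but nothing in this hunk undoes the old line on upgrade: a system that already ran "chgrp www-data /var/lib/phpbb3/images/avatars" keeps the parent directory in group www-data. If the parent is meant to stay out of the web server's group, add a chgrp that resets it to the group the package ships it with; if the leftover group is harmless given the directory's mode, say so in the changelog. A short comment next to "chmod g=wx,o=" explaining why the group gets write and search but not read permission on the upload directory would also help the next maintainer.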



--- End Message ---
--- Begin Message ---
On Thu, Feb 19, 2015 at 02:16:16PM -0400, David Prévot <taffit@debian.org> wrote:
> Please unblock package phpbb3
> 
> It fixes a compatibility issue with PHP 5.6 (if php5-ldap is installed)
> forbidding the administrator to set up an alternative authentication
> scheme (#778553). This trivial fix is cherry-picked from upstream and
> was already part of 3.0.13 as available in experimental.
> 
> It also fixes two annoying Debian-specific image issues. Even if not
> critical, the fixes are really low risk.
> 

Unblocked. Please talk to us next time though.

Regards,

-- 
Mehdi Dogguy

--- End Message ---
