Bug#785155: wheezy-pu: package phpbb3/3.0.10-4+deb7u3

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#785155: wheezy-pu: package phpbb3/3.0.10-4+deb7u3
From: David Prévot <taffit@debian.org>
Date: Tue, 12 May 2015 16:13:09 -0400
Message-id: <[🔎] 20150512201309.GA9328@mikado.tilapin.org>
Reply-to: David Prévot <taffit@debian.org>, 785155@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Please accept the fix for CVE-2015-3880 in Wheezy, tagged as <no-dsa> as
agreed with the security team. The attached debdiff is pretty similar to
the one for Jessie (phpbb3/3.0.12-5+deb8u1, #785154).

Regards

David

diff --git a/changelog b/changelog
index 0856a51..e4048ab 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,11 @@
+phpbb3 (3.0.10-4+deb7u3) wheezy; urgency=medium
+
+  * Fix possible redirection on Chrome: an insufficient check allowed users of
+    the Google Chrome browser to be redirected to external domains (e.g. on
+    login) [CVE-2015-3880]
+
+ -- David Prévot <taffit@debian.org>  Tue, 12 May 2015 16:02:09 -0400
+
 phpbb3 (3.0.10-4+deb7u2) wheezy; urgency=medium
 
   * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]
diff --git a/patches/fix_CVE-2015-3880.patch b/patches/fix_CVE-2015-3880.patch
new file mode 100644
index 0000000..bf789db
--- /dev/null
+++ b/patches/fix_CVE-2015-3880.patch
@@ -0,0 +1,32 @@
+Description: Fix possible redirection on Chrome
+ An insufficient check allowed users of the Google Chrome browser to be
+ redirected to external domains (e.g. on login).
+ [CVE-2015-3880]
+Author: Marc Alexander <admin@m-a-styles.de>, Joas Schilling <nickvergessen@gmx.de>
+Origin: upstream, https://github.com/phpbb/phpbb/commit/1a3350619f428d9d69d196c52128727e27ef2f04
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>
+Last-Update: 2015-05-09
+--- a/includes/functions.php
++++ b/includes/functions.php
+@@ -2426,7 +2426,7 @@
+ 		// Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work)
+ 		if (!$disable_cd_check && $url_parts['host'] !== $user->host)
+ 		{
+-			$url = generate_board_url();
++			trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
+ 		}
+ 	}
+ 	else if ($url[0] == '/')
+@@ -2513,6 +2513,12 @@
+ 		}
+ 	}
+ 
++	// Make sure we don't redirect to external URLs
++	if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
++	{
++		trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
++	}
++
+ 	// Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
+ 	if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)
+ 	{
diff --git a/patches/series b/patches/series
index 42df55d..86f65b1 100644
--- a/patches/series
+++ b/patches/series
@@ -8,3 +8,4 @@ fix-php54.patch
 fix_chown.patch
 fix_CVE-2015-1431.patch
 fix_CVE-2015-1432.patch
+fix_CVE-2015-3880.patch

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#785155: wheezy-pu: package phpbb3/3.0.10-4+deb7u3
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#785155: wheezy-pu: package phpbb3/3.0.10-4+deb7u3
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Processed: Re: Bug#785154: Bug#785155: wheezy-pu: package phpbb3/3.0.10-4+deb7u3
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#785154: jessie-pu: package phpbb3/3.0.12-5+deb8u1
Next by Date: Processed: Re: Bug#785154: jessie-pu: package phpbb3/3.0.12-5+deb8u1
Previous by thread: Processed: Re: Bug#785154: Bug#785155: wheezy-pu: package phpbb3/3.0.10-4+deb7u3
Next by thread: Bug#785155: wheezy-pu: package phpbb3/3.0.10-4+deb7u3
Index(es):
- Date
- Thread