
Bug#785386: jessie-pu: package php-horde/5.2.1+debian0-2



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

php-horde in Jessie has an XSS security bug (#785364).

I plan to fix it through -updates.

Debdiff attached.

Regards

Mathieu Parent


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
From 4b855a205b0c33f91a908d070d7848100ef4697a Mon Sep 17 00:00:00 2001
From: Mathieu Parent <math.parent@gmail.com>
Date: Fri, 15 May 2015 11:38:49 +0200
Subject: [PATCH] Fix XSS in group administration (Closes: #785364)

---
 debian/changelog                                   |  6 ++++++
 .../0003-Fix-XSS-in-group-administration.patch     | 23 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 30 insertions(+)
 create mode 100644 debian/patches/0003-Fix-XSS-in-group-administration.patch

diff --git a/debian/changelog b/debian/changelog
index 2796877..b801a8d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-horde (5.2.1+debian0-2+deb8u1) stable; urgency=medium
+
+  * Fix XSS in group administration (Closes: #785364)
+
+ -- Mathieu Parent <sathieu@debian.org>  Fri, 15 May 2015 17:14:33 +0200
+
 php-horde (5.2.1+debian0-2) unstable; urgency=medium
 
   * Update Standards-Version, no change
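Review bot: The new entry at the top of debian/changelog targets "stable" rather than the codename; since this is requested as jessie-pu, writing "jessie" in the distribution field keeps the target unambiguous after the next release. The single bullet could also name the patch it introduces (0003-Fix-XSS-in-group-administration.patch) so the changelog line maps directly onto the file added under debian/patches.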
diff --git a/debian/patches/0003-Fix-XSS-in-group-administration.patch b/debian/patches/0003-Fix-XSS-in-group-administration.patch
new file mode 100644
index 0000000..f318a40
--- /dev/null
+++ b/debian/patches/0003-Fix-XSS-in-group-administration.patch
@@ -0,0 +1,23 @@
+From: Mathieu Parent <math.parent@gmail.com>
+Date: Tue, 5 May 2015 21:56:08 +0200
+Subject: Fix XSS in group administration
+
+Origin: https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220
+Author: Jan Schneider <jan@horde.org>
+---
+ horde-5.2.1/admin/groups.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/horde-5.2.1/admin/groups.php b/horde-5.2.1/admin/groups.php
+index 3a3fa48..0423531 100644
+--- a/horde-5.2.1/admin/groups.php
++++ b/horde-5.2.1/admin/groups.php
+@@ -211,7 +211,7 @@ foreach ($nodes as $id => $node) {
+     $tree->addNode(array(
+         'id' => $id,
+         'parent' => null,
+-        'label' => $node,
++        'label' => htmlspecialchars($node),
+         'expanded' => false,
+         'params' => $group_node + $node_params,
+         'right' => array($spacer, $delete_link)
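Review bot: On the changed 'label' line, htmlspecialchars($node) is called with no flags or encoding argument, so on PHP versions before 8.1 it runs with ENT_COMPAT and leaves single quotes unencoded. That is sufficient only if the tree renderer emits the label as element text or inside a double-quoted attribute, which is worth confirming, or else pass ENT_QUOTES and the charset explicitly. The neighbouring 'params' and 'right' entries go through unchanged, so it is also worth checking that $group_node, $node_params and $delete_link do not embed the group name unescaped. On the documentation side, the patch header carries Origin and Author but no Bug-Debian field pointing at #785364.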
diff --git a/debian/patches/series b/debian/patches/series
index 8e6d7d8..df54592 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0002-Fix-rewrite-base.patch
+0003-Fix-XSS-in-group-administration.patch
-- 
2.1.4

