
Bug#785155: marked as done (wheezy-pu: package phpbb3/3.0.10-4+deb7u3)



Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <1441460034.2151.33.camel@adam-barratt.org.uk>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #785155,
regarding wheezy-pu: package phpbb3/3.0.10-4+deb7u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
785155: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785155
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Please accept the fix for CVE-2015-3880 in Wheezy, tagged as <no-dsa> as
agreed with the security team. The attached debdiff is pretty similar to
the one for Jessie (phpbb3/3.0.12-5+deb8u1, #785154).

Regards

David
diff --git a/changelog b/changelog
index 0856a51..e4048ab 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,11 @@
+phpbb3 (3.0.10-4+deb7u3) wheezy; urgency=medium
+
+  * Fix possible redirection on Chrome: an insufficient check allowed users of
+    the Google Chrome browser to be redirected to external domains (e.g. on
+    login) [CVE-2015-3880]
+
+ -- David Prévot <taffit@debian.org>  Tue, 12 May 2015 16:02:09 -0400
+
 phpbb3 (3.0.10-4+deb7u2) wheezy; urgency=medium
 
   * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]
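Review bot: the new 3.0.10-4+deb7u3 entry describes the flaw but not the behaviour change that ships with it. In fix_CVE-2015-3880.patch, a redirect whose host differs from $user->host no longer falls back to generate_board_url() and instead raises E_USER_ERROR. For a stable update, add a line to the entry saying that such redirects are now rejected with an error rather than rewritten to the board URL, so administrators reading the changelog know what changed for the cross-host case the code comment mentions (yourdomain.com -> www.yourdomain.com).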
diff --git a/patches/fix_CVE-2015-3880.patch b/patches/fix_CVE-2015-3880.patch
new file mode 100644
index 0000000..bf789db
--- /dev/null
+++ b/patches/fix_CVE-2015-3880.patch
@@ -0,0 +1,32 @@
+Description: Fix possible redirection on Chrome
+ An insufficient check allowed users of the Google Chrome browser to be
+ redirected to external domains (e.g. on login).
+ [CVE-2015-3880]
+Author: Marc Alexander <admin@m-a-styles.de>, Joas Schilling <nickvergessen@gmx.de>
+Origin: upstream, https://github.com/phpbb/phpbb/commit/1a3350619f428d9d69d196c52128727e27ef2f04
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>
+Last-Update: 2015-05-09
+--- a/includes/functions.php
++++ b/includes/functions.php
+@@ -2426,7 +2426,7 @@
+ 		// Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work)
+ 		if (!$disable_cd_check && $url_parts['host'] !== $user->host)
+ 		{
+-			$url = generate_board_url();
++			trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
+ 		}
+ 	}
+ 	else if ($url[0] == '/')
+@@ -2513,6 +2513,12 @@
+ 		}
+ 	}
+ 
++	// Make sure we don't redirect to external URLs
++	if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
++	{
++		trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
++	}
++
+ 	// Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
+ 	if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)
+ 	{
diff --git a/patches/series b/patches/series
index 42df55d..86f65b1 100644
--- a/patches/series
+++ b/patches/series
@@ -8,3 +8,4 @@ fix-php54.patch
 fix_chown.patch
 fix_CVE-2015-1431.patch
 fix_CVE-2015-1432.patch
+fix_CVE-2015-3880.patch

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point
release.

Regards,

Adam

--- End Message ---
