- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: php-horde-mnemo/4.2.1-5
- From: Mathieu Parent <sathieu@debian.org>
- Date: Tue, 30 Dec 2014 21:41:43 +0100
- Message-id: <20141230204143.20573.98813.reportbug@ultrathieu.sathieu.net>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package php-horde-mnemo.
It only contains a security fix (#772474), backported from upstream.
Debdiff attached.
unblock php-horde-mnemo/4.2.1-5
Thanks!
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index a206739..1441b07 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-horde-mnemo (4.2.1-5) unstable; urgency=medium
+
+ * Check permission when editing notes (Closes: #772474)
+
+ -- Mathieu Parent <sathieu@debian.org> Sun, 07 Dec 2014 16:41:39 +0100
+
php-horde-mnemo (4.2.1-4) unstable; urgency=medium
* Fixed DEP-8 tests, by removing "set -x"
diff --git a/debian/patches/0001-SECURITY-Check-permission-when-editing-notes.patch b/debian/patches/0001-SECURITY-Check-permission-when-editing-notes.patch
new file mode 100644
index 0000000..2328c41
--- /dev/null
+++ b/debian/patches/0001-SECURITY-Check-permission-when-editing-notes.patch
@@ -0,0 +1,182 @@
+From: Mathieu Parent <math.parent@gmail.com>
+Date: Sun, 7 Dec 2014 12:50:07 +0100
+Subject: SECURITY: Check permission when editing notes
+
+Bug-Debian: https://bugs.debian.org/772474
+Applied-Upstream: https://github.com/horde/horde/commit/94d57986f278a44d0df00d9fb82c455245bce95d
+---
+ mnemo-4.2.1/memo.php | 93 ++++++++++++++++++++++++----------------------------
+ 1 file changed, 43 insertions(+), 50 deletions(-)
+
+diff --git a/mnemo-4.2.1/memo.php b/mnemo-4.2.1/memo.php
+index e9e66a0..59325d0 100644
+--- a/mnemo-4.2.1/memo.php
++++ b/mnemo-4.2.1/memo.php
+@@ -50,6 +50,18 @@ function showPassphrase($memo)
+ return false;
+ }
+
++function getShare($notepad)
++{
++ global $mnemo_shares, $notification;
++
++ try {
++ return $mnemo_shares->getShare($notepad);
++ } catch (Horde_Share_Exception $e) {
++ $notification->push(sprintf(_("There was an error viewing this notepad: %s"), $e->getMessage()), 'horde.error');
++ Horde::url('list.php', true)->redirect();
++ }
++}
++
+ require_once __DIR__ . '/lib/Application.php';
+ Horde_Registry::appInit('mnemo');
+
+@@ -81,28 +93,28 @@ case 'add_memo':
+ $memolist_id = Mnemo::getDefaultNotepad();
+ } catch (Mnemo_Exception $e) {
+ $notification->push($e);
++ Horde::url('list.php', true)->redirect();
+ }
+ }
+- try {
+- $share = $mnemo_shares->getShare($memolist_id);
+- } catch (Horde_Share_Exception $e) {
+- $notification->push($e);
+- Horde::url('list.php', true)->redirect();
+- }
+- if (!$share->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
++ if (!getShare($memolist_id)->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
+ $notification->push(_("Access denied addings notes to this notepad."), 'horde.error');
+ Horde::url('list.php', true)->redirect();
+ }
+ $memo_id = null;
+ $memo_body = '';
+ $memo_encrypted = $show_passphrase = false;
+- $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create();
++ $storage = $injector->getInstance('Mnemo_Factory_Driver')->create();
+ $memo_tags = array();
+
+ $title = _("New Note");
+ break;
+
+ case 'modify_memo':
++ if (!getShare($memolist_id)->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
++ $notification->push(_("Access denied editing note."), 'horde.error');
++ Horde::url('list.php', true)->redirect();
++ }
++
+ /* Check if a passphrase has been sent. */
+ $passphrase = Horde_Util::getFormData('memo_passphrase');
+
+@@ -113,7 +125,8 @@ case 'modify_memo':
+ $notification->push(_("Note not found."), 'horde.error');
+ Horde::url('list.php', true)->redirect();
+ }
+- $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($memolist_id);
++ $storage = $injector->getInstance('Mnemo_Factory_Driver')
++ ->create($memolist_id);
+
+ /* Encryption tests. */
+ $show_passphrase = showPassphrase($memo);
+@@ -138,15 +151,11 @@ case 'save_memo':
+ // Save the memolist in case saving fails Bug: 12855
+ $memolist_id = $notepad_target;
+
+- try {
+- $share = $mnemo_shares->getShare($notepad_target);
+- } catch (Horde_Share_Exception $e) {
+- $notification->push($e);
+- Horde::url('list.php', true)->redirect();
+- }
+-
+- if (!$share->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
+- $notification->push(_("Access denied saving note to this notepad."), 'horde.error');
++ if (!getShare($notepad_target)->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
++ $notification->push(
++ _("Access denied saving note to this notepad."),
++ 'horde.error'
++ );
+ } elseif ($memo_passphrase != $memo_passphrase2) {
+ $notification->push(_("The passwords don't match."), 'horde.error');
+ if (empty($memo_id)) {
+@@ -163,38 +172,28 @@ case 'save_memo':
+ $memo_encrypted = $memo['encrypted'];
+ $memolist_id = $memolist_original;
+ }
+- $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($memolist_original);
++ $storage = $injector->getInstance('Mnemo_Factory_Driver')
++ ->create($memolist_original);
+ break;
+ } else {
+ /* If $memo_id is set, we're modifying an existing note. Otherwise,
+ * we're adding a new note with the provided attributes. */
+ if (!empty($memo_id)) {
+- $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($memolist_original);
++ $storage = $injector->getInstance('Mnemo_Factory_Driver')
++ ->create($memolist_original);
+ if ($memolist_original != $notepad_target) {
+ /* Moving the note to another notepad. */
+- try {
+- $share = $mnemo_shares->getShare($memolist_original);
+- } catch (Horde_Share_Exception $e) {
+- throw new Mnemo_Exception($e);
+- }
+- if ($share->hasPermission($registry->getAuth(), Horde_Perms::DELETE)) {
+- try {
+- $share = $mnemo_shares->getShare($notepad_target);
+- } catch (Horde_Share_Exception $e) {
+- throw new Mnemo_Exception($e);
+- }
+- if ($share->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
+- $storage->move($memo_id, $notepad_target);
+- $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($notepad_target);
+- } else {
+- $notification->push(_("Access denied moving the note."), 'horde.error');
+- }
+- } else {
++ if (!getShare($memolist_original)->hasPermission($registry->getAuth(), Horde_Perms::DELETE)) {
+ $notification->push(_("Access denied moving the note."), 'horde.error');
++ } else {
++ $storage->move($memo_id, $notepad_target);
++ $storage = $injector->getInstance('Mnemo_Factory_Driver')
++ ->create($notepad_target);
+ }
+ }
+ $memo_desc = $storage->getMemoDescription($memo_body);
+- if (!strlen($memo_passphrase) && Horde_Util::getFormData('memo_encrypt') == 'on') {
++ if (!strlen($memo_passphrase) &&
++ Horde_Util::getFormData('memo_encrypt') == 'on') {
+ $memo_passphrase = Mnemo::getPassphrase($memo_id);
+ }
+ try {
+@@ -212,7 +211,8 @@ case 'save_memo':
+ Horde::url('list.php', true)->redirect();
+ }
+ /* Creating a new note. */
+- $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($notepad_target);
++ $storage = $injector->getInstance('Mnemo_Factory_Driver')
++ ->create($notepad_target);
+ $memo_desc = $storage->getMemoDescription($memo_body);
+ try {
+ $memo_id = $storage->add(
+@@ -236,17 +236,10 @@ case 'save_memo':
+
+ case 'delete_memos':
+ /* Delete the note if we're provided with a valid note ID. */
+- $memo_id = Horde_Util::getFormData('memo');
+- $memolist_id = Horde_Util::getFormData('memolist');
+-
+ if (!is_null($memo_id) && Mnemo::getMemo($memolist_id, $memo_id)) {
+- try {
+- $share = $mnemo_shares->getShare($memolist_id);
+- } catch (Horde_Share_Exception $e) {
+- throw new Mnemo_Exception($e);
+- }
+- if ($share->hasPermission($registry->getAuth(), Horde_Perms::DELETE)) {
+- $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($memolist_id);
++ if (getShare($memolist_id)->hasPermission($registry->getAuth(), Horde_Perms::DELETE)) {
++ $storage = $injector->getInstance('Mnemo_Factory_Driver')
++ ->create($memolist_id);
+ try {
+ $storage->delete($memo_id);
+ $notification->push(_("The note was deleted."), 'horde.success');
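Review bot: `getShare()` in the first memo.php hunk has no docblock and its catch branch falls off the end of the function, so every caller's `getShare(...)->hasPermission(...)` chain is only safe because `Horde_Url::redirect()` is expected to terminate the request; if it ever returned, the chain would fail on a null return, which is fail-closed but opaque to the next reader. I would add above the function: `/** Look up the share for $notepad, or notify and redirect to list.php on failure (relies on redirect() ending the request). */`. The new checks at the top of `modify_memo` and in `delete_memos` also assume `$memo_id`/`$memolist_id` are already read from the form data before the switch, since the local re-reads were dropped from `delete_memos`; that assignment is outside these hunks, so it is worth confirming it exists in the 4.2.1 file being patched. The enclosing `switch` starts and ends outside the hunks.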
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..42140b1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-SECURITY-Check-permission-when-editing-notes.patch