
Bug#774259: marked as done (unblock: php-horde-mnemo/4.2.1-5)



Your message dated Fri, 2 Jan 2015 23:54:25 +0100
with message-id <20150102225425.GJ8727@ugent.be>
and subject line Re: Bug#774259: unblock: php-horde-mnemo/4.2.1-5
has caused the Debian Bug report #774259,
regarding unblock: php-horde-mnemo/4.2.1-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774259: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774259
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package php-horde-mnemo.

It only contains a security fix (#772474), backported from upstream.

Debdiff attached.

unblock php-horde-mnemo/4.2.1-5

Thanks!

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index a206739..1441b07 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-horde-mnemo (4.2.1-5) unstable; urgency=medium
+
+  * Check permission when editing notes (Closes: #772474)
+
+ -- Mathieu Parent <sathieu@debian.org>  Sun, 07 Dec 2014 16:41:39 +0100
+
 php-horde-mnemo (4.2.1-4) unstable; urgency=medium
 
   * Fixed DEP-8 tests, by removing "set -x"
diff --git a/debian/patches/0001-SECURITY-Check-permission-when-editing-notes.patch b/debian/patches/0001-SECURITY-Check-permission-when-editing-notes.patch
new file mode 100644
index 0000000..2328c41
--- /dev/null
+++ b/debian/patches/0001-SECURITY-Check-permission-when-editing-notes.patch
@@ -0,0 +1,182 @@
+From: Mathieu Parent <math.parent@gmail.com>
+Date: Sun, 7 Dec 2014 12:50:07 +0100
+Subject: SECURITY: Check permission when editing notes
+
+Bug-Debian: https://bugs.debian.org/772474
+Applied-Upstream: https://github.com/horde/horde/commit/94d57986f278a44d0df00d9fb82c455245bce95d
+---
+ mnemo-4.2.1/memo.php | 93 ++++++++++++++++++++++++----------------------------
+ 1 file changed, 43 insertions(+), 50 deletions(-)
+
+diff --git a/mnemo-4.2.1/memo.php b/mnemo-4.2.1/memo.php
+index e9e66a0..59325d0 100644
+--- a/mnemo-4.2.1/memo.php
++++ b/mnemo-4.2.1/memo.php
+@@ -50,6 +50,18 @@ function showPassphrase($memo)
+     return false;
+ }
+ 
++function getShare($notepad)
++{
++    global $mnemo_shares, $notification;
++
++    try {
++        return $mnemo_shares->getShare($notepad);
++    } catch (Horde_Share_Exception $e) {
++        $notification->push(sprintf(_("There was an error viewing this notepad: %s"), $e->getMessage()), 'horde.error');
++        Horde::url('list.php', true)->redirect();
++    }
++}
++
+ require_once __DIR__ . '/lib/Application.php';
+ Horde_Registry::appInit('mnemo');
+ 
+@@ -81,28 +93,28 @@ case 'add_memo':
+             $memolist_id = Mnemo::getDefaultNotepad();
+         } catch (Mnemo_Exception $e) {
+             $notification->push($e);
++            Horde::url('list.php', true)->redirect();
+         }
+     }
+-    try {
+-        $share = $mnemo_shares->getShare($memolist_id);
+-    } catch (Horde_Share_Exception $e) {
+-        $notification->push($e);
+-        Horde::url('list.php', true)->redirect();
+-    }
+-    if (!$share->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
++    if (!getShare($memolist_id)->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
+         $notification->push(_("Access denied addings notes to this notepad."), 'horde.error');
+         Horde::url('list.php', true)->redirect();
+     }
+     $memo_id = null;
+     $memo_body = '';
+     $memo_encrypted = $show_passphrase = false;
+-    $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create();
++    $storage = $injector->getInstance('Mnemo_Factory_Driver')->create();
+     $memo_tags = array();
+ 
+     $title = _("New Note");
+     break;
+ 
+ case 'modify_memo':
++    if (!getShare($memolist_id)->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
++        $notification->push(_("Access denied editing note."), 'horde.error');
++        Horde::url('list.php', true)->redirect();
++    }
++
+     /* Check if a passphrase has been sent. */
+     $passphrase = Horde_Util::getFormData('memo_passphrase');
+ 
+@@ -113,7 +125,8 @@ case 'modify_memo':
+         $notification->push(_("Note not found."), 'horde.error');
+         Horde::url('list.php', true)->redirect();
+     }
+-    $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($memolist_id);
++    $storage = $injector->getInstance('Mnemo_Factory_Driver')
++        ->create($memolist_id);
+ 
+     /* Encryption tests. */
+     $show_passphrase = showPassphrase($memo);
+@@ -138,15 +151,11 @@ case 'save_memo':
+     // Save the memolist in case saving fails Bug: 12855
+     $memolist_id = $notepad_target;
+ 
+-    try {
+-        $share = $mnemo_shares->getShare($notepad_target);
+-    } catch (Horde_Share_Exception $e) {
+-        $notification->push($e);
+-        Horde::url('list.php', true)->redirect();
+-    }
+-
+-    if (!$share->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
+-        $notification->push(_("Access denied saving note to this notepad."), 'horde.error');
++    if (!getShare($notepad_target)->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
++        $notification->push(
++            _("Access denied saving note to this notepad."),
++            'horde.error'
++        );
+     } elseif ($memo_passphrase != $memo_passphrase2) {
+         $notification->push(_("The passwords don't match."), 'horde.error');
+         if (empty($memo_id)) {
+@@ -163,38 +172,28 @@ case 'save_memo':
+             $memo_encrypted = $memo['encrypted'];
+             $memolist_id = $memolist_original;
+         }
+-        $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($memolist_original);
++        $storage = $injector->getInstance('Mnemo_Factory_Driver')
++            ->create($memolist_original);
+         break;
+     } else {
+         /* If $memo_id is set, we're modifying an existing note.  Otherwise,
+          * we're adding a new note with the provided attributes. */
+         if (!empty($memo_id)) {
+-            $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($memolist_original);
++            $storage = $injector->getInstance('Mnemo_Factory_Driver')
++                ->create($memolist_original);
+             if ($memolist_original != $notepad_target) {
+                 /* Moving the note to another notepad. */
+-                try {
+-                    $share = $mnemo_shares->getShare($memolist_original);
+-                } catch (Horde_Share_Exception $e) {
+-                    throw new Mnemo_Exception($e);
+-                }
+-                if ($share->hasPermission($registry->getAuth(), Horde_Perms::DELETE)) {
+-                    try {
+-                        $share = $mnemo_shares->getShare($notepad_target);
+-                    } catch (Horde_Share_Exception $e) {
+-                        throw new Mnemo_Exception($e);
+-                    }
+-                    if ($share->hasPermission($registry->getAuth(), Horde_Perms::EDIT)) {
+-                        $storage->move($memo_id, $notepad_target);
+-                        $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($notepad_target);
+-                    } else {
+-                        $notification->push(_("Access denied moving the note."), 'horde.error');
+-                    }
+-                } else {
++                if (!getShare($memolist_original)->hasPermission($registry->getAuth(), Horde_Perms::DELETE)) {
+                     $notification->push(_("Access denied moving the note."), 'horde.error');
++                } else {
++                    $storage->move($memo_id, $notepad_target);
++                    $storage = $injector->getInstance('Mnemo_Factory_Driver')
++                        ->create($notepad_target);
+                 }
+             }
+             $memo_desc = $storage->getMemoDescription($memo_body);
+-            if (!strlen($memo_passphrase) && Horde_Util::getFormData('memo_encrypt') == 'on') {
++            if (!strlen($memo_passphrase) &&
++                Horde_Util::getFormData('memo_encrypt') == 'on') {
+                 $memo_passphrase = Mnemo::getPassphrase($memo_id);
+             }
+             try {
+@@ -212,7 +211,8 @@ case 'save_memo':
+                 Horde::url('list.php', true)->redirect();
+             }
+             /* Creating a new note. */
+-            $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($notepad_target);
++            $storage = $injector->getInstance('Mnemo_Factory_Driver')
++                ->create($notepad_target);
+             $memo_desc = $storage->getMemoDescription($memo_body);
+             try {
+                 $memo_id = $storage->add(
+@@ -236,17 +236,10 @@ case 'save_memo':
+ 
+ case 'delete_memos':
+     /* Delete the note if we're provided with a valid note ID. */
+-    $memo_id = Horde_Util::getFormData('memo');
+-    $memolist_id = Horde_Util::getFormData('memolist');
+-
+     if (!is_null($memo_id) && Mnemo::getMemo($memolist_id, $memo_id)) {
+-        try {
+-            $share = $mnemo_shares->getShare($memolist_id);
+-        } catch (Horde_Share_Exception $e) {
+-            throw new Mnemo_Exception($e);
+-        }
+-        if ($share->hasPermission($registry->getAuth(), Horde_Perms::DELETE)) {
+-            $storage = $GLOBALS['injector']->getInstance('Mnemo_Factory_Driver')->create($memolist_id);
++        if (getShare($memolist_id)->hasPermission($registry->getAuth(), Horde_Perms::DELETE)) {
++            $storage = $injector->getInstance('Mnemo_Factory_Driver')
++                ->create($memolist_id);
+             try {
+                 $storage->delete($memo_id);
+                 $notification->push(_("The note was deleted."), 'horde.success');
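Review bot: In the `save_memo` branch for an existing `$memo_id`, the only EDIT check is on `$notepad_target`; when `$memolist_original` differs and the DELETE check on it fails, the code pushes "Access denied moving the note." and then falls through to `$storage->getMemoDescription($memo_body)` and the following `try`, with `$storage` still bound to `$memolist_original`. No EDIT check on `$memolist_original` is visible on that path, so the update that presumably follows in the `try` (its body lies outside the embedded hunk) would run against a notepad whose edit permission was never verified. I would add `Horde::url('list.php', true)->redirect();` after that denial push, and check `getShare($memolist_original)->hasPermission($registry->getAuth(), Horde_Perms::EDIT)` before modifying a note in place. Separately, the new `getShare()` helper has no explicit return after its `catch`, so every caller that chains `->hasPermission()` relies on `redirect()` terminating the request; a one-line comment stating that assumption would help.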
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..42140b1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-SECURITY-Check-permission-when-editing-notes.patch

--- End Message ---
--- Begin Message ---
Hi,

On Tue, Dec 30, 2014 at 09:41:43PM +0100, Mathieu Parent wrote:
> Please unblock package php-horde-mnemo.

Unblocked.

Cheers,

Ivo

--- End Message ---
