
Bug#777046: wheezy-pu: package phpbb3/3.0.10-4+deb7u2

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Please consider this update that fixes two security issues (marked as
no-DSA, so I didn’t bother the security team for it).

Regards

David
diff -Nru phpbb3-3.0.10/debian/changelog phpbb3-3.0.10/debian/changelog
--- phpbb3-3.0.10/debian/changelog	2013-06-13 17:45:49.000000000 -0400
+++ phpbb3-3.0.10/debian/changelog	2015-02-02 20:40:24.000000000 -0400
@@ -1,3 +1,10 @@
+phpbb3 (3.0.10-4+deb7u2) wheezy; urgency=medium
+
+  * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]
+    (Closes: #776699)
+
+ -- David Prévot <taffit@debian.org>  Mon, 02 Feb 2015 20:40:19 -0400
+
 phpbb3 (3.0.10-4+deb7u1) wheezy-security; urgency=high
 
   * Fix chown in cache (closes: #711172)
diff -Nru phpbb3-3.0.10/debian/patches/fix_CVE-2015-1431.patch phpbb3-3.0.10/debian/patches/fix_CVE-2015-1431.patch
--- phpbb3-3.0.10/debian/patches/fix_CVE-2015-1431.patch	1969-12-31 20:00:00.000000000 -0400
+++ phpbb3-3.0.10/debian/patches/fix_CVE-2015-1431.patch	2015-02-01 22:39:51.000000000 -0400
@@ -0,0 +1,70 @@
+Description: Explicitly disallow trailing paths
+ CSRF potentially allowing an attacker to modify the private message
+ setting that determines how full folders are handled (i.e. whether to
+ delete the oldest message or hold the new message until further space
+ is available).
+ [CVE-2015-1432]
+Author: Marc Alexander <admin@m-a-styles.de>
+Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456
+Bug: https://tracker.phpbb.com/browse/PHPBB3-13531, https://tracker.phpbb.com/browse/PHPBB3-13549
+Bug-Debian: https://bugs.debian.org/776699
+Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/4b9434bf1ba4c015da11309602cfccf1a9c2493c https://github.com/phpbb/phpbb/commit/e34b92882a51dc89da88464b8c751a9d93a03124 https://github.com/phpbb/phpbb/commit/74950559074d738733ac1258b07912f9ca14203a
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>, Nils Adermann <naderman@naderman.de>
+Last-Update: 2015-02-01
+--- a/includes/startup.php
++++ b/includes/startup.php
+@@ -113,6 +113,54 @@
+ 	unset($input);
+ }
+ 
++/**
++ * Check if requested page uses a trailing path
++ *
++ * @param string $phpEx PHP extension
++ *
++ * @return bool True if trailing path is used, false if not
++ */
++function phpbb_has_trailing_path($phpEx)
++{
++	// Check if path_info is being used
++	if (!empty($_SERVER['PATH_INFO']) || (!empty($_SERVER['ORIG_PATH_INFO']) && $_SERVER['SCRIPT_NAME'] != $_SERVER['ORIG_PATH_INFO']))
++	{
++		return true;
++	}
++
++	// Match any trailing path appended to a php script in the REQUEST_URI.
++	// It is assumed that only actual PHP scripts use names like foo.php. Due
++	// to this, any phpBB board inside a directory that has the php extension
++	// appended to its name will stop working, i.e. if the board is at
++	// example.com/phpBB/test.php/ or example.com/test.php/
++	if (preg_match('#^[^?]+\.' . preg_quote($phpEx, '#') . '/#', $_SERVER['REQUEST_URI']))
++	{
++		return true;
++	}
++
++	return false;
++}
++
++// Check if trailing path is used
++if (phpbb_has_trailing_path($phpEx))
++{
++	if (substr(strtolower(@php_sapi_name()), 0, 3) === 'cgi')
++	{
++		$prefix = 'Status:';
++	}
++	else if (!empty($_SERVER['SERVER_PROTOCOL']))
++	{
++		$prefix = $_SERVER['SERVER_PROTOCOL'];
++	}
++	else
++	{
++		$prefix = 'HTTP/1.0';
++	}
++	header("$prefix 404 Not Found", true, 404);
++	echo 'Trailing paths and PATH_INFO is not supported by phpBB 3.0';
++	exit;
++}
++
+ // Register globals and magic quotes have been dropped in PHP 5.4
+ if (version_compare(PHP_VERSION, '5.4.0-dev', '>='))
+ {
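Review bot: The DEP-3 header of this file does not match its own code: the title says "Explicitly disallow trailing paths" and the hunk adds the PATH_INFO / trailing-path rejection to includes/startup.php (the CSS-injection issue the changelog files under CVE-2015-1431), but the description body below the title describes the private-message "full folder" CSRF and tags it [CVE-2015-1432]. That body text belongs in fix_CVE-2015-1432.patch; replace it here with the trailing-path / CSS-injection text currently sitting in the other file and tag it [CVE-2015-1431], so the header agrees with the filename, the changelog and the code. Two smaller points while here: the upstream comment in the hunk itself documents a behaviour change (a board installed under a directory whose name ends in `.php`, e.g. `example.com/test.php/`, will now answer 404), which deserves a sentence in the changelog or a NEWS entry for wheezy users; and the `@` error suppression on `php_sapi_name()` is unnecessary, though as this is a verbatim upstream backport it is reasonable to leave it as-is.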
diff -Nru phpbb3-3.0.10/debian/patches/fix_CVE-2015-1432.patch phpbb3-3.0.10/debian/patches/fix_CVE-2015-1432.patch
--- phpbb3-3.0.10/debian/patches/fix_CVE-2015-1432.patch	1969-12-31 20:00:00.000000000 -0400
+++ phpbb3-3.0.10/debian/patches/fix_CVE-2015-1432.patch	2015-02-01 22:41:25.000000000 -0400
@@ -0,0 +1,27 @@
+Description: Correctly validate the ucp_pm_options form key
+ This allows an attacker to load arbitrary CSS in Internet Explorer by
+ crafting a URL with trailing paths after a PHP file (for example
+ /path/index.php/more/path). This is only possible if the webserver
+ configuration allows accessing PHP files in this manner.
+Author: Joas Schilling <nickvergessen@gmx.de>
+Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456
+Bug: https://tracker.phpbb.com/browse/PHPBB3-13526
+Bug-Debian: https://bugs.debian.org/776699
+Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>
+Last-Update: 2015-02-01
+--- a/includes/ucp/ucp_pm_options.php
++++ b/includes/ucp/ucp_pm_options.php
+@@ -29,7 +29,11 @@
+ 	// Change "full folder" setting - what to do if folder is full
+ 	if (isset($_POST['fullfolder']))
+ 	{
+-		check_form_key('ucp_pm_options', $config['form_token_lifetime'], $redirect_url);
++		if (!check_form_key('ucp_pm_options'))
++		{
++			trigger_error('FORM_INVALID');
++		}
++
+ 		$full_action = request_var('full_action', 0);
+ 
+ 		$set_folder_id = 0;
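Review bot: The description body in this file is the one for the other patch: the title "Correctly validate the ucp_pm_options form key" and the hunk concern the CSRF check in includes/ucp/ucp_pm_options.php, but the text beneath it describes loading arbitrary CSS in Internet Explorer via trailing paths (the fix that lives in fix_CVE-2015-1431.patch). Swap the two bodies so this one describes the form-key CSRF and carries a [CVE-2015-1432] tag. The code change itself is sound and worth a sentence in that description: the removed line called check_form_key() with a token lifetime and redirect URL but discarded its boolean result, so a missing or invalid form token never stopped the request; the added lines test the return value and abort with trigger_error('FORM_INVALID') before the setting is changed, which is the actual fix.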
diff -Nru phpbb3-3.0.10/debian/patches/series phpbb3-3.0.10/debian/patches/series
--- phpbb3-3.0.10/debian/patches/series	2013-06-13 17:45:04.000000000 -0400
+++ phpbb3-3.0.10/debian/patches/series	2015-02-01 22:41:25.000000000 -0400
@@ -6,3 +6,5 @@
 fix-czech.patch
 fix-php54.patch
 fix_chown.patch
+fix_CVE-2015-1431.patch
+fix_CVE-2015-1432.patch
