
Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2



Hi Adam.

A fix was prepared to solve several CVEs. The security team already answered me that they don't plan any DSA release for this patch. All fixes are already included in unstable.

Can we push it into stable? It fixes the following CVEs:
* Fix CVE-2016-1912 (Closes: #812496)
* Fix CVE-2015-8685 (Closes: #812449)
* Fix CVE-2015-3935 (Closes: #787762)


This is the debdiff.


diff -Nru dolibarr-3.5.5+dfsg1/debian/changelog dolibarr-3.5.5+dfsg1/debian/changelog
--- dolibarr-3.5.5+dfsg1/debian/changelog 2014-12-07 15:52:53.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/changelog 2016-02-08 21:30:58.000000000 +0100
@@ -1,3 +1,11 @@
+dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high
+
+  * Fix CVE-2016-1912 (Closes: #812496)
+  * Fix CVE-2015-8685 (Closes: #812449)
+  * Fix CVE-2015-3935 (Closes: #787762)
+
+ -- Laurent Destailleur (eldy) <eldy@users.sourceforge.net>  Tue, 08 Sep 2015 15:22:52 +0200
+
 dolibarr (3.5.5+dfsg1-1) unstable; urgency=medium
 
   * New upstream release with 3.5.5
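Review bot: the new changelog entry at the top of this hunk targets `UNRELEASED`; for a jessie-pu upload the distribution must be `jessie`. The bug title says `3.5.5+dfsg1-2` while the entry uses `3.5.5+dfsg1-1+deb8u1`, and the latter is the correct form for a stable update, so align the title with it. The trailer date `Tue, 08 Sep 2015` predates CVE-2016-1912 and the 2016-02-08 timestamps on the new patch files, so refresh it with `dch` before upload. Each `Fix CVE-...` line would also benefit from a few words on what it changes (escaping of search parameters in societe.php, input-pattern checks in main.inc.php, GETPOST filters in agenda_extsites.php), since the release team reads the changelog before the patches.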
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 1970-01-01 01:00:00.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 2016-02-08 21:30:58.000000000 +0100
@@ -0,0 +1,35 @@
+diff --git a/htdocs/admin/agenda_extsites.php b/htdocs/admin/agenda_extsites.php
+index ac105cf..bf68c61 100644
+--- a/htdocs/admin/agenda_extsites.php
++++ b/htdocs/admin/agenda_extsites.php
+@@ -1,6 +1,7 @@
+ <?php
+-/* Copyright (C) 2008-2011 Laurent Destailleur  <eldy@users.sourceforge.net>
+- * Copyright (C) 2011-2014 Juanjo Menent        <jmenent@2byte.es>
++/* Copyright (C) 2008-2011  Laurent Destailleur <eldy@users.sourceforge.net>
++ * Copyright (C) 2011-2014  Juanjo Menent       <jmenent@2byte.es>
++ * Copyright (C) 2016       Raphaël Doursenaud  <rdoursenaud@gpcsolutions.fr>
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
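Review bot: the copyright-header hunk (lines 1-7 of agenda_extsites.php) is cosmetic and only widens the diff the stable release team has to review; for a targeted +deb8u1 update drop it and keep the two functional hunks. The patch file also starts directly with `diff --git` and carries no DEP-3 header (Description, Origin, Bug, Bug-Debian); add one naming the upstream issue (4291, per the file name) and which of the three CVEs in the changelog it addresses, since none of them is mentioned in the patch itself.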
+@@ -88,7 +89,7 @@
// Save nb of agenda
if (! $error)
{
+- $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity);
++ $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity);
if (! $res > 0) $error++;
if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5;
$MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB;
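Review bot: switching the `AGENDA_EXT_NB` filter from `'alpha'` to `'int'` is the right fix, since the value is only ever used as a count. Unrelated to the change but visible in the context: `if (! $res > 0)` parses as `(! $res) > 0` in PHP, so a negative return code from `dolibarr_set_const` is never counted as an error; the intended test is presumably `if ($res <= 0)`. Out of scope for this update, but worth reporting upstream.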
+@@ -201,9 +202,9 @@
// Nb
print '<td width="180" class="nowrap">'.$langs->trans("AgendaExtNb",$key)."</td>";
// Name
+- print '<td><input type="text" class="flat hideifnotset" name="agenda_ext_name'.$key.'" value="'. (GETPOST('agenda_ext_name'.$key)?GETPOST('agenda_ext_name'.$key):$conf->global->$name) . '" size="28"></td>';
++ print '<td><input type="text" class="flat hideifnotset" name="agenda_ext_name'.$key.'" value="'. (GETPOST('agenda_ext_name'.$key)?GETPOST('agenda_ext_name'.$key, 'alpha'):$conf->global->$name) . '" size="28"></td>';
// URL
+- print '<td><input type="url" class="flat hideifnotset" name="agenda_ext_src'.$key.'" value="'. (GETPOST('agenda_ext_src'.$key)?GETPOST('agenda_ext_src'.$key):$conf->global->$src) . '" size="60"></td>';
++ print '<td><input type="url" class="flat hideifnotset" name="agenda_ext_src'.$key.'" value="'. (GETPOST('agenda_ext_src'.$key)?GETPOST('agenda_ext_src'.$key, 'alpha'):$conf->global->$src) . '" size="60"></td>';
// Color (Possible colors are limited by Google)
print '<td class="nowrap" align="right">';
//print $formadmin->selectColor($conf->global->$color, "google_agenda_color".$key, $colorlist);
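Review bot: in both `print` lines the ternary condition still calls `GETPOST('agenda_ext_name'.$key)` / `GETPOST('agenda_ext_src'.$key)` with no filter and only the value branch gains `'alpha'`; more importantly, the result is interpolated into an HTML `value="..."` attribute, so it should be wrapped in `dol_escape_htmltag()` (the approach the societe.php patch in this same debdiff uses) regardless of which GETPOST filter is applied, and the `$conf->global->$name` / `$conf->global->$src` fallbacks need the same escaping because they are emitted through the same attribute.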
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 1970-01-01 01:00:00.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 2016-02-08 21:30:58.000000000 +0100
@@ -0,0 +1,22 @@
+diff --git a/debian/changelog b/debian/changelog
+index 7d3e2e1..09dd3e0 100644
+--- a/htdocs/societe/societe.php
++++ b/htdocs/societe/societe.php
+@@ -272,7 +272,7 @@
$num = $db->num_rows($resql);
$i = 0;
+- $params = "&amp;socname=".$socname."&amp;search_nom=".$search_nom."&amp;search_town=".$search_town;
++ $params = "&amp;socname=".urlencode($socname)."&amp;search_nom=".urlencode($search_nom)."&amp;search_town=".urlencode($search_town);
$params.= ($sbarcode?"&amp;sbarcode=".$sbarcode:"");
$params.= '&amp;search_idprof1='.$search_idprof1;
$params.= '&amp;search_idprof2='.$search_idprof2;
+@@ -348,7 +348,7 @@
print '<input type="hidden" name="sortfield" value="'.$sortfield.'">';
print '<input type="hidden" name="sortorder" value="'.$sortorder.'">';
if (! empty($search_nom_only) && empty($search_nom)) $search_nom=$search_nom_only;
+- print '<input class="flat" type="text" name="search_nom" value="'.$search_nom.'">';
++ print '<input class="flat" type="text" name="search_nom" value="'.dol_escape_htmltag($search_nom).'">';
print '</td>';
// Barcode
if (! empty($conf->barcode->enabled))
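Review bot: escaping `$search_nom` with `dol_escape_htmltag()` before it goes into the `value` attribute is correct. The two hidden inputs in the context just above emit `$sortfield` and `$sortorder` into `value` attributes the same way without escaping; apply `dol_escape_htmltag()` there as well so the same class of issue does not remain a few lines away from the fix.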
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch 1970-01-01 01:00:00.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch 2016-02-08 21:30:58.000000000 +0100
@@ -0,0 +1,37 @@
+diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
+index 7fba7f5..90eac77 100644
+--- a/htdocs/main.inc.php
++++ b/htdocs/main.inc.php
+@@ -80,13 +80,15 @@
+     // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
+     if ($type != 2)
+     {
+-        $sql_inj += preg_match('/delete[\s]+from/i', $val);
+-        $sql_inj += preg_match('/create[\s]+table/i', $val);
+-        $sql_inj += preg_match('/update.+set.+=/i', $val);
+-        $sql_inj += preg_match('/insert[\s]+into/i', $val);
+-        $sql_inj += preg_match('/select.+from/i', $val);
+-        $sql_inj += preg_match('/union.+select/i', $val);
+-        $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
++        $sql_inj += preg_match('/delete\s+from/i',  $val);
++        $sql_inj += preg_match('/create\s+table/i',  $val);
++        $sql_inj += preg_match('/update.+set.+=/i',  $val);
++        $sql_inj += preg_match('/insert\s+into/i',   $val);
++        $sql_inj += preg_match('/select.+from/i',   $val);
++        $sql_inj += preg_match('/union.+select/i',   $val);
++        $sql_inj += preg_match('/into\s+(outfile|dumpfile)/i',  $val);
++        $sql_inj += preg_match('/(\.\.%2f)+/i',  $val);
++        $sql_inj += preg_match('/_onerror_=/i',       $val);
+     }
+     // For XSS Injection done by adding _javascript_ with script
+     // This is all cases a browser consider text is _javascript_:
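Review bot: the new pattern in this hunk reads `_onerror_=` here and `_javascript_:` in the next one; in the committed patch these must be `onerror=` and `javascript:` without underscores, otherwise the checks can never match the real attribute or scheme. The underscored forms look like the list archive's rewriting of those words (the comments show the same `_javascript_`), so verify the file inside the source package rather than this rendering. `onerror=` is also an XSS pattern rather than a SQL one and belongs with the `<script` / `onmouse` checks in the next hunk instead of in the `$type != 2` block, which per its own comment only covers GET and POST. Finally, the `[\s]+` to `\s+` rewrites and the realigned whitespace are cosmetic noise in a stable diff, and this regex blacklist is defence in depth only; the output escaping the societe.php patch adds is the part that actually closes the hole.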
+@@ -94,7 +96,8 @@
+     // All examples on page: http://ha.ckers.org/xss.html#XSScalc
+     $sql_inj += preg_match('/<script/i', $val);
+     if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
+-    $sql_inj += preg_match('/base[\s]+href/i', $val);
++    $sql_inj += preg_match('/base[\s]+href/si', $val);
++    $sql_inj += preg_match('/<.*onmouse/si', $val);       // onmouseover can be set on img or any html tag like <img title='>' _onmouseover_=alert(1)>
+     if ($type == 1)
+     {
+         $sql_inj += preg_match('/_javascript_:/i', $val);
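Review bot: adding the `s` modifier to `/base[\s]+href/si` changes nothing, as the pattern contains no `.`; only `/<.*onmouse/si` benefits from it. That new pattern is unanchored and greedy, so any value containing a `<` followed anywhere later by `onmouse` is rejected, including legitimate free text such as a note quoting HTML, which can break existing forms once this lands in stable; test that a description containing `<` still saves. It also covers only the `onmouse*` handlers, so together with the `onerror` pattern in the previous hunk the check is a short list of event attributes rather than a general one, which is another reason to treat it as a backstop to output escaping rather than the fix itself.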
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/series dolibarr-3.5.5+dfsg1/debian/patches/series
--- dolibarr-3.5.5+dfsg1/debian/patches/series 2014-12-07 15:52:53.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/series 2016-02-08 21:30:58.000000000 +0100
@@ -1 +1,4 @@
 use-etc-dolibarr-conf.patch
+Fix-787762-CVE20153935.patch
+FIX-CVE-CVE20158685-CVE-2016-1912.patch
+FIX-4291-GETPOSTs.patch
\ Pas de fin de ligne à la fin du fichier
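Review bot: `series` still ends without a newline (the `\ Pas de fin de ligne à la fin du fichier` marker is the localized "no newline at end of file"); add one so the next patch appended to the file does not end up on the same line as `FIX-4291-GETPOSTs.patch`. The order is fine as the three new patches touch different files (societe.php, main.inc.php, agenda_extsites.php) and apply independently.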

2015-09-03 18:43 GMT+02:00 Adam D. Barratt <adam@adam-barratt.org.uk>:
> Control: tags -1 + moreinfo
>
> On 2015-09-03 15:44, Laurent Destailleur (eldy) wrote:
>> A security error CVE-2015-3935 was reported for the Dolibarr ERP CRM
>> package. This bug is fixed in the official package 3.5.7 of Dolibarr.
>> Package 3.5.7 is a maintenance release compared to 3.5.5 and contains
>> only fixes. But not only bugs reported to Debian: it also includes
>> other fixes (but they are all related to stability or security).
>> I think it is a better solution to validate this maintenance release,
>> based on the new upstream version of Dolibarr, than applying a patch for
>> only CVE-2015-3935.
>> [...]
>> So I just need to know if it's ok to push such a version 3.5.7 (fixes
>> for the 3.5.* branch) instead of only one fix for only the few (the only)
>> reported Debian bugs,
>> since it provides more stability and is for me a more secure process.
>
> Certainly not whilst neither the CVE fix nor 3.5.7 are in unstable (which still has 3.5.5 without the fix, afaict).
>
> Regards,
>
> Adam



--
EMail: eldy@destailleur.fr
Web: http://www.destailleur.fr
------------------------------------------------------------------------------------
Google+: https://plus.google.com/+LaurentDestailleur/
Facebook: https://www.facebook.com/Destailleur.Laurent
Twitter: http://www.twitter.com/eldy10
------------------------------------------------------------------------------------
* Dolibarr (Project leader): http://www.dolibarr.org (make a donation for Dolibarr project via Paypal: contact@destailleur.fr)
* AWStats (Author) : http://awstats.sourceforge.net (make a donation for AWStats project via Paypal: contact@destailleur.fr)
* AWBot (Author) : http://awbot.sourceforge.net
* CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net


