--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package php-horde-crypt
This fixes a security issue:
* Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
CVE-2017-7414 (Closes: #859635)
(debdiff attached)
Note that the package doesn't work correctly in stretch, because it is not
compatible with gpg v2 (#849151 and #854819). I plan to fix this later, but
maybe in a point-release. Today, I want to prevent IMP (php-horde-imp) from
being removed from testing.
unblock php-horde-crypt/2.7.5-2
Thanks!
-- System Information:
Debian Release: 9.0
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru php-horde-crypt-2.7.5/debian/changelog php-horde-crypt-2.7.5/debian/changelog
--- php-horde-crypt-2.7.5/debian/changelog 2016-12-17 23:04:22.000000000 +0100
+++ php-horde-crypt-2.7.5/debian/changelog 2017-05-03 07:15:32.000000000 +0200
@@ -1,3 +1,10 @@
+php-horde-crypt (2.7.5-2) unstable; urgency=medium
+
+ * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
+ CVE-2017-7414 (Closes: #859635)
+
+ -- Mathieu Parent <sathieu@debian.org> Wed, 03 May 2017 07:15:32 +0200
+
php-horde-crypt (2.7.5-1) unstable; urgency=medium
* New upstream version 2.7.5
diff -Nru php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
--- php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch 2017-05-03 07:15:32.000000000 +0200
@@ -0,0 +1,34 @@
+From 5ef589a3d47f94810c8b86805723b9450867aedf Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky <mrubinsk@horde.org>
+Date: Wed, 29 Mar 2017 08:21:02 -0400
+Subject: [PATCH] Escape user provided recipients and charset data.
+
+---
+ framework/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php b/Horde_Crypt-2.7.5/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php
+index a340caaf62..c33c05c9a3 100644
+--- a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php
++++ b/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php
+@@ -433,7 +433,7 @@ extends Horde_Crypt_Pgp_Backend
+ $cmdline[] = $keyring;
+ $cmdline[] = '--encrypt';
+ foreach (array_keys($params['recips']) as $val) {
+- $cmdline[] = '--recipient ' . $val;
++ $cmdline[] = '--recipient ' . escapeshellarg($val);
+ }
+ } else {
+ $cmdline[] = '--symmetric';
+@@ -552,7 +552,7 @@ extends Horde_Crypt_Pgp_Backend
+ '--armor',
+ '--always-trust',
+ '--batch',
+- '--charset ' . (isset($params['charset']) ? $params['charset'] : 'UTF-8'),
++ '--charset ' . (isset($params['charset']) ? escapeshellarg($params['charset']) : 'UTF-8'),
+ $keyring,
+ '--verify'
+ );
+--
+2.11.0
+
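Review bot: in the --charset hunk only the user-supplied branch is wrapped while the 'UTF-8' default is left bare; that is safe today, but escaping the whole expression reads better and cannot drift if the default ever becomes configurable: '--charset ' . escapeshellarg(isset($params['charset']) ? $params['charset'] : 'UTF-8'). On the patch file itself: the diff --git line names b/Horde_Crypt-2.7.5/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php while the +++ line (the one quilt actually uses at -p1) names b/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php, and the diffstat still shows the upstream monorepo path framework/Crypt/lib/...; the paths were rewritten by hand for the PEAR tarball layout, so the stray Crypt/ component should be corrected to match. Since this is an adapted upstream commit, DEP-3 headers (Origin: naming upstream commit 5ef589a3d47f94810c8b86805723b9450867aedf, Bug-Debian: for #859635) would record that provenance in the patch file rather than only in the changelog.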
diff -Nru php-horde-crypt-2.7.5/debian/patches/series php-horde-crypt-2.7.5/debian/patches/series
--- php-horde-crypt-2.7.5/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ php-horde-crypt-2.7.5/debian/patches/series 2017-05-03 07:15:32.000000000 +0200
@@ -0,0 +1 @@
+0001-Escape-user-provided-recipients-and-charset-data.patch
--- End Message ---
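The following PHP script is an added example, not code from the message above, from Horde or from the Debian package. It reproduces the command-line construction pattern the patch changes (one '--recipient <value>' element per recipient, joined into a shell command string), runs the unescaped "before" and the escapeshellarg() "after" variants through the shell, and shows that only the unescaped one executes a command smuggled in through the recipient. The stand-in for the gpg binary (a PHP one-liner that prints its argv), the hostile recipient string and the function names are all constructed for this example.

```php
<?php
// Added example, not Horde or Debian code: contrasts the pre-patch (raw concatenation)
// and post-patch (escapeshellarg) ways of building a gpg command line from a
// user-controlled recipient, and executes both so the difference is observable.
// buildGpgCmdline, argvDumper and injectionSucceeded are illustrative names.

declare(strict_types=1);

/**
 * Mirror of the Binary.php loop: one "--recipient <value>" element per recipient
 * key, then the whole array joined with spaces into a single shell command string.
 * $escape === false reproduces the vulnerable pre-patch behaviour.
 */
function buildGpgCmdline(string $gpg, array $recips, bool $escape): string
{
    $cmdline = [$gpg, '--batch', '--encrypt'];
    foreach (array_keys($recips) as $val) {
        $val = (string) $val;
        $cmdline[] = '--recipient ' . ($escape ? escapeshellarg($val) : $val);
    }
    return implode(' ', $cmdline);
}

/**
 * Stand-in for the gpg binary (an assumption of this example): a PHP one-liner
 * that prints every argument it received as "[arg]", so we see exactly how the
 * shell split the command line. The trailing "--" stops the PHP CLI from
 * interpreting --batch etc. as its own options.
 */
function argvDumper(): string
{
    $code = 'foreach (array_slice($argv, 1) as $a) { echo "[", $a, "]\n"; }';
    return escapeshellarg(PHP_BINARY) . ' -r ' . escapeshellarg($code) . ' --';
}

/** Run the command line through /bin/sh; true if the smuggled "echo INJECTED" ran. */
function injectionSucceeded(string $cmdline): bool
{
    $out = (string) shell_exec($cmdline . ' 2>&1');
    // A bare "INJECTED" line means the shell ran it as a second command;
    // "[alice@example.com; echo INJECTED]" means the stand-in gpg got it as one argument.
    return in_array('INJECTED', explode("\n", $out), true);
}

// Constructed hostile recipient: a plausible address followed by a shell command.
$recips = ['alice@example.com; echo INJECTED' => true];

$before = buildGpgCmdline(argvDumper(), $recips, false);  // pre-patch
$after  = buildGpgCmdline(argvDumper(), $recips, true);   // post-patch

echo "before: ", $before, "\n";
echo "  injected command ran: ", var_export(injectionSucceeded($before), true), "\n";
echo "after:  ", $after, "\n";
echo "  injected command ran: ", var_export(injectionSucceeded($after), true), "\n";
```

Run it with `php example.php`; the "before" line reports true and the "after" line false. Two practical caveats: escapeshellarg() quotes according to the current locale, so set LC_CTYPE to a UTF-8 locale before passing non-ASCII recipient names through it, and on PHP 7.4 and later proc_open() accepts the command as an array of arguments, which bypasses the shell entirely and removes the need for this escaping in the first place.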