
Bug#861715: marked as done (unblock: php-horde-crypt/2.7.5-2)



Your message dated Sat, 27 May 2017 22:34:17 +0000
with message-id <E1dEkHp-0004Zo-EJ@respighi.debian.org>
and subject line unblock php-horde-crypt
has caused the Debian Bug report #861715,
regarding unblock: php-horde-crypt/2.7.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
861715: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861715
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package php-horde-crypt

This fixes a security issue:

  * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
    CVE-2017-7414 (Closes: #859635)

(debdiff attached)

Note that the package doesn't work correctly in stretch, because it is not
compatible with gpg v2 (#849151 and #854819). I plan to fix this later, but
maybe in a point-release. Today, I want to prevent IMP (php-horde-imp) from
being removed from testing.

unblock php-horde-crypt/2.7.5-2

Thanks!

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru php-horde-crypt-2.7.5/debian/changelog php-horde-crypt-2.7.5/debian/changelog
--- php-horde-crypt-2.7.5/debian/changelog	2016-12-17 23:04:22.000000000 +0100
+++ php-horde-crypt-2.7.5/debian/changelog	2017-05-03 07:15:32.000000000 +0200
@@ -1,3 +1,10 @@
+php-horde-crypt (2.7.5-2) unstable; urgency=medium
+
+  * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
+    CVE-2017-7414 (Closes: #859635)
+
+ -- Mathieu Parent <sathieu@debian.org>  Wed, 03 May 2017 07:15:32 +0200
+
 php-horde-crypt (2.7.5-1) unstable; urgency=medium
 
   * New upstream version 2.7.5
diff -Nru php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch
--- php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch	2017-05-03 07:15:32.000000000 +0200
@@ -0,0 +1,34 @@
+From 5ef589a3d47f94810c8b86805723b9450867aedf Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky <mrubinsk@horde.org>
+Date: Wed, 29 Mar 2017 08:21:02 -0400
+Subject: [PATCH] Escape user provided recipients and charset data.
+
+---
+ framework/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php b/Horde_Crypt-2.7.5/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php
+index a340caaf62..c33c05c9a3 100644
+--- a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php
++++ b/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php
+@@ -433,7 +433,7 @@ extends Horde_Crypt_Pgp_Backend
+             $cmdline[] = $keyring;
+             $cmdline[] = '--encrypt';
+             foreach (array_keys($params['recips']) as $val) {
+-                $cmdline[] = '--recipient ' . $val;
++                $cmdline[] = '--recipient ' . escapeshellarg($val);
+             }
+         } else {
+             $cmdline[] = '--symmetric';
+@@ -552,7 +552,7 @@ extends Horde_Crypt_Pgp_Backend
+             '--armor',
+             '--always-trust',
+             '--batch',
+-            '--charset ' . (isset($params['charset']) ? $params['charset'] : 'UTF-8'),
++            '--charset ' . (isset($params['charset']) ? escapeshellarg($params['charset']) : 'UTF-8'),
+             $keyring,
+             '--verify'
+         );
+-- 
+2.11.0
+
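Review bot: the `diff --git` header inside the embedded upstream commit names two different paths, `a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php` and `b/Horde_Crypt-2.7.5/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php`; quilt applies from the `---`/`+++` lines, which do agree, so the patch still applies, but the stray `Crypt/` segment in the `b/` path should be dropped so the header matches the file actually patched. The patch also carries no DEP-3 `Origin:` or `Bug-Debian:` field; adding `Origin: upstream, 5ef589a3d47f94810c8b86805723b9450867aedf` and `Bug-Debian: https://bugs.debian.org/859635` would record where the fix comes from and which report it closes. On the change itself, both hunks wrap only the user-controlled value in `escapeshellarg()` and leave the literal `'UTF-8'` fallback and the `--recipient `/`--charset ` option prefixes unquoted, which is the correct split: the option names are constants and the escaped value is what reaches the shell.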
diff -Nru php-horde-crypt-2.7.5/debian/patches/series php-horde-crypt-2.7.5/debian/patches/series
--- php-horde-crypt-2.7.5/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ php-horde-crypt-2.7.5/debian/patches/series	2017-05-03 07:15:32.000000000 +0200
@@ -0,0 +1 @@
+0001-Escape-user-provided-recipients-and-charset-data.patch

--- End Message ---
--- Begin Message ---
Unblocked php-horde-crypt.

--- End Message ---