--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package php-horde-form/2.0.18-3.1+deb10u1
- From: "Roberto C. Sanchez" <roberto@debian.org>
- Date: Sun, 12 Apr 2020 09:27:01 -0400
- Message-id: <158669802163.11586.15939733371565482906.reportbug@miami.connexer.com>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Please find attached a proposed debdiff for php-horde-form. The change
fixes CVE-2020-8866, which the security team has classified as <no-dsa>,
deeming it a minor issue which can be fixed via a point release. I have
prepared this update in coordination with the security team. May I have
permission to upload to buster-proposed-updates?
- -- System Information:
Debian Release: 10.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEz9ERzDttUsU/BH8iLNd4Xt2nsg8FAl6TFyUACgkQLNd4Xt2n
sg+O0g/+MK8cNMqs7/njWJ7BOEz7q5M4PslbEGWEp3J03ry68NPoZxM7pWJvB+rR
e4m7s2NMWJ8CtWgaNGCJbR9i+jAUAUDYLbbjoAsEAM1EmDcqgDyeZm7L7rQk6WBW
zetL/vjiR0orkSswLUOXiwlTe/POBg6sCFM4jFtYXoiECs9k65G7gLWWafIYfkT9
AmglUyFSMAWn0ju/DC7X6fHjMCKl0TtMiZYCjmdUmqnRw3r+qR8MshKO7BLK2FAQ
oKwuZkiAMhTR593ASPMGnddWzzOubDpQlCjmM9VckOoqmLNbKtCqgNWB6knhOkOq
JOu/p1nXBGDUMCbZYxAeDPILh7FyXO8byzjftXdRplm1P27xeMKS1UkOamFqwdL0
pPfxhe9jlEQHObVgGNsYnhcvJJDtfkMXuFqE9JUX2JEhYH7fQJTxH0rDhCSo8av2
nnh27GbJLTWXlzqUX4r+9JzqRs3GT7yM8UJ5ezbYW1jNUNT6Gl5yBois0ZRnhk+H
pzQljGER2l3ol6VAhjlyVE0itvljBN1UaLU6+o3lgb/2N3wOClZSUCk0XzYt0ayy
Bg8kPaOD5wWshHnkCnjzn3j387zgnNjqp61xCWoE183XKGoeUmNj18btv9wr0qt1
Qs6Z/OgPp7usqRH/fPNCi0/aXDJlCm6gxvULEU1qBLCYQxQfE3s=
=2qMc
-----END PGP SIGNATURE-----
diff -Nru php-horde-form-2.0.18/debian/changelog php-horde-form-2.0.18/debian/changelog
--- php-horde-form-2.0.18/debian/changelog 2019-06-16 03:29:14.000000000 -0400
+++ php-horde-form-2.0.18/debian/changelog 2020-03-24 13:55:11.000000000 -0400
@@ -1,3 +1,14 @@
+php-horde-form (2.0.18-3.1+deb10u1) buster; urgency=high
+
+ * Fix CVE-2020-8866:
+ The Horde Application Framework contained a remote code execution
+ vulnerability. An authenticated remote attacker could use this flaw to
+ upload arbitrary content to an arbitrary writable location on the server
+ and potentially execute code in the context of the web server user.
+ (Closes: #955020)
+
+ -- Roberto C. Sanchez <roberto@debian.org> Tue, 24 Mar 2020 13:55:11 -0400
+
php-horde-form (2.0.18-3.1) unstable; urgency=high
* Non-maintainer upload.
diff -Nru php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch
--- php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch 1969-12-31 19:00:00.000000000 -0500
+++ php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch 2020-03-24 13:55:11.000000000 -0400
@@ -0,0 +1,35 @@
+From 35d382cc3a0482c07d0c2272cac89a340922e0a6 Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky <mrubinsk@horde.org>
+Date: Sun, 1 Mar 2020 14:46:49 -0500
+Subject: [PATCH] SECURITY: Prevent ability to specify temporary filename.
+
+Origin: https://github.com/horde/Form/commit/35d382cc3a0482c07d0c2272cac89a340922e0a6
+---
+ lib/Horde/Form/Type.php | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/Horde_Form-2.0.18/lib/Horde/Form/Type.php b/Horde_Form-2.0.18/lib/Horde/Form/Type.php
+index f1e8157..e302d8d 100644
+--- a/Horde_Form-2.0.18/lib/Horde/Form/Type.php
++++ b/Horde_Form-2.0.18/lib/Horde/Form/Type.php
+@@ -1200,12 +1200,11 @@ class Horde_Form_Type_image extends Horde_Form_Type {
+ if (!empty($upload['hash'])) {
+ $upload['img'] = $session->get('horde', 'form/' . $upload['hash']);
+ $session->remove('horde', 'form/' . $upload['hash']);
+- }
+-
+- /* Get the temp file if already one uploaded, otherwise create a
+- * new temporary file. */
+- if (!empty($upload['img']['file'])) {
+- $tmp_file = Horde::getTempDir() . '/' . basename($upload['img']['file']);
++ if (!empty($upload['img']['file'])) {
++ $tmp_file = Horde::getTempDir() . '/' . basename($upload['img']['file']);
++ } else {
++ $tmp_file = Horde::getTempFile('Horde', false);
++ }
+ } else {
+ $tmp_file = Horde::getTempFile('Horde', false);
+ }
+--
+2.20.1
+
diff -Nru php-horde-form-2.0.18/debian/patches/series php-horde-form-2.0.18/debian/patches/series
--- php-horde-form-2.0.18/debian/patches/series 2019-06-16 03:23:14.000000000 -0400
+++ php-horde-form-2.0.18/debian/patches/series 2020-03-24 13:55:11.000000000 -0400
@@ -1 +1,2 @@
0001-SECURITY-prevent-directory-traversal-vulnerability.patch
+0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch
--- End Message ---