--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package gosa/2.7.4+reloaded3-8+deb10u2
- From: Mike Gabriel <sunweaver@debian.org>
- Date: Mon, 27 Apr 2020 13:05:42 +0200
- Message-id: <158798554269.22498.5733759454027293692.reportbug@minobo.das-netzwerkteam.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
please accept this no-dsa security update for GOsa for the next point
release of Debian buster.
+ * debian/patches:
+ + Add 1047_CVE-2019-14466-{1,2}_replace_unserialize_with_json_encode+json_
+ decode.patch: Replace (un)serialize with json_encode/json_decode to
+ mitigate PHP object injection.
Thanks,
Mike
-- System Information:
Debian Release: 10.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru gosa-2.7.4+reloaded3/debian/changelog gosa-2.7.4+reloaded3/debian/changelog
--- gosa-2.7.4+reloaded3/debian/changelog 2019-08-10 04:04:23.000000000 +0200
+++ gosa-2.7.4+reloaded3/debian/changelog 2020-04-27 13:02:28.000000000 +0200
@@ -1,3 +1,12 @@
+gosa (2.7.4+reloaded3-8+deb10u2) buster; urgency=medium
+
+ * debian/patches:
+ + Add 1047_CVE-2019-14466-{1,2}_replace_unserialize_with_json_encode+json_
+ decode.patch: Replace (un)serialize with json_encode/json_decode to
+ mitigate PHP object injection.
+
+ -- Mike Gabriel <sunweaver@debian.org> Mon, 27 Apr 2020 13:02:28 +0200
+
gosa (2.7.4+reloaded3-8+deb10u1) buster; urgency=medium
* debian/changelog:
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
--- gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch 1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch 2020-04-25 21:50:26.000000000 +0200
@@ -0,0 +1,47 @@
+From e1504e9765db2adde8b4685b5c93fbba57df868b Mon Sep 17 00:00:00 2001
+From: Fabian Henneke <fabian@henneke.me>
+Date: Mon, 29 Jul 2019 15:54:29 +0200
+Subject: [PATCH] Replace (un)serialize with json_encode/json_decode
+
+---
+ gosa-core/html/index.php | 4 ++--
+ gosa-core/html/main.php | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/gosa-core/html/index.php
++++ b/gosa-core/html/index.php
+@@ -338,9 +338,9 @@
+ if(isset($_COOKIE['GOsa_Filter_Settings']) || isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])) {
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])) {
+- $cookie_all = unserialize(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
+ }else{
+- $cookie_all = unserialize(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
+ }
+ if(isset($cookie_all[$ui->dn])) {
+ $cookie = $cookie_all[$ui->dn];
+--- a/gosa-core/html/main.php
++++ b/gosa-core/html/main.php
+@@ -480,9 +480,9 @@
+ $cookie = array();
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])){
+- $cookie = unserialize(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
+ }elseif(isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])){
+- $cookie = unserialize(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
+ }
+
+ /* Save filters? */
+@@ -496,7 +496,7 @@
+ if(isset($_GET['plug'])){
+ $cookie[$ui->dn]['plug'] = $_GET['plug'];
+ }
+- @setcookie("GOsa_Filter_Settings",base64_encode(serialize($cookie)),time() + (60*60*24));
++ @setcookie("GOsa_Filter_Settings",base64_encode(json_encode($cookie)),time() + (60*60*24));
+ }
+
+ /* Show page... */
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch
--- gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch 1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch 2020-04-25 21:50:26.000000000 +0200
@@ -0,0 +1,51 @@
+From 90b674960335d888c76ca5e99027df8e7fa66f3a Mon Sep 17 00:00:00 2001
+From: Fabian Henneke <fabian@henneke.me>
+Date: Fri, 16 Aug 2019 20:27:47 +0200
+Subject: [PATCH] Fix the decoding of filter settings cookie
+
+Previously, the use of json_decode without a second paramter meant that an
+stdClass was returned, which does not allow access to properties via the index
+operator. Instead, we now use json_decode(..., true) to return an associative
+array.
+
+In order to prevent any type shenanigans, we also ensure whether the returned
+value is an array and if not, replace it with an empty one.
+---
+ gosa-core/html/index.php | 7 +++++--
+ gosa-core/html/main.php | 7 +++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/gosa-core/html/index.php
++++ b/gosa-core/html/index.php
+@@ -338,9 +338,12 @@
+ if(isset($_COOKIE['GOsa_Filter_Settings']) || isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])) {
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])) {
+- $cookie_all = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']), true);
+ }else{
+- $cookie_all = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']), true);
++ }
++ if(!is_array($cookie_all)) {
++ $cookie_all = [];
+ }
+ if(isset($cookie_all[$ui->dn])) {
+ $cookie = $cookie_all[$ui->dn];
+--- a/gosa-core/html/main.php
++++ b/gosa-core/html/main.php
+@@ -480,9 +480,12 @@
+ $cookie = array();
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])){
+- $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']), true);
+ }elseif(isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])){
+- $cookie = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']), true);
++}
++if(!is_array($cookie)) {
++ $cookie = [];
+ }
+
+ /* Save filters? */
diff -Nru gosa-2.7.4+reloaded3/debian/patches/series gosa-2.7.4+reloaded3/debian/patches/series
--- gosa-2.7.4+reloaded3/debian/patches/series 2019-08-10 04:04:23.000000000 +0200
+++ gosa-2.7.4+reloaded3/debian/patches/series 2020-04-27 12:59:23.000000000 +0200
@@ -64,3 +64,5 @@
1044_crypto-transition-without-mcrypt.patch
1045_dont_use_filter_caching.patch
1046_CVE-2019-11187_stricter-ldap-error-check.patch
+1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
+1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch
--- End Message ---