[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#956537: stretch-pu: package php-horde-trean/1.1.7-1+deb9u1

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please find attached a proposed debdiff for php-horde-trean.  The change
fixes CVE-2020-8865, which the security team has classified as <no-dsa>,
deeming it a minor issue which can be fixed via a point release.  I have
prepared this update in coordination with the security team.  May I have
permission to upload to stretch-proposed-updates?

Regards,

- -Roberto

- -- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEz9ERzDttUsU/BH8iLNd4Xt2nsg8FAl6TGNIACgkQLNd4Xt2n
sg/PXA//eBCpPGVarX+UZrHqBIgjEAzqc0mPE1pP/M8SQvxidQsmf4/L31ue3BTa
NcOZr2m4MS9jjrbGHhKBGUUX3fMpbuzgof+/Ncp6pvOtpmuz3pi/2UZPECOhQFrf
G5WerCU2aHGbNJlt06FqH7irIf6P+VaaJuhra088sh70AW8lkNpMSjGyBLcT3egT
YtYFxUTz/rKvHTbHJ0Hkpbx9XKxIGh1kA/bUfJCrJLTdLJaQcWiWbWEI+iJuCwCE
lg38y1MMdT9i/3ddiGFRJz+t+AzzAChwt2yNBjXCepA851qHSQNvhUBO0maC9uB8
oBlRWZRkbaEFpKiufs0SSGw7JnQK6eYdyDTnCX18nV63Ul6x6/bv3MU6IKS8TVJM
WDZJqerZy83lOnMuRuxuAHOqPQ2+E24ozaEEsYqeQxxfJgX05jvQDTa4GCqp+HA9
bB7z+eUhVuZOSNyogYWW3xa3NBqFnhl7jMQjcHRb8Uj0HhQu7qdANPdglxk6aIvB
OylBMF4VsO4uwGH2MnEe3rViZ92UjYdOyI4ORb3cr8rByTJgVdEcBF+ZL0b5/6E4
DD8i5arTrkXHmoIyZ7/mJ4REi5iGtcTNG1XsFf/r5qlKjpX3Zm/5L+uzPy0tCNtT
VyNqD7URiqBPAAuoQ+c6/M3z/eTaR7j/Y9jFzc38pT7j/F4Zirc=
=kH0t
-----END PGP SIGNATURE-----

diff -Nru php-horde-trean-1.1.7/debian/changelog php-horde-trean-1.1.7/debian/changelog
--- php-horde-trean-1.1.7/debian/changelog	2016-12-18 17:01:35.000000000 -0500
+++ php-horde-trean-1.1.7/debian/changelog	2020-04-10 20:32:35.000000000 -0400
@@ -1,3 +1,13 @@
+php-horde-trean (1.1.7-1+deb9u1) stretch; urgency=high
+
+  * Fix CVE-2020-8865:
+    The Horde Application Framework contained a directory traversal
+    vulnerability resulting from insufficient input sanitization. An
+    authenticated remote attacker could use this flaw to execute code in the
+    context of the web server user. (Closes: #955019)
+
+ -- Roberto C. Sanchez <roberto@debian.org>  Fri, 10 Apr 2020 20:32:35 -0400
+
 php-horde-trean (1.1.7-1) unstable; urgency=medium
 
   * New upstream version 1.1.7
diff -Nru php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
--- php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch	1969-12-31 19:00:00.000000000 -0500
+++ php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch	2020-04-10 20:32:35.000000000 -0400
@@ -0,0 +1,36 @@
+From db0714a0c04d87bda9e2852f1b0d259fc281ca75 Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky <mrubinsk@horde.org>
+Date: Sun, 1 Mar 2020 15:00:46 -0500
+Subject: [PATCH] SECURITY: Fix Directory Traversal Vulerability.
+
+---
+ lib/Block/Bookmarks.php   | 2 +-
+ lib/Block/Mostclicked.php | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/trean-1.1.7/lib/Block/Bookmarks.php b/trean-1.1.7/lib/Block/Bookmarks.php
+index 7027bc3..16c7ba2 100644
+--- a/trean-1.1.7/lib/Block/Bookmarks.php
++++ b/trean-1.1.7/lib/Block/Bookmarks.php
+@@ -68,7 +68,7 @@ protected function _title()
+      */
+     protected function _content()
+     {
+-        $template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] . '.inc';
++        $template = TREAN_TEMPLATES . '/block/' . basename($this->_params['template']) . '.inc';
+ 
+         $sortby = 'title';
+         $sortdir = 0;
+diff --git a/trean-1.1.7/lib/Block/Mostclicked.php b/trean-1.1.7/lib/Block/Mostclicked.php
+index ffbc52b..3308110 100644
+--- a/trean-1.1.7/lib/Block/Mostclicked.php
++++ b/trean-1.1.7/lib/Block/Mostclicked.php
+@@ -58,7 +58,7 @@ protected function _title()
+      */
+     protected function _content()
+     {
+-        $template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] . '.inc';
++        $template = TREAN_TEMPLATES . '/block/' . basename($this->_params['template']) . '.inc';
+ 
+         $html = '';
+         $bookmarks = $GLOBALS['trean_gateway']->listBookmarks('clicks', 1, 0, $this->_params['rows']);
diff -Nru php-horde-trean-1.1.7/debian/patches/series php-horde-trean-1.1.7/debian/patches/series
--- php-horde-trean-1.1.7/debian/patches/series	1969-12-31 19:00:00.000000000 -0500
+++ php-horde-trean-1.1.7/debian/patches/series	2020-04-10 20:32:35.000000000 -0400
@@ -0,0 +1 @@
+0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
Reply to: