[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#956532: marked as done (stretch-pu: package php-horde-data/2.1.4-3+deb9u1)

Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.camel@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #956532,
regarding stretch-pu: package php-horde-data/2.1.4-3+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
956532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956532
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please find attached a proposed debdiff for php-horde-data.  The change
fixes CVE-2020-8518, which the security team has classified as <no-dsa>,
deeming it a minor issue which can be fixed via a point release.  I have
prepared this update in coordination with the security team.  May I have
permission to upload to stretch-proposed-updates?

- -- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEz9ERzDttUsU/BH8iLNd4Xt2nsg8FAl6TFtIACgkQLNd4Xt2n
sg/D4g/9H4hyiaItmqUO+JxV4EipU4stAdflWPicDJe89KSKnRsBnCipRpnEWkXK
3NduvlxIn9YSOuMN2OZ+AfdUDSCrOVSWf2JQKZtEhWrSrbIKFuLRcl0+Q1fhLAeE
qVCFi8Odh1JaNmWZ30mszbtF64Fg+THJ+RmmrpZlTXhto/1eVm1E4VvlqDtOBv7l
O7KInucO3eBItIQ8b+O/o9gDFrZ5PtlLlByu9LhTGdfurhORPJ0g1YoiJZzd1Mz8
MrgW0vxK4lBrAaccMgmV3lAkJEZXFUC/k7AxUedEu4wG8BYKeZvVjkJL8ZCG2cHm
oYlE4VzaTFNnRqzcsUGttKphXszY39bjpb9FPA7lnn1x7bv7PTSU7wLNrNUsqxBS
JFm0tZJeRtHjTrdBmlp73rSChVqf97ylaB9oihdSD5FP+62QzaLpTfCGQF/asjrZ
x/HrFD/Cc8g+aEYlimRUyUlYD3QKhq+PJsVo1fm9VEOTmODLd5r3ogbBsqxvqjhr
+lrv/xcC4JicNzs75eQhtjPd793wR85WMvWzPyG0/BMbUSsROoRQXBO4qDaddfzL
hyz2/vFieD6fcwQ3Yka1ACm1vwufcuCYfNUo+WoknrhtnnHjf3OmvDsfgUs46d3Q
yER1uIy4pSsHxVznP005nYixJ/p8zxdKp54bp2JGQVwBZ5C9aAk=
=sMeE
-----END PGP SIGNATURE-----

diff -Nru php-horde-data-2.1.4/debian/changelog php-horde-data-2.1.4/debian/changelog
--- php-horde-data-2.1.4/debian/changelog	2016-06-07 16:25:17.000000000 -0400
+++ php-horde-data-2.1.4/debian/changelog	2020-04-10 19:58:12.000000000 -0400
@@ -1,3 +1,12 @@
+php-horde-data (2.1.4-3+deb9u1) stretch; urgency=high
+
+  * Fix CVE-2020-8518:
+    The Horde Application Framework contained a remote code execution
+    vulnerability. An authenticated remote attacker could use this flaw to
+    cause execution of uploaded CSV data. (Closes: #951537)
+
+ -- Roberto C. Sanchez <roberto@debian.org>  Fri, 10 Apr 2020 19:58:12 -0400
+
 php-horde-data (2.1.4-3) unstable; urgency=medium
 
   * Update Standards-Version to 3.9.8, no change
diff -Nru php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
--- php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch	1969-12-31 19:00:00.000000000 -0500
+++ php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch	2020-04-10 19:58:12.000000000 -0400
@@ -0,0 +1,36 @@
+From 78ad0c2390176cdde7260a271bc6ddd86f4c9c0e Mon Sep 17 00:00:00 2001
+From: Jan Schneider <jan@horde.org>
+Date: Mon, 13 Feb 2017 18:38:59 +0100
+Subject: [PATCH] Don't use create_function().
+
+It's deprecated and unsafe and closures should be used instead.
+---
+ lib/Horde/Data/Csv.php | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
+index c2dc7dc..c0ffa63 100644
+--- a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
++++ b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
+@@ -332,7 +332,20 @@ public static function getCsv($file, array $params = array())
+ 
+         if ($row) {
+             $row = (strlen($params['quote']) && strlen($params['escape']))
+-                ? array_map(create_function('$a', 'return str_replace(\'' . str_replace('\'', '\\\'', $params['escape'] . $params['quote']) . '\', \'' . str_replace('\'', '\\\'', $params['quote']) . '\', $a);'), $row)
++                ? array_map(
++                    function ($a) use ($params) {
++                        return str_replace(
++                            str_replace(
++                                '\'',
++                                '\\\'',
++                                $params['escape'] . $params['quote']
++                            ),
++                            str_replace('\'', '\\\'', $params['quote']),
++                            $a
++                        );
++                    },
++                    $row
++                )
+                 : array_map('trim', $row);
+ 
+             if (!empty($params['length'])) {
diff -Nru php-horde-data-2.1.4/debian/patches/series php-horde-data-2.1.4/debian/patches/series
--- php-horde-data-2.1.4/debian/patches/series	1969-12-31 19:00:00.000000000 -0500
+++ php-horde-data-2.1.4/debian/patches/series	2020-04-10 19:58:12.000000000 -0400
@@ -0,0 +1 @@
+0001-CVE-2020-8518-Dont-use-create_function.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
Reply to: