- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package php-horde/5.2.20+debian0-1+deb10u2
- From: Mike Gabriel <sunweaver@debian.org>
- Date: Sun, 31 May 2020 22:45:04 +0200
- Message-id: <159095790491.2512.13836188180187204129.reportbug@minobo.das-netzwerkteam.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
I have just uploaded this php-horde update to buster, fixing a no-dsa CVE:
+ * CVE-2020-8035: Don't allow to view images inline if opened directly.
+ * debian/patches/0001-Fix-rewrite-base.patch: Trivial rebase.
Greets,
Mike
-- System Information:
Debian Release: 10.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru php-horde-5.2.20+debian0/debian/changelog php-horde-5.2.20+debian0/debian/changelog
--- php-horde-5.2.20+debian0/debian/changelog 2019-12-14 03:13:53.000000000 +0100
+++ php-horde-5.2.20+debian0/debian/changelog 2020-05-31 21:45:26.000000000 +0200
@@ -1,3 +1,10 @@
+php-horde (5.2.20+debian0-1+deb10u2) buster; urgency=medium
+
+ * CVE-2020-8035: Don't allow to view images inline if opened directly.
+ * debian/patches/0001-Fix-rewrite-base.patch: Trivial rebase.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sun, 31 May 2020 21:45:26 +0200
+
php-horde (5.2.20+debian0-1+deb10u1) buster; urgency=high
* Fix CVE-2019-12095: Stored XSS vuln in the Horde Cloud Block.
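Review bot: the CVE-2020-8035 changelog entry gives no pointer to the upstream fix, even though the patch introduced in this upload is a git format-patch from upstream commit 64127fe3c2b9843c9760218e59dae9731cc56bdf by Jan Schneider; consider naming that commit (or the upstream bug) in the entry so the security tracker and reviewers can tie the Debian change to its origin. The "Trivial rebase" entry for debian/patches/0001-Fix-rewrite-base.patch matches what the rest of the debdiff shows (only the hunk header and git metadata lines of that patch change).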
diff -Nru php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch
--- php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch 2019-12-14 03:13:53.000000000 +0100
+++ php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch 2020-05-31 21:45:26.000000000 +0200
@@ -6,11 +6,9 @@
horde-5.2.20/.htaccess | 1 +
1 file changed, 1 insertion(+)
-diff --git a/horde-5.2.20/.htaccess b/horde-5.2.20/.htaccess
-index 89eaf0a..348046e 100644
--- a/horde-5.2.20/.htaccess
+++ b/horde-5.2.20/.htaccess
-@@ -5,6 +5,7 @@ allow from all
+@@ -10,6 +10,7 @@
<IfModule mod_rewrite.c>
RewriteEngine On
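Review bot: the rebase removes the `diff --git a/horde-5.2.20/.htaccess b/horde-5.2.20/.htaccess` and `index 89eaf0a..348046e 100644` lines and moves the hunk header from `@@ -5,6 +5,7 @@ allow from all` to `@@ -10,6 +10,7 @@`, while keeping the `---`/`+++` file lines and the `1 file changed, 1 insertion(+)` stat block, so quilt will still apply the patch. The five-line offset shift means the .htaccess the patch is now generated against differs from the one it was originally made for; please confirm that the single inserted line still lands inside the `<IfModule mod_rewrite.c>` block after `RewriteEngine On` rather than elsewhere in the file, since the `allow from all` context that previously anchored the hunk is gone.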
diff -Nru php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch
--- php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch 2020-05-31 21:45:26.000000000 +0200
@@ -0,0 +1,28 @@
+From 64127fe3c2b9843c9760218e59dae9731cc56bdf Mon Sep 17 00:00:00 2001
+From: Jan Schneider <jan@horde.org>
+Date: Mon, 20 Apr 2020 23:07:51 +0200
+Subject: [PATCH] Don't allow to view images inline if opened directly.
+
+This services is supposed to process and view images inside a web page.
+---
+ services/images/view.php | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/horde-5.2.20/services/images/view.php b/horde-5.2.20/services/images/view.php
+index bc7da534..f5b0cb25 100644
+--- a/horde-5.2.20/services/images/view.php
++++ b/horde-5.2.20/services/images/view.php
+@@ -84,6 +84,7 @@
+
+ /* Check if no editing action required and send the image to browser. */
+ if (empty($action)) {
++ header('Content-Disposition: attachment');
+ $image->display();
+ exit;
+ }
+@@ -132,4 +133,5 @@
+ /* Write out any changes to the temporary file. */
+ file_put_contents($file_name, $image->raw());
+
++header('Content-Disposition: attachment');
+ $image->display();
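Review bot: `header('Content-Disposition: attachment')` is added before both `$image->display()` calls (the early-exit path when `$action` is empty and the final write-out path), so a browser that navigates to services/images/view.php directly is told to download the bytes rather than render them, which is the behaviour the subject line asks for. Since the commit message says this script is meant to serve images inside a web page, the fix relies on browsers honouring Content-Disposition only for top-level navigations and not for `<img>` subresources, which holds for current browsers. Two points: the header is emitted with no `headers_sent()` guard, so if anything earlier in view.php has already produced output PHP will raise a "headers already sent" warning and drop the header, serving the image inline again, so it would be safer to place the check as early as possible in the script; and the patch carries only the git From/Date/Subject headers with no `Origin:` or `Bug-Debian:` DEP-3 fields, which are worth adding for traceability. The commit body line "This services is supposed to process and view images inside a web page." has a typo (services/service), but as upstream text it is fine to leave as-is.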
diff -Nru php-horde-5.2.20+debian0/debian/patches/series php-horde-5.2.20+debian0/debian/patches/series
--- php-horde-5.2.20+debian0/debian/patches/series 2019-12-14 03:13:53.000000000 +0100
+++ php-horde-5.2.20+debian0/debian/patches/series 2020-05-31 21:45:26.000000000 +0200
@@ -1,2 +1,3 @@
0001-Fix-rewrite-base.patch
0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch
+0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch