
Bug#961944: marked as done (buster-pu: package php-horde/5.2.20+debian0-1+deb10u2)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #961944,
regarding buster-pu: package php-horde/5.2.20+debian0-1+deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
961944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961944
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I have just uploaded this php-horde update to buster, fixing a no-dsa CVE:

+  * CVE-2020-8035: Don't allow to view images inline if opened directly.
+  * debian/patches/0001-Fix-rewrite-base.patch: Trivial rebase.

Greets,
Mike

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru php-horde-5.2.20+debian0/debian/changelog php-horde-5.2.20+debian0/debian/changelog
--- php-horde-5.2.20+debian0/debian/changelog	2019-12-14 03:13:53.000000000 +0100
+++ php-horde-5.2.20+debian0/debian/changelog	2020-05-31 21:45:26.000000000 +0200
@@ -1,3 +1,10 @@
+php-horde (5.2.20+debian0-1+deb10u2) buster; urgency=medium
+
+  * CVE-2020-8035: Don't allow to view images inline if opened directly.
+  * debian/patches/0001-Fix-rewrite-base.patch: Trivial rebase.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Sun, 31 May 2020 21:45:26 +0200
+
 php-horde (5.2.20+debian0-1+deb10u1) buster; urgency=high
 
   * Fix CVE-2019-12095: Stored XSS vuln in the Horde Cloud Block.
diff -Nru php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch
--- php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch	2019-12-14 03:13:53.000000000 +0100
+++ php-horde-5.2.20+debian0/debian/patches/0001-Fix-rewrite-base.patch	2020-05-31 21:45:26.000000000 +0200
@@ -6,11 +6,9 @@
  horde-5.2.20/.htaccess | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/horde-5.2.20/.htaccess b/horde-5.2.20/.htaccess
-index 89eaf0a..348046e 100644
 --- a/horde-5.2.20/.htaccess
 +++ b/horde-5.2.20/.htaccess
-@@ -5,6 +5,7 @@ allow from all
+@@ -10,6 +10,7 @@
  
  <IfModule mod_rewrite.c>
      RewriteEngine On
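Review bot: the rebased hunk header moves from `@@ -5,6 +5,7 @@ allow from all` to `@@ -10,6 +10,7 @@`, so the `.htaccess` insertion now lands five lines further down and loses its trailing `allow from all` context; the changelog calls this a trivial rebase, which is consistent with the diffstat staying at `1 file changed, 1 insertion(+)`, but the `diff --git` and `index` lines are dropped at the same time, leaving the patch as a plain unified diff with a git-style preamble. Regenerating it with `quilt refresh -p ab --no-timestamps --no-index` would keep the header style uniform across the series and make clear the new offset came from applying the patch against the 5.2.20 tree rather than from editing the header by hand.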
diff -Nru php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch
--- php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-horde-5.2.20+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch	2020-05-31 21:45:26.000000000 +0200
@@ -0,0 +1,28 @@
+From 64127fe3c2b9843c9760218e59dae9731cc56bdf Mon Sep 17 00:00:00 2001
+From: Jan Schneider <jan@horde.org>
+Date: Mon, 20 Apr 2020 23:07:51 +0200
+Subject: [PATCH] Don't allow to view images inline if opened directly.
+
+This services is supposed to process and view images inside a web page.
+---
+ services/images/view.php | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/horde-5.2.20/services/images/view.php b/horde-5.2.20/services/images/view.php
+index bc7da534..f5b0cb25 100644
+--- a/horde-5.2.20/services/images/view.php
++++ b/horde-5.2.20/services/images/view.php
+@@ -84,6 +84,7 @@
+ 
+ /* Check if no editing action required and send the image to browser. */
+ if (empty($action)) {
++    header('Content-Disposition: attachment');
+     $image->display();
+     exit;
+ }
+@@ -132,4 +133,5 @@
+ /* Write out any changes to the temporary file. */
+ file_put_contents($file_name, $image->raw());
+ 
++header('Content-Disposition: attachment');
+ $image->display();
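Review bot: `header('Content-Disposition: attachment')` is emitted separately at both exit points that call `$image->display()` (the `empty($action)` early return in the first hunk and the final display after `file_put_contents()` in the second), so any future path that reaches `display()` without the header would silently reopen inline rendering; sending the header once ahead of the `if (empty($action))` branch, or wrapping both calls in a single helper, would make that harder to miss, provided nothing between the two sites issues a redirect or other output first. The header also carries no `filename=` parameter, so the browser derives the download name from the request URL; adding one is optional but makes the forced download less surprising to users. Minor: the commit message reads 'This services is supposed', which should be 'This service is supposed'.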
diff -Nru php-horde-5.2.20+debian0/debian/patches/series php-horde-5.2.20+debian0/debian/patches/series
--- php-horde-5.2.20+debian0/debian/patches/series	2019-12-14 03:13:53.000000000 +0100
+++ php-horde-5.2.20+debian0/debian/patches/series	2020-05-31 21:45:26.000000000 +0200
@@ -1,2 +1,3 @@
 0001-Fix-rewrite-base.patch
 0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch
+0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
