
Bug#989024: marked as done (buster-pu: package php-horde-text-filter/2.3.5-3+deb10u2)



Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #989024,
regarding buster-pu: package php-horde-text-filter/2.3.5-3+deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989024: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989024
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
<nodsa> security fix for CVE-2021-26929. This is a forward port of
Sylvain Beucler's team of the LTS team.

[ Impact ]
XSS vulnerability in html2text converter of Horde.

[ Tests ]
Unfortunately, unit tests have been unreliable in Debian buster's
version of Horde. I have tested the package as best as possible
on a live Horde instance installed via Debian packages (based on
Debian buster).

[ Risks ]
Breakage of Horde websites if they have been set up with Debian
packages as provided in Debian buster.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+  * CVE-2021-26929: An XSS issue was discovered in Horde Groupware Webmail
+    Edition (where the Horde_Text_Filter library is used). The attacker
+    can send a plain text e-mail message, with JavaScript encoded as a
+    link or email that is mishandled by preProcess in Text2html.php,
+    because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with
+    XSS defenses. (Closes: #982769).

Additionally, I have dropped the Debian QA Group from the Uploaders: field
and put myself there (as I had taken over Horde maintenance during the
Debian 11 cycle).

[ Other info ]
None.
diff -Nru php-horde-text-filter-2.3.5/debian/changelog php-horde-text-filter-2.3.5/debian/changelog
--- php-horde-text-filter-2.3.5/debian/changelog	2020-01-28 10:41:46.000000000 +0100
+++ php-horde-text-filter-2.3.5/debian/changelog	2021-05-24 00:02:12.000000000 +0200
@@ -1,3 +1,19 @@
+php-horde-text-filter (2.3.5-3+deb10u2) buster; urgency=medium
+
+  [ Mike Gabriel ]
+  * debian/control:
+    +  Drop Debian QA Group from Uploaders: field, add myself instead.
+
+  [ Sylvain Beucler ]
+  * CVE-2021-26929: An XSS issue was discovered in Horde Groupware Webmail
+    Edition (where the Horde_Text_Filter library is used). The attacker
+    can send a plain text e-mail message, with JavaScript encoded as a
+    link or email that is mishandled by preProcess in Text2html.php,
+    because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with
+    XSS defenses. (Closes: #982769).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Mon, 24 May 2021 00:02:12 +0200
+
 php-horde-text-filter (2.3.5-3+deb10u1) buster; urgency=medium
 
   * QA upload.
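
Review bot: The new changelog entry does not record the added `php-horde-secret` build dependency; the `debian/control` bullet lists only the Uploaders change, while the control diff in this same upload also extends `Build-Depends`. Add a bullet for it so the entry matches the checklist item stating that all changes are documented in d/changelog.
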
diff -Nru php-horde-text-filter-2.3.5/debian/control php-horde-text-filter-2.3.5/debian/control
--- php-horde-text-filter-2.3.5/debian/control	2020-01-28 10:41:46.000000000 +0100
+++ php-horde-text-filter-2.3.5/debian/control	2021-05-24 00:00:51.000000000 +0200
@@ -2,8 +2,8 @@
 Section: php
 Priority: optional
 Maintainer: Horde Maintainers <team+debian-horde-team@tracker.debian.org>
-Uploaders: Debian QA Group <packages@qa.debian.org>
-Build-Depends: debhelper (>= 11), pkg-php-tools (>= 1.1), pear-horde-channel
+Uploaders: Mike Gabriel <sunweaver@debian.org>
+Build-Depends: debhelper (>= 11), pkg-php-tools (>= 1.1), pear-horde-channel, php-horde-secret
 Standards-Version: 4.1.4
 Homepage: http://www.horde.org/
 Vcs-Git: https://salsa.debian.org/horde-team/php-horde-text-filter.git
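
Review bot: `php-horde-secret` is added to `Build-Depends` only, but the patched Emails.php and Linkurls.php instantiate `Horde_Secret` at run time. Nothing in this hunk adds it to the binary package's `Depends`, and the quilt patch carries none of the `.horde.yml` / `composer.json` changes listed in the upstream diffstat, so confirm that the runtime dependency is actually generated, or add it explicitly.
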
diff -Nru php-horde-text-filter-2.3.5/debian/patches/CVE-2021-26929.patch php-horde-text-filter-2.3.5/debian/patches/CVE-2021-26929.patch
--- php-horde-text-filter-2.3.5/debian/patches/CVE-2021-26929.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-horde-text-filter-2.3.5/debian/patches/CVE-2021-26929.patch	2021-05-23 23:59:28.000000000 +0200
@@ -0,0 +1,202 @@
+Origin: https://github.com/horde/Text_Filter/commit/a2f67da064d7a91440b7a2448e56a6387ab94c67
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2021-02-18
+
+From a2f67da064d7a91440b7a2448e56a6387ab94c67 Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky <mrubinsk@horde.org>
+Date: Sat, 13 Feb 2021 11:44:42 -0500
+Subject: [PATCH] [mjr] SECURITY: Fix XSS via Text2Html filter
+
+Reported by: Alex Birnberg<birnbergalex@gmail.com, CVE-2021-26929
+---
+ .horde.yml                               |  1 +
+ composer.json                            |  1 +
+ lib/Horde/Text/Filter/Emails.php         | 23 +++++++++++++++------
+ lib/Horde/Text/Filter/Linkurls.php       | 26 ++++++++++++++++++++----
+ lib/Horde/Text/Filter/Text2html.php      | 13 +++++++-----
+ test/Horde/Text/Filter/Text2htmlTest.php |  6 ++++--
+ 6 files changed, 53 insertions(+), 17 deletions(-)
+
+Index: php-horde-text-filter-2.3.5/Horde_Text_Filter-2.3.5/lib/Horde/Text/Filter/Emails.php
+===================================================================
+--- php-horde-text-filter-2.3.5.orig/Horde_Text_Filter-2.3.5/lib/Horde/Text/Filter/Emails.php
++++ php-horde-text-filter-2.3.5/Horde_Text_Filter-2.3.5/lib/Horde/Text/Filter/Emails.php
+@@ -34,7 +34,8 @@ class Horde_Text_Filter_Emails extends H
+      */
+     protected $_params = array(
+         'class' => '',
+-        'encode' => false
++        'encode' => false,
++        'secret' => null
+     );
+ 
+     /**
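
Review bot: The default added to `$_params` here is named `'secret'`, but the rest of the patch reads and passes `'secretKey'` (`$this->_params['secretKey']` in `regexCallback()`, and the `'secretKey'` entry that Text2html.php hands to this filter). Rename it to `'secretKey' => null` so the default is declared under the name that is actually used, as the Linkurls.php hunk does.
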
+@@ -85,9 +86,12 @@ EOR;
+     public function regexCallback($matches)
+     {
+         $data = $this->_regexCallback($matches);
+-
++        $secret = new Horde_Secret();
++        if (empty($this->_params['secretKey'])) {
++            $this->_params['secretKey'] = $secret->setKey();
++        }
+         if ($this->_params['encode']) {
+-            $data = "\01\01\01" . base64_encode($data) . "\01\01\01";
++            $data = "\01\01\01" . base64_encode($secret->write($this->_params['secretKey'], $data)) . "\01\01\01";
+         }
+ 
+         return $matches[1] . $matches[2] . (isset($matches[9]) ? $matches[9] : '') .
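
Review bot: `new Horde_Secret()` and the `setKey()` fallback sit ahead of the `if ($this->_params['encode'])` check in `regexCallback()`, so they run once per matched address even when encoding is off. Move both inside the `encode` branch, or set the key up once outside the callback.
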
+@@ -119,15 +123,22 @@ EOR;
+      * "Decodes" the text formerly encoded by using the "encode" parameter.
+      *
+      * @param string $text  An encoded text.
++     * @param string $key   An optional key to use with Horde_Secret encryption.
++     *                      If omitted a key will be fetched from a Horde_Secret
++     *                      instance.
+      *
+      * @return string  The decoded text.
+      */
+-    public static function decode($text)
++    public static function decode($text, $key = null)
+     {
++        $secret = new Horde_Secret();
++        if (empty($key)) {
++            $key = $secret->getKey();
++        }
+         return preg_replace_callback(
+             '/\01\01\01([\w=+\/]*)\01\01\01/',
+-            function($hex) {
+-                return base64_decode($hex[1]);
++            function($hex) use ($secret, $key) {
++                return  $secret->read($key, base64_decode($hex[1]));
+             },
+             $text);
+     }
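
Review bot: The callback in `decode()` returns whatever `$secret->read()` yields straight into the output, and the pattern `[\w=+\/]*` still matches any base64-looking run between the `\01\01\01` markers, whether or not it was produced by `regexCallback()`. Check the result of `read()` and substitute an empty string when decryption fails, and say so in the docblock; the doubled space in `return  $secret->read(` can be cleaned up at the same time.
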
+Index: php-horde-text-filter-2.3.5/Horde_Text_Filter-2.3.5/lib/Horde/Text/Filter/Linkurls.php
+===================================================================
+--- php-horde-text-filter-2.3.5.orig/Horde_Text_Filter-2.3.5/lib/Horde/Text/Filter/Linkurls.php
++++ php-horde-text-filter-2.3.5/Horde_Text_Filter-2.3.5/lib/Horde/Text/Filter/Linkurls.php
+@@ -29,6 +29,10 @@
+  *               DEFAULT: false
+  *   - target: (string) The link target.
+  *             DEFAULT: '_blank'
++ *   - secretKey: (string) A key to use for Horde_Secret encryption of encoded
++ *                html tags (see the 'encode' paramter).
++ *             DEFAULT: A default key will be created by an instance of
++ *             Horde_Secret.
+  *
+  * Copyright 2003-2016 Horde LLC (http://www.horde.org/)
+  *
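
Review bot: Typo in the new docblock entry: "paramter" should be "parameter". The same `secretKey` option is introduced for Emails.php and Text2html.php, yet no hunk in this patch adds a matching entry to their class docblocks; document it in all three filters.
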
+@@ -60,6 +64,7 @@ class Horde_Text_Filter_Linkurls extends
+         'encode' => false,
+         'nofollow' => false,
+         'target' => '_blank',
++        'secretKey' => null
+     );
+ 
+     /**
+@@ -172,8 +177,13 @@ END_OF_REGEX;
+                 '<meta http-equiv="x-dns-prefetch-control" value="on" />';
+         }
+ 
++        $secret = new Horde_Secret();
++        if (empty($this->_params['secretKey'])) {
++            $this->_params['secretKey'] = $secret->setKey();
++        }
++
+         if ($this->_params['encode']) {
+-            $replacement = chr(0) . chr(0) . chr(0) . base64_encode($replacement) . chr(0) . chr(0) . chr(0);
++            $replacement = chr(0) . chr(0) . chr(0) . base64_encode($secret->write($this->_params['secretKey'], $replacement)) . chr(0) . chr(0) . chr(0);
+         }
+ 
+         return $replacement;
+@@ -183,15 +193,23 @@ END_OF_REGEX;
+      * "Decodes" the text formerly encoded by using the "encode" parameter.
+      *
+      * @param string $text  An encoded text.
++     * @param string $key   An optional key to use with Horde_Secret encryption.
++     *                      If omitted a key will be fetched from a Horde_Secret
++     *                      instance.
+      *
+      * @return string  The decoded text.
+      */
+-    public static function decode($text)
++    public static function decode($text, $key = null)
+     {
++        $secret = new Horde_Secret();
++        if (empty($key)) {
++            $key = $secret->getKey();
++        }
++
+         return preg_replace_callback(
+             '/\00\00\00([\w=+\/]*)\00\00\00/',
+-            function($hex) {
+-                return base64_decode($hex[1]);
++            function($hex) use ($secret, $key) {
++                return $secret->read($key, base64_decode($hex[1]));
+             },
+             $text);
+     }
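
Review bot: When `$key` is empty, `decode()` falls back to `getKey()` on a fresh `Horde_Secret` instance, while the encode side stores the return value of `setKey()` from a different instance. The only test touched by this patch passes an explicit `secretKey`, so the default-key round trip is not exercised; add a test case without `secretKey`, or state in the docblock which key the two calls are expected to share.
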
+Index: php-horde-text-filter-2.3.5/Horde_Text_Filter-2.3.5/lib/Horde/Text/Filter/Text2html.php
+===================================================================
+--- php-horde-text-filter-2.3.5.orig/Horde_Text_Filter-2.3.5/lib/Horde/Text/Filter/Text2html.php
++++ php-horde-text-filter-2.3.5/Horde_Text_Filter-2.3.5/lib/Horde/Text/Filter/Text2html.php
+@@ -37,7 +37,8 @@ class Horde_Text_Filter_Text2html extend
+         'linkurls' => false,
+         'text2html' => false,
+         'parselevel' => 0,
+-        'space2html' => false
++        'space2html' => false,
++        'secretKey' => null
+     );
+ 
+     /**
+@@ -144,7 +145,8 @@ class Horde_Text_Filter_Text2html extend
+                 $filters = $this->_params['linkurls'];
+             } else {
+                 $filters['linkurls'] = array(
+-                    'encode' => true
++                    'encode' => true,
++                    'secretKey' => $this->_params['secretKey']
+                 );
+             }
+ 
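
Review bot: `secretKey` is forwarded only in the `else` branch; when the caller supplies its own `linkurls` array (`$filters = $this->_params['linkurls'];`) that array is used as-is, yet the later `Horde_Text_Filter_Linkurls::decode()` call is always given `$this->_params['secretKey']`. If Text2html has a `secretKey` and the caller's array does not, the encode and decode sides use different keys. Merge the key into caller-supplied filter parameters as well; the same applies to the `emails` branch in the next hunk.
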
+@@ -155,7 +157,8 @@ class Horde_Text_Filter_Text2html extend
+                     $filters += $this->_params['emails'];
+                 } else {
+                     $filters['emails'] = array(
+-                        'encode' => true
++                        'encode' => true,
++                        'secretKey' => $this->_params['secretKey']
+                     );
+                 }
+             }
+@@ -201,9 +204,9 @@ class Horde_Text_Filter_Text2html extend
+ 
+         /* Do in-lining of http://xxx.xxx to link, xxx@xxx.xxx to email. */
+         if ($this->_params['parselevel'] < self::NOHTML) {
+-            $text = Horde_Text_Filter_Linkurls::decode($text);
++            $text = Horde_Text_Filter_Linkurls::decode($text, $this->_params['secretKey']);
+             if ($this->_params['parselevel'] < self::MICRO_LINKURL) {
+-                $text = Horde_Text_Filter_Emails::decode($text);
++                $text = Horde_Text_Filter_Emails::decode($text, $this->_params['secretKey']);
+             }
+ 
+             if ($this->_params['space2html']) {
+Index: php-horde-text-filter-2.3.5/Horde_Text_Filter-2.3.5/test/Horde/Text/Filter/Text2htmlTest.php
+===================================================================
+--- php-horde-text-filter-2.3.5.orig/Horde_Text_Filter-2.3.5/test/Horde/Text/Filter/Text2htmlTest.php
++++ php-horde-text-filter-2.3.5/Horde_Text_Filter-2.3.5/test/Horde/Text/Filter/Text2htmlTest.php
+@@ -19,8 +19,10 @@ class Horde_Text_Filter_Text2htmlTest ex
+         $this->assertEquals(
+             $expected,
+             Horde_Text_Filter::filter($input, 'text2html', array(
+-                'parselevel' => $level
+-            ))
++                'parselevel' => $level,
++                'secretKey' => "mGmEXue4Az0YurdMK6p3alB"
++                )
++            )
+         );
+     }
+ 
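
Review bot: The test change only threads a hard-coded `secretKey` through the existing assertion and adds no regression case for the reported issue. Add an input that already contains `\x00\x00\x00` or `\x01\x01\x01` delimited base64 and assert that it is not decoded into markup, so the fix stays covered by the suite.
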
diff -Nru php-horde-text-filter-2.3.5/debian/patches/series php-horde-text-filter-2.3.5/debian/patches/series
--- php-horde-text-filter-2.3.5/debian/patches/series	2020-01-28 10:41:46.000000000 +0100
+++ php-horde-text-filter-2.3.5/debian/patches/series	2021-05-24 00:01:05.000000000 +0200
@@ -1 +1,2 @@
 0001_protect_the_-_this_is_not_a_range.patch
+CVE-2021-26929.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
