Bug#1010531: Acknowledgement (bullseye-pu: package ldap-account-manager/7.4-1)
Hi team,
here is the debdiff for the changes.
Best regards
Roland
diff -Nru ldap-account-manager-7.4/debian/changelog ldap-account-manager-7.4/debian/changelog
--- ldap-account-manager-7.4/debian/changelog 2020-12-06 09:05:33.000000000 +0100
+++ ldap-account-manager-7.4/debian/changelog 2022-04-15 19:33:40.000000000 +0200
@@ -1,3 +1,9 @@
+ldap-account-manager (7.4-1+deb11u1) stable-security; urgency=medium
+
+ * fixes CVE-2022-24851
+
+ -- Roland Gruber <post@rolandgruber.de> Fri, 15 Apr 2022 19:33:40 +0200
+
ldap-account-manager (7.4-1) unstable; urgency=medium
* new upstream release
diff -Nru ldap-account-manager-7.4/debian/patches/01_CVE-2022-24851.patch ldap-account-manager-7.4/debian/patches/01_CVE-2022-24851.patch
--- ldap-account-manager-7.4/debian/patches/01_CVE-2022-24851.patch 1970-01-01 01:00:00.000000000 +0100
+++ ldap-account-manager-7.4/debian/patches/01_CVE-2022-24851.patch 2022-04-15 19:29:02.000000000 +0200
@@ -0,0 +1,87 @@
+Description: CVE-2022-24851
+ Security fix for stored XSS and reading of arbitary images.
+Author: Roland Gruber <post@rolandgruber.de>
+Origin: upstream
+Bug: https://github.com/LDAPAccountManager/lam/issues/170
+Applied-Upstream: 7.9.1
+Reviewed-by: Roland Gruber <post@rolandgruber.de>
+Last-Update: 2022-04-15
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: ldap-account-manager-7.4/lib/html.inc
+===================================================================
+--- ldap-account-manager-7.4.orig/lib/html.inc
++++ ldap-account-manager-7.4/lib/html.inc
+@@ -525,10 +525,10 @@ class htmlInputField extends htmlElement
+ }
+ if (isset($values[$this->fieldName])) {
+ if (isObfuscatedText($values[$this->fieldName][0])) {
+- $this->fieldValue = deobfuscateText($values[$this->fieldName][0]);
++ $this->fieldValue = htmlspecialchars(deobfuscateText($values[$this->fieldName][0]));
+ }
+ else {
+- $this->fieldValue = $values[$this->fieldName][0];
++ $this->fieldValue = htmlspecialchars($values[$this->fieldName][0]);
+ }
+ }
+ $validators = array();
+@@ -2588,7 +2588,7 @@ class htmlInputTextarea extends htmlElem
+ function generateHTML($module, $input, $values, $restricted, &$tabindex, $scope) {
+ $this->cssClasses[] = 'ui-corner-all';
+ if (isset($values[$this->name])) {
+- $this->value = implode("\r\n", $values[$this->name]);
++ $this->value = htmlspecialchars(implode("\r\n", $values[$this->name]));
+ }
+ $colCount = ($this->colCount != null) ? ' cols="' . $this->colCount . '"' : '';
+ $rowCount = ($this->rowCount != null) ? ' rows="' . $this->rowCount . '"' : '';
+Index: ldap-account-manager-7.4/templates/pdfedit/pdfpage.php
+===================================================================
+--- ldap-account-manager-7.4.orig/templates/pdfedit/pdfpage.php
++++ ldap-account-manager-7.4/templates/pdfedit/pdfpage.php
+@@ -121,8 +121,9 @@ if(!isset($_SESSION['currentPDFStructure
+ }
+ }
+
++$logoFiles = \LAM\PDF\getAvailableLogos($_SESSION['config']->getName());
+ if (!empty($_POST['form_submit'])) {
+- updateBasicSettings($_SESSION['currentPDFStructure']);
++ updateBasicSettings($_SESSION['currentPDFStructure'], $logoFiles);
+ updateSectionTitles($_SESSION['currentPDFStructure']);
+ addSection($_SESSION['currentPDFStructure']);
+ addSectionEntry($_SESSION['currentPDFStructure']);
+@@ -218,7 +219,6 @@ else if (isset($_POST['pdfname'])) {
+ // headline
+ $headline = $_SESSION['currentPDFStructure']->getTitle();
+ // logo
+-$logoFiles = \LAM\PDF\getAvailableLogos($_SESSION['config']->getName());
+ $logos = array(_('No logo') => 'none');
+ foreach($logoFiles as $logoFile) {
+ $logos[$logoFile['filename'] . ' (' . $logoFile['infos'][0] . ' x ' . $logoFile['infos'][1] . ")"] = $logoFile['filename'];
+@@ -509,14 +509,25 @@ function translateFieldIDToName($id, $sc
+ *
+ * @param PDFStructure $structure
+ */
+-function updateBasicSettings(PDFStructure &$structure) {
++function updateBasicSettings(PDFStructure &$structure, $logoFiles) {
+ // set headline
+ if (isset($_POST['headline'])) {
+ $structure->setTitle(str_replace('<', '', str_replace('>', '', $_POST['headline'])));
+ }
+ // set logo
+ if (isset($_POST['logoFile'])) {
+- $structure->setLogo($_POST['logoFile']);
++ $fileName = $_POST['logoFile'];
++ $found = false;
++ foreach ($logoFiles as $logoFile) {
++ if ($logoFile['filename'] === $fileName) {
++ $found = true;
++ }
++ }
++ if (!$found) {
++ logNewMessage(LOG_ERR, 'Invalid PDF logo file: ' . $fileName);
++ return;
++ }
++ $structure->setLogo($fileName);
+ }
+ // set folding marks
+ if (isset($_POST['foldingmarks'])) {
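Review bot: The new allow-list in updateBasicSettings appears to reject the "No logo" choice, because the select is populated with `$logos = array(_('No logo') => 'none')` while the check only accepts filenames returned by getAvailableLogos(), so choosing "No logo" would log `Invalid PDF logo file: none` and the early `return` would also skip every setting processed after the logo block (folding marks and whatever follows beyond the hunk). Accept the sentinel explicitly, e.g. `$found = ($fileName === 'none');` before the loop, and prefer wrapping the remaining settings in an `else` rather than returning so one rejected field does not silently drop the rest of the form. Separately, the `htmlspecialchars()` calls added in lib/html.inc rely on default flags, which on bullseye's PHP 7.4 are ENT_COMPAT and leave `'` unencoded; unless generateHTML (not shown) is known to emit fieldValue only inside double-quoted attributes or element content, pass `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly. updateBasicSettings continues past the end of this hunk.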
diff -Nru ldap-account-manager-7.4/debian/patches/series ldap-account-manager-7.4/debian/patches/series
--- ldap-account-manager-7.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ ldap-account-manager-7.4/debian/patches/series 2022-04-15 19:14:10.000000000 +0200
@@ -0,0 +1 @@
+01_CVE-2022-24851.patch