Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
On Tue, Apr 21, 2020 at 06:55:41PM +0100, Adam D. Barratt wrote:
> On Sun, 2020-04-19 at 16:39 -0400, Roberto C. Sánchez wrote:
> > Hi Mathieu & Adam,
> >
> > On Wed, Apr 15, 2020 at 03:07:00PM +0200, Mathieu Parent (Debian)
> > wrote:
> > > >
> > > Thanks Roberto!
> > >
> > > Hello Salvatore,
> > >
> > > > Mathieu, but are you still planning to request removals?
> > >
> > > Done as #956808.
> > >
> > Given that the removal has been requested, I'll not prepare new
> > uploads for unstable. Adam, could you weigh in on whether I may
> > proceed with the uploads (all six) or whether I need to wait for the
> > removal to take place?
>
> On the assumption that the removal won't take too long, please go
> ahead.
>
Thanks. I have uploaded to ftp-master. However, I did notice one
peculiarity. I had this near the end of the output:

**
Uploading php-horde-data_2.1.4.orig.tar.gz
Upload permissions error
You either don't have the rights to upload a file, or, if this is on
ftp-master, you may have tried to overwrite a file already on the
server. Continuing anyway in case you want to recover from an
incomplete upload. No file was uploaded, however.
**

That is interesting because I noticed that one of the packages,
php-horde-data, had the same upstream version, 2.1.4, for both stretch
and buster. Since this was the first stable update for both, I built
them each with -sa to include the .orig.tar.gz.

I guess it will be evident soon whether that is a problem when I
receive the receipt message from dak, but I thought to bring it up just
in case.

Regards,

-Roberto

-- 
Roberto C. Sánchez
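The upload warning Roberto quotes is the archive refusing to overwrite an orig tarball it already holds, which is the situation that arises when a package built with -sa carries an upstream version already present in the pool for another suite. The safe state is a local .orig.tar.gz that is byte-identical to the archived one, and the quickest way to confirm that before uploading is to compare it against the checksum recorded in the .dsc of the version already in the archive (for instance one fetched with `apt-get source --download-only`). The following POSIX shell check is an added example, not part of this thread and not Debian's own tooling; the function name, the `sha256_of` helper and the demo package name `demo_1.0` are constructed for illustration.

```shell
# Added example (not from the bug thread): compare a local .orig.tar.gz with the
# SHA-256 recorded for it in a .dsc file's Checksums-Sha256 block.
# Usage: check_orig_sha256 <file.dsc> <file.orig.tar.gz>
# Returns 0 if the checksums match, 1 if they differ, 2 if the tarball is
# not listed in the .dsc at all.

# Hypothetical helper: SHA-256 of a file, with a fallback for systems that
# ship shasum instead of coreutils' sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

check_orig_sha256() {
    dsc=$1
    orig=$2
    name=$(basename "$orig")

    # Lines inside the Checksums-Sha256 block look like
    #   " <sha256> <size> <filename>" (indented by one space); the block ends
    # at the next unindented field name.  Pull out the hash for our tarball.
    recorded=$(awk -v n="$name" '
        /^Checksums-Sha256:/ { inblk = 1; next }
        /^[^ ]/              { inblk = 0 }
        inblk && $3 == n     { print $1; exit }
    ' "$dsc")

    if [ -z "$recorded" ]; then
        echo "$name is not listed in $dsc" >&2
        return 2
    fi

    actual=$(sha256_of "$orig")
    if [ "$recorded" = "$actual" ]; then
        echo "OK: $name matches the checksum recorded in $dsc"
        return 0
    fi

    echo "MISMATCH: $name differs from the tarball recorded in $dsc" >&2
    echo "  recorded: $recorded" >&2
    echo "  actual:   $actual" >&2
    return 1
}
```

A mismatch here means the archive will reject the upload outright (or, worse, that the two suites would be built from different upstream bytes under the same version), so it is the case to resolve before uploading rather than after the dak reply arrives; a match means the -sa re-upload is redundant but harmless.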
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
On Sun, 2020-04-19 at 16:39 -0400, Roberto C. Sánchez wrote:
> Hi Mathieu & Adam,
>
> On Wed, Apr 15, 2020 at 03:07:00PM +0200, Mathieu Parent (Debian)
> wrote:
> > >
> > Thanks Roberto!
> >
> > Hello Salvatore,
> >
> > > Mathieu, but are you still planning to request removals?
> >
> > Done as #956808.
> >
> Given that the removal has been requested, I'll not prepare new
> uploads for unstable. Adam, could you weigh in on whether I may
> proceed with the uploads (all six) or whether I need to wait for the
> removal to take place?

On the assumption that the removal won't take too long, please go
ahead.

Regards,

Adam
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
Hi Mathieu & Adam,

On Wed, Apr 15, 2020 at 03:07:00PM +0200, Mathieu Parent (Debian) wrote:
> >
> Thanks Roberto!
>
> Hello Salvatore,
>
> > Mathieu, but are you still planning to request removals?
>
> Done as #956808.
>
Given that the removal has been requested, I'll not prepare new
uploads for unstable. Adam, could you weigh in on whether I may
proceed with the uploads (all six) or whether I need to wait for the
removal to take place?

Regards,

-Roberto

-- 
Roberto C. Sánchez
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
On Wed, 15 Apr 2020 at 08:40, Salvatore Bonaccorso wrote:
>
> Hi Roberto,
>
> On Tue, Apr 14, 2020 at 05:45:54PM -0400, Roberto C. Sánchez wrote:
> > On Tue, Apr 14, 2020 at 10:04:00PM +0200, Salvatore Bonaccorso wrote:
> > > Control: tags -1 - moreinfo
> > >
> > > Hi Adam,
> > >
> > > On Sun, Apr 12, 2020 at 10:05:55PM +0100, Adam D. Barratt wrote:
> > > > Control: tags -1 + moreinfo
> > > >
> > > > On Sun, 2020-04-12 at 09:23 -0400, Roberto C. Sanchez wrote:
> > > > > Please find attached a proposed debdiff for php-horde-data. The
> > > > > change fixes CVE-2020-8518, which the security team has classified as
> > > > > , deeming it a minor issue which can be fixed via a point
> > > > > release.
> > > >
> > > > The Security Tracker indicates that this issue affects the package in
> > > > unstable and is not yet fixed there; is that correct?
> > >
> > > This is correct, the issue has not been fixed in unstable "yet". The
> > > horde ecosystem is currently unmaintained, and previous maintainer
> > > indicated to ask actually for removal if nobody steps up. See #942282
> > > for context.
> > >
> > > That said, it's possible to either wait for a fix in unstable or the
> > > removal of the php-horde* packages first before accepting the upload
> > > for a buster point release (same for the other updates proposed by
> > > Roberto).
> > >
> > > Does this make sense?
> > >
> > Hi Salvatore,
> >
> > I've communicated with Mathieu Parent (the php-horde-* maintainer)
> > regarding his intentions for unstable uploads of these three packages.
> > He has asked that I go ahead and perform the uploads. However, if you
> > think that a removal request is forthcoming in the very near future, I
> > will wait and not make those uploads.
> >
> > My intent was to have them done in the next 24 hours. Please advise if
> > I should proceed or if I should wait for removal.
>
> That's fine if you communicated with Mathieu and he agreed then go
> ahead and fix it as well in unstable.
>
Thanks Roberto!

Hello Salvatore,

> Mathieu, but are you still planning to request removals?

Done as #956808.

Cheers!

-- 
Mathieu Parent
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
Hi Roberto,

On Tue, Apr 14, 2020 at 05:45:54PM -0400, Roberto C. Sánchez wrote:
> On Tue, Apr 14, 2020 at 10:04:00PM +0200, Salvatore Bonaccorso wrote:
> > Control: tags -1 - moreinfo
> >
> > Hi Adam,
> >
> > On Sun, Apr 12, 2020 at 10:05:55PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> > >
> > > On Sun, 2020-04-12 at 09:23 -0400, Roberto C. Sanchez wrote:
> > > > Please find attached a proposed debdiff for php-horde-data. The
> > > > change fixes CVE-2020-8518, which the security team has classified as
> > > > , deeming it a minor issue which can be fixed via a point
> > > > release.
> > >
> > > The Security Tracker indicates that this issue affects the package in
> > > unstable and is not yet fixed there; is that correct?
> >
> > This is correct, the issue has not been fixed in unstable "yet". The
> > horde ecosystem is currently unmaintained, and previous maintainer
> > indicated to ask actually for removal if nobody steps up. See #942282
> > for context.
> >
> > That said, it's possible to either wait for a fix in unstable or the
> > removal of the php-horde* packages first before accepting the upload
> > for a buster point release (same for the other updates proposed by
> > Roberto).
> >
> > Does this make sense?
> >
> Hi Salvatore,
>
> I've communicated with Mathieu Parent (the php-horde-* maintainer)
> regarding his intentions for unstable uploads of these three packages.
> He has asked that I go ahead and perform the uploads. However, if you
> think that a removal request is forthcoming in the very near future, I
> will wait and not make those uploads.
>
> My intent was to have them done in the next 24 hours. Please advise if
> I should proceed or if I should wait for removal.

That's fine if you communicated with Mathieu and he agreed then go
ahead and fix it as well in unstable.

Mathieu, but are you still planning to request removals?

Regards,
Salvatore
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
On Tue, Apr 14, 2020 at 10:04:00PM +0200, Salvatore Bonaccorso wrote:
> Control: tags -1 - moreinfo
>
> Hi Adam,
>
> On Sun, Apr 12, 2020 at 10:05:55PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Sun, 2020-04-12 at 09:23 -0400, Roberto C. Sanchez wrote:
> > > Please find attached a proposed debdiff for php-horde-data. The
> > > change fixes CVE-2020-8518, which the security team has classified as
> > > , deeming it a minor issue which can be fixed via a point
> > > release.
> >
> > The Security Tracker indicates that this issue affects the package in
> > unstable and is not yet fixed there; is that correct?
>
> This is correct, the issue has not been fixed in unstable "yet". The
> horde ecosystem is currently unmaintained, and previous maintainer
> indicated to ask actually for removal if nobody steps up. See #942282
> for context.
>
> That said, it's possible to either wait for a fix in unstable or the
> removal of the php-horde* packages first before accepting the upload
> for a buster point release (same for the other updates proposed by
> Roberto).
>
> Does this make sense?
>
Hi Salvatore,

I've communicated with Mathieu Parent (the php-horde-* maintainer)
regarding his intentions for unstable uploads of these three packages.
He has asked that I go ahead and perform the uploads. However, if you
think that a removal request is forthcoming in the very near future, I
will wait and not make those uploads.

My intent was to have them done in the next 24 hours. Please advise if
I should proceed or if I should wait for removal.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
Control: tags -1 - moreinfo

Hi Adam,

On Sun, Apr 12, 2020 at 10:05:55PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Sun, 2020-04-12 at 09:23 -0400, Roberto C. Sanchez wrote:
> > Please find attached a proposed debdiff for php-horde-data. The
> > change fixes CVE-2020-8518, which the security team has classified as
> > , deeming it a minor issue which can be fixed via a point
> > release.
>
> The Security Tracker indicates that this issue affects the package in
> unstable and is not yet fixed there; is that correct?

This is correct, the issue has not been fixed in unstable "yet". The
horde ecosystem is currently unmaintained, and previous maintainer
indicated to ask actually for removal if nobody steps up. See #942282
for context.

That said, it's possible to either wait for a fix in unstable or the
removal of the php-horde* packages first before accepting the upload
for a buster point release (same for the other updates proposed by
Roberto).

Does this make sense?

Regards,
Salvatore
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
Control: tags -1 + moreinfo

On Sun, 2020-04-12 at 09:23 -0400, Roberto C. Sanchez wrote:
> Please find attached a proposed debdiff for php-horde-data. The
> change fixes CVE-2020-8518, which the security team has classified as
> , deeming it a minor issue which can be fixed via a point
> release.

The Security Tracker indicates that this issue affects the package in
unstable and is not yet fixed there; is that correct?

Regards,

Adam
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
owner 956535 !
thanks

On Sun, Apr 12, 2020 at 09:23:37AM -0400, Roberto C. Sanchez wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Please find attached a proposed debdiff for php-horde-data. The change
> fixes CVE-2020-8518, which the security team has classified as ,
> deeming it a minor issue which can be fixed via a point release. May I
> have permission to upload to stretch-proposed-updates?
                                ^^^
That should read: buster-proposed updates.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please find attached a proposed debdiff for php-horde-data. The change
fixes CVE-2020-8518, which the security team has classified as ,
deeming it a minor issue which can be fixed via a point release. May I
have permission to upload to stretch-proposed-updates?

- -- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEz9ERzDttUsU/BH8iLNd4Xt2nsg8FAl6TFk8ACgkQLNd4Xt2n
sg+sYg//TsXLF5Ww2+2Ubc12mXOIAOtrbjgjZaZMpgXqCV3cxnQcIygUOHkwLG2N
eT3mXO90y1qryjhK0H7jUuhdBMG9VA0FHmlhcScoecpOHU3dJekSz0tEa+ySewy3
ZP4pxVRq6TzYnk6HvtqUZ81GFJymWhN3HmGjkMlI25nmIN7udlWiMoYtqtzd3ZZA
cxskKlaLCqnowC1L2QZQdSdgqj2ZBjWtmZRxeEwalkBDsx+aeu2wUR1lg2ibwNvD
S6nR4d3ZwwmDd0RrGJemFRc0MXaAbIhpXjUT5OC35MQP7hgHqwzbtIY7CBt6s1z4
+aqLvev128e5R8bAJzgsOrWwvxJ2SeHJ5NsW5mfNDn+/1DcCu4KJmjTKzNHCGlL9
815DvmvD+l1s6Ls0E6+HvIN0GcVyOFvT7zhg2VaHcxCQxExkR05vFMxb51Bbd8zk
uTt/Xj2GBXZiURRfxibB8GP6GinB8a3V0LYHAPDVx3rjqkCi2+h0zH0Y2fsQVEJ8
tdSCiNAsFDH7H6S5I6Wd3kIRpcDsIfRowsjLaUiDTNfg/ZQxbuqnFlY623Y13cO1
QEPqCq+cqMqbnVCBA/9ZFLR3DNhobqksLQzEtGTzKrKx8q9cpxqlMehNhgBX8q5j
PUSOTm8kG1uuOziYe1d6WchObze2YxxNcV37Oq/N5gZ59hX1TCI=
=wKCR
-----END PGP SIGNATURE-----

diff -Nru php-horde-data-2.1.4/debian/changelog php-horde-data-2.1.4/debian/changelog
--- php-horde-data-2.1.4/debian/changelog 2018-05-14 18:16:00.0 -0400
+++ php-horde-data-2.1.4/debian/changelog 2020-04-10 19:57:00.0 -0400
@@ -1,3 +1,12 @@ +php-horde-data (2.1.4-5+deb10u1) buster; urgency=high + + * Fix CVE-2020-8518: +The Horde Application Framework contained a remote code execution +vulnerability. An authenticated remote attacker could use this flaw to +cause execution of uploaded CSV data. (Closes: #951537) + + -- Roberto C. Sanchez Fri, 10 Apr 2020 19:57:00 -0400 + php-horde-data (2.1.4-5) unstable; urgency=medium * Update Standards-Version to 4.1.4, no change diff -Nru php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch --- php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch 1969-12-31 19:00:00.0 -0500 +++ php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch 2020-04-10 19:57:00.0 -0400 
@@ -0,0 +1,36 @@ +From 78ad0c2390176cdde7260a271bc6ddd86f4c9c0e Mon Sep 17 00:00:00 2001 +From: Jan Schneider +Date: Mon, 13 Feb 2017 18:38:59 +0100 +Subject: [PATCH] Don't use create_function(). + +It's deprecated and unsafe and closures should be used instead. +--- + lib/Horde/Data/Csv.php | 15 ++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php +index c2dc7dc..c0ffa63 100644 +--- a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php +@@ -332,7 +332,20 @@ public static function getCsv($file, array $params = array()) + + if ($row) { + $row = (strlen($params['quote']) && strlen($params['escape'])) +-? array_map(create_function('$a', 'return str_replace(\'' . str_replace('\'', '\\\'', $params['escape'] . $params['quote']) . '\', \'' . str_replace('\'', '\\\'', $params['quote']) . '\', $a);'), $row) ++? array_map( ++function ($a) use ($params) { ++return str_replace( ++str_replace( ++'\'', ++'\\\'', ++$params['escape'] . $params['quote'] ++), ++str_replace('\'', '\\\'', $params['quote']), ++$a ++); ++}, ++$row ++) + : array_map('trim', $row); + + if (!empty($params['length'])) { diff -Nru php-horde-data-2.1.4/debian/patches/series php-horde-data-2.1.4/debian/patches/series --- php-horde-data-2.1.4/debian/patches/series 1969-12-31 19:00:00.0 -0500 +++ php-horde-data-2.1.4/debian/patches/series 2020-04-10 19:57:00.0 -0400 @@ -0,0 +1 @@ +0001-CVE-2020-8518-Dont-use-create_function.patch
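Review bot: in the debian/changelog hunk, urgency=high is a stray setting for a buster upload, since urgency only governs migration into testing and has no effect on a stable point release; urgency=medium is the usual value there. The description "cause execution of uploaded CSV data" also understates what the accompanying patch shows: the quote and escape parameters were being interpolated into a PHP source string handed to create_function(), so naming it as code injection through the CSV import parameters would give readers of the changelog (and the security tracker) a more accurate picture of the fix.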
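Review bot: the 0001-CVE-2020-8518-Dont-use-create_function.patch hunk carries only the git From/Date/Subject lines for commit 78ad0c2390176cdde7260a271bc6ddd86f4c9c0e and no DEP-3 fields, so it is not evident from the patch file where it was taken from or which bug it addresses; add an `Origin:` line pointing at the upstream commit and `Bug-Debian: https://bugs.debian.org/951537` so the provenance can be checked without reading the changelog. Note also that the diffstat in the header reads `lib/Horde/Data/Csv.php` while the diff paths are `a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php`, so confirm that quilt applies it at the default strip level against this source layout and that the built package's Csv.php actually contains the closure rather than the old create_function() call. The replacement itself is behaviour-preserving: the closure performs the same two str_replace() operations on the same operands, but takes $params by value through `use ($params)` instead of splicing those values into executable code.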