Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Please find attached a proposed debdiff for php-horde-data. The change fixes CVE-2020-8518, which the security team has classified as <no-dsa>, deeming it a minor issue which can be fixed via a point release. I have prepared this update in coordination with the security team.

May I have permission to upload to stretch-proposed-updates?

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru php-horde-data-2.1.4/debian/changelog php-horde-data-2.1.4/debian/changelog --- php-horde-data-2.1.4/debian/changelog 2016-06-07 16:25:17.000000000 -0400 +++ php-horde-data-2.1.4/debian/changelog 2020-04-10 19:58:12.000000000 -0400 @@ -1,3 +1,12 @@ +php-horde-data (2.1.4-3+deb9u1) stretch; urgency=high + + * Fix CVE-2020-8518: + The Horde Application Framework contained a remote code execution + vulnerability. An authenticated remote attacker could use this flaw to + cause execution of uploaded CSV data. (Closes: #951537) + + -- Roberto C. Sanchez <robe...@debian.org> Fri, 10 Apr 2020 19:58:12 -0400 + php-horde-data (2.1.4-3) unstable; urgency=medium * Update Standards-Version to 3.9.8, no change diff -Nru php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch --- php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch 1969-12-31 19:00:00.000000000 -0500 +++ php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch 2020-04-10 19:58:12.000000000 -0400 
@@ -0,0 +1,36 @@ +From 78ad0c2390176cdde7260a271bc6ddd86f4c9c0e Mon Sep 17 00:00:00 2001 +From: Jan Schneider <j...@horde.org> +Date: Mon, 13 Feb 2017 18:38:59 +0100 +Subject: [PATCH] Don't use create_function(). + +It's deprecated and unsafe and closures should be used instead. +--- + lib/Horde/Data/Csv.php | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php +index c2dc7dc..c0ffa63 100644 +--- a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php ++++ b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php +@@ -332,7 +332,20 @@ public static function getCsv($file, array $params = array()) + + if ($row) { + $row = (strlen($params['quote']) && strlen($params['escape'])) +- ? array_map(create_function('$a', 'return str_replace(\'' . str_replace('\'', '\\\'', $params['escape'] . $params['quote']) . '\', \'' . str_replace('\'', '\\\'', $params['quote']) . '\', $a);'), $row) ++ ? array_map( ++ function ($a) use ($params) { ++ return str_replace( ++ str_replace( ++ '\'', ++ '\\\'', ++ $params['escape'] . $params['quote'] ++ ), ++ str_replace('\'', '\\\'', $params['quote']), ++ $a ++ ); ++ }, ++ $row ++ ) + : array_map('trim', $row); + + if (!empty($params['length'])) { diff -Nru php-horde-data-2.1.4/debian/patches/series php-horde-data-2.1.4/debian/patches/series --- php-horde-data-2.1.4/debian/patches/series 1969-12-31 19:00:00.000000000 -0500 +++ php-horde-data-2.1.4/debian/patches/series 2020-04-10 19:58:12.000000000 -0400 @@ -0,0 +1 @@ +0001-CVE-2020-8518-Dont-use-create_function.patch
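Review bot: the changelog entry attributes the code execution to "uploaded CSV data", but the line removed in 0001-CVE-2020-8518-Dont-use-create_function.patch splices $params['escape'] and $params['quote'] into a PHP source string handed to create_function(), escaping only single quotes; the row values themselves are only passed as the $a argument. The unsafe input is therefore the CSV import parameters given to getCsv(), not the cell contents, and a wording along the lines of "cause execution of PHP code via crafted CSV import parameters" would let stretch users judge their exposure more accurately.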
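Review bot: the patch header keeps the upstream From/Date/Subject lines but has no DEP-3 provenance fields; add an `Origin:` line naming upstream commit 78ad0c2390176cdde7260a271bc6ddd86f4c9c0e and `Bug-Debian: https://bugs.debian.org/951537` so the link to the CVE fix is machine-readable. A smaller point on the closure itself: the original create_function() call evaluated the two str_replace() expressions once while building the code string, whereas the new closure recomputes both for every element of $row; computing them once before array_map() and capturing the two strings with `use` keeps the behaviour identical while avoiding the repeated work on large imports.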