Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package php-horde-crypt

This fixes a security issue:

  * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and
    CVE-2017-7414 (Closes: #859635)

(debdiff attached)

Note that the package doesn't work correctly in stretch, because it is not
compatible with gpg v2 (#849151 and #854819). I plan to fix this later, but
maybe in a point-release. Today, I want to prevent IMP (php-horde-imp) from
being removed from testing.

unblock php-horde-crypt/2.7.5-2

Thanks!

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru php-horde-crypt-2.7.5/debian/changelog php-horde-crypt-2.7.5/debian/changelog --- php-horde-crypt-2.7.5/debian/changelog 2016-12-17 23:04:22.000000000 +0100 +++ php-horde-crypt-2.7.5/debian/changelog 2017-05-03 07:15:32.000000000 +0200 @@ -1,3 +1,10 @@ +php-horde-crypt (2.7.5-2) unstable; urgency=medium + + * Escape user provided recipients and charset data. Fixes CVE-2017-7413 and + CVE-2017-7414 (Closes: #859635) + + -- Mathieu Parent <sath...@debian.org> Wed, 03 May 2017 07:15:32 +0200 + php-horde-crypt (2.7.5-1) unstable; urgency=medium * New upstream version 2.7.5 diff -Nru php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch --- php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch 1970-01-01 01:00:00.000000000 +0100 +++ php-horde-crypt-2.7.5/debian/patches/0001-Escape-user-provided-recipients-and-charset-data.patch 2017-05-03 07:15:32.000000000 +0200 
@@ -0,0 +1,34 @@ +From 5ef589a3d47f94810c8b86805723b9450867aedf Mon Sep 17 00:00:00 2001 +From: Michael J Rubinsky <mrubi...@horde.org> +Date: Wed, 29 Mar 2017 08:21:02 -0400 +Subject: [PATCH] Escape user provided recipients and charset data. + +--- + framework/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php b/Horde_Crypt-2.7.5/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php +index a340caaf62..c33c05c9a3 100644 +--- a/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php ++++ b/Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php +@@ -433,7 +433,7 @@ extends Horde_Crypt_Pgp_Backend + $cmdline[] = $keyring; + $cmdline[] = '--encrypt'; + foreach (array_keys($params['recips']) as $val) { +- $cmdline[] = '--recipient ' . $val; ++ $cmdline[] = '--recipient ' . escapeshellarg($val); + } + } else { + $cmdline[] = '--symmetric'; +@@ -552,7 +552,7 @@ extends Horde_Crypt_Pgp_Backend + '--armor', + '--always-trust', + '--batch', +- '--charset ' . (isset($params['charset']) ? $params['charset'] : 'UTF-8'), ++ '--charset ' . (isset($params['charset']) ? escapeshellarg($params['charset']) : 'UTF-8'), + $keyring, + '--verify' + ); +-- +2.11.0 + diff -Nru php-horde-crypt-2.7.5/debian/patches/series php-horde-crypt-2.7.5/debian/patches/series --- php-horde-crypt-2.7.5/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ php-horde-crypt-2.7.5/debian/patches/series 2017-05-03 07:15:32.000000000 +0200 @@ -0,0 +1 @@ +0001-Escape-user-provided-recipients-and-charset-data.patch
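Review bot: In the 0001-Escape-user-provided-recipients-and-charset-data.patch hunk, escapeshellarg() is applied inside a single array element ('--recipient ' . escapeshellarg($val) at line 436, and the --charset equivalent at line 555), so the fix only works if $cmdline is later joined into one shell command string; if those elements were handed to the process as separate arguments, the added quotes would reach gpg literally. That join is not visible in this debdiff, so please confirm it in Binary.php before the unblock. The hard-coded 'UTF-8' fallback is a constant and needs no escaping. Separately, the embedded upstream patch carries inconsistent paths: the diffstat line says framework/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php, the b/ side of the "diff --git" line reads Horde_Crypt-2.7.5/Crypt/lib/Horde/Crypt/Pgp/Backend/Binary.php, while the ---/+++ lines use Horde_Crypt-2.7.5/lib/Horde/Crypt/Pgp/Backend/Binary.php. quilt applies with -p1 from the ---/+++ lines so it still applies, but tidying the header, or adding DEP-3 fields such as "Origin: upstream, 5ef589a3d47f94810c8b86805723b9450867aedf" and "Bug-Debian: https://bugs.debian.org/859635", would document where the fix comes from for the stable point-release follow-up mentioned in the request.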