Bug#930321: php-horde-form: diff for NMU version 2.0.18-3.1

2019-06-18 Thread Salvatore Bonaccorso
Hi Mathieu,

On Tue, Jun 18, 2019 at 10:03:21PM +0200, Mathieu Parent wrote:
> On Sun, 16 Jun 2019 at 17:48, Salvatore Bonaccorso wrote:
> >
> > Control: tags 930321 + pending
> >
> > Hi Mathieu,
> >
> > I've prepared an NMU for php-horde-form (versioned as 2.0.18-3.1) and
> > uploaded it to DELAYED/2. Please feel free to tell me if I
> > should cancel it or feel free to override it with a maintainer upload!
> >
> > Decided to go ahead with a DELAYED/2 only given the approaching
> > release for buster.
> 
> Thanks.
> 
> I've also pushed your changes to salsa.

Thanks!

> Usually, the release team handle those security patches automatically.
> Otherwise an unblock request is needed in 2 days.

Jupp, to be on the safe side I will file one shortly after the all build
is done.

Regards,
Salvatore



Bug#930321: php-horde-form: diff for NMU version 2.0.18-3.1

2019-06-18 Thread Mathieu Parent
On Sun, 16 Jun 2019 at 17:48, Salvatore Bonaccorso wrote:
>
> Control: tags 930321 + pending
>
> Hi Mathieu,
>
> I've prepared an NMU for php-horde-form (versioned as 2.0.18-3.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should cancel it or feel free to override it with a maintainer upload!
>
> Decided to go ahead with a DELAYED/2 only given the approaching
> release for buster.

Thanks.

I've also pushed your changes to salsa.

Usually, the release team handle those security patches automatically.
Otherwise an unblock request is needed in 2 days.

Cheers
-- 
Mathieu Parent



Bug#930321: php-horde-form: diff for NMU version 2.0.18-3.1

2019-06-16 Thread Salvatore Bonaccorso
Control: tags 930321 + pending

Hi Mathieu,

I've prepared an NMU for php-horde-form (versioned as 2.0.18-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it or feel free to override it with a maintainer upload!

Decided to go ahead with a DELAYED/2 only given the approaching
release for buster.

Regards,
Salvatore
diff -Nru php-horde-form-2.0.18/debian/changelog php-horde-form-2.0.18/debian/changelog
--- php-horde-form-2.0.18/debian/changelog	2018-05-15 10:43:28.0 +0200
+++ php-horde-form-2.0.18/debian/changelog	2019-06-16 09:29:14.0 +0200
@@ -1,3 +1,11 @@
+php-horde-form (2.0.18-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Prevent directory traversal vulnerability (CVE-2019-9858)
+(Closes: #930321)
+
+ -- Salvatore Bonaccorso   Sun, 16 Jun 2019 09:29:14 +0200
+
 php-horde-form (2.0.18-3) unstable; urgency=medium
 
   * Update Standards-Version to 4.1.4, no change
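Review bot: The new entry "Prevent directory traversal vulnerability (CVE-2019-9858)" does not say which patch carries the fix or that it is taken from upstream. Naming the added file (0001-SECURITY-prevent-directory-traversal-vulnerability.patch) in the entry would let someone reading only the changelog, for example when reviewing the unblock request, locate the change without opening debian/patches/series.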
diff -Nru php-horde-form-2.0.18/debian/patches/0001-SECURITY-prevent-directory-traversal-vulnerability.patch php-horde-form-2.0.18/debian/patches/0001-SECURITY-prevent-directory-traversal-vulnerability.patch
--- php-horde-form-2.0.18/debian/patches/0001-SECURITY-prevent-directory-traversal-vulnerability.patch	1970-01-01 01:00:00.0 +0100
+++ php-horde-form-2.0.18/debian/patches/0001-SECURITY-prevent-directory-traversal-vulnerability.patch	2019-06-16 09:24:04.0 +0200
@@ -0,0 +1,27 @@
+From: Michael J Rubinsky 
+Date: Thu, 3 Jan 2019 19:22:56 -0500
+Subject: SECURITY: prevent directory traversal vulnerability.
+Origin: https://github.com/horde/Form/commit/c916ba979ad1613d76a9407dd0b67968a9594c0e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9858
+Bug-Debian: https://bugs.debian.org/930321
+
+---
+ Horde_Form-2.0.18/lib/Horde/Form/Type.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Horde_Form-2.0.18/lib/Horde/Form/Type.php b/Horde_Form-2.0.18/lib/Horde/Form/Type.php
+index e92c7903915b..f1e8157f0b68 100644
+--- a/Horde_Form-2.0.18/lib/Horde/Form/Type.php
 b/Horde_Form-2.0.18/lib/Horde/Form/Type.php
+@@ -1205,7 +1205,7 @@ class Horde_Form_Type_image extends Horde_Form_Type {
+ /* Get the temp file if already one uploaded, otherwise create a
+  * new temporary file. */
+ if (!empty($upload['img']['file'])) {
+-$tmp_file = Horde::getTempDir() . '/' . $upload['img']['file'];
++$tmp_file = Horde::getTempDir() . '/' . basename($upload['img']['file']);
+ } else {
+ $tmp_file = Horde::getTempFile('Horde', false);
+ }
+-- 
+2.20.1
+
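Review bot: In the Type.php change, the `!empty($upload['img']['file'])` test still runs on the raw value, and `basename()` is applied only when the path is concatenated. A submitted value such as `/` or `..` therefore passes the check, but `basename()` returns an empty string or `..` for it, so `$tmp_file` ends up naming the temp directory itself or its parent instead of a file inside it. Consider computing the basename first, treating an empty result, `.` and `..` as "no file", and falling through to the existing `Horde::getTempFile('Horde', false)` branch in that case. Separately, the patch touches only the one line and carries no test; a regression test that feeds a value containing `../` into this field and checks the resulting path stays under `Horde::getTempDir()` would guard the fix.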
diff -Nru php-horde-form-2.0.18/debian/patches/series php-horde-form-2.0.18/debian/patches/series
--- php-horde-form-2.0.18/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ php-horde-form-2.0.18/debian/patches/series	2019-06-16 09:23:14.0 +0200
@@ -0,0 +1 @@
+0001-SECURITY-prevent-directory-traversal-vulnerability.patch