Bug#956534: Bug#956532: stretch-pu: package php-horde-data/2.1.4-3+deb9u1

2020-04-12 Thread Roberto C. Sánchez
On Sun, Apr 12, 2020 at 10:10:14PM +0100, Adam D. Barratt wrote:
> 
> Looking at the Security Tracker and the BTS, it appears that this issue
> is not yet resolved in unstable. If that's correct, please let us know
> once that's been done; if not, please ensure that the tracking /
> metadata is corrected.
> 
> Regards,
> 
> Adam
> 
Hi Adam,

You are correct that this has not been fixed in unstable; that is the
case for the updates associated with #956532, #956533, #956534, #956535,
#956536, and #956537.  I will coordinate with the maintainer to get that
done for each package and then I will follow-up to the bugs once that is
done.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Bug#956532: stretch-pu: package php-horde-data/2.1.4-3+deb9u1

2020-04-12 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Sun, 2020-04-12 at 09:25 -0400, Roberto C. Sanchez wrote:
> Please find attached a proposed debdiff for php-horde-data.  The
> change fixes CVE-2020-8518, which the security team has classified as
> , deeming it a minor issue which can be fixed via a point
> release.  I have prepared this update in coordination with the
> security team.  May I have
> permission to upload to stretch-proposed-updates?
> 

Looking at the Security Tracker and the BTS, it appears that this issue
is not yet resolved in unstable. If that's correct, please let us know
once that's been done; if not, please ensure that the tracking /
metadata is corrected.

Regards,

Adam



Bug#956532: stretch-pu: package php-horde-data/2.1.4-3+deb9u1

2020-04-12 Thread Roberto C. Sanchez
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu


Please find attached a proposed debdiff for php-horde-data.  The change
fixes CVE-2020-8518, which the security team has classified as ,
deeming it a minor issue which can be fixed via a point release.  I have
prepared this update in coordination with the security team.  May I have
permission to upload to stretch-proposed-updates?

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru php-horde-data-2.1.4/debian/changelog 
php-horde-data-2.1.4/debian/changelog
--- php-horde-data-2.1.4/debian/changelog   2016-06-07 16:25:17.0 
-0400
+++ php-horde-data-2.1.4/debian/changelog   2020-04-10 19:58:12.0 
-0400
@@ -1,3 +1,12 @@
+php-horde-data (2.1.4-3+deb9u1) stretch; urgency=high
+
+  * Fix CVE-2020-8518:
+The Horde Application Framework contained a remote code execution
+vulnerability. An authenticated remote attacker could use this flaw to
+cause execution of uploaded CSV data. (Closes: #951537)
+
+ -- Roberto C. Sanchez   Fri, 10 Apr 2020 19:58:12 -0400
+
 php-horde-data (2.1.4-3) unstable; urgency=medium
 
   * Update Standards-Version to 3.9.8, no change
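Review bot: the changelog wording "cause execution of uploaded CSV data" misplaces where the injected code comes from. What the patch in this debdiff removes is PHP source assembled from $params['escape'] and $params['quote'] and handed to create_function(), so the code an attacker controls is the quote/escape setting of the CSV import, not the contents of the CSV rows; "PHP code injection via the CSV import parameters passed to create_function()" would describe the fix accurately and match the patch name. urgency=high and the Closes: #951537 reference are fine for a point-release RCE fix.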
diff -Nru 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
--- 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
   1969-12-31 19:00:00.0 -0500
+++ 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
   2020-04-10 19:58:12.0 -0400
@@ -0,0 +1,36 @@
+From 78ad0c2390176cdde7260a271bc6ddd86f4c9c0e Mon Sep 17 00:00:00 2001
+From: Jan Schneider 
+Date: Mon, 13 Feb 2017 18:38:59 +0100
+Subject: [PATCH] Don't use create_function().
+
+It's deprecated and unsafe and closures should be used instead.
+---
+ lib/Horde/Data/Csv.php | 15 ++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php 
b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
+index c2dc7dc..c0ffa63 100644
+--- a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
 b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
+@@ -332,7 +332,20 @@ public static function getCsv($file, array $params = 
array())
+ 
+ if ($row) {
+ $row = (strlen($params['quote']) && strlen($params['escape']))
+-? array_map(create_function('$a', 'return str_replace(\'' . 
str_replace('\'', '\\\'', $params['escape'] . $params['quote']) . '\', \'' . 
str_replace('\'', '\\\'', $params['quote']) . '\', $a);'), $row)
++? array_map(
++function ($a) use ($params) {
++return str_replace(
++str_replace(
++'\'',
++'\\\'',
++$params['escape'] . $params['quote']
++),
++str_replace('\'', '\\\'', $params['quote']),
++$a
++);
++},
++$row
++)
+ : array_map('trim', $row);
+ 
+ if (!empty($params['length'])) {
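Review bot: the two inner str_replace('\'', '\\\'', ...) calls on the removed line are carried over into the closure, but they existed only to escape the values for embedding in the single-quoted PHP literal that create_function() compiled; applied directly to the runtime search and replacement strings they alter what is matched. For a CSV quoted with single quotes (quote `'`, escape `\`) the search string becomes `\\'` instead of `\'`, so an escaped quote in a field is not unescaped. Since the closure parses nothing, the body can be just `return str_replace($params['escape'] . $params['quote'], $params['quote'], $a);`. The closure itself is the right fix: $params is captured as data, and that is what closes the injection, so the extra escaping is the only thing I would change before upload.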
diff -Nru php-horde-data-2.1.4/debian/patches/series 
php-horde-data-2.1.4/debian/patches/series
--- php-horde-data-2.1.4/debian/patches/series  1969-12-31 19:00:00.0 
-0500
+++ php-horde-data-2.1.4/debian/patches/series  2020-04-10 19:58:12.0 
-0400
@@ -0,0 +1 @@
+0001-CVE-2020-8518-Dont-use-create_function.patch
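Added example, not code from this bug thread, from Horde_Data or from the Debian package: it sets the create_function() construction the debdiff above removes beside the closure that replaces it. The helper names (legacy_callback_source, count_return_tokens, patched_unquote, plain_unquote, expect) and the CSV parameter values are constructed for the demonstration. The old callback source is only built as a string and tokenized, never compiled, which is enough to show that a crafted quote parameter puts a second return statement into it, while the patched closure treats the same value as a search string; the last check shows where the escaping kept in the closure still changes results, a CSV quoted with single quotes.

```php
<?php
// Added example (not part of the Debian thread or of Horde_Data): the
// create_function() pattern removed for CVE-2020-8518 beside the closure that
// replaced it, run on constructed CSV import parameters. The legacy source is
// built as a string and tokenized only; it is never passed to
// create_function() (removed in PHP 8) or eval().
declare(strict_types=1);

/** Source the pre-patch code handed to create_function('$a', ...). */
function legacy_callback_source(array $params): string
{
    return 'return str_replace(\''
        . str_replace('\'', '\\\'', $params['escape'] . $params['quote'])
        . '\', \''
        . str_replace('\'', '\\\'', $params['quote'])
        . '\', $a);';
}

/** Number of `return` statements the PHP tokenizer finds in that source. */
function count_return_tokens(string $src): int
{
    $n = 0;
    foreach (token_get_all('<?php ' . $src) as $tok) {
        if (is_array($tok) && $tok[0] === T_RETURN) {
            $n++;
        }
    }
    return $n;
}

/** The patched callback: $params is captured as data, never compiled. */
function patched_unquote(array $params): Closure
{
    return function (string $a) use ($params): string {
        return str_replace(
            str_replace('\'', '\\\'', $params['escape'] . $params['quote']),
            str_replace('\'', '\\\'', $params['quote']),
            $a
        );
    };
}

/** Same closure without the quote-escaping step, which only made sense while
 *  the values were being embedded in a single-quoted PHP literal. */
function plain_unquote(array $params): Closure
{
    return function (string $a) use ($params): string {
        return str_replace($params['escape'] . $params['quote'], $params['quote'], $a);
    };
}

/** Tiny check helper (constructed for this example) so the script needs no
 *  particular zend.assertions setting. */
function expect(string $label, $want, $got): void
{
    if ($want !== $got) {
        throw new RuntimeException("$label: expected " . var_export($want, true)
            . ", got " . var_export($got, true));
    }
    echo "ok: $label\n";
}

// 1. Ordinary parameters: one return statement, the replacement the author meant.
$benign = ['quote' => '"', 'escape' => '\\'];
expect('benign source', 'return str_replace(\'\\"\', \'"\', $a);', legacy_callback_source($benign));
expect('benign returns', 1, count_return_tokens(legacy_callback_source($benign)));
expect('patched unescapes \\"', 'say "hi"', patched_unquote($benign)('say \\"hi\\"'));

// 2. Constructed hostile quote parameter. The str_replace() that escapes a
//    single quote turns a leading \' into \\' and, inside a single-quoted PHP
//    literal, \\ is one backslash, so the quote that follows closes the literal
//    early and the rest of the parameter is compiled as PHP code.
$hostile = ['quote' => '\\\', $a); return "injected"; //', 'escape' => '\\'];
expect('hostile returns', 2, count_return_tokens(legacy_callback_source($hostile)));

// 3. In the patched closure the same value can only be a search string: it is
//    looked for in the field and otherwise has no effect.
expect('closure treats param as data', 'a"b', patched_unquote($hostile)('a"b'));

// 4. Where the retained escaping still matters: a CSV quoted with single
//    quotes. The escaping now applies to the data itself, the search string
//    becomes \\' rather than \', and the field is left untouched.
$sq = ['quote' => '\'', 'escape' => '\\'];
expect('patched, single-quote csv', 'it\\\'s', patched_unquote($sq)('it\\\'s'));
expect('plain, single-quote csv', 'it\'s', plain_unquote($sq)('it\\\'s'));
```

Run it with `php example.php`; each expect() prints an ok line or throws. Check 2 is the whole vulnerability in miniature: the only escaping the old code did was for the single quote, so a backslash placed in front of one in the import parameters defeats it, and anything after that is no longer inside a string literal when create_function() compiles the source.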