Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

I just uploaded two fixes for fusiondirectory for buster targeting the next/first point release:

+  * debian/patches:
+    + Add 0001_CVE-2019-11187_stricter-ldap-error-check.patch. Perform
+      stricter check on LDAP success/failure (CVE-2019-11187).

Considered severe issue by upstream, assessment by the security team says: no-dsa issue. In theory, the flaw that got fixed could let someone into the FusionDirectory WebUI with a wrong password.

+  * debian/control:
+    + Add to D (fusiondirectory): php-xml. (Closes: #931959).

The installer setup requires php-xml.

Greets,
Mike

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru fusiondirectory-1.2.3/debian/changelog fusiondirectory-1.2.3/debian/changelog --- fusiondirectory-1.2.3/debian/changelog 2019-03-22 15:22:53.000000000 +0100 +++ fusiondirectory-1.2.3/debian/changelog 2019-08-08 11:55:44.000000000 +0200 @@ -1,3 +1,13 @@ +fusiondirectory (1.2.3-4+deb10u1) buster-security; urgency=medium + + * debian/patches: + + Add 0001_CVE-2019-11187_stricter-ldap-error-check.patch. + Perform stricter check on LDAP success/failure (CVE-2019-11187). + * debian/control: + + Add to D (fusiondirectory): php-xml. (Closes: #931959). + + -- Mike Gabriel <sunwea...@debian.org> Thu, 08 Aug 2019 11:55:44 +0200 + fusiondirectory (1.2.3-4) unstable; urgency=medium * debian/fusiondirectory.postinst: diff -Nru fusiondirectory-1.2.3/debian/control fusiondirectory-1.2.3/debian/control --- fusiondirectory-1.2.3/debian/control 2019-01-18 11:55:58.000000000 +0100 +++ fusiondirectory-1.2.3/debian/control 2019-08-08 11:55:44.000000000 +0200 @@ -45,6 +45,7 @@ php-ldap, php-mbstring, php-recode, + php-xml, schema2ldif (>= 1.3), smarty-gettext (>= 1.1), smarty3, diff -Nru fusiondirectory-1.2.3/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch fusiondirectory-1.2.3/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch --- fusiondirectory-1.2.3/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch 1970-01-01 01:00:00.000000000 +0100 +++ fusiondirectory-1.2.3/debian/patches/0001_CVE-2019-11187_stricter-ldap-error-check.patch 2019-08-08 11:48:56.000000000 +0200 
@@ -0,0 +1,32 @@ +From f2fd17d4ddead5d3b61ddebf5fd21e043bda30be Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <c...@opensides.be> +Date: Mon, 29 Jul 2019 09:32:22 +0000 +Subject: [PATCH] Merge branch 'stricter-ldap-error-check' into '1.4-dev' + +:ambulance: fix(ldap) Use a stricter error check in ldap::success() + +See merge request fusiondirectory/fd!648 + +(cherry picked from commit 29ca9876df28e45bb8f4f8960f3760c336936dfc) + +23936352 :ambulance: fix(ldap) Use a stricter error check in ldap::success() +--- + core/include/class_ldap.inc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/include/class_ldap.inc b/core/include/class_ldap.inc +index e5b04c28..54090353 100644 +--- a/core/include/class_ldap.inc ++++ b/core/include/class_ldap.inc +@@ -906,7 +906,7 @@ class LDAP + */ + function success() + { +- return preg_match('/Success/i', $this->error); ++ return (trim($this->error) === 'Success'); + } + + /*! +-- +2.21.0 + diff -Nru fusiondirectory-1.2.3/debian/patches/series fusiondirectory-1.2.3/debian/patches/series --- fusiondirectory-1.2.3/debian/patches/series 2018-08-24 18:43:03.000000000 +0200 +++ fusiondirectory-1.2.3/debian/patches/series 2019-08-08 11:55:44.000000000 +0200 @@ -2,3 +2,4 @@ 2002_fusiondirectory-headers.patch 2003_fusiondirectory-setup.patch 2004_fusiondirectory-apache-php7.patch +0001_CVE-2019-11187_stricter-ldap-error-check.patch
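Review bot: the new debian/changelog stanza targets `buster-security`, but this request is tagged `pu` for the next point release and the body says the security team rated the issue no-dsa, so the distribution should be `buster`; please correct that before uploading to proposed-updates, since a `-security` suite name belongs only to uploads that go through the security archive. The version `1.2.3-4+deb10u1` itself is the right form for a stable update.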
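Review bot: the one-line change in core/include/class_ldap.inc is a faithful cherry-pick of the upstream fix and is the right direction: `preg_match('/Success/i', $this->error)` treats any diagnostic string that merely contains the word "success" as a successful operation, whereas `return (trim($this->error) === 'Success');` accepts only the exact success text, so a failed bind can no longer be mistaken for a good one. Two caveats for the patch header: success is still inferred from a human-readable message rather than from the LDAP result code, so a change in the client library's wording would make every operation report failure (fail-closed, which is the safe side, but worth knowing when debugging); and the header carries only the git format-patch fields, so adding DEP-3 `Bug:`/`Bug-Debian:` lines pointing at CVE-2019-11187 and the upstream merge request fd!648 would make the provenance easier to trace from debian/patches/series.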
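Review bot: in debian/patches/series the new patch carries the prefix `0001_` yet is appended after `2004_fusiondirectory-apache-php7.patch`; the series file, not the numeric prefix, decides application order, so this applies correctly, but the out-of-sequence number is misleading next to the existing 2xxx scheme. Either keep it as is (the file name already appears in the changelog entry) or pick a prefix that sorts after 2004 so the directory listing matches the application order.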