Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1

Roberto C. Sanchez Sun, 12 Apr 2020 06:33:19 -0700

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please find attached a proposed debdiff for php-horde-data.  The change
fixes CVE-2020-8518, which the security team has classified as <no-dsa>,
deeming it a minor issue which can be fixed via a point release.  May I
have permission to upload to stretch-proposed-updates?

- -- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEz9ERzDttUsU/BH8iLNd4Xt2nsg8FAl6TFk8ACgkQLNd4Xt2n
sg+sYg//TsXLF5Ww2+2Ubc12mXOIAOtrbjgjZaZMpgXqCV3cxnQcIygUOHkwLG2N
eT3mXO90y1qryjhK0H7jUuhdBMG9VA0FHmlhcScoecpOHU3dJekSz0tEa+ySewy3
ZP4pxVRq6TzYnk6HvtqUZ81GFJymWhN3HmGjkMlI25nmIN7udlWiMoYtqtzd3ZZA
cxskKlaLCqnowC1L2QZQdSdgqj2ZBjWtmZRxeEwalkBDsx+aeu2wUR1lg2ibwNvD
S6nR4d3ZwwmDd0RrGJemFRc0MXaAbIhpXjUT5OC35MQP7hgHqwzbtIY7CBt6s1z4
+aqLvev128e5R8bAJzgsOrWwvxJ2SeHJ5NsW5mfNDn+/1DcCu4KJmjTKzNHCGlL9
815DvmvD+l1s6Ls0E6+HvIN0GcVyOFvT7zhg2VaHcxCQxExkR05vFMxb51Bbd8zk
uTt/Xj2GBXZiURRfxibB8GP6GinB8a3V0LYHAPDVx3rjqkCi2+h0zH0Y2fsQVEJ8
tdSCiNAsFDH7H6S5I6Wd3kIRpcDsIfRowsjLaUiDTNfg/ZQxbuqnFlY623Y13cO1
QEPqCq+cqMqbnVCBA/9ZFLR3DNhobqksLQzEtGTzKrKx8q9cpxqlMehNhgBX8q5j
PUSOTm8kG1uuOziYe1d6WchObze2YxxNcV37Oq/N5gZ59hX1TCI=
=wKCR
-----END PGP SIGNATURE-----

diff -Nru php-horde-data-2.1.4/debian/changelog 
php-horde-data-2.1.4/debian/changelog
--- php-horde-data-2.1.4/debian/changelog       2018-05-14 18:16:00.000000000 
-0400
+++ php-horde-data-2.1.4/debian/changelog       2020-04-10 19:57:00.000000000 
-0400
@@ -1,3 +1,12 @@
+php-horde-data (2.1.4-5+deb10u1) buster; urgency=high
+
+  * Fix CVE-2020-8518:
+    The Horde Application Framework contained a remote code execution
+    vulnerability. An authenticated remote attacker could use this flaw to
+    cause execution of uploaded CSV data. (Closes: #951537)
+
+ -- Roberto C. Sanchez <robe...@debian.org>  Fri, 10 Apr 2020 19:57:00 -0400
+
 php-horde-data (2.1.4-5) unstable; urgency=medium
 
   * Update Standards-Version to 4.1.4, no change
diff -Nru 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
--- 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
       1969-12-31 19:00:00.000000000 -0500
+++ 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
       2020-04-10 19:57:00.000000000 -0400
@@ -0,0 +1,36 @@
+From 78ad0c2390176cdde7260a271bc6ddd86f4c9c0e Mon Sep 17 00:00:00 2001
+From: Jan Schneider <j...@horde.org>
+Date: Mon, 13 Feb 2017 18:38:59 +0100
+Subject: [PATCH] Don't use create_function().
+
+It's deprecated and unsafe and closures should be used instead.
+---
+ lib/Horde/Data/Csv.php | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php 
b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
+index c2dc7dc..c0ffa63 100644
+--- a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
++++ b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
+@@ -332,7 +332,20 @@ public static function getCsv($file, array $params = 
array())
+ 
+         if ($row) {
+             $row = (strlen($params['quote']) && strlen($params['escape']))
+-                ? array_map(create_function('$a', 'return str_replace(\'' . 
str_replace('\'', '\\\'', $params['escape'] . $params['quote']) . '\', \'' . 
str_replace('\'', '\\\'', $params['quote']) . '\', $a);'), $row)
++                ? array_map(
++                    function ($a) use ($params) {
++                        return str_replace(
++                            str_replace(
++                                '\'',
++                                '\\\'',
++                                $params['escape'] . $params['quote']
++                            ),
++                            str_replace('\'', '\\\'', $params['quote']),
++                            $a
++                        );
++                    },
++                    $row
++                )
+                 : array_map('trim', $row);
+ 
+             if (!empty($params['length'])) {
diff -Nru php-horde-data-2.1.4/debian/patches/series 
php-horde-data-2.1.4/debian/patches/series
--- php-horde-data-2.1.4/debian/patches/series  1969-12-31 19:00:00.000000000 
-0500
+++ php-horde-data-2.1.4/debian/patches/series  2020-04-10 19:57:00.000000000 
-0400
@@ -0,0 +1 @@
+0001-CVE-2020-8518-Dont-use-create_function.patch

Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1

Reply via email to