Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Dear release team, this is a follow-up for #927433 (about +deb9u2). + * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_ + encode+json_decode.patch: + + Replace (un)serialize with json_encode/json_decode to mitigate PHP object + injection (CVE-2019-14466). Since I last uploaded the stretch-pu of gosa, one more CVE issue got known and already addressed in the Git branch. I will follow-up with a +deb9u3 upload on the +deb9u2 upload. Luckily, this one is not as massive as the +deb9u2 one. Greets, Mike -- System Information: Debian Release: 10.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
diff -Nru gosa-2.7.4+reloaded2/debian/changelog gosa-2.7.4+reloaded2/debian/changelog
--- gosa-2.7.4+reloaded2/debian/changelog 2019-04-19 19:03:52.000000000 +0200
+++ gosa-2.7.4+reloaded2/debian/changelog 2020-04-25 21:51:15.000000000 +0200
@@ -1,3 +1,12 @@
+gosa (2.7.4+reloaded2-13+deb9u3) stretch; urgency=medium
+
+ * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
+ encode+json_decode.patch:
+ + Replace (un)serialize with json_encode/json_decode to mitigate PHP object
+ injection (CVE-2019-14466).
+
+ -- Mike Gabriel <sunwea...@debian.org> Sat, 25 Apr 2020 21:51:15 +0200
+
 gosa (2.7.4+reloaded2-13+deb9u2) stretch; urgency=medium
 
 [ Mike Gabriel ]
diff -Nru gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
--- gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch 1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch 2020-04-25 21:50:26.000000000 +0200
@@ -0,0 +1,47 @@
+From e1504e9765db2adde8b4685b5c93fbba57df868b Mon Sep 17 00:00:00 2001
+From: Fabian Henneke <fab...@henneke.me>
+Date: Mon, 29 Jul 2019 15:54:29 +0200
+Subject: [PATCH] Replace (un)serialize with json_encode/json_decode
+
+---
+ gosa-core/html/index.php | 4 ++--
+ gosa-core/html/main.php | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/gosa-core/html/index.php
++++ b/gosa-core/html/index.php
+@@ -338,9 +338,9 @@
+ if(isset($_COOKIE['GOsa_Filter_Settings']) || isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])) {
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])) {
+- $cookie_all = unserialize(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
+ }else{
+- $cookie_all = unserialize(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
+ }
+ if(isset($cookie_all[$ui->dn])) {
+ $cookie = $cookie_all[$ui->dn];
+--- a/gosa-core/html/main.php
++++ b/gosa-core/html/main.php
+@@ -480,9 +480,9 @@
+ $cookie = array();
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])){
+- $cookie = unserialize(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
+ }elseif(isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])){
+- $cookie = unserialize(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
+ }
+
+ /* Save filters? */
+@@ -496,7 +496,7 @@
+ if(isset($_GET['plug'])){
+ $cookie[$ui->dn]['plug'] = $_GET['plug'];
+ }
+- @setcookie("GOsa_Filter_Settings",base64_encode(serialize($cookie)),time() + (60*60*24));
++ @setcookie("GOsa_Filter_Settings",base64_encode(json_encode($cookie)),time() + (60*60*24));
+ }
+
+ /* Show page...
*/
diff -Nru gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch
--- gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch 1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch 2020-04-25 21:50:26.000000000 +0200
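Review bot: In the last main.php hunk of the first patch the result of `json_encode($cookie)` goes straight into `base64_encode()` and `setcookie()` without a check. Unlike `serialize()`, `json_encode()` returns false when the array holds a string that is not valid UTF-8, and `$cookie[$ui->dn]['plug']` is filled from `$_GET['plug']` two lines earlier; with the `@` in front of `setcookie` the failure would be silent and the stored filter settings would be dropped. Encode first and send only on success: `$json = json_encode($cookie); if ($json !== false) { setcookie("GOsa_Filter_Settings", base64_encode($json), time() + (60*60*24)); }`. The call also passes only name, value and expiry, so the cookie is set without the Secure and HttpOnly attributes, which would need the longer `setcookie` argument list. The enclosing block starts and ends outside the hunk.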
@@ -0,0 +1,51 @@
+From 90b674960335d888c76ca5e99027df8e7fa66f3a Mon Sep 17 00:00:00 2001
+From: Fabian Henneke <fab...@henneke.me>
+Date: Fri, 16 Aug 2019 20:27:47 +0200
+Subject: [PATCH] Fix the decoding of filter settings cookie
+
+Previously, the use of json_decode without a second paramter meant that an
+stdClass was returned, which does not allow access to properties via the index
+operator. Instead, we now use json_decode(..., true) to return an associative
+array.
+
+In order to prevent any type shenanigans, we also ensure whether the returned
+value is an array and if not, replace it with an empty one.
+---
+ gosa-core/html/index.php | 7 +++++--
+ gosa-core/html/main.php | 7 +++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/gosa-core/html/index.php
++++ b/gosa-core/html/index.php
+@@ -338,9 +338,12 @@
+ if(isset($_COOKIE['GOsa_Filter_Settings']) || isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])) {
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])) {
+- $cookie_all = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']), true);
+ }else{
+- $cookie_all = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']), true);
++ }
++ if(!is_array($cookie_all)) {
++ $cookie_all = [];
+ }
+ if(isset($cookie_all[$ui->dn])) {
+ $cookie = $cookie_all[$ui->dn];
+--- a/gosa-core/html/main.php
++++ b/gosa-core/html/main.php
+@@ -480,9 +480,12 @@
+ $cookie = array();
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])){
+- $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']), true);
+ }elseif(isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])){
+- $cookie = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie =
json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']), true);
++}
++if(!is_array($cookie)) {
++ $cookie = [];
+ }
+
+ /* Save filters? */
diff -Nru gosa-2.7.4+reloaded2/debian/patches/series gosa-2.7.4+reloaded2/debian/patches/series
--- gosa-2.7.4+reloaded2/debian/patches/series 2019-04-19 19:03:52.000000000 +0200
+++ gosa-2.7.4+reloaded2/debian/patches/series 2020-04-25 21:50:26.000000000 +0200
@@ -55,3 +55,5 @@
 1043_smarty-add-on-function-param-types.patch
 1045_dont_use_filter_caching.patch
 1046_CVE-2019-11187_stricter-ldap-error-check.patch
+1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
+1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch
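Review bot: The new `is_array()` guards in the index.php and main.php hunks of the second patch validate only the top level of the decoded cookie; the per-user entry `$cookie_all[$ui->dn]` is still taken as-is. The cookie is client-supplied, so that entry can decode to a string, a number or an arbitrarily nested array, and main.php later writes `$cookie[$ui->dn]['plug']` into it (visible in the first patch). Tighten the existing test in index.php to `if(isset($cookie_all[$ui->dn]) && is_array($cookie_all[$ui->dn])) {` and reset a non-array `$cookie[$ui->dn]` to `[]` in main.php before it is written to. How the values are consumed after these lines is outside the hunks, so any further per-key validation belongs there.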