tags 606386 + patch tags 606386 + pending thanks Dear maintainer,
I've prepared an NMU for cakephp (versioned as 1.3.2-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.
-- Jonathan Wiltshire (jmw)
diff -Nru cakephp-1.3.2/debian/changelog cakephp-1.3.2/debian/changelog
--- cakephp-1.3.2/debian/changelog 2010-06-15 10:05:27.000000000 +0100
+++ cakephp-1.3.2/debian/changelog 2010-12-14 15:45:50.000000000 +0000
@@ -1,3 +1,11 @@
+cakephp (1.3.2-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Patch for CVE-2010-4335 (unsafe unserialize)
+ Closes: #606386
+
+ -- Jonathan Wiltshire <j...@debian.org> Tue, 14 Dec 2010 15:41:20 +0000
+
 cakephp (1.3.2-1) unstable; urgency=low
 
 * New upstream release (Closes: #585684)
diff -Nru cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff
--- cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff 1970-01-01 01:00:00.000000000 +0100
+++ cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff 2010-12-14 15:49:52.000000000 +0000
@@ -0,0 +1,61 @@
+Description: protect against an unsafe serialise CVE-2010-4335
+Origin: https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606386
+Last-Update: 2010-12-14
+
+diff --git a/cake/libs/controller/components/security.php b/cake/libs/controller/components/security.php
+index c267c6c..7e5b3b2 100644
+--- a/cake/libs/controller/components/security.php
++++ b/cake/libs/controller/components/security.php
+@@ -618,10 +618,15 @@ class SecurityComponent extends Object {
+ }
+ unset($check['_Token']);
+
++ $locked = str_rot13($locked);
++ if (preg_match('/(\A|;|{|})O\:[0-9]+/', $locked)) {
++ return false;
++ }
++
+ $lockedFields = array();
+ $fields = Set::flatten($check);
+ $fieldList = array_keys($fields);
+- $locked = unserialize(str_rot13($locked));
++ $locked = unserialize($locked);
+ $multi = array();
+
+ foreach ($fieldList as $i => $key) {
+diff --git a/cake/tests/cases/libs/controller/components/security.test.php b/cake/tests/cases/libs/controller/components/security.test.php
+index 883f1c8..bbd5141 100644
+--- a/cake/tests/cases/libs/controller/components/security.test.php
++++ b/cake/tests/cases/libs/controller/components/security.test.php
+@@ -608,6 +608,30 @@ DIGEST;
+ $result = $this->Controller->Security->validatePost($this->Controller);
+ $this->assertFalse($result, 'validatePost passed when key was missing. %s');
+ }
++
++/**
++ * Test that objects can't be passed into the serialized string. This was a vector for RFI and LFI
++ * attacks. Thanks to Felix Wilhelm
++ *
++ * @return void
++ */
++ function testValidatePostObjectDeserialize() {
++ $this->Controller->Security->startup($this->Controller);
++ $key = $this->Controller->params['_Token']['key'];
++ $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877';
++
++ // a corrupted serialized object, so we can see if it ever gets to deserialize
++ $attack = 'O:3:"App":1:{s:5:"__map";a:1:{s:3:"foo";s:7:"Hacked!";s:1:"fail"}}';
++ $fields .= urlencode(':' . str_rot13($attack));
++
++ $this->Controller->data = array(
++ 'Model' => array('username' => 'mark', 'password' => 'foo', 'valid' => '0'),
++ '_Token' => compact('key', 'fields')
++ );
++ $result = $this->Controller->Security->validatePost($this->Controller);
++ $this->assertFalse($result, 'validatePost passed when key was missing. %s');
++ }
++
+ /**
+ * Tests validation of checkbox arrays
+ *
diff -Nru cakephp-1.3.2/debian/patches/series cakephp-1.3.2/debian/patches/series
--- cakephp-1.3.2/debian/patches/series 2010-06-15 10:05:27.000000000 +0100
+++ cakephp-1.3.2/debian/patches/series 2010-12-14 15:40:13.000000000 +0000
@@ -1,2 +1,3 @@
 01-remove-shebang.diff
 02-cake-binary-libs.diff
+03-CVE-2010-4335.diff
-- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
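Review bot: The guard added in front of `unserialize()` in security.php fails open when `preg_match()` errors, because its `false` return is treated like "no match" and the client-supplied `$locked` string is then deserialised anyway; as this is a denylist on untrusted input it should reject on error too, `if (preg_match('/(\A|;|{|})O\:[0-9]+/', $locked) !== 0) {`. The pattern also only recognises the `O:` object token, and `$locked` is still parsed before the `_Token` hash is compared (the hash check is outside this hunk, so that ordering is inferred); the durable fix is to stop calling `unserialize()` on request data for the locked-field list at all, e.g. carry it as a delimited list that the existing hash covers, and to note in the patch header that the Description says "serialise" where the changelog correctly says "unserialize". In the test hunk, the failure message `'validatePost passed when key was missing. %s'` was copied from the preceding test and does not describe this case; `'validatePost passed when a serialized object was submitted. %s'` would. The method enclosing the security.php change starts and ends outside the hunk.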