Your message dated Tue, 26 Sep 2017 20:55:44 +0000
with message-id <e1dwwtm-00069a...@fasolo.debian.org>
and subject line Bug#876400: fixed in php-horde-image 2.5.2-1
has caused the Debian Bug report #876400,
regarding php-horde-image: CVE-2017-14650: remote code execution in _raw() via $index parameter
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
876400: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876400
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-image
Version: 2.0.1-1
Severity: grave
Tags: patch upstream security
Hi,
the following vulnerability was published for php-horde-image.
CVE-2017-14650[0]:
| A Remote Code Execution vulnerability has been found in the Horde_Image
| library when using the "Im" backend that utilizes ImageMagick's
| "convert" utility. It's not exploitable through any Horde application,
| because the code path to the vulnerability is not used by any Horde
| code. Custom applications using the Horde_Image library might be
| affected. This vulnerability affects all versions of Horde_Image from
| 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input
| validation of the index field in _raw() during construction of an
| ImageMagick command line.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14650
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14650
[1] https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b
Regards,
Salvatore
--- End Message ---
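The quoted description names the defect precisely: an unvalidated index field is spliced into an ImageMagick `convert` command line, so whatever the caller passes as the index reaches the shell. The PHP below is an added illustration for this page, not Horde_Image code and not the upstream commit referenced above; the function names, the command shape (ImageMagick's `file[index]` frame-selection syntax), and the malicious input are assumptions chosen for the example. It puts the injectable construction beside one that accepts only a non-negative integer and shell-quotes the whole `file[index]` token.

```php
<?php
// Added example, not Horde_Image code and not the upstream fix. Function
// names, command shape and inputs are assumptions made to illustrate the
// bug class: an index interpolated into a shell command without validation.

// Vulnerable pattern: the file name is quoted, but $index is appended
// outside the quotes, so an index like "0]; id #" closes the bracket and
// starts a second shell command.
function buildConvertCommandUnsafe(string $file, $index, string $out): string
{
    return 'convert ' . escapeshellarg($file) . '[' . $index . '] '
        . escapeshellarg($out);
}

// Hardened pattern: reject anything that is not a non-negative integer,
// then quote the complete "file[index]" token so no part of it is
// interpreted by the shell.
function buildConvertCommandSafe(string $file, $index, string $out): string
{
    $validated = filter_var(
        $index,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($validated === false) {
        throw new InvalidArgumentException(
            'index must be a non-negative integer, got ' . var_export($index, true)
        );
    }
    return 'convert ' . escapeshellarg($file . '[' . $validated . ']') . ' '
        . escapeshellarg($out);
}

// Constructed inputs for the demonstration.
$file     = 'input.gif';
$out      = 'frame.png';
$attacker = '0]; id #';   // constructed malicious index

// The unsafe builder happily emits a second command after the ';'.
echo buildConvertCommandUnsafe($file, $attacker, $out), PHP_EOL;

// The safe builder refuses the same input ...
try {
    echo buildConvertCommandSafe($file, $attacker, $out), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// ... and passes a legitimate frame index through as a single quoted token.
echo buildConvertCommandSafe($file, '3', $out), PHP_EOL;
```

Run it with `php example.php` and compare the two `convert` lines: in the unsafe one the `;` and the trailing `#` sit unquoted on the command line, in the safe one the index is part of the single-quoted argument. The validation (not the quoting alone) is what makes the index safe: quoting `"0]; id #"` would stop the injection but still hand ImageMagick a nonsensical frame selector, so rejecting non-integers up front is the cleaner contract.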
--- Begin Message ---
Source: php-horde-image
Source-Version: 2.5.2-1
We believe that the bug you reported is fixed in the latest version of
php-horde-image, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 876...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mathieu Parent <sath...@debian.org> (supplier of updated php-horde-image package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 26 Sep 2017 22:24:21 +0200
Source: php-horde-image
Binary: php-horde-image
Architecture: source all
Version: 2.5.2-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <pkg-horde-hack...@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sath...@debian.org>
Description:
php-horde-image - ${phppear:summary}
Closes: 876400
Changes:
php-horde-image (2.5.2-1) unstable; urgency=medium
.
* New upstream version 2.5.2
- CVE-2017-14650: remote code execution in _raw() via $index parameter
(Closes: #876400)
Checksums-Sha1:
c6442da33f4e8c0b43abf92b2b49e6dd1f70629d 2113 php-horde-image_2.5.2-1.dsc
6f5fc15a2750f5bbd36d45d2c28a8a949f63e698 778627 php-horde-image_2.5.2.orig.tar.gz
85fed4eed712b2553c39d611e607c0109ab9824f 3156 php-horde-image_2.5.2-1.debian.tar.xz
a26e5c2c87a6ee67e4315d4c810be368431f8db0 171158 php-horde-image_2.5.2-1_all.deb
c4fa2490aefaea96843482a92949d1d12119a598 5796 php-horde-image_2.5.2-1_amd64.buildinfo
Checksums-Sha256:
c748d6aac2f9dc68dd4adcaee5a6f72bec70dea0ea91cf832d31bc82a66c969a 2113 php-horde-image_2.5.2-1.dsc
f52edfd4e0b476ed4bfa83e706eca4facee4313330da92a5629430d5a930d108 778627 php-horde-image_2.5.2.orig.tar.gz
9bfa27269337cf3f7ced79ca0e6c9070e059de6f27addfb103d579fd2d8f5113 3156 php-horde-image_2.5.2-1.debian.tar.xz
35a7039afe2809ac4a08c6fa4b3221a41ddc86d719c04acfec17115d3d2fed37 171158 php-horde-image_2.5.2-1_all.deb
dbc4371534973b7f83ea3efe31f9df1c62cb887fd93b745681be8d5074f83b4e 5796 php-horde-image_2.5.2-1_amd64.buildinfo
Files:
82271f7ba05b779ddbcceec73519a0fa 2113 php extra php-horde-image_2.5.2-1.dsc
dd655f397f3f7289451a7570aea962f6 778627 php extra php-horde-image_2.5.2.orig.tar.gz
5930153c07cb6d930c1a819e33855780 3156 php extra php-horde-image_2.5.2-1.debian.tar.xz
22b7e15f2a60d905648f62e19c4dfdc6 171158 php extra php-horde-image_2.5.2-1_all.deb
8c5d8d49751f3c8d9e75d04b78069c38 5796 php extra php-horde-image_2.5.2-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---