Your message dated Fri, 05 Jul 2019 11:47:23 +0000
with message-id <e1hjmgv-000ghg...@fasolo.debian.org>
and subject line Bug#930321: fixed in php-horde-form 2.0.15-1+deb9u1
has caused the Debian Bug report #930321,
regarding php-horde-form: CVE-2019-9858
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930321: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930321
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-horde-form
Version: 2.0.18-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for php-horde-form.

CVE-2019-9858[0]:
| Remote code execution was discovered in Horde Groupware Webmail 5.2.22
| and 5.2.17. Horde/Form/Type.php contains a vulnerable class that
| handles image upload in forms. When the Horde_Form_Type_image method
| onSubmit() is called on uploads, it invokes the functions getImage()
| and _getUpload(), which uses unsanitized user input as a path to save
| the image. The unsanitized POST parameter object[photo][img][file] is
| saved in the $upload[img][file] PHP variable, allowing an attacker to
| manipulate the $tmp_file passed to move_uploaded_file() to save the
| uploaded file. By setting the parameter to (for example)
| ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside
| the web root. The static/ destination folder is a good candidate to
| drop the backdoor because it is always writable in Horde
| installations. (The unsanitized POST parameter went probably unnoticed
| because it's never submitted by the forms, which default to securely
| using a random path.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9858
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9858
[1] https://github.com/horde/Form/commit/c916ba979ad1613d76a9407dd0b67968a9594c0e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
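The report above describes a client-supplied form field being used as the destination path for move_uploaded_file(). The defensive pattern for that class of bug, as an added example that is neither Horde's code nor the Debian patch: the server alone chooses the upload directory and file name, the temp file is verified to be one PHP itself received, and the final path is checked to resolve inside the upload directory. The class name SafeImageUpload, the extension whitelist and the temp-directory demo are assumptions made for this example.

```php
<?php
// Added example (not Horde's code): defensive upload handling for the bug class
// in CVE-2019-9858, where a POST parameter ended up as the move_uploaded_file()
// destination. Rule: the client never chooses where an upload lands.

final class SafeImageUpload
{
    /** Absolute, canonical upload directory (assumed to exist and be writable). */
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException('Upload directory does not exist: ' . $baseDir);
        }
        $this->baseDir = $real;
    }

    /**
     * Build the destination path server-side. The only client influence is the
     * extension, and that is restricted to a whitelist (an assumption here).
     */
    public function destinationFor(string $originalName): string
    {
        $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
        if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
            $ext = 'bin'; // unknown type: never let it become an executable extension
        }
        // Random name: unpredictable and free of any traversal characters.
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        return $this->baseDir . DIRECTORY_SEPARATOR . $name;
    }

    /**
     * Defence in depth: refuse any path that does not resolve inside baseDir,
     * even if a caller ever passes user input through. realpath() fails on
     * files that do not exist yet, so canonicalise the parent directory only.
     */
    public function isContained(string $path): bool
    {
        $dir = realpath(dirname($path));
        if ($dir === false) {
            return false;
        }
        $base = basename($path);
        if ($base === '' || $base === '.' || $base === '..') {
            return false;
        }
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        return strncmp($dir . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
    }

    /** Handle one $_FILES entry (tmp_name / name / error keys). Returns the saved path. */
    public function store(array $upload): string
    {
        if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
            throw new RuntimeException('Upload failed with error ' . (int) $upload['error']);
        }
        // The temp file must be one PHP received in this request, not a path from the form.
        if (!is_uploaded_file($upload['tmp_name'])) {
            throw new RuntimeException('Not an uploaded file');
        }
        $dest = $this->destinationFor((string) ($upload['name'] ?? ''));
        if (!$this->isContained($dest)) {
            throw new RuntimeException('Destination escapes upload directory');
        }
        if (!move_uploaded_file($upload['tmp_name'], $dest)) {
            throw new RuntimeException('Could not move upload');
        }
        return $dest;
    }
}

// Constructed demo of the containment check, using a temp directory so it runs anywhere.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe-upload-demo';
@mkdir($base);
$store = new SafeImageUpload($base);
var_dump($store->isContained($base . DIRECTORY_SEPARATOR . 'abc.png'));           // bool(true)
var_dump($store->isContained($base . DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR . 'escaped.php')); // bool(false)
// In a request handler: $saved = $store->store($_FILES['photo']);
```

The containment check deliberately canonicalises the parent directory with realpath() rather than string-stripping "../" from the input, so symlinks and mixed separators are resolved the same way the filesystem resolves them.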
--- Begin Message ---
Source: php-horde-form
Source-Version: 2.0.15-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
php-horde-form, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated php-horde-form package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 16 Jun 2019 13:47:48 +0200
Source: php-horde-form
Architecture: source
Version: 2.0.15-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hack...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 930321
Changes:
 php-horde-form (2.0.15-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent directory traversal vulnerability (CVE-2019-9858)
     (Closes: #930321)
Checksums-Sha1:
 dafddca05a926ee33583cf5e73e104ddf9907bd6 2196 php-horde-form_2.0.15-1+deb9u1.dsc
 00943397c80622f0ebc24d25b7b4cd29c02fb300 196141 php-horde-form_2.0.15.orig.tar.gz
 cdc8edfc34e419a71d0bd281b4039619e446e2c9 3184 php-horde-form_2.0.15-1+deb9u1.debian.tar.xz
 762f8f8d45d22f6f02c083c6e33128e031e10834 6127 php-horde-form_2.0.15-1+deb9u1_source.buildinfo
Checksums-Sha256:
 ca7a26d5ebcf71fd1821fbae139c113bbb06bd93b7d089555576164c0a69746d 2196 php-horde-form_2.0.15-1+deb9u1.dsc
 12d757311995346c487dde98af795cbbaf2d520ab902a320d3a607ce8881666d 196141 php-horde-form_2.0.15.orig.tar.gz
 6149c3ecb911feab399fcac6b26b1c5668374e36bdfa06feebbc3251aa33def9 3184 php-horde-form_2.0.15-1+deb9u1.debian.tar.xz
 fed9a6794fdbb0a4a0b728564e82c31a5e5ae03ffc494818e95955e44d283915 6127 php-horde-form_2.0.15-1+deb9u1_source.buildinfo
Files:
 bc201c3bb16ceedad1bb7f3eabf9db74 2196 php extra php-horde-form_2.0.15-1+deb9u1.dsc
 403bd1b37af061548bc51db5a90f358c 196141 php extra php-horde-form_2.0.15.orig.tar.gz
 be7c23d1b2f6e8f16d6df8b20f4dd2ad 3184 php extra php-horde-form_2.0.15-1+deb9u1.debian.tar.xz
 28a87a26e527dd8db0acd89b2752c75e 6127 php extra php-horde-form_2.0.15-1+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl0GLMVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EVygP/idHjU3X8OKbpbDul5EYKR8H124VBDP5
yKA+aYdObwN516SnRvK3yzZ7Z0eVHQiTaKuc5g4HsTW4bhfyVPSvgc1VK9Q4SICM
J5RvQ04hgbDiCKbLMArLsV/D6vPfHrh4JY+YWntX9pNKr1E7Fhvetlt9P/kdNzvv
Enf9M6g8uNbipQgAs/qK5vzNiP9yKA6ogwD1MEAAfPP1Hx4fEaTDnfDj81kZemPm
iZHjzlAg1YBVRr/2hfSCOP77GZSGGqggcs+OnBmfNrc6XzL3E/Ye1/+pMwcoQfAB
goetD6Z3jIdxI96aJJdM/2oWLsbQ4uxCN86sntwlq5c7/lA7iDJ3f4xoNGjGt3IJ
XgJVyMXbC47ZmxOgz9Wv1albvzf9Q6lKwb5QSXxs/1oUwnVnGlRpqnbU3qDZWw9M
akJhgtha1lmZUO/L2Aycngl0x94FNWUQF87CB6kefMBhzgcSFjTPLCP+LC+t2+u3
7WJfclcLLM8by31jaEKpSAEzRcP5iJCzMKXQO9bZPlFefJu9SF6fcsxV+XnvSsrc
1B+EDjY81M1fYB2yHC2WWl8VM4zLXdmAvX1LWfwas/0LliXcsOkUxsPefLfFDi0U
aOjNx8co6+LBJcnP/2zxw0vwynqS+eX/ZYfr1BE2mb3IztUsc2OimWJJ8Aldvty1
BBqUn1JC+R8v
=Rxko
-----END PGP SIGNATURE-----

--- End Message ---
