Version in base suite: 2.0.13+1-6sarge3 Version in overlay suite: 2.0.13+1-6sarge4 Base version: phpbb2_2.0.13+1-6sarge3 Target version: phpbb2_2.0.13+1-6sarge4 Base file: /org/ftp.debian.org/ftp/pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge3.dsc Target file: /org/ftp.debian.org/ftp/pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge4.dsc diff -u phpbb2-2.0.13+1/debian/po/templates.pot phpbb2-2.0.13+1/debian/po/templates.pot --- phpbb2-2.0.13+1/debian/po/templates.pot +++ phpbb2-2.0.13+1/debian/po/templates.pot @@ -14,7 +14,7 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: phpbb2 2.0.13-6sarge3\n" +"Project-Id-Version: phpbb2 2.0.13-6sarge4\n" "Report-Msgid-Bugs-To: Jeroen van Wolffelaar \n" "POT-Creation-Date: 2004-09-12 13:21+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" diff -u phpbb2-2.0.13+1/debian/changelog phpbb2-2.0.13+1/debian/changelog --- phpbb2-2.0.13+1/debian/changelog +++ phpbb2-2.0.13+1/debian/changelog @@ -1,3 +1,15 @@ +phpbb2 (2.0.13+1-6sarge4) oldstable-security; urgency=high + + * Upload to sarge to address security issues. + * CVE-2006-4758: authenticated admin may upload arbitrary files + (very minor issue, closes: 388120). + * CVE-2006-6839: update criteria for redirection targets. + * CVE-2006-6840: fix negative start parameter. + * CVE-2006-6508/CVE-2006-6841: fix csrf (closes: 405980). + * CVE-2008-0471: fix csrf (closes: 463589). + + -- Thijs Kinkhorst Sat, 9 Feb 2008 01:16:49 +0100 + phpbb2 (2.0.13+1-6sarge3) stable-security; urgency=high * Non-maintainer upload by the Security Team. only in patch2: unchanged: --- phpbb2-2.0.13+1.orig/debian/patches/201_CVE-2008-0471.diff +++ phpbb2-2.0.13+1/debian/patches/201_CVE-2008-0471.diff 
@@ -0,0 +1,20 @@ +diff -Nur phpBB2.orig/privmsg.php phpBB2/privmsg.php +--- phpBB2.orig/privmsg.php 2005-02-27 20:30:46.000000000 +0100 ++++ phpBB2/privmsg.php 2008-02-09 00:51:53.000000000 +0100 +@@ -666,6 +667,7 @@ + { + $s_hidden_fields = ''; + $s_hidden_fields .= ( isset($HTTP_POST_VARS['delete']) ) ? '' : ''; ++ $s_hidden_fields .= ''; + + for($i = 0; $i < count($mark_list); $i++) + { +@@ -696,7 +698,7 @@ + include($phpbb_root_path . 'includes/page_tail.'.$phpEx); + + } +- else if ( $confirm ) ++ else if ( $confirm && $sid === $userdata['session_id'] ) + { + if ( $delete_all ) + { only in patch2: unchanged: --- phpbb2-2.0.13+1.orig/debian/patches/200_CVE-2006-6840.diff +++ phpbb2-2.0.13+1/debian/patches/200_CVE-2006-6840.diff 
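Review bot: The new condition `else if ( $confirm && $sid === $userdata['session_id'] )` in the privmsg.php hunk at 696 depends on `$sid` having been read from the POST data, but nothing in this patch assigns it; the assignment `$sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0;` lives in the privmsg.php hunk of 200_CVE-2006-6841.diff. Applied on its own, the comparison fails closed (an unset variable is never identical to the session string) but emits a PHP notice, and a confirmed delete presumably drops into the following branch instead of being reported. A one-line comment above the condition, `// $sid is read from $HTTP_POST_VARS['sid'] near the top of this file (see 200_CVE-2006-6841.diff)`, would record that ordering dependency, and the strict `===` used here is the form the 6841 hunks should adopt as well. The `if`/`else if` chain continues outside the hunk, and the hidden-field markup appended at 667 is not visible in this rendering, so the field name it emits cannot be checked here.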
@@ -0,0 +1,77 @@ +diff -Nur phpBB2.0.21/groupcp.php phpBB2/groupcp.php +--- phpBB2.0.21/groupcp.php 2006-06-09 16:29:42.000000000 +0200 ++++ phpBB2/groupcp.php 2006-12-19 18:29:16.000000000 +0100 +@@ -148,6 +148,7 @@ + $cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : 0; + + $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0; ++$start = ($start < 0) ? 0 : $start; + + // + // Default var values +diff -Nur phpBB2.0.21/memberlist.php phpBB2/memberlist.php +--- phpBB2.0.21/memberlist.php 2006-06-09 16:29:43.000000000 +0200 ++++ phpBB2/memberlist.php 2006-12-19 18:29:16.000000000 +0100 +@@ -34,6 +34,7 @@ + // + + $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0; ++$start = ($start < 0) ? 0 : $start; + + if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) ) + { +diff -Nur phpBB2.0.21/modcp.php phpBB2/modcp.php +--- phpBB2.0.21/modcp.php 2006-06-09 16:29:43.000000000 +0200 ++++ phpBB2/modcp.php 2006-12-19 18:29:16.000000000 +0100 +@@ -71,6 +71,7 @@ + // Continue var definitions + // + $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0; ++$start = ($start < 0) ? 0 : $start; + + $delete = ( isset($HTTP_POST_VARS['delete']) ) ? TRUE : FALSE; + $move = ( isset($HTTP_POST_VARS['move']) ) ? TRUE : FALSE; +diff -Nur phpBB2.0.21/privmsg.php phpBB2/privmsg.php +--- phpBB2.0.21/privmsg.php 2006-06-09 16:29:43.000000000 +0200 ++++ phpBB2/privmsg.php 2006-12-19 18:29:16.000000000 +0100 +@@ -101,6 +102,7 @@ + } + + $start = ( !empty($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0; ++$start = ($start < 0) ? 
0 : $start; + + if ( isset($HTTP_POST_VARS[POST_POST_URL]) || isset($HTTP_GET_VARS[POST_POST_URL]) ) + { +diff -Nur phpBB2.0.21/search.php phpBB2/search.php +--- phpBB2.0.21/search.php 2006-06-09 16:29:43.000000000 +0200 ++++ phpBB2/search.php 2006-12-19 18:29:16.000000000 +0100 +@@ -118,6 +118,7 @@ + } + + $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0; ++$start = ($start < 0) ? 0 : $start; + + $sort_by_types = array($lang['Sort_Time'], $lang['Sort_Post_Subject'], $lang['Sort_Topic_Title'], $lang['Sort_Author'], $lang['Sort_Forum']); + +diff -Nur phpBB2.0.21/viewforum.php phpBB2/viewforum.php +--- phpBB2.0.21/viewforum.php 2006-06-09 16:29:43.000000000 +0200 ++++ phpBB2/viewforum.php 2006-12-19 18:29:16.000000000 +0100 +@@ -42,6 +42,7 @@ + } + + $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0; ++$start = ($start < 0) ? 0 : $start; + + if ( isset($HTTP_GET_VARS['mark']) || isset($HTTP_POST_VARS['mark']) ) + { +diff -Nur phpBB2.0.21/viewtopic.php phpBB2/viewtopic.php +--- phpBB2.0.21/viewtopic.php 2006-06-09 16:29:43.000000000 +0200 ++++ phpBB2/viewtopic.php 2006-12-19 18:29:16.000000000 +0100 +@@ -46,6 +46,7 @@ + + + $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0; ++$start = ($start < 0) ? 0 : $start; + + if (!$topic_id && !$post_id) + { only in patch2: unchanged: --- phpbb2-2.0.13+1.orig/debian/patches/200_CVE-2006-6841.diff +++ phpbb2-2.0.13+1/debian/patches/200_CVE-2006-6841.diff 
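Review bot: The clamp `$start = ($start < 0) ? 0 : $start;` is pasted verbatim after the `$start` assignment in seven files (groupcp.php, memberlist.php, modcp.php, privmsg.php, search.php, viewforum.php, viewtopic.php); folding it into the existing line, `$start = ( isset($HTTP_GET_VARS['start']) ) ? max(0, intval($HTTP_GET_VARS['start'])) : 0;`, keeps one statement per file and makes the lower bound harder to lose when the line is edited later. The privmsg.php instance keys off `!empty(...)` rather than `isset(...)`, which predates this patch but means the two forms now have to be kept in step by hand. Whether any of these files also read `start` from `$HTTP_POST_VARS` cannot be seen from the hunk; if one does, that path would need the same bound. The surrounding code in each file continues outside the hunk.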
@@ -0,0 +1,130 @@ +diff -Nur phpBB2.0.21/includes/usercp_register.php phpBB2/includes/usercp_register.php +--- phpBB2.0.21/includes/usercp_register.php 2006-06-09 16:29:41.000000000 +0200 ++++ phpBB2/includes/usercp_register.php 2006-12-19 18:29:15.000000000 +0100 +@@ -144,6 +144,7 @@ + $notifyreply = ( isset($HTTP_POST_VARS['notifyreply']) ) ? ( ($HTTP_POST_VARS['notifyreply']) ? TRUE : 0 ) : 0; + $notifypm = ( isset($HTTP_POST_VARS['notifypm']) ) ? ( ($HTTP_POST_VARS['notifypm']) ? TRUE : 0 ) : TRUE; + $popup_pm = ( isset($HTTP_POST_VARS['popup_pm']) ) ? ( ($HTTP_POST_VARS['popup_pm']) ? TRUE : 0 ) : TRUE; ++ $sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0; + + if ( $mode == 'register' ) + { +@@ -253,6 +254,13 @@ + { + include($phpbb_root_path . 'includes/usercp_avatar.'.$phpEx); + ++ // session id check ++ if ($sid == '' || $sid != $userdata['session_id']) ++ { ++ $error = true; ++ $error_msg .= ( ( isset($error_msg) ) ? '
' : '' ) . $lang['Session_invalid']; ++ } ++ + $passwd_sql = ''; + if ( $mode == 'editprofile' ) + { +@@ -893,6 +901,7 @@ + } + + $s_hidden_fields = ''; ++ $s_hidden_fields .= ''; + if( $mode == 'editprofile' ) + { + $s_hidden_fields .= ''; +diff -Nur phpBB2.0.21/language/lang_english/lang_main.php phpBB2/language/lang_english/lang_main.php +--- phpBB2.0.21/language/lang_english/lang_main.php 2006-06-09 16:29:42.000000000 +0200 ++++ phpBB2/language/lang_english/lang_main.php 2006-12-19 18:29:15.000000000 +0100 +@@ -1018,6 +1018,8 @@ + $lang['Login_attempts_exceeded'] = 'The maximum number of %s login attempts has been exceeded. You are not allowed to login for the next %s minutes.'; + $lang['Please_remove_install_contrib'] = 'Please ensure both the install/ and contrib/ directories are deleted'; + ++$lang['Session_invalid'] = 'Invalid Session. Please resubmit the form.'; ++ + // + // That's all, Folks! + // ------------------------------------------------- +diff -Nur phpBB2.0.21/posting.php phpBB2/posting.php +--- phpBB2.0.21/posting.php 2006-06-09 16:29:43.000000000 +0200 ++++ phpBB2/posting.php 2006-12-19 18:29:16.000000000 +0100 +@@ -44,6 +44,7 @@ + } + + $confirm = isset($HTTP_POST_VARS['confirm']) ? true : false; ++$sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0; + + $params = array('forum_id' => POST_FORUM_URL, 'topic_id' => POST_TOPIC_URL, 'post_id' => POST_POST_URL); + while( list($var, $param) = @each($params) ) +@@ -431,6 +431,7 @@ + // + $s_hidden_fields = ''; + $s_hidden_fields .= ( $delete || $mode == "delete" ) ? '' : ''; ++ $s_hidden_fields .= ''; + + $l_confirm = ( $delete || $mode == 'delete' ) ? $lang['Confirm_delete'] : $lang['Confirm_delete_poll']; + +@@ -542,6 +543,12 @@ + $return_message = ''; + $return_meta = ''; + ++ // session id check ++ if ($sid == '' || $sid != $userdata['session_id']) ++ { ++ $error_msg .= (!empty($error_msg)) ? '
' . $lang['Session_invalid'] : $lang['Session_invalid']; ++ } ++ + switch ( $mode ) + { + case 'editpost': +@@ -567,6 +574,11 @@ + + case 'delete': + case 'poll_delete': ++ if ($error_msg != '') ++ { ++ message_die(GENERAL_MESSAGE, $error_msg); ++ } ++ + delete_post($mode, $post_data, $return_message, $return_meta, $forum_id, $topic_id, $post_id, $poll_id); + break; + } +@@ -929,6 +941,7 @@ + } + + $hidden_form_fields = ''; ++$hidden_form_fields .= ''; + + switch( $mode ) + { +diff -Nur phpBB2.0.21/privmsg.php phpBB2/privmsg.php +--- phpBB2.0.21/privmsg.php 2006-06-09 16:29:43.000000000 +0200 ++++ phpBB2/privmsg.php 2006-12-19 18:29:16.000000000 +0100 +@@ -50,6 +50,7 @@ + $delete = ( isset($HTTP_POST_VARS['delete']) ) ? TRUE : 0; + $delete_all = ( isset($HTTP_POST_VARS['deleteall']) ) ? TRUE : 0; + $save = ( isset($HTTP_POST_VARS['save']) ) ? TRUE : 0; ++$sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0; + + $refresh = $preview || $submit_search; + +@@ -1161,6 +1163,13 @@ + + if ( $submit ) + { ++ // session id check ++ if ($sid == '' || $sid != $userdata['session_id']) ++ { ++ $error = true; ++ $error_msg .= ( ( !empty($error_msg) ) ? '
' : '' ) . $lang['Session_invalid']; ++ } ++ + if ( !empty($HTTP_POST_VARS['username']) ) + { + $to_username = phpbb_clean_username($HTTP_POST_VARS['username']); +@@ -1736,6 +1746,7 @@ + + $s_hidden_fields = ''; + $s_hidden_fields .= ''; ++ $s_hidden_fields .= ''; + if ( $mode == 'edit' ) + { + $s_hidden_fields .= ''; only in patch2: unchanged: --- phpbb2-2.0.13+1.orig/debian/patches/200_CVE-2006-4758.diff +++ phpbb2-2.0.13+1/debian/patches/200_CVE-2006-4758.diff @@ -0,0 +1,18 @@ +diff -ur phpBB2.orig/admin/admin_board.php phpBB2/admin/admin_board.php +--- phpBB2.orig/admin/admin_board.php 2006-07-05 20:53:54.000000000 +0200 ++++ phpBB2/admin/admin_board.php 2006-10-01 13:04:16.945403176 +0200 +@@ -59,6 +59,14 @@ + $new['server_name'] = str_replace('http://', '', $new['server_name']); + } + ++ // Make sure paths don't contain weirdness (like the NUL character) CVE-2006-4758 ++ foreach ( array('avatar_path', 'smilies_path', 'avatar_gallery_path') as $path ) { ++ if ($config_name == $path) ++ { ++ $new[$path] = preg_replace('/[^A-Za-z0-9.\/_+=~-]/', '', $new[$path]); ++ } ++ } ++ + if( isset($HTTP_POST_VARS['submit']) ) + { + $sql = "UPDATE " . CONFIG_TABLE . " SET only in patch2: unchanged: --- phpbb2-2.0.13+1.orig/debian/patches/200_CVE-2006-6839.diff +++ phpbb2-2.0.13+1/debian/patches/200_CVE-2006-6839.diff 
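Review bot: The session-id checks added in usercp_register.php (254), posting.php (543) and privmsg.php (1163) use loose comparison, `if ($sid == '' || $sid != $userdata['session_id'])`, on two strings that may both look numeric, and PHP compares numeric-looking strings as numbers under `==`/`!=`; `if ($sid !== $userdata['session_id'])` is sufficient and strict, since the default `0` assigned at the top of each file is never identical to a string, and it matches the `===` used by 201_CVE-2008-0471.diff. The usercp_register.php hunk builds the message with `( isset($error_msg) ) ? ... : ''` while the privmsg.php hunk uses `!empty($error_msg)`; if `$error_msg` is initialised to an empty string earlier in the file (outside the hunk), `isset` is always true and the separator is emitted ahead of an otherwise empty message, so `!empty` is the form to use in both places. The hidden `sid` inputs appended at 901, 431, 941 and 1746 appear as `$s_hidden_fields .= '';` in this rendering, so the field name they emit cannot be verified here. Each of these checks sits inside a block that starts outside its hunk.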
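Review bot: The filter `$new[$path] = preg_replace('/[^A-Za-z0-9.\/_+=~-]/', '', $new[$path]);` in admin_board.php silently rewrites the path an administrator submitted instead of refusing it, so a value containing a stripped character is stored in a different form with no feedback; testing with `preg_match('/[^A-Za-z0-9.\/_+=~-]/', $new[$path])` and calling `message_die(GENERAL_ERROR, ...)` on a match would keep the saved path equal to the reviewed one. The allowed set still contains `.` and `/`, so this is a control-character strip rather than confinement to a directory; if confinement is intended, that needs a separate check. The `if ($config_name == $path)` test appears to run once per row of an enclosing config loop that starts outside the hunk, which is what makes the per-path filtering work, so a comment such as `// applied per config row; allow only ASCII letters, digits and . / _ + = ~ -` would make the intent clear to the next reader.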
@@ -0,0 +1,33 @@ +diff -Nur phpBB2.orig/includes/functions.php phpBB2/includes/functions.php +--- phpBB2.orig/includes/functions.php 2005-02-27 20:30:44.000000000 +0100 ++++ phpBB2/includes/functions.php 2008-02-09 01:08:27.000000000 +0100 +@@ -779,7 +779,7 @@ + $db->sql_close(); + } + +- if (strstr(urldecode($url), "\n") || strstr(urldecode($url), "\r")) ++ if (strstr(urldecode($url), "\n") || strstr(urldecode($url), "\r") || strstr(urldecode($url), ';url')) + { + message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.'); + } +diff -Nur phpBB2.orig/login.php phpBB2/login.php +--- phpBB2.orig/login.php 2005-02-27 20:30:46.000000000 +0100 ++++ phpBB2/login.php 2008-02-09 01:09:16.000000000 +0100 +@@ -94,7 +94,7 @@ + $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : ''; + $redirect = str_replace('?', '&', $redirect); + +- if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r")) ++ if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r") || strstr(urldecode($redirect), ';url')) + { + message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.'); + } +@@ -114,7 +114,7 @@ + $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : ""; + $redirect = str_replace("?", "&", $redirect); + +- if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r")) ++ if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r") || strstr(urldecode($redirect), ';url')) + { + message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.'); + }
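Review bot: `strstr(urldecode($url), ';url')` is a case-sensitive match, so the new redirect criterion in functions.php (779) and in both login.php hunks (94, 114) only catches the lowercase spelling of the token; `stristr(urldecode($url), ';url')` makes the test case-insensitive with no other change. The same three-way condition is now written out three times with `urldecode()` re-evaluated in each clause; a single helper in includes/functions.php, called from both login.php sites, would keep the criteria in one place and decode once. The error string `'Tried to redirect to potentially insecure url.'` is unchanged, so nothing in the code says why the third clause exists; a comment such as `// CVE-2006-6839: also refuse ';url' in the decoded target` would record that. The enclosing functions continue outside each hunk.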