Version in base suite: 2.7.4+reloaded3-8+deb10u1 Base version: gosa_2.7.4+reloaded3-8+deb10u1 Target version: gosa_2.7.4+reloaded3-8+deb10u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gosa/gosa_2.7.4+reloaded3-8+deb10u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gosa/gosa_2.7.4+reloaded3-8+deb10u2.dsc changelog | 9 + patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch | 47 +++++++++ patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch | 51 ++++++++++ patches/series | 2 4 files changed, 109 insertions(+)
diff -Nru gosa-2.7.4+reloaded3/debian/changelog gosa-2.7.4+reloaded3/debian/changelog
--- gosa-2.7.4+reloaded3/debian/changelog 2019-08-10 02:04:23.000000000 +0000
+++ gosa-2.7.4+reloaded3/debian/changelog 2020-04-27 11:02:28.000000000 +0000
@@ -1,3 +1,12 @@
+gosa (2.7.4+reloaded3-8+deb10u2) buster; urgency=medium
+
+ * debian/patches:
+ + Add 1047_CVE-2019-14466-{1,2}_replace_unserialize_with_json_encode+json_
+ decode.patch: Replace (un)serialize with json_encode/json_decode to
+ mitigate PHP object injection.
+
+ -- Mike Gabriel Mon, 27 Apr 2020 13:02:28 +0200
+
 gosa (2.7.4+reloaded3-8+deb10u1) buster; urgency=medium
 
 * debian/changelog:
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
--- gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch 1970-01-01 00:00:00.000000000 +0000
+++ gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch 2020-04-25 19:50:26.000000000 +0000
@@ -0,0 +1,47 @@
+From e1504e9765db2adde8b4685b5c93fbba57df868b Mon Sep 17 00:00:00 2001
+From: Fabian Henneke
+Date: Mon, 29 Jul 2019 15:54:29 +0200
+Subject: [PATCH] Replace (un)serialize with json_encode/json_decode
+
+---
+ gosa-core/html/index.php | 4 ++--
+ gosa-core/html/main.php | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/gosa-core/html/index.php
++++ b/gosa-core/html/index.php
+@@ -338,9 +338,9 @@
+ if(isset($_COOKIE['GOsa_Filter_Settings']) || isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])) {
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])) {
+- $cookie_all = unserialize(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
+ }else{
+- $cookie_all = unserialize(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
+ }
+ if(isset($cookie_all[$ui->dn])) {
+ $cookie = $cookie_all[$ui->dn];
+--- a/gosa-core/html/main.php
++++ b/gosa-core/html/main.php
+@@ -480,9 +480,9 @@
+ $cookie = array();
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])){
+- $cookie = unserialize(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
+ }elseif(isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])){
+- $cookie = unserialize(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
+ }
+
+ /* Save filters? */
+@@ -496,7 +496,7 @@
+ if(isset($_GET['plug'])){
+ $cookie[$ui->dn]['plug'] = $_GET['plug'];
+ }
+- @setcookie("GOsa_Filter_Settings",base64_encode(serialize($cookie)),time() + (60*60*24));
++ @setcookie("GOsa_Filter_Settings",base64_encode(json_encode($cookie)),time() + (60*60*24));
+ }
+
+ /* Show page... */
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch
--- gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch 1970-01-01 00:00:00.000000000 +0000
+++ gosa-2.7.4+reloaded3/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch 2020-04-25 19:50:26.000000000 +0000
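Review bot: In the `@@ -496,7 +496,7 @@` hunk of the -1 patch (gosa-core/html/main.php), the new `@setcookie(...)` line never checks the result of `json_encode($cookie)`: if encoding fails (for instance on a non-UTF-8 byte in the request-supplied `plug` value) it returns `false`, `base64_encode(false)` is an empty string, PHP treats an empty value as a request to delete the cookie, and the `@` hides any diagnostic. Encoding first and writing only on success makes that case explicit: `$json = json_encode($cookie); if($json !== false) { setcookie("GOsa_Filter_Settings", base64_encode($json), time() + (60*60*24)); }`. The call also leaves the `secure` and `httponly` arguments of `setcookie()` unset and the value carries no integrity check, so whatever is read back from this cookie is still client-controlled data and should be validated where it is used. The enclosing block starts and ends outside the hunk.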
@@ -0,0 +1,51 @@
+From 90b674960335d888c76ca5e99027df8e7fa66f3a Mon Sep 17 00:00:00 2001
+From: Fabian Henneke
+Date: Fri, 16 Aug 2019 20:27:47 +0200
+Subject: [PATCH] Fix the decoding of filter settings cookie
+
+Previously, the use of json_decode without a second paramter meant that an
+stdClass was returned, which does not allow access to properties via the index
+operator. Instead, we now use json_decode(..., true) to return an associative
+array.
+
+In order to prevent any type shenanigans, we also ensure whether the returned
+value is an array and if not, replace it with an empty one.
+---
+ gosa-core/html/index.php | 7 +++++--
+ gosa-core/html/main.php | 7 +++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/gosa-core/html/index.php
++++ b/gosa-core/html/index.php
+@@ -338,9 +338,12 @@
+ if(isset($_COOKIE['GOsa_Filter_Settings']) || isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])) {
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])) {
+- $cookie_all = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']), true);
+ }else{
+- $cookie_all = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie_all = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']), true);
++ }
++ if(!is_array($cookie_all)) {
++ $cookie_all = [];
+ }
+ if(isset($cookie_all[$ui->dn])) {
+ $cookie = $cookie_all[$ui->dn];
+--- a/gosa-core/html/main.php
++++ b/gosa-core/html/main.php
+@@ -480,9 +480,12 @@
+ $cookie = array();
+
+ if(isset($_COOKIE['GOsa_Filter_Settings'])){
+- $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++ $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']), true);
+ }elseif(isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])){
+- $cookie = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++ $cookie = json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']), true);
++}
++if(!is_array($cookie)) {
++ $cookie = [];
+ }
+
+ /* Save filters? */
diff -Nru gosa-2.7.4+reloaded3/debian/patches/series gosa-2.7.4+reloaded3/debian/patches/series
--- gosa-2.7.4+reloaded3/debian/patches/series 2019-08-10 02:04:05.000000000 +0000
+++ gosa-2.7.4+reloaded3/debian/patches/series 2020-04-27 10:59:23.000000000 +0000
@@ -64,3 +64,5 @@
 1044_crypto-transition-without-mcrypt.patch
 1045_dont_use_filter_caching.patch
 1046_CVE-2019-11187_stricter-ldap-error-check.patch
+1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
+1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch
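Review bot: The `is_array()` guards added by the -2 patch (index.php `@@ -338,9 +338,12 @@`, main.php `@@ -480,9 +480,12 @@`) validate only the top level of the decoded cookie, so the per-user entry under `$ui->dn` can still be a string, number or boolean chosen by the client. In index.php the following context line assigns `$cookie_all[$ui->dn]` straight to `$cookie`, and main.php (per the `@@ -496` hunk of the -1 patch) later writes `$cookie[$ui->dn]['plug']` into it, so a scalar there would presumably raise offset warnings or errors instead of being discarded. Checking the nested value as well keeps the shape fixed, e.g. `if(isset($cookie_all[$ui->dn]) && is_array($cookie_all[$ui->dn])) {` in index.php and `if(!isset($cookie[$ui->dn]) || !is_array($cookie[$ui->dn])) { $cookie[$ui->dn] = array(); }` before the write in main.php. Passing `true` as the second argument of `base64_decode()` would additionally reject malformed input before it reaches `json_decode()`. Both code paths continue outside the hunks, so how the decoded values are consumed afterwards is not visible here.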