Version in base suite: 2.0.18-3.1 Base version: php-horde-form_2.0.18-3.1 Target version: php-horde-form_2.0.18-3.1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-horde-form/php-horde-form_2.0.18-3.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-horde-form/php-horde-form_2.0.18-3.1+deb10u1.dsc changelog | 11 +++ patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch | 35 ++++++++++ patches/series | 1 3 files changed, 47 insertions(+) diff -Nru php-horde-form-2.0.18/debian/changelog php-horde-form-2.0.18/debian/changelog --- php-horde-form-2.0.18/debian/changelog 2019-06-16 07:29:14.000000000 +0000 +++ php-horde-form-2.0.18/debian/changelog 2020-03-24 17:55:11.000000000 +0000 @@ -1,3 +1,14 @@ +php-horde-form (2.0.18-3.1+deb10u1) buster; urgency=high + + * Fix CVE-2020-8866: + The Horde Application Framework contained a remote code execution + vulnerability. An authenticated remote attacker could use this flaw to + upload arbitrary content to an arbitrary writable location on the server + and potentially execute code in the context of the web server user. + (Closes: #955020) + + -- Roberto C. Sanchez Tue, 24 Mar 2020 13:55:11 -0400 + php-horde-form (2.0.18-3.1) unstable; urgency=high * Non-maintainer upload. diff -Nru php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch --- php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch 1970-01-01 00:00:00.000000000 +0000 +++ php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch 2020-03-24 17:55:11.000000000 +0000 @@ -0,0 +1,35 @@ +From 35d382cc3a0482c07d0c2272cac89a340922e0a6 Mon Sep 17 00:00:00 2001 +From: Michael J Rubinsky +Date: Sun, 1 Mar 2020 14:46:49 -0500 +Subject: [PATCH] SECURITY: Prevent ability to specify temporary filename. + +Origin: https://github.com/horde/Form/commit/35d382cc3a0482c07d0c2272cac89a340922e0a6 +--- + lib/Horde/Form/Type.php | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/Horde_Form-2.0.18/lib/Horde/Form/Type.php b/Horde_Form-2.0.18/lib/Horde/Form/Type.php +index f1e8157..e302d8d 100644 +--- a/Horde_Form-2.0.18/lib/Horde/Form/Type.php ++++ b/Horde_Form-2.0.18/lib/Horde/Form/Type.php +@@ -1200,12 +1200,11 @@ class Horde_Form_Type_image extends Horde_Form_Type { + if (!empty($upload['hash'])) { + $upload['img'] = $session->get('horde', 'form/' . $upload['hash']); + $session->remove('horde', 'form/' . $upload['hash']); +- } +- +- /* Get the temp file if already one uploaded, otherwise create a +- * new temporary file. */ +- if (!empty($upload['img']['file'])) { +- $tmp_file = Horde::getTempDir() . '/' . basename($upload['img']['file']); ++ if (!empty($upload['img']['file'])) { ++ $tmp_file = Horde::getTempDir() . '/' . basename($upload['img']['file']); ++ } else { ++ $tmp_file = Horde::getTempFile('Horde', false); ++ } + } else { + $tmp_file = Horde::getTempFile('Horde', false); + } +-- +2.20.1 + diff -Nru php-horde-form-2.0.18/debian/patches/series php-horde-form-2.0.18/debian/patches/series --- php-horde-form-2.0.18/debian/patches/series 2019-06-16 07:23:14.000000000 +0000 +++ php-horde-form-2.0.18/debian/patches/series 2020-03-24 17:55:11.000000000 +0000 @@ -1 +1,2 @@ 0001-SECURITY-prevent-directory-traversal-vulnerability.patch +0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch