Version in base suite: 5.2.20+debian0-1 Base version: php-horde_5.2.20+debian0-1 Target version: php-horde_5.2.20+debian0-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-horde/php-horde_5.2.20+debian0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-horde/php-horde_5.2.20+debian0-1+deb10u1.dsc changelog | 6 + patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch | 50 ++++++++++ patches/series | 1 3 files changed, 57 insertions(+) diff -Nru php-horde-5.2.20+debian0/debian/changelog php-horde-5.2.20+debian0/debian/changelog --- php-horde-5.2.20+debian0/debian/changelog 2018-10-25 19:08:21.000000000 +0000 +++ php-horde-5.2.20+debian0/debian/changelog 2019-12-14 02:13:53.000000000 +0000 @@ -1,3 +1,9 @@ +php-horde (5.2.20+debian0-1+deb10u1) buster; urgency=high + + * Fix CVE-2019-12095: Stored XSS vuln in the Horde Cloud Block. + + -- Roberto C. Sanchez Fri, 13 Dec 2019 21:13:53 -0500 + php-horde (5.2.20+debian0-1) unstable; urgency=medium * New upstream version 5.2.20+debian0 diff -Nru php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch --- php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch 1970-01-01 00:00:00.000000000 +0000 +++ php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch 2019-12-14 02:13:53.000000000 +0000 @@ -0,0 +1,50 @@ +From 81a7b53973506856db67e7f0b0263be29528aa75 Mon Sep 17 00:00:00 2001 +From: Michael J Rubinsky +Date: Sat, 20 Apr 2019 17:34:41 -0400 +Subject: [PATCH] Fix XSS vuln in the Horde Cloud Block. + +--- + horde-5.2.20/lib/Block/Cloud.php | 6 +++++- + horde-5.2.20/services/portal/cloud_search.php | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/horde-5.2.20/lib/Block/Cloud.php b/horde-5.2.20/lib/Block/Cloud.php +index 92a44255..9df5bf3c 100644 +--- a/horde-5.2.20/lib/Block/Cloud.php ++++ b/horde-5.2.20/lib/Block/Cloud.php +@@ -13,6 +13,10 @@ class Horde_Block_Cloud extends Horde_Core_Block + $this->_name = _("Tag Cloud"); + } + ++ protected function _escapeJs($string) ++ { ++ return str_replace("\n", '\n', str_replace('"', '\"', addcslashes(str_replace("\r", '', (string)$string), "\0..\37'\\"))); ++ } + /** + */ + protected function _content() +@@ -21,7 +25,7 @@ class Horde_Block_Cloud extends Horde_Core_Block + foreach ($this->_getTags() as $tag) { + $cloud->addElement( + $tag['tag_name'], '#', $tag['count'], null, +- 'doSearch(\'' . $tag['tag_name'] . '\'); return false;'); ++ 'doSearch(\'' . htmlspecialchars($this->_escapeJs($tag['tag_name'])) . '\'); return false;'); + } + + Horde::startBuffer(); +diff --git a/horde-5.2.20/services/portal/cloud_search.php b/horde-5.2.20/services/portal/cloud_search.php +index d72da96e..0d44b5a5 100644 +--- a/horde-5.2.20/services/portal/cloud_search.php ++++ b/horde-5.2.20/services/portal/cloud_search.php +@@ -43,7 +43,7 @@ foreach ($results as $result) { + echo '
  • ' . + (empty($result['icon']) ? Horde_Themes_Image::tag(Horde_Themes::img($result['app'] . '.png', array('app' => $result['app'])), array('alt' => $result['app'])) : '') . + Horde::link($result['view_url'], '', '', '', '', '', '', array('style' => 'margin:4px')) . +- (empty($result['icon']) ? $result['title'] : '') . ++ (empty($result['icon']) ? htmlspecialchars($result['title']) : '') . + '' . $result['desc'] . '
    • '; + } + echo ''; +-- +2.20.1 + diff -Nru php-horde-5.2.20+debian0/debian/patches/series php-horde-5.2.20+debian0/debian/patches/series --- php-horde-5.2.20+debian0/debian/patches/series 2018-10-25 19:08:21.000000000 +0000 +++ php-horde-5.2.20+debian0/debian/patches/series 2019-12-14 02:13:53.000000000 +0000 @@ -1 +1,2 @@ 0001-Fix-rewrite-base.patch +0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch