php-horde-form: CVE-2019-9858


Debian Bug report logs - #930321
php-horde-form: CVE-2019-9858


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 10 Jun 2019 14:27:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions php-horde-form/2.0.18-3, php-horde-form/2.0.15-1

Fixed in version php-horde-form/2.0.18-3.1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>:
Bug#930321; Package src:php-horde-form. (Mon, 10 Jun 2019 14:27:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>. (Mon, 10 Jun 2019 14:27:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-horde-form: CVE-2019-9858
Date: Mon, 10 Jun 2019 16:26:18 +0200
Source: php-horde-form
Version: 2.0.18-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for php-horde-form.

CVE-2019-9858[0]:
| Remote code execution was discovered in Horde Groupware Webmail 5.2.22
| and 5.2.17. Horde/Form/Type.php contains a vulnerable class that
| handles image upload in forms. When the Horde_Form_Type_image method
| onSubmit() is called on uploads, it invokes the functions getImage()
| and _getUpload(), which uses unsanitized user input as a path to save
| the image. The unsanitized POST parameter object[photo][img][file] is
| saved in the $upload[img][file] PHP variable, allowing an attacker to
| manipulate the $tmp_file passed to move_uploaded_file() to save the
| uploaded file. By setting the parameter to (for example)
| ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside
| the web root. The static/ destination folder is a good candidate to
| drop the backdoor because it is always writable in Horde
| installations. (The unsanitized POST parameter went probably unnoticed
| because it's never submitted by the forms, which default to securely
| using a random path.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9858
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9858
[1] https://github.com/horde/Form/commit/c916ba979ad1613d76a9407dd0b67968a9594c0e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
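The CVE text above describes the bug as a client-controlled POST value (object[photo][img][file]) being joined onto a temporary directory and handed to move_uploaded_file(). The following is an added illustration, not Horde's code and not the Debian patch: it models that vulnerable shape next to two hardened shapes (a server-generated random name, and strict validation of a client name). TMP_DIR, the function names and the exact way the path is assembled are assumptions made for the illustration; the upstream fix referenced in [1] may differ in its details.

```php
<?php
declare(strict_types=1);

// Added example, not Horde's or Debian's code. It models the flow described
// in the CVE text: the client-supplied POST value object[photo][img][file]
// ends up in $upload['img']['file'] and is joined onto a temp directory to
// form the path handed to move_uploaded_file(). TMP_DIR and the function
// names are assumptions made for this illustration.

const TMP_DIR = '/tmp';

// Vulnerable shape: the client-controlled name becomes part of the path,
// so "../" segments walk out of TMP_DIR and, as the CVE notes, into a
// writable directory under the web root.
function destinationVulnerable(array $upload): string
{
    return TMP_DIR . '/' . $upload['img']['file'];
}

// Hardened shape 1: ignore the client-supplied name entirely and pick a
// random one; the client then has no influence on the destination path.
function destinationHardened(): string
{
    return TMP_DIR . '/Horde_' . bin2hex(random_bytes(16));
}

// Hardened shape 2 (when a client name must be kept): accept only a bare
// file name and confirm the resolved parent directory is TMP_DIR itself.
function validatedDestination(string $clientName): string
{
    if ($clientName === '' || $clientName === '.' || $clientName === '..'
        || strpos($clientName, "\0") !== false
        || strpos($clientName, '/') !== false
        || strpos($clientName, '\\') !== false) {
        throw new InvalidArgumentException('upload name is not a bare file name');
    }
    $dest = TMP_DIR . '/' . $clientName;
    // Defense in depth: the parent of the final path must resolve to TMP_DIR.
    if (realpath(dirname($dest)) !== realpath(TMP_DIR)) {
        throw new InvalidArgumentException('upload would leave the temp directory');
    }
    return $dest;
}

// Constructed attacker input, using the parameter value from the CVE text.
$attacker = ['img' => ['file' => '../usr/share/horde/static/bd.php']];

printf("vulnerable: %s\n", destinationVulnerable($attacker));
try {
    validatedDestination($attacker['img']['file']);
} catch (InvalidArgumentException $e) {
    printf("validated:  rejected (%s)\n", $e->getMessage());
}
printf("hardened:   %s\n", destinationHardened());
```

Run it with `php` on the command line. The vulnerable function returns a path that starts in the temp directory but resolves elsewhere once the kernel normalises the "../" segment; the validating function rejects the same input before any path is built, and the random-name function never consults the client value at all. In a real handler the chosen path should still only be passed to move_uploaded_file() after is_uploaded_file() has confirmed the source is a genuine upload.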



Marked as found in versions php-horde-form/2.0.15-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 10 Jun 2019 18:33:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>:
Bug#930321; Package src:php-horde-form. (Sun, 16 Jun 2019 07:39:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <team+debian-horde-team@tracker.debian.org>. (Sun, 16 Jun 2019 07:39:03 GMT)

Message #12 received at 930321@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 930321@bugs.debian.org
Cc: Mathieu Parent <sathieu@debian.org>
Subject: Re: Bug#930321: php-horde-form: CVE-2019-9858
Date: Sun, 16 Jun 2019 09:36:15 +0200
Control: tags -1 + patch

Hi Mathieu,

On Mon, Jun 10, 2019 at 04:26:18PM +0200, Salvatore Bonaccorso wrote:
> Source: php-horde-form
> Version: 2.0.18-3
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Hi,
> 
> The following vulnerability was published for php-horde-form.
[...]

Attached debdiff which should be fine for sid/buster (keeping in mind
the deadline for unblock requests is approaching very fast).

Regards,
Salvatore
[php-horde-form_2.0.18-3.1.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 930321-submit@bugs.debian.org. (Sun, 16 Jun 2019 07:39:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>:
Bug#930321; Package src:php-horde-form. (Sun, 16 Jun 2019 15:48:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <team+debian-horde-team@tracker.debian.org>. (Sun, 16 Jun 2019 15:48:04 GMT)

Message #19 received at 930321@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 930321@bugs.debian.org
Subject: php-horde-form: diff for NMU version 2.0.18-3.1
Date: Sun, 16 Jun 2019 17:44:34 +0200
Control: tags 930321 + pending

Hi Mathieu,

I've prepared an NMU for php-horde-form (versioned as 2.0.18-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it or feel free to override it with a maintainer upload!

Decided to go ahead with a DELAYED/2 only given the approaching
release for buster.

Regards,
Salvatore
[php-horde-form-2.0.18-3.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 930321-submit@bugs.debian.org. (Sun, 16 Jun 2019 15:48:05 GMT)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 18 Jun 2019 19:15:06 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 18 Jun 2019 19:15:06 GMT)

Message #26 received at 930321-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 930321-close@bugs.debian.org
Subject: Bug#930321: fixed in php-horde-form 2.0.18-3.1
Date: Tue, 18 Jun 2019 19:14:05 +0000
Source: php-horde-form
Source-Version: 2.0.18-3.1

We believe that the bug you reported is fixed in the latest version of
php-horde-form, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930321@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated php-horde-form package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 16 Jun 2019 09:29:14 +0200
Source: php-horde-form
Architecture: source
Version: 2.0.18-3.1
Distribution: unstable
Urgency: high
Maintainer: Horde Maintainers <team+debian-horde-team@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 930321
Changes:
 php-horde-form (2.0.18-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Prevent directory traversal vulnerability (CVE-2019-9858)
     (Closes: #930321)
Checksums-Sha1:
 63ce4b1e6713c2f598a2cecca90296ad2f38083f 2155 php-horde-form_2.0.18-3.1.dsc
 6abeb5a6738bc33457189f48c2cfc499640de351 3292 php-horde-form_2.0.18-3.1.debian.tar.xz
 63b4daf40d0edc1ef950923980d67b74f49397c8 6107 php-horde-form_2.0.18-3.1_source.buildinfo
Checksums-Sha256:
 4d2be8d9cd04fd7b0b5fd5c49775f86ad06e9b85e5d72ec19a3010716fb71f27 2155 php-horde-form_2.0.18-3.1.dsc
 33a31e601450432691b03761868428e213c789c75133911a8c6a2c999ccd27b6 3292 php-horde-form_2.0.18-3.1.debian.tar.xz
 0a67fb6cc24d9dd06b18abda3a0300daab7c9174cf114cab8e11a806369e3a28 6107 php-horde-form_2.0.18-3.1_source.buildinfo
Files:
 abfc1093deedb6582a5dc573a49adf8d 2155 php optional php-horde-form_2.0.18-3.1.dsc
 f2a641aa7d55c088b7d050ad6af227da 3292 php optional php-horde-form_2.0.18-3.1.debian.tar.xz
 bc41fc1d5c280113b02a493efd6aa515 6107 php optional php-horde-form_2.0.18-3.1_source.buildinfo





Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>:
Bug#930321; Package src:php-horde-form. (Tue, 18 Jun 2019 20:06:08 GMT)

Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <team+debian-horde-team@tracker.debian.org>. (Tue, 18 Jun 2019 20:06:08 GMT)

Message #31 received at 930321@bugs.debian.org:

From: Mathieu Parent <math.parent@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 930321@bugs.debian.org
Subject: Re: Bug#930321: php-horde-form: diff for NMU version 2.0.18-3.1
Date: Tue, 18 Jun 2019 22:03:21 +0200
Le dim. 16 juin 2019 à 17:48, Salvatore Bonaccorso <carnil@debian.org> a écrit :
>
> Control: tags 930321 + pending
>
> Hi Mathieu,
>
> I've prepared an NMU for php-horde-form (versioned as 2.0.18-3.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should cancel it or feel free to override it with a maintainer upload!
>
> Decided to go ahead with a DELAYED/2 only given the approaching
> release for buster.

Thanks.

I've also pushed your changes to salsa.

Usually, the release team handle those security patches automatically.
Otherwise an unblock request is needed in 2 days.

Cheers
-- 
Mathieu Parent



Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <team+debian-horde-team@tracker.debian.org>:
Bug#930321; Package src:php-horde-form. (Tue, 18 Jun 2019 20:12:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <team+debian-horde-team@tracker.debian.org>. (Tue, 18 Jun 2019 20:12:03 GMT)

Message #36 received at 930321@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mathieu Parent <math.parent@gmail.com>
Cc: 930321@bugs.debian.org
Subject: Re: Bug#930321: php-horde-form: diff for NMU version 2.0.18-3.1
Date: Tue, 18 Jun 2019 22:10:53 +0200
Hi Mathieu,

On Tue, Jun 18, 2019 at 10:03:21PM +0200, Mathieu Parent wrote:
> Le dim. 16 juin 2019 à 17:48, Salvatore Bonaccorso <carnil@debian.org> a écrit :
> >
> > Control: tags 930321 + pending
> >
> > Hi Mathieu,
> >
> > I've prepared an NMU for php-horde-form (versioned as 2.0.18-3.1) and
> > uploaded it to DELAYED/2. Please feel free to tell me if I
> > should cancel it or feel free to override it with a maintainer upload!
> >
> > Decided to go ahead with a DELAYED/2 only given the approaching
> > release for buster.
> 
> Thanks.
> 
> I've also pushed your changes to salsa.

Thanks!

> Usually, the release team handle those security patches automaticaly.
> Otherwise an unblock request is needed in 2 days.

Jupp, to be on the safe side I will file one shortly after the all build
is done.

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:47:20 2019; Machine Name: buxtehude
