php-horde-image: CVE-2017-14650: remote code execution in _raw() via $index parameter

Related Vulnerabilities: CVE-2017-14650   CVE-2017-9773   CVE-2017-9774  

Debian Bug report logs - #876400
php-horde-image: CVE-2017-14650: remote code execution in _raw() via $index parameter


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 21 Sep 2017 18:57:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version php-horde-image/2.0.1-1

Fixed in versions php-horde-image/2.5.2-1, php-horde-image/2.3.6-1+deb9u1

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#876400; Package src:php-horde-image. (Thu, 21 Sep 2017 18:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 21 Sep 2017 18:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-horde-image: CVE-2017-14650: remote code execution in _raw() via $index parameter
Date: Thu, 21 Sep 2017 20:53:10 +0200
Source: php-horde-image
Version: 2.0.1-1
Severity: grave
Tags: patch upstream security

Hi,

the following vulnerability was published for php-horde-image.

CVE-2017-14650[0]:
| A Remote Code Execution vulnerability has been found in the Horde_Image
| library when using the "Im" backend that utilizes ImageMagick's
| "convert" utility. It's not exploitable through any Horde application,
| because the code path to the vulnerability is not used by any Horde
| code. Custom applications using the Horde_Image library might be
| affected. This vulnerability affects all versions of Horde_Image from
| 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input
| validation of the index field in _raw() during construction of an
| ImageMagick command line.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14650
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14650
[1] https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b

Regards,
Salvatore
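The CVE text above describes an unvalidated index being interpolated into an ImageMagick "convert" command line. The following is an added illustration of that defect class and the validation that closes it; it is not the Horde_Image code or the upstream fix, and the function name buildConvertCommand, its parameters and the use of ImageMagick's "file[N]" frame-selection syntax are assumptions for this example.

```php
<?php
// Added example, not Horde's own code. Shows how a caller-supplied index is
// confined to a non-negative integer *before* it is used to build a convert
// command line, so nothing but digits can ever reach the shell via the index.

/**
 * Build a shell command that runs ImageMagick's convert on one frame/page of
 * $source and writes it to $target.
 *
 * @param string     $convertBinary Path to the convert executable.
 * @param string     $source        Input image path.
 * @param string|int $index         Frame/page index from an untrusted caller.
 * @param string     $target        Output image path.
 * @throws InvalidArgumentException if $index is not a non-negative integer.
 */
function buildConvertCommand(string $convertBinary, string $source, $index, string $target): string
{
    // Allow-list validation: only "0", "1", "2", ... (or ints >= 0) pass.
    // Negative numbers, decimals, letters, and empty strings all return false.
    $idx = filter_var($index, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($idx === false) {
        throw new InvalidArgumentException('index must be a non-negative integer');
    }

    // ImageMagick selects a frame with the "file[N]" suffix (assumption for
    // this example). $idx is now a trusted int, so the bracket expression is
    // safe; every argument is still quoted with escapeshellarg() so that
    // paths containing shell metacharacters are passed through literally.
    $frame = $source . '[' . $idx . ']';
    return implode(' ', [
        escapeshellarg($convertBinary),
        escapeshellarg($frame),
        escapeshellarg($target),
    ]);
}

// Constructed inputs for demonstration; the rejected ones never reach the shell.
foreach (['3', 12, '-1', '3.0', 'abc', ''] as $candidate) {
    try {
        $cmd = buildConvertCommand('/usr/bin/convert', 'input.gif', $candidate, 'out.png');
        echo 'accepted ' . var_export($candidate, true) . ': ' . $cmd . "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected ' . var_export($candidate, true) . ': ' . $e->getMessage() . "\n";
    }
}
```

Only '3' and 12 are accepted; the rest are refused by the integer filter rather than being quoted and forwarded, which is the difference between validating the index and merely escaping it.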



Reply sent to Mathieu Parent <sathieu@debian.org>:
You have taken responsibility. (Tue, 26 Sep 2017 20:57:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 26 Sep 2017 20:57:10 GMT)


Message #10 received at 876400-close@bugs.debian.org:

From: Mathieu Parent <sathieu@debian.org>
To: 876400-close@bugs.debian.org
Subject: Bug#876400: fixed in php-horde-image 2.5.2-1
Date: Tue, 26 Sep 2017 20:55:44 +0000
Source: php-horde-image
Source-Version: 2.5.2-1

We believe that the bug you reported is fixed in the latest version of
php-horde-image, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sathieu@debian.org> (supplier of updated php-horde-image package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 26 Sep 2017 22:24:21 +0200
Source: php-horde-image
Binary: php-horde-image
Architecture: source all
Version: 2.5.2-1
Distribution: unstable
Urgency: medium
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sathieu@debian.org>
Description:
 php-horde-image - ${phppear:summary}
Closes: 876400
Changes:
 php-horde-image (2.5.2-1) unstable; urgency=medium
 .
   * New upstream version 2.5.2
     - CVE-2017-14650: remote code execution in _raw() via $index parameter
       (Closes: #876400)




Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#876400; Package src:php-horde-image. (Sat, 23 Jun 2018 10:39:04 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Sat, 23 Jun 2018 10:39:04 GMT)


Message #15 received at 876400@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 865504@bugs.debian.org, 865505@bugs.debian.org, 876400@bugs.debian.org
Cc: team@security.debian.org
Subject: php-horde-image 2.3.6-1+deb9u1 (CVE-2017-9773, CVE-2017-9774 & CVE-2017-14650)
Date: Sat, 23 Jun 2018 11:38:12 +0100
Hi,

I've prepared an upload to fix the following:

 php-horde-image (2.3.6-1+deb9u1) stretch-security; urgency=high
  
  * CVE-2017-9773: Prevent a denial of service attack by ensuring an infinite
    loop cannot be triggered by a malicious request. (Closes: #865504)

  * CVE-2017-9774: Prevent a remote code execution vulnerability (RCE) that was
    exploitable by a logged-in user sending a maliciously crafted HTTP GET
    request to the image backends. Note that the fix applied upstream has a
    regression in that it ignores the "force aspect ratio" option; see
    <https://github.com/horde/Image/pull/1>. This has been remedied in this
    fix. (Closes: #865505)

  * CVE-2017-14650: Prevent another RCE that was exploitable by a logged-in
    user sending a maliciously crafted GET request specifically to the "im"
    image backend. (Closes: #876400)
  
The full debdiff is attached. Please let me know if it is okay to upload.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[php-horde-image.debdiff.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#876400; Package src:php-horde-image. (Thu, 16 Aug 2018 14:42:04 GMT)


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 16 Aug 2018 14:42:04 GMT)


Message #20 received at 876400@bugs.debian.org:

From: Sébastien Delafond <seb@debian.org>
To: Chris Lamb <lamby@debian.org>
Cc: 865504@bugs.debian.org, 865505@bugs.debian.org, 876400@bugs.debian.org, team@security.debian.org
Subject: Re: php-horde-image 2.3.6-1+deb9u1 (CVE-2017-9773, CVE-2017-9774 & CVE-2017-14650)
Date: Thu, 16 Aug 2018 16:39:46 +0200
On Jun/23, Chris Lamb wrote:
> I've prepared an upload to fix the following:
> 
>  php-horde-image (2.3.6-1+deb9u1) stretch-security; urgency=high
>   
>   * CVE-2017-9773: [...]
> 
>   * CVE-2017-9774: [...]
> 
>   * CVE-2017-14650: [...]
>   
> The full debdiff is attached. Please let me know if it is okay to
> upload.

Hi Chris,

it looks OK to me, please upload to security-master.

Cheers,

--Seb



Information forwarded to debian-bugs-dist@lists.debian.org, Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>:
Bug#876400; Package src:php-horde-image. (Thu, 16 Aug 2018 15:24:05 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>. (Thu, 16 Aug 2018 15:24:05 GMT)


Message #25 received at 876400@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Sébastien Delafond <seb@debian.org>
Cc: 865504@bugs.debian.org, 865505@bugs.debian.org, 876400@bugs.debian.org, team@security.debian.org
Subject: Re: php-horde-image 2.3.6-1+deb9u1 (CVE-2017-9773, CVE-2017-9774 & CVE-2017-14650)
Date: Thu, 16 Aug 2018 16:20:47 +0100
Dear Sébastien,

> > I've prepared an upload to fix the following:
> > 
> >  php-horde-image (2.3.6-1+deb9u1) stretch-security; urgency=high
> >   
> >   * CVE-2017-9773: [...]
> >   * CVE-2017-9774: [...]
> >   * CVE-2017-14650: [...]
[…]
> it looks OK to me, please upload to security-master.

Uploaded to security-master.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Fri, 17 Aug 2018 17:09:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 17 Aug 2018 17:09:11 GMT)


Message #30 received at 876400-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 876400-close@bugs.debian.org
Subject: Bug#876400: fixed in php-horde-image 2.3.6-1+deb9u1
Date: Fri, 17 Aug 2018 17:05:09 +0000
Source: php-horde-image
Source-Version: 2.3.6-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
php-horde-image, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated php-horde-image package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 23 Jun 2018 11:09:57 +0100
Source: php-horde-image
Binary: php-horde-image
Architecture: source all
Version: 2.3.6-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Horde Maintainers <pkg-horde-hackers@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 php-horde-image - ${phppear:summary}
Closes: 865504 865505 876400
Changes:
 php-horde-image (2.3.6-1+deb9u1) stretch-security; urgency=high
 .
   * CVE-2017-9773: Prevent a denial of service attack by ensuring an infinite
     loop cannot be triggered by a malicious request. (Closes: #865504)
   * CVE-2017-9774: Prevent a remote code execution vulnerability (RCE) that was
     exploitable by a logged-in user sending a maliciously crafted HTTP GET
     request to the image backends. Note that the fix applied upstream has a
     regression in that it ignores the "force aspect ratio" option; see
     <https://github.com/horde/Image/pull/1>. This has been remedied in this
     fix. (Closes: #865505)
   * CVE-2017-14650: Prevent another RCE that was exploitable by a logged-in
     user sending a maliciously crafted GET request specifically to the "im"
     image backend. (Closes: #876400)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 28 Nov 2018 07:24:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:40:54 2019; Machine Name: buxtehude
