[pkg-horde] [SCM] Debian Horde Packages repository: horde3 package branch, debian-lenny, updated. a3873329efa3ed5797678626638afbb2bb4f48d0

Gregory Colpart gcolpart at ioakim2.evolix.net
Sun Sep 20 17:13:29 UTC 2009


The following commit has been merged in the debian-lenny branch:
commit a3873329efa3ed5797678626638afbb2bb4f48d0
Author: Gregory Colpart <gcolpart at ioakim2.evolix.net>
Date:   Sun Sep 20 18:29:19 2009 +0200

    Backport security patches from 3.3.5

diff --git a/debian/changelog b/debian/changelog
index 0342afc..8b37d08 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,11 @@
 horde3 (3.2.2+debian0-3) stable-security; urgency=high
 
   * Add patch stuff on debian/rules to have clean security patches.
+  * Backport security patches from 3.3.5, mainly fix vulnerability in image
+    form fields that allows overwriting of arbitrary local files. See
+    CVE-2009-3236 for more information. (Closes: #547318)
 
- -- Gregory Colpart <reg at debian.org>  Sun, 20 Sep 2009 18:21:44 +0200
+ -- Gregory Colpart <reg at debian.org>  Sun, 20 Sep 2009 18:24:12 +0200
 
 horde3 (3.2.2+debian0-2) unstable; urgency=high
 
diff --git a/debian/patches/0001-backport-security-patches-from-3.3.5.patch b/debian/patches/0001-backport-security-patches-from-3.3.5.patch
new file mode 100644
index 0000000..ce5740e
--- /dev/null
+++ b/debian/patches/0001-backport-security-patches-from-3.3.5.patch
@@ -0,0 +1,288 @@
+diff -uNr horde-3.2.4/lib/Horde/Form.php horde-3.2.5/lib/Horde/Form.php
+--- horde-3.2.4/lib/Horde/Form.php	2009-09-14 10:12:53.000000000 +0200
++++ horde-3.2.5/lib/Horde/Form.php	2009-09-14 10:10:30.000000000 +0200
+@ -1648,7 +1648,14 @@
+      *
+      * @var array
+      */
+-    var $_img = array();
++    var $_img;
++
++    /**
++     * A random id that identifies the image information in the session data.
++     *
++     * @var string
++     */
++    var $_random;
+ 
+     function init($show_upload = true, $show_keeporig = false, $max_filesize = null)
+     {
+@@ -1660,7 +1667,7 @@
+     function onSubmit(&$var, &$vars)
+     {
+         /* Get the upload. */
+-        $this->_getUpload($vars, $var);
++        $this->getImage($vars, $var);
+ 
+         /* If this was done through the upload button override the submitted
+          * value of the form. */
+@@ -1671,25 +1678,24 @@
+ 
+     function isValid(&$var, &$vars, $value, &$message)
+     {
+-        $field = $vars->get($var->getVarName());
+-
+         /* Get the upload. */
+-        $this->_getUpload($vars, $var);
++        $this->getImage($vars, $var);
++        $field = $vars->get($var->getVarName());
+ 
+         /* The upload generated a PEAR Error. */
+         if (is_a($this->_uploaded, 'PEAR_Error')) {
+             /* Not required and no image upload attempted. */
+-            if (!$var->isRequired() && empty($field['img']) &&
++            if (!$var->isRequired() && empty($field['hash']) &&
+                 $this->_uploaded->getCode() == UPLOAD_ERR_NO_FILE) {
+                 return true;
+             }
+ 
+             if (($this->_uploaded->getCode() == UPLOAD_ERR_NO_FILE) &&
+-                empty($field['img'])) {
++                empty($field['hash'])) {
+                 /* Nothing uploaded and no older upload. */
+                 $message = _("This field is required.");
+                 return false;
+-            } elseif (!empty($field['img'])) {
++            } elseif (!empty($field['hash'])) {
+                 /* Nothing uploaded but older upload present. */
+                 return true;
+             } else {
+@@ -1697,11 +1703,11 @@
+                 $message = $this->_uploaded->getMessage();
+                 return false;
+             }
+-        } elseif (empty($this->_img['size'])) {
++        } elseif (empty($this->_img['img']['size'])) {
+             $message = _("The image file size could not be determined or it was 0 bytes. The upload may have been interrupted.");
+             return false;
+         } elseif ($this->_max_filesize &&
+-                  $this->_img['size'] > $this->_max_filesize) {
++                  $this->_img['img']['size'] > $this->_max_filesize) {
+             $message = sprintf(_("The image file was larger than the maximum allowed size (%d bytes)."), $this->_max_filesize);
+             return false;
+         }
+@@ -1712,11 +1718,11 @@
+     function getInfo(&$vars, &$var, &$info)
+     {
+         /* Get the upload. */
+-        $this->_getUpload($vars, $var);
++        $this->getImage($vars, $var);
+ 
+         /* Get image params stored in the hidden field. */
+         $value = $var->getValue($vars);
+-        $info = $this->_img;
++        $info = $this->_img['img'];
+         if (empty($info['file'])) {
+             unset($info['file']);
+             return;
+@@ -1771,7 +1777,7 @@
+         if ($this->_uploaded === true) {
+             /* A file has been uploaded on this submit. Save to temp dir for
+              * preview work. */
+-            $this->_img['type'] = $this->getUploadedFileType($varname . '[new]');
++            $this->_img['img']['type'] = $this->getUploadedFileType($varname . '[new]');
+ 
+             /* Get the other parts of the upload. */
+             require_once 'Horde/Array.php';
+@@ -1779,19 +1785,22 @@
+ 
+             /* Get the temporary file name. */
+             $keys_path = array_merge(array($base, 'tmp_name'), $keys);
+-            $this->_img['file'] = Horde_Array::getElement($_FILES, $keys_path);
++            $this->_img['img']['file'] = Horde_Array::getElement($_FILES, $keys_path);
+ 
+             /* Get the actual file name. */
+-            $keys_path= array_merge(array($base, 'name'), $keys);
+-            $this->_img['name'] = Horde_Array::getElement($_FILES, $keys_path);
++            $keys_path = array_merge(array($base, 'name'), $keys);
++            $this->_img['img']['name'] = Horde_Array::getElement($_FILES, $keys_path);
+ 
+             /* Get the file size. */
+-            $keys_path= array_merge(array($base, 'size'), $keys);
+-            $this->_img['size'] = Horde_Array::getElement($_FILES, $keys_path);
++            $keys_path = array_merge(array($base, 'size'), $keys);
++            $this->_img['img']['size'] = Horde_Array::getElement($_FILES, $keys_path);
+ 
+             /* Get any existing values for the image upload field. */
+             $upload = $vars->get($var->getVarName());
+-            $upload['img'] = @unserialize($upload['img']);
++            if (!empty($upload['hash'])) {
++                $upload['img'] = $_SESSION['horde_form'][$upload['hash']];
++                unset($_SESSION['horde_form'][$upload['hash']]);
++            }
+ 
+             /* Get the temp file if already one uploaded, otherwise create a
+              * new temporary file. */
+@@ -1802,19 +1811,21 @@
+             }
+ 
+             /* Move the browser created temp file to the new temp file. */
+-            move_uploaded_file($this->_img['file'], $tmp_file);
+-            $this->_img['file'] = basename($tmp_file);
+-
+-            /* Store the uploaded image file data to the hidden field. */
+-            $upload['img'] = serialize($this->_img);
+-            $vars->set($var->getVarName(), $upload);
++            move_uploaded_file($this->_img['img']['file'], $tmp_file);
++            $this->_img['img']['file'] = basename($tmp_file);
+         } elseif ($this->_uploaded) {
+             /* File has not been uploaded. */
+             $upload = $vars->get($var->getVarName());
+-            if ($this->_uploaded->getCode() == 4 && !empty($upload['img'])) {
+-                $this->_img = @unserialize($upload['img']);
++            if ($this->_uploaded->getCode() == 4 &&
++                !empty($upload['hash']) &&
++                isset($_SESSION['horde_form'][$upload['hash']])) {
++                $this->_img['img'] = $_SESSION['horde_form'][$upload['hash']];
++                unset($_SESSION['horde_form'][$upload['hash']]);
+             }
+         }
++        if (isset($this->_img['img'])) {
++            $_SESSION['horde_form'][$this->getRandomId()] = $this->_img['img'];
++        }
+     }
+ 
+     function getUploadedFileType($field)
+@@ -1865,6 +1876,27 @@
+     }
+ 
+     /**
++     * Returns the current image information.
++     *
++     * @return array  The current image hash.
++     */
++    function getImage($vars, $var)
++    {
++        $this->_getUpload($vars, $var);
++        if (!isset($this->_img)) {
++            $image = $vars->get($var->getVarName());
++            if ($image) {
++                $this->loadImageData($image);
++                if (isset($image['img'])) {
++                    $this->_img = $image;
++                    $_SESSION['horde_form'][$this->getRandomId()] = $this->_img['img'];
++                }
++            }
++        }
++        return $this->_img;
++    }
++
++    /**
+      * Loads any existing image data into the image field. Requires that the
+      * array $image passed to it contains the structure:
+      *   $image['load']['file'] - the filename of the image;
+@@ -1886,10 +1918,18 @@
+             fclose($fd);
+         }
+ 
+-        $image['img'] = serialize(array('file' => $image['load']['file']));
++        $image['img'] = array('file' => $image['load']['file']);
+         unset($image['load']);
+     }
+ 
++    function getRandomId()
++    {
++        if (!isset($this->_random)) {
++            $this->_random = uniqid(mt_rand());
++        }
++        return $this->_random;
++    }
++
+     /**
+      * Return info about field type.
+      */
+diff -uNr horde-3.2.4/lib/Horde/MIME/Viewer/simple.php horde-3.2.5/lib/Horde/MIME/Viewer/simple.php
+--- horde-3.2.4/lib/Horde/MIME/Viewer/simple.php	2009-09-14 10:12:54.000000000 +0200
++++ horde-3.2.5/lib/Horde/MIME/Viewer/simple.php	2009-09-14 10:10:30.000000000 +0200
+@@ -17,6 +17,21 @@
+ class MIME_Viewer_simple extends MIME_Viewer {
+ 
+     /**
++     * Renders out the contents.
++     *
++     * @param array $params  Any parameters the Viewer may need.
++     *
++     * @return string  The rendered contents.
++     */
++    function render($params = array())
++    {
++        // Bug #8311: Unknown text parts should not be rendered inline.
++        return MIME_Contents::viewAsAttachment()
++            ? parent::render($params)
++            : _("Can not display contents of text part inline.");
++    }
++
++    /**
+      * Return the MIME type of the rendered content.
+      *
+      * @return string  MIME-type of the output content.
+diff -uNr horde-3.2.4/lib/Horde/Prefs/UI.php horde-3.2.5/lib/Horde/Prefs/UI.php
+--- horde-3.2.4/lib/Horde/Prefs/UI.php	2009-09-14 10:12:56.000000000 +0200
++++ horde-3.2.5/lib/Horde/Prefs/UI.php	2009-09-14 10:10:32.000000000 +0200
+@@ -120,9 +120,9 @@
+ 
+                         case 'number':
+                             $num = Util::getPost($pref);
+-                            if (intval($num) != $num) {
++                            if ((string)(double)$num !== $num) {
+                                 $notification->push(_("This value must be a number."), 'horde.error');
+-                            } elseif ($num == 0) {
++                            } elseif (empty($num)) {
+                                 $notification->push(_("This number must be at least one."), 'horde.error');
+                             } else {
+                                 $updated = $updated | $save->setValue($pref, $num);
+diff -uNr horde-3.2.4/lib/Horde/UI/VarRenderer/html.php horde-3.2.5/lib/Horde/UI/VarRenderer/html.php
+--- horde-3.2.4/lib/Horde/UI/VarRenderer/html.php	2009-09-14 10:12:51.000000000 +0200
++++ horde-3.2.5/lib/Horde/UI/VarRenderer/html.php	2009-09-14 10:10:26.000000000 +0200
+@@ -146,10 +146,7 @@
+     function _renderVarInput_image($form, &$var, &$vars)
+     {
+         $varname = htmlspecialchars($var->getVarName());
+-        $image = $var->getValue($vars);
+-
+-        /* Check if existing image data is being loaded. */
+-        $var->type->loadImageData($image);
++        $image = $var->type->getImage($vars, $var);
+ 
+         Horde::addScriptFile('image.js', 'horde', true);
+         $graphics_dir = $GLOBALS['registry']->getImageDir('horde');
+@@ -159,13 +156,11 @@
+ 
+         /* Check if there is existing img information stored. */
+         if (isset($image['img'])) {
+-            /* Hidden tag to store the preview image filename. */
++            /* Hidden tag to store the preview image id. */
+             $html = sprintf('<input type="hidden" name="%s" id="%s" value="%s" />',
+-                            $varname . '[img]',
+-                            $varname . '[img]',
+-                            @htmlspecialchars($image['img'], ENT_QUOTES, $this->_charset));
+-            /* Unserialize the img information to get the full array. */
+-            $image['img'] = @unserialize($image['img']);
++                            $varname . '[hash]',
++                            $varname . '[hash]',
++                            $var->type->getRandomId());
+         }
+ 
+         /* Output MAX_FILE_SIZE parameter to limit large files. */
+diff -uNr horde-3.2.4/lib/prefs.php horde-3.2.5/lib/prefs.php
+--- horde-3.2.4/lib/prefs.php	2008-03-18 18:54:39.000000000 +0100
++++ horde-3.2.5/lib/prefs.php	2009-07-12 01:39:12.000000000 +0200
+@@ -121,7 +121,7 @@
+     }
+ 
+     if ($prefs->isDirty('sidebar_width')) {
+-        $notification->push('if (window.parent && window.parent.document.getElementById(\'hf\') && window.parent.horde_menu && window.parent.horde_menu.document.getElementById(\'expandedSidebar\').style.display != \'hidden\') window.parent.document.getElementById(\'hf\').cols = window.parent.horde_menu.rtl ? \'*,' . $prefs->getValue('sidebar_width') . '\' : \'' . $prefs->getValue('sidebar_width') . ',*\';', 'javascript');
++        $notification->push('if (window.parent && window.parent.document.getElementById(\'hf\') && window.parent.horde_menu && window.parent.horde_menu.document.getElementById(\'expandedSidebar\').style.display != \'hidden\') window.parent.document.getElementById(\'hf\').cols = window.parent.horde_menu.rtl ? \'*,' . (int)$prefs->getValue('sidebar_width') . '\' : \'' . (int)$prefs->getValue('sidebar_width') . ',*\';', 'javascript');
+     }
+ 
+     if ($prefs->isDirty('theme') ||

-- 
Debian Horde Packages repository: horde3 package



More information about the pkg-horde-hackers mailing list