Bug#958850: marked as done (stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u3)

Debian Bug Tracking System Sat, 18 Jul 2020 05:14:02 -0700

Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 
<b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.ca...@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #958850,
regarding stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u3
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
958850: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958850
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

this is a follow-up for #927433 (about +deb9u2).

+  * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
+    encode+json_decode.patch:
+    + Replace (un)serialize with json_encode/json_decode to mitigate PHP object
+      injection (CVE-2019-14466).

Since I last uploaded the stretch-pu of gosa, one more CVE issue got
known and already addressed in the Git branch.

I will follow-up with a +deb9u3 upload on the +deb9u2 upload. Luckily,
this one is not as massive as the +deb9u2 one.

Greets,
Mike


-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru gosa-2.7.4+reloaded2/debian/changelog 
gosa-2.7.4+reloaded2/debian/changelog
--- gosa-2.7.4+reloaded2/debian/changelog       2019-04-19 19:03:52.000000000 
+0200
+++ gosa-2.7.4+reloaded2/debian/changelog       2020-04-25 21:51:15.000000000 
+0200
@@ -1,3 +1,12 @@
+gosa (2.7.4+reloaded2-13+deb9u3) stretch; urgency=medium
+
+  * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
+    encode+json_decode.patch:
+    + Replace (un)serialize with json_encode/json_decode to mitigate PHP object
+      injection (CVE-2019-14466).
+
+ -- Mike Gabriel <sunwea...@debian.org>  Sat, 25 Apr 2020 21:51:15 +0200
+
 gosa (2.7.4+reloaded2-13+deb9u2) stretch; urgency=medium
 
   [ Mike Gabriel ]
diff -Nru 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
--- 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
    2020-04-25 21:50:26.000000000 +0200
@@ -0,0 +1,47 @@
+From e1504e9765db2adde8b4685b5c93fbba57df868b Mon Sep 17 00:00:00 2001
+From: Fabian Henneke <fab...@henneke.me>
+Date: Mon, 29 Jul 2019 15:54:29 +0200
+Subject: [PATCH] Replace (un)serialize with json_encode/json_decode
+
+---
+ gosa-core/html/index.php | 4 ++--
+ gosa-core/html/main.php  | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/gosa-core/html/index.php
++++ b/gosa-core/html/index.php
+@@ -338,9 +338,9 @@
+                 if(isset($_COOKIE['GOsa_Filter_Settings']) || 
isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])) {
+ 
+                     if(isset($_COOKIE['GOsa_Filter_Settings'])) {
+-                        $cookie_all = 
unserialize(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++                        $cookie_all = 
json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
+                     }else{
+-                        $cookie_all = 
unserialize(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++                        $cookie_all = 
json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
+                     }
+                     if(isset($cookie_all[$ui->dn])) {
+                         $cookie = $cookie_all[$ui->dn];
+--- a/gosa-core/html/main.php
++++ b/gosa-core/html/main.php
+@@ -480,9 +480,9 @@
+ $cookie = array();
+ 
+ if(isset($_COOKIE['GOsa_Filter_Settings'])){
+-  $cookie = unserialize(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++  $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
+ }elseif(isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])){
+-  $cookie = 
unserialize(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++  $cookie = 
json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
+ }
+ 
+ /* Save filters? */
+@@ -496,7 +496,7 @@
+   if(isset($_GET['plug'])){
+     $cookie[$ui->dn]['plug'] = $_GET['plug'];
+   }
+-  @setcookie("GOsa_Filter_Settings",base64_encode(serialize($cookie)),time() 
+ (60*60*24));
++  
@setcookie("GOsa_Filter_Settings",base64_encode(json_encode($cookie)),time() + 
(60*60*24));
+ }
+ 
+ /* Show page... */
diff -Nru 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch
 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch
--- 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch
    2020-04-25 21:50:26.000000000 +0200
@@ -0,0 +1,51 @@
+From 90b674960335d888c76ca5e99027df8e7fa66f3a Mon Sep 17 00:00:00 2001
+From: Fabian Henneke <fab...@henneke.me>
+Date: Fri, 16 Aug 2019 20:27:47 +0200
+Subject: [PATCH] Fix the decoding of filter settings cookie
+
+Previously, the use of json_decode without a second paramter meant that an
+stdClass was returned, which does not allow access to properties via the index
+operator. Instead, we now use json_decode(..., true) to return an associative
+array.
+
+In order to prevent any type shenanigans, we also ensure whether the returned
+value is an array and if not, replace it with an empty one.
+---
+ gosa-core/html/index.php | 7 +++++--
+ gosa-core/html/main.php  | 7 +++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/gosa-core/html/index.php
++++ b/gosa-core/html/index.php
+@@ -338,9 +338,12 @@
+                 if(isset($_COOKIE['GOsa_Filter_Settings']) || 
isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])) {
+ 
+                     if(isset($_COOKIE['GOsa_Filter_Settings'])) {
+-                        $cookie_all = 
json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++                        $cookie_all = 
json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']), true);
+                     }else{
+-                        $cookie_all = 
json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++                        $cookie_all = 
json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']), true);
++                    }
++                    if(!is_array($cookie_all)) {
++                        $cookie_all = [];
+                     }
+                     if(isset($cookie_all[$ui->dn])) {
+                         $cookie = $cookie_all[$ui->dn];
+--- a/gosa-core/html/main.php
++++ b/gosa-core/html/main.php
+@@ -480,9 +480,12 @@
+ $cookie = array();
+ 
+ if(isset($_COOKIE['GOsa_Filter_Settings'])){
+-  $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++  $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']), 
true);
+ }elseif(isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])){
+-  $cookie = 
json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++  $cookie = 
json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']), true);
++}
++if(!is_array($cookie)) {
++  $cookie = [];
+ }
+ 
+ /* Save filters? */
diff -Nru gosa-2.7.4+reloaded2/debian/patches/series 
gosa-2.7.4+reloaded2/debian/patches/series
--- gosa-2.7.4+reloaded2/debian/patches/series  2019-04-19 19:03:52.000000000 
+0200
+++ gosa-2.7.4+reloaded2/debian/patches/series  2020-04-25 21:50:26.000000000 
+0200
@@ -55,3 +55,5 @@
 1043_smarty-add-on-function-param-types.patch
 1045_dont_use_filter_caching.patch
 1046_CVE-2019-11187_stricter-ldap-error-check.patch
+1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
+1047_CVE-2019-14466-2_replace_unserialize_with_json_encode+json_decode.patch

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---

Bug#958850: marked as done (stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u3)

Reply via email to