To fix open security holes in the dolibarr stable package, I prepared the following 3 patches. These patches are already included in unstable. They fix the following CVEs: * Fix CVE-2016-1912 (Closes: #812496) * Fix CVE-2015-8685 (Closes: #812449) * Fix CVE-2015-3935 (Closes: #787762)
This is the debdiff. Can my mentor (Raphael Hertzog) push the new package with this patch into stable ?
diff -Nru dolibarr-3.5.5+dfsg1/debian/changelog dolibarr-3.5.5+dfsg1/debian/changelog
--- dolibarr-3.5.5+dfsg1/debian/changelog 2014-12-07 15:52:53.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/changelog 2016-02-08 21:30:58.000000000 +0100
@@ -1,3 +1,11 @@
+dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high
+
+ * Fix CVE-2016-1912 (Closes: #812496)
+ * Fix CVE-2015-8685 (Closes: #812449)
+ * Fix CVE-2015-3935 (Closes: #787762)
+
+ -- Laurent Destailleur (eldy) <e...@users.sourceforge.net> Tue, 08 Sep 2015 15:22:52 +0200
+
 dolibarr (3.5.5+dfsg1-1) unstable; urgency=medium
 
 * New upstream release with 3.5.5
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 1970-01-01 01:00:00.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 2016-02-08 21:30:58.000000000 +0100
@@ -0,0 +1,35 @@
+diff --git a/htdocs/admin/agenda_extsites.php b/htdocs/admin/agenda_extsites.php
+index ac105cf..bf68c61 100644
+--- a/htdocs/admin/agenda_extsites.php
++++ b/htdocs/admin/agenda_extsites.php
+@@ -1,6 +1,7 @@
+ <?php
+-/* Copyright (C) 2008-2011 Laurent Destailleur < e...@users.sourceforge.net>
+- * Copyright (C) 2011-2014 Juanjo Menent <jmen...@2byte.es>
++/* Copyright (C) 2008-2011 Laurent Destailleur < e...@users.sourceforge.net>
++ * Copyright (C) 2011-2014 Juanjo Menent <jmen...@2byte.es>
++ * Copyright (C) 2016 Raphaël Doursenaud < rdoursen...@gpcsolutions.fr>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -88,7 +89,7 @@
+ // Save nb of agenda
+ if (! $error)
+ {
+- $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity);
++ $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity);
+ if (! $res > 0) $error++;
+ if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5;
+ $MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB;
+@@ -201,9 +202,9 @@
+ // Nb
+ print '<td width="180" class="nowrap">'.$langs->trans("AgendaExtNb",$key)."</td>";
+ // Name
+- print '<td><input type="text" class="flat hideifnotset" name="agenda_ext_name'.$key.'" value="'. (GETPOST('agenda_ext_name'.$key)?GETPOST('agenda_ext_name'.$key):$conf->global->$name) . '" size="28"></td>';
++ print '<td><input type="text" class="flat hideifnotset" name="agenda_ext_name'.$key.'" value="'. (GETPOST('agenda_ext_name'.$key)?GETPOST('agenda_ext_name'.$key, 'alpha'):$conf->global->$name) . '" size="28"></td>';
+ // URL
+- print '<td><input type="url" class="flat hideifnotset" name="agenda_ext_src'.$key.'" value="'. (GETPOST('agenda_ext_src'.$key)?GETPOST('agenda_ext_src'.$key):$conf->global->$src) . '" size="60"></td>';
++ print '<td><input type="url" class="flat hideifnotset" name="agenda_ext_src'.$key.'" value="'. (GETPOST('agenda_ext_src'.$key)?GETPOST('agenda_ext_src'.$key, 'alpha'):$conf->global->$src) . '" size="60"></td>';
+ // Color (Possible colors are limited by Google)
+ print '<td class="nowrap" align="right">';
+ //print $formadmin->selectColor($conf->global->$color, "google_agenda_color".$key, $colorlist);
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 1970-01-01 01:00:00.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 2016-02-08 21:30:58.000000000 +0100
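Review bot: The two `print` lines in the `@@ -201,9 +202,9 @@` hunk still concatenate the request value straight into a `value="…"` attribute; the added `'alpha'` argument is an input filter whose exact rules are not visible here, not an attribute-context escape, and because the ternary condition still calls the unfiltered `GETPOST('agenda_ext_name'.$key)`, a value the filter rejects prints an empty string instead of the stored `$conf->global->$name`. Escape at output as the societe.php patch in this same debdiff does, e.g. `value="'.dol_escape_htmltag(GETPOST('agenda_ext_name'.$key, 'alpha') ? GETPOST('agenda_ext_name'.$key, 'alpha') : $conf->global->$name).'"`, and the same for `agenda_ext_src`. The `@@ -1,6 +1,7 @@` hunk changes only whitespace in two copyright lines besides adding one; for a stable security update that header noise should be dropped so the patch stays minimal and easy to audit. The form-rendering loop these lines belong to starts and ends outside the hunk.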
@@ -0,0 +1,22 @@
+diff --git a/debian/changelog b/debian/changelog
+index 7d3e2e1..09dd3e0 100644
+--- a/htdocs/societe/societe.php
++++ b/htdocs/societe/societe.php
+@@ -272,7 +272,7 @@
+ $num = $db->num_rows($resql);
+ $i = 0;
+
+- $params = "&socname=".$socname."&search_nom=".$search_nom."&search_town=".$search_town;
++ $params = "&socname=".urlencode($socname)."&search_nom=".urlencode($search_nom)."&search_town=".urlencode($search_town);
+ $params.= ($sbarcode?"&sbarcode=".$sbarcode:"");
+ $params.= '&search_idprof1='.$search_idprof1;
+ $params.= '&search_idprof2='.$search_idprof2;
+@@ -348,7 +348,7 @@
+ print '<input type="hidden" name="sortfield" value="'.$sortfield.'">';
+ print '<input type="hidden" name="sortorder" value="'.$sortorder.'">';
+ if (! empty($search_nom_only) && empty($search_nom)) $search_nom=$search_nom_only;
+- print '<input class="flat" type="text" name="search_nom" value="'.$search_nom.'">';
++ print '<input class="flat" type="text" name="search_nom" value="'.dol_escape_htmltag($search_nom).'">';
+ print '</td>';
+ // Barcode
+ if (! empty($conf->barcode->enabled))
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch 1970-01-01 01:00:00.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch 2016-02-08 21:30:58.000000000 +0100
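Review bot: The escaping added in the `@@ -348,7 +348,7 @@` hunk covers only `search_nom`, while the two context lines just above it print `$sortfield` and `$sortorder` into hidden-input `value` attributes unescaped, and in the `@@ -272,7 +272,7 @@` hunk `$sbarcode`, `$search_idprof1` and `$search_idprof2` are appended to `$params` without `urlencode()`. If those variables come from the request the way `search_nom` does (presumably via GETPOST; not visible here), the same fix belongs on them: `dol_escape_htmltag($sortfield)`, `dol_escape_htmltag($sortorder)`, and `urlencode()` around the three `$params` pieces. The nested patch header `diff --git a/debian/changelog b/debian/changelog` does not match the `---`/`+++` lines, which name `htdocs/societe/societe.php`; patch tooling should take the file name from the `---`/`+++` lines, but the header is misleading and should be corrected before upload. The script section these hunks belong to begins and ends outside the patch.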
@@ -0,0 +1,37 @@
+diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
+index 7fba7f5..90eac77 100644
+--- a/htdocs/main.inc.php
++++ b/htdocs/main.inc.php
+@@ -80,13 +80,15 @@
+ // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
+ if ($type != 2)
+ {
+- $sql_inj += preg_match('/delete[\s]+from/i', $val);
+- $sql_inj += preg_match('/create[\s]+table/i', $val);
+- $sql_inj += preg_match('/update.+set.+=/i', $val);
+- $sql_inj += preg_match('/insert[\s]+into/i', $val);
+- $sql_inj += preg_match('/select.+from/i', $val);
+- $sql_inj += preg_match('/union.+select/i', $val);
+- $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
++ $sql_inj += preg_match('/delete\s+from/i', $val);
++ $sql_inj += preg_match('/create\s+table/i', $val);
++ $sql_inj += preg_match('/update.+set.+=/i', $val);
++ $sql_inj += preg_match('/insert\s+into/i', $val);
++ $sql_inj += preg_match('/select.+from/i', $val);
++ $sql_inj += preg_match('/union.+select/i', $val);
++ $sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
++ $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
++ $sql_inj += preg_match('/onerror=/i', $val);
+ }
+ // For XSS Injection done by adding javascript with script
+ // This is all cases a browser consider text is javascript:
+@@ -94,7 +96,8 @@
+ // All examples on page: http://ha.ckers.org/xss.html#XSScalc
+ $sql_inj += preg_match('/<script/i', $val);
+ if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
+- $sql_inj += preg_match('/base[\s]+href/i', $val);
++ $sql_inj += preg_match('/base[\s]+href/si', $val);
++ $sql_inj += preg_match('/<.*onmouse/si', $val); // onmouseover can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
+ if ($type == 1)
+ {
+ $sql_inj += preg_match('/javascript:/i', $val);
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/series dolibarr-3.5.5+dfsg1/debian/patches/series
--- dolibarr-3.5.5+dfsg1/debian/patches/series 2014-12-07 15:52:53.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/series 2016-02-08 21:30:58.000000000 +0100
@@ -1 +1,4 @@
 use-etc-dolibarr-conf.patch
+Fix-787762-CVE20153935.patch
+FIX-CVE-CVE20158685-CVE-2016-1912.patch
+FIX-4291-GETPOSTs.patch
\ Pas de fin de ligne à la fin du fichier
-- EMail: e...@destailleur.fr Web: http://www.destailleur.fr ------------------------------------------------------------------------------------ Google+: https://plus.google.com/+LaurentDestailleur/ Facebook: https://www.facebook.com/Destailleur.Laurent Twitter: http://www.twitter.com/eldy10 ------------------------------------------------------------------------------------ * Dolibarr (Project leader): http://www.dolibarr.org (make a donation for Dolibarr project via Paypal: cont...@destailleur.fr) * AWStats (Author) : http://awstats.sourceforge.net (make a donation for AWStats project via Paypal: cont...@destailleur.fr) * AWBot (Author) : http://awbot.sourceforge.net * CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
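Review bot: `$sql_inj += preg_match('/onerror=/i', $val);` is added inside the `if ($type != 2)` block under the `// For SQL Injection` comment, so this XSS pattern is skipped for whatever request type `$type == 2` denotes (not visible here), while the companion handler check `/<.*onmouse/si` in the `@@ -94,7 +96,8 @@` hunk runs unconditionally; move the `onerror` line next to the `onmouse` line so both apply to every `$val`. More broadly, these checks are a denylist of specific SQL keywords and two event-handler names and cannot be complete, so they should be treated as defense in depth; the durable fix for these CVEs is context-aware escaping where the values are printed, as the societe.php patch in this debdiff does, and the stable update should say so. Add a comment at the top of the block to that effect, e.g. `// Heuristic request filter only: values must still be escaped at the point of output.`. The loop that sets `$val` and `$type` begins outside the hunk, so the full set of request sources covered here cannot be confirmed from this diff.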