Hi Adam.
A fix was prepared to solve several CVE. Security team already answered me
they on't plan any DSA released for this patch. All fixes are already
included into unstable.
Can we push it into stable ? It fixes the following CVE:
* Fix CVE-2016-1912 (Closes: #812496)
* Fix CVE-2015-8685 (Closes: #812449)
* Fix CVE-2015-3935 (Closes: #787762)
This is the debdiff.
diff -Nru dolibarr-3.5.5+dfsg1/debian/changelog
dolibarr-3.5.5+dfsg1/debian/changelog
--- dolibarr-3.5.5+dfsg1/debian/changelog 2014-12-07 15:52:53.000000000
+0100
+++ dolibarr-3.5.5+dfsg1/debian/changelog 2016-02-08 21:30:58.000000000
+0100
@@ -1,3 +1,11 @@
+dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high
+
+ * Fix CVE-2016-1912 (Closes: #812496)
+ * Fix CVE-2015-8685 (Closes: #812449)
+ * Fix CVE-2015-3935 (Closes: #787762)
+
+ -- Laurent Destailleur (eldy) <e...@users.sourceforge.net> Tue, 08 Sep
2015 15:22:52 +0200
+
dolibarr (3.5.5+dfsg1-1) unstable; urgency=medium
* New upstream release with 3.5.5
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch
dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 1970-01-01
01:00:00.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 2016-02-08
21:30:58.000000000 +0100
@@ -0,0 +1,35 @@
+diff --git a/htdocs/admin/agenda_extsites.php
b/htdocs/admin/agenda_extsites.php
+index ac105cf..bf68c61 100644
+--- a/htdocs/admin/agenda_extsites.php
++++ b/htdocs/admin/agenda_extsites.php
+@@ -1,6 +1,7 @@
+ <?php
+-/* Copyright (C) 2008-2011 Laurent Destailleur <
e...@users.sourceforge.net>
+- * Copyright (C) 2011-2014 Juanjo Menent <jmen...@2byte.es>
++/* Copyright (C) 2008-2011 Laurent Destailleur <
e...@users.sourceforge.net>
++ * Copyright (C) 2011-2014 Juanjo Menent <jmen...@2byte.es>
++ * Copyright (C) 2016 Raphaël Doursenaud <
rdoursen...@gpcsolutions.fr>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -88,7 +89,7 @@
+ // Save nb of agenda
+ if (! $error)
+ {
+-
$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity);
++
$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity);
+ if (! $res > 0) $error++;
+ if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5;
+
$MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB;
+@@ -201,9 +202,9 @@
+ // Nb
+ print '<td width="180"
class="nowrap">'.$langs->trans("AgendaExtNb",$key)."</td>";
+ // Name
+- print '<td><input type="text" class="flat hideifnotset"
name="agenda_ext_name'.$key.'" value="'.
(GETPOST('agenda_ext_name'.$key)?GETPOST('agenda_ext_name'.$key):$conf->global->$name)
. '" size="28"></td>';
++ print '<td><input type="text" class="flat hideifnotset"
name="agenda_ext_name'.$key.'" value="'.
(GETPOST('agenda_ext_name'.$key)?GETPOST('agenda_ext_name'.$key,
'alpha'):$conf->global->$name) . '" size="28"></td>';
+ // URL
+- print '<td><input type="url" class="flat hideifnotset"
name="agenda_ext_src'.$key.'" value="'.
(GETPOST('agenda_ext_src'.$key)?GETPOST('agenda_ext_src'.$key):$conf->global->$src)
. '" size="60"></td>';
++ print '<td><input type="url" class="flat hideifnotset"
name="agenda_ext_src'.$key.'" value="'.
(GETPOST('agenda_ext_src'.$key)?GETPOST('agenda_ext_src'.$key,
'alpha'):$conf->global->$src) . '" size="60"></td>';
+ // Color (Possible colors are limited by Google)
+ print '<td class="nowrap" align="right">';
+ //print $formadmin->selectColor($conf->global->$color,
"google_agenda_color".$key, $colorlist);
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch
dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch
--- dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 1970-01-01
01:00:00.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 2016-02-08
21:30:58.000000000 +0100
@@ -0,0 +1,22 @@
+diff --git a/debian/changelog b/debian/changelog
+index 7d3e2e1..09dd3e0 100644
+--- a/htdocs/societe/societe.php
++++ b/htdocs/societe/societe.php
+@@ -272,7 +272,7 @@
+ $num = $db->num_rows($resql);
+ $i = 0;
+
+- $params =
"&socname=".$socname."&search_nom=".$search_nom."&search_town=".$search_town;
++ $params =
"&socname=".urlencode($socname)."&search_nom=".urlencode($search_nom)."&search_town=".urlencode($search_town);
+ $params.= ($sbarcode?"&sbarcode=".$sbarcode:"");
+ $params.= '&search_idprof1='.$search_idprof1;
+ $params.= '&search_idprof2='.$search_idprof2;
+@@ -348,7 +348,7 @@
+ print '<input type="hidden" name="sortfield" value="'.$sortfield.'">';
+ print '<input type="hidden" name="sortorder" value="'.$sortorder.'">';
+ if (! empty($search_nom_only) && empty($search_nom))
$search_nom=$search_nom_only;
+- print '<input class="flat" type="text" name="search_nom"
value="'.$search_nom.'">';
++ print '<input class="flat" type="text" name="search_nom"
value="'.dol_escape_htmltag($search_nom).'">';
+ print '</td>';
+ // Barcode
+ if (! empty($conf->barcode->enabled))
diff -Nru
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
---
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
1970-01-01
01:00:00.000000000 +0100
+++
dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch
2016-02-08
21:30:58.000000000 +0100
@@ -0,0 +1,37 @@
+diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
+index 7fba7f5..90eac77 100644
+--- a/htdocs/main.inc.php
++++ b/htdocs/main.inc.php
+@@ -80,13 +80,15 @@
+ // For SQL Injection (only GET and POST are used to be included into
bad escaped SQL requests)
+ if ($type != 2)
+ {
+- $sql_inj += preg_match('/delete[\s]+from/i', $val);
+- $sql_inj += preg_match('/create[\s]+table/i', $val);
+- $sql_inj += preg_match('/update.+set.+=/i', $val);
+- $sql_inj += preg_match('/insert[\s]+into/i', $val);
+- $sql_inj += preg_match('/select.+from/i', $val);
+- $sql_inj += preg_match('/union.+select/i', $val);
+- $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
++ $sql_inj += preg_match('/delete\s+from/i', $val);
++ $sql_inj += preg_match('/create\s+table/i', $val);
++ $sql_inj += preg_match('/update.+set.+=/i', $val);
++ $sql_inj += preg_match('/insert\s+into/i', $val);
++ $sql_inj += preg_match('/select.+from/i', $val);
++ $sql_inj += preg_match('/union.+select/i', $val);
++ $sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
++ $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
++ $sql_inj += preg_match('/onerror=/i', $val);
+ }
+ // For XSS Injection done by adding javascript with script
+ // This is all cases a browser consider text is javascript:
+@@ -94,7 +96,8 @@
+ // All examples on page: http://ha.ckers.org/xss.html#XSScalc
+ $sql_inj += preg_match('/<script/i', $val);
+ if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i',
$val);
+- $sql_inj += preg_match('/base[\s]+href/i', $val);
++ $sql_inj += preg_match('/base[\s]+href/si', $val);
++ $sql_inj += preg_match('/<.*onmouse/si', $val); // onmouseover
can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
+ if ($type == 1)
+ {
+ $sql_inj += preg_match('/javascript:/i', $val);
diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/series
dolibarr-3.5.5+dfsg1/debian/patches/series
--- dolibarr-3.5.5+dfsg1/debian/patches/series 2014-12-07
15:52:53.000000000 +0100
+++ dolibarr-3.5.5+dfsg1/debian/patches/series 2016-02-08
21:30:58.000000000 +0100
@@ -1 +1,4 @@
use-etc-dolibarr-conf.patch
+Fix-787762-CVE20153935.patch
+FIX-CVE-CVE20158685-CVE-2016-1912.patch
+FIX-4291-GETPOSTs.patch
\ Pas de fin de ligne à la fin du fichier
2015-09-03 18:43 GMT+02:00 Adam D. Barratt <a...@adam-barratt.org.uk>:
> Control: tags -1 + moreinfo
>
> On 2015-09-03 15:44, Laurent Destailleur (eldy) wrote:
>
>> A security error CVE-2015-3935 was reported for Dolibarr ERP CRM
>> package. This bug is fixed into official package 3.5.7 of Dolibarr.
>> Package 3.5.7 is a maintenance release compared to 3.5.5 and contains
>> only fixes. But not only bugs reported to debian, it includes also
>> other fixes (but they are all related to stability or security).
>> I think it is a better solution to validate this maintenance release
>> based on the new upstream version of Dolibarr than applying a patch of
>> the only CVE-2015-3935.
>>
> [...]
>
>> So I just need to know if it's ok to push such a version 3.5.7 (fixes
>> for 3.5.* branch) instead of only one fix for only the few (the only)
>> reported debian bugs,
>> since it provides more stability and is or me a more secured process.
>>
>
> Certainly not whilst neither the CVE fix nor 3.5.7 are in unstable (which
> still has 3.5.5 without the fix, afaict).
>
> Regards,
>
> Adam
>
--
EMail: e...@destailleur.fr
Web: http://www.destailleur.fr
------------------------------------------------------------------------------------
Google+: https://plus.google.com/+LaurentDestailleur/
Facebook: https://www.facebook.com/Destailleur.Laurent
Twitter: http://www.twitter.com/eldy10
------------------------------------------------------------------------------------
* Dolibarr (Project leader): http://www.dolibarr.org (make a donation for
Dolibarr project via Paypal: cont...@destailleur.fr)
* AWStats (Author) : http://awstats.sourceforge.net (make a donation for
AWStats project via Paypal: cont...@destailleur.fr)
* AWBot (Author) : http://awbot.sourceforge.net
* CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
