
Bug#785154: marked as done (jessie-pu: package phpbb3/3.0.12-5+deb8u1)



Your message dated Sat, 06 Jun 2015 13:11:11 +0100
with message-id <1433592671.2987.12.camel@adam-barratt.org.uk>
and subject line Fix released with 8.1 point release
has caused the Debian Bug report #785154,
regarding jessie-pu: package phpbb3/3.0.12-5+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
785154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785154
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Please accept the fix for CVE-2015-3880 in Jessie, tagged as <no-dsa> as
agreed with the security team. Attached debdiff, similar request for
Wheezy follows.

Regards

David
diff --git a/changelog b/changelog
index f0fb324..c8b1f20 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,11 @@
+phpbb3 (3.0.12-5+deb8u1) jessie; urgency=medium
+
+  * Fix possible redirection on Chrome: an insufficient check allowed users of
+    the Google Chrome browser to be redirected to external domains (e.g. on
+    login) [CVE-2015-3880]
+
+ -- David Prévot <taffit@debian.org>  Tue, 12 May 2015 15:52:23 -0400
+
 phpbb3 (3.0.12-5) unstable; urgency=medium
 
   * Fix authentication setup: another PHP 5.6 compatibility issue, the
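Review bot: The new 3.0.12-5+deb8u1 entry describes the vulnerability but not the behaviour an administrator will see after upgrading. Per the includes/functions.php changes carried in patches/fix_CVE-2015-3880.patch, a redirect whose host does not match now ends in the error 'Tried to redirect to potentially insecure url.' instead of falling back to the board URL. One more line in the entry saying so would let someone reading the point-release changelog connect that error message to this fix.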
diff --git a/patches/fix_CVE-2015-3880.patch b/patches/fix_CVE-2015-3880.patch
new file mode 100644
index 0000000..320d589
--- /dev/null
+++ b/patches/fix_CVE-2015-3880.patch
@@ -0,0 +1,32 @@
+Description: Fix possible redirection on Chrome
+ An insufficient check allowed users of the Google Chrome browser to be
+ redirected to external domains (e.g. on login).
+ [CVE-2015-3880]
+Author: Marc Alexander <admin@m-a-styles.de>, Joas Schilling <nickvergessen@gmx.de>
+Origin: upstream, https://github.com/phpbb/phpbb/commit/1a3350619f428d9d69d196c52128727e27ef2f04
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>
+Last-Update: 2015-05-09
+--- a/includes/functions.php
++++ b/includes/functions.php
+@@ -2492,7 +2492,7 @@
+ 		// Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work)
+ 		if (!$disable_cd_check && $url_parts['host'] !== $user->host)
+ 		{
+-			$url = generate_board_url();
++			trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
+ 		}
+ 	}
+ 	else if ($url[0] == '/')
+@@ -2579,6 +2579,12 @@
+ 		}
+ 	}
+ 
++	// Make sure we don't redirect to external URLs
++	if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
++	{
++		trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
++	}
++
+ 	// Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
+ 	if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)
+ 	{
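Review bot: In the first includes/functions.php hunk, the host-mismatch branch goes from `$url = generate_board_url();` to `trigger_error(..., E_USER_ERROR)`, so a mismatch that used to fall back to the board URL now stops with an error. The context comment in that hunk says yourdomain.com -> www.yourdomain.com will not work unless $disable_cd_check is set, so for a stable update it is worth confirming that any caller redirecting between such hosts passes $disable_cd_check. In the second hunk, the added check `strpos($url, generate_board_url(true) . '/') !== 0` relies on the appended '/' to stop a longer host name that merely begins with the board's host from passing the prefix match; the comment above it could say that, so the slash is not dropped in a later cleanup. That check also runs on the raw $url while the linebreak check right after it works on urldecode($url); a short comment on why the raw form is the right one to compare would help. The message string is now hard-coded in two places and would be easier to keep in sync if defined once.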
diff --git a/patches/series b/patches/series
index c79ff46..f3998ad 100644
--- a/patches/series
+++ b/patches/series
@@ -9,3 +9,4 @@ fix_CVE-2015-1431.patch
 fix_CVE-2015-1432.patch
 improve_php_5.6_compatibility.patch
 add_phpbb_prefix_to_ldap_escape.patch
+fix_CVE-2015-3880.patch



--- End Message ---
--- Begin Message ---
Version: 8.1

Hi,

The fix discussed in this bug was released to stable as part of the 8.1
point release earlier today.

Regards,

Adam

--- End Message ---
