tags 606386 + patch
tags 606386 + pending
thanks
Dear maintainer,
I've prepared an NMU for cakephp (versioned as 1.3.2-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Jonathan Wiltshire (jmw)
diff -Nru cakephp-1.3.2/debian/changelog cakephp-1.3.2/debian/changelog
cakephp-1.3.2/debian/changelog 2010-06-15 10:05:27.000000000 +0100
+++ cakephp-1.3.2/debian/changelog 2010-12-14 15:45:50.000000000 +0000
@@ -1,3 +1,11 @@
+cakephp (1.3.2-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Patch for CVE-2010-4335 (unsafe unserialize)
+ Closes: #606386
+
+ -- Jonathan Wiltshire <jmw@debian.org> Tue, 14 Dec 2010 15:41:20 +0000
+
cakephp (1.3.2-1) unstable; urgency=low
* New upstream release (Closes: #585684)
diff -Nru cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff
cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff 1970-01-01 01:00:00.000000000 +0100
+++ cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff 2010-12-14 15:49:52.000000000 +0000
@@ -0,0 +1,61 @@
+Description: protect against an unsafe serialise CVE-2010-4335
+Origin: https://github.com/cakephp/cakephp/...62cbb353cb
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug`6386
+Last-Update: 2010-12-14
+
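Review bot: the Bug-Debian URL in this DEP-3 header ends in `bug`6386`, which reads like a quoted-printable `=60` decoded as a backtick where `?bug=606386` was intended; check that the on-disk patch header carries the full bug number. The Description also says "unsafe serialise" while the changelog entry says "unsafe unserialize"; the latter is the actual issue and the two should agree.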
+diff --git a/cake/libs/controller/components/security.php b/cake/libs/controller/components/security.php
+index c267c6c..7e5b3b2 100644
+ a/cake/libs/controller/components/security.php
++++ b/cake/libs/controller/components/security.php
+@@ -618,10 +618,15 @@ class SecurityComponent extends Object {
+ }
+ unset($check['_Token']);
+
++ $locked = str_rot13($locked);
++ if (preg_match('/(\A|;|{|})O\:[0-9]+/', $locked)) {
++ return false;
++ }
++
+ $lockedFields = array();
+ $fields = Set::flatten($check);
+ $fieldList = array_keys($fields);
+- $locked = unserialize(str_rot13($locked));
++ $locked = unserialize($locked);
+ $multi = array();
+
+ foreach ($fieldList as $i => $key) {
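Review bot: the new check is a denylist regex that rejects only `O:` object tokens at the start of the string or after `;`, `{` or `}`, while unserialize() still runs on request-supplied data; it therefore depends on the pattern covering every form PHP will instantiate an object from (it does not, for instance, match the `C:` custom-serialisation token), so it is worth recording in the DEP-3 header that this is the upstream stopgap rather than a move away from unserialize() on the `_Token` fields. Two smaller points: decoding the rot13 before the check is the right order, since the pattern must see the plain serialised form; and `{` and `}` inside `(\A|;|{|})` are unescaped, which PCRE tolerates here but `\{|\}` would be clearer.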
+diff --git a/cake/tests/cases/libs/controller/components/security.test.php b/cake/tests/cases/libs/controller/components/security.test.php
+index 883f1c8..bbd5141 100644
+ a/cake/tests/cases/libs/controller/components/security.test.php
++++ b/cake/tests/cases/libs/controller/components/security.test.php
+@@ -608,6 +608,30 @@ DIGEST;
+ $result = $this->Controller->Security->validatePost($this->Controller);
+ $this->assertFalse($result, 'validatePost passed when key was missing. %s');
+ }
++
++/**
++ * Test that objects can't be passed into the serialized string. This was a vector for RFI and LFI
++ * attacks. Thanks to Felix Wilhelm
++ *
++ * @return void
++ */
++ function testValidatePostObjectDeserialize() {
++ $this->Controller->Security->startup($this->Controller);
++ $key = $this->Controller->params['_Token']['key'];
++ $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877';
++
++ // a corrupted serialized object, so we can see if it ever gets to deserialize
++ $attack = 'O:3:"App":1:{s:5:"__map";a:1:{s:3:"foo";s:7:"Hacked!";s:1:"fail"}}';
++ $fields .= urlencode(':' . str_rot13($attack));
++
++ $this->Controller->data = array(
++ 'Model' => array('username' => 'mark', 'password' => 'foo', 'valid' => '0'),
++ '_Token' => compact('key', 'fields')
++ );
++ $result = $this->Controller->Security->validatePost($this->Controller);
++ $this->assertFalse($result, 'validatePost passed when key was missing. %s');
++ }
++
+ /**
+ * Tests validation of checkbox arrays
+ *
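Review bot: the assertion message on the closing assertFalse, 'validatePost passed when key was missing. %s', is copied from the preceding test and does not describe this case; change it to something like 'validatePost passed with a serialized object in the fields token. %s' so a failure reads correctly. The test otherwise only checks the return value; the comment on the `$attack` line explains that the payload is deliberately malformed so that any unserialize() call would surface as a PHP notice, and that reasoning belongs in the docblock as well, since the "RFI and LFI" wording there does not say what the assertion actually proves.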
diff -Nru cakephp-1.3.2/debian/patches/series cakephp-1.3.2/debian/patches/series
cakephp-1.3.2/debian/patches/series 2010-06-15 10:05:27.000000000 +0100
+++ cakephp-1.3.2/debian/patches/series 2010-12-14 15:40:13.000000000 +0000
@@ -1,2 +1,3 @@
01-remove-shebang.diff
02-cake-binary-libs.diff
+03-CVE-2010-4335.diff
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org