Debian Security Advisory

DLA-1395-1 php-horde-image -- LTS security update

Date Reported:
22 Jun 2018
Affected Packages:
php-horde-image
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 876400.
In Mitre's CVE dictionary: CVE-2017-9774, CVE-2017-14650.
More information:

It was discovered that there were two remote code execution vulnerabilities in php-horde-image, the image processing library for the Horde (https://www.horde.org/) groupware tool:

  • CVE-2017-9774

    A remote code execution (RCE) vulnerability, exploitable by a logged-in user sending a maliciously crafted HTTP GET request to various image backends.

    Note that the fix applied upstream has a regression in that it ignores the force aspect ratio option; see https://github.com/horde/Image/pull/1.

  • CVE-2017-14650

    Another RCE, exploitable by a logged-in user sending a maliciously crafted HTTP GET request specifically to the im (ImageMagick command-line) image backend.

For Debian 8 Jessie, these issues have been fixed in php-horde-image version 2.1.0-4+deb8u1.

We recommend that you upgrade your php-horde-image packages.
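The following is an added example and is not part of this advisory or of the Debian or Horde code. It re-implements the dpkg version ordering (deb-version(7)) in Python so that a package inventory collected from a fleet of Debian 8 hosts can be checked offline against the fixed version 2.1.0-4+deb8u1; the host names, the inventory lines and the php-horde-core version shown in it are constructed for the example. On a single host the same decision is made by dpkg --compare-versions "$(dpkg-query -W -f='${Version}' php-horde-image)" lt 2.1.0-4+deb8u1, which exits 0 when the installed package is still affected.

```python
"""Check a Debian package inventory against the fixed version from DLA-1395-1.

Added example (not part of the advisory or of the Debian/Horde code). The
comparison mirrors dpkg's verrevcmp() as described in deb-version(7), so
'~' sorts before anything (backport versions are older), letters sort
before other non-digits, and digit runs compare numerically.
"""

FIXED_VERSION = "2.1.0-4+deb8u1"   # fixed version for Debian 8 from DLA-1395-1
PACKAGE = "php-horde-image"


def _order(c: str) -> int:
    """Weight of one character in a non-digit run: '~' < end-of-string/digit < letters < other."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision fragment dpkg-style."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: lexical comparison with the modified ordering above.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1          # a has more digits left, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def split_version(v: str):
    """Split [epoch:]upstream_version[-debian_revision] into its three parts."""
    epoch = 0
    if ":" in v:
        e, _, v = v.partition(":")
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version."""
    return compare_versions(installed, fixed) < 0


# Constructed sample inventory: "<host> <package> <version>" per line, the
# shape you get by prefixing dpkg-query -W -f='${Package} ${Version}\n'
# output with the host name. Hosts and the php-horde-core version are made up.
SAMPLE_INVENTORY = """\
web1 php-horde-image 2.1.0-4
web2 php-horde-image 2.1.0-4+deb8u1
web3 php-horde-image 2.1.0-4~bpo8+1
web4 php-horde-core 1.0-1
"""


def audit(inventory: str, package: str = PACKAGE, fixed: str = FIXED_VERSION):
    """Return (host, version) pairs whose installed package is still below the fix."""
    hits = []
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1] != package:
            continue
        host, _, version = fields
        if is_vulnerable(version, fixed):
            hits.append((host, version))
    return hits


if __name__ == "__main__":
    for host, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {PACKAGE} {version} is older than {FIXED_VERSION}, still affected")
```

Two cases are worth noting when reading the results: a version carrying '~' (as jessie-backports builds do) sorts below the plain revision it is derived from and is therefore reported as affected, and an epoch ("1:") is compared before anything else, so a rebuilt package with a higher epoch is never reported even if its upstream number is lower.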