1) CVE-2020-11728

Description: "An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Session management does not use a sufficiently hard-to-guess session key. Anyone who can guess the microsecond time (and the incrementing session_id) can impersonate a session."
Bug: https://gitlab.com/davical-project/awl/-/issues/19
Patch: https://gitlab.com/davical-project/awl/-/commit/c2e808cc2420f8d870ac0a4aa9cc1f2c90562428

2) CVE-2020-11729

Description: "An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Long-term session cookies, used to provide long-term session continuity, are not generated securely, enabling a brute-force attack that may be successful."
Bug: https://gitlab.com/davical-project/awl/-/issues/18
Patch: https://gitlab.com/davical-project/awl/-/commit/535505c9acd0dda9cf664c38f5f8cb8dd61dc0cd

----

Fixed in 0.61: https://gitlab.com/davical-project/awl/-/commit/6bdacad0b4fc51583c040d3bbefdd052ed863611
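As an added illustration (not AWL's code, and not the patched 0.61 behaviour), the following Python models the weakness behind CVE-2020-11728: a key derived from the microsecond clock and an incrementing counter is reproducible from those inputs and has at most log2(candidate keys) bits of entropy, whereas a key from the OS CSPRNG is neither. The hashing shape and the sample timestamp and counter value are assumptions.

```python
# Added illustration (not AWL's code): why a session key derived from the
# microsecond clock and an incrementing counter is guessable, compared with a
# key drawn from the OS CSPRNG. Scheme shape and sample values are constructed.
import hashlib
import math
import secrets


def weak_session_key(micro_time: int, session_id: int) -> str:
    """Key built from predictable inputs (assumed shape of the pre-0.61 scheme).
    Identical inputs always yield the identical key, so anyone who can
    reproduce the inputs reproduces the key."""
    return hashlib.sha256(f"{micro_time}.{session_id}".encode()).hexdigest()


def strong_session_key(nbytes: int = 32) -> str:
    """Key from the OS CSPRNG: nbytes*8 bits of entropy, independent of time or counters."""
    return secrets.token_hex(nbytes)


def weak_key_entropy_bits(time_window_us: int, session_id_spread: int) -> float:
    """Upper bound on the entropy of the weak key for an observer who knows the
    creation time to within time_window_us microseconds and the counter to
    within session_id_spread values: log2 of the number of candidate keys."""
    return math.log2(time_window_us * session_id_spread)


def is_reproducible(generate, *args, trials: int = 5) -> bool:
    """Audit check: a generator whose output repeats for the same inputs derives
    its keys from those inputs rather than from fresh randomness."""
    first = generate(*args)
    return all(generate(*args) == first for _ in range(trials))


if __name__ == "__main__":
    # Constructed sample: session created at a known microsecond, counter 4711.
    t_us, sid = 1_586_990_000_123_456, 4711
    print("weak key reproducible:  ", is_reproducible(weak_session_key, t_us, sid))
    print("strong key reproducible:", is_reproducible(strong_session_key))
    # One second of clock uncertainty and 1000 plausible counter values.
    print(f"weak key entropy bound: {weak_key_entropy_bits(1_000_000, 1000):.1f} bits")
    print(f"CSPRNG key entropy:     {32 * 8} bits")
```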
It looks like an easy fix. These are the only changes in v0.61:

2020-04-13 Florian Schlichting <fsfs@debian.org>
  * release awl 0.61
  * Update AUTHORS and ChangeLog

2020-04-04 Florian Schlichting <fsfs@debian.org>
  * Disallow current time as a session key (fix: #19, CVE-2020-11728)
  * Drop LSIDLogin function (fix: #18, CVE-2020-11729)

2019-02-27 Jamie McClymont <jamiemcclymont@catalyst.net.nz>
  * Make olson_from_tzstring faster by caching timezone_identifiers_list

2019-12-06 Florian Schlichting <fsfs@debian.org>
  * myComponentTest.php: drop empty setUp function, which causes make test to fail with PHPUnit 8
  * use foreach() instead of deprecated each() (see davical-project/davical#190)

2019-01-30 Florian Schlichting <fsfs@debian.org>
  * release awl 0.60
  * Update AUTHORS and ChangeLog
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9eab139bd32fb43fb2d42f02a942a1e2baccfebd

commit 9eab139bd32fb43fb2d42f02a942a1e2baccfebd
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-04-21 13:37:04 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-04-21 13:38:45 +0000

    dev-php/awl: remove old vulnerable versions.

    Bug: https://bugs.gentoo.org/718736
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/awl/Manifest        |  2 --
 dev-php/awl/awl-0.59.ebuild | 33 ---------------------------------
 dev-php/awl/awl-0.60.ebuild | 33 ---------------------------------
 3 files changed, 68 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53db769dc5145930f52953843761c4b81225060c

commit 53db769dc5145930f52953843761c4b81225060c
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-04-21 13:36:00 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-04-21 13:38:44 +0000

    dev-php/awl: new v0.61 to address CVE-2020-{11728,11729}.

    Bug: https://bugs.gentoo.org/718736
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/awl/Manifest        |  1 +
 dev-php/awl/awl-0.61.ebuild | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
All done.
Thanks mjo, very quick. :)
uh, davical needs to be updated to 1.1.9.3 at the same time, which is the only reason for awl to exist in the portage tree afaik .. why not wait a day for the proxy maintainer to comment on this? see https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c
(In reply to Till Schäfer from comment #5)
> uh, davical needs to be updated to 1.1.9.3 at the same time, which is the
> only reason for awl to exist in the portage tree afaik ..
> why not wait a day for the proxy maintainer to comment on this?
>
> see
> https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c

will create a pull request on github
(In reply to Till Schäfer from comment #5)
> uh, davical needs to be updated to 1.1.9.3 at the same time, which is the
> only reason for awl to exist in the portage tree afaik ..
> why not wait a day for the proxy maintainer to comment on this?
>
> see
> https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c

I saw a vulnerability in AWL and reported it. I hadn't seen DAViCal is also in tree. Obviously this has already been cleaned up, so this needs a new bug. I assume DAViCal isn't vulnerable, just currently left in a broken state? If it depends on a specific version, it should be specified in the ebuild (is it? I have not checked) so removals would trigger a CI problem.
Typically, davical is compatible with newer awl versions, thus there is a >= dependency. But this time LSID was removed. Created Bug 718750 to track this.
(In reply to Till Schäfer from comment #5)
> why not wait a day for the proxy maintainer to comment on this?
>
> see
> https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c

I apologize, I tested the update on our davical-1.1.8 and it didn't hurt anything. That commit above looks only cosmetic? In any case, I didn't mean to step on your toes, just stuck at home overly-bored.
(In reply to Michael Orlitzky from comment #9)
> (In reply to Till Schäfer from comment #5)
> > why not wait a day for the proxy maintainer to comment on this?
> >
> > see
> > https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c
>
> I apologize, I tested the update on our davical-1.1.8 and it didn't hurt
> anything. That commit above looks only cosmetic? In any case, I didn't mean
> to step on your toes, just stuck at home overly-bored.

I guess it is not utterly broken, just some corner cases. Just created the pull request (see the referenced bug). All fine, stay healthy! There is no need for another virus stepping through an awl vulnerability here, too :).

BTW: is there a reason you are sticking with an outdated, not-in-tree version of davical with other security flaws (e.g. CVE-2019-18345)? If so, please file a bug report (maybe it is fixable from my side).
(In reply to Till Schäfer from comment #10)
>
> BTW: is there a reason you are sticking with an outdated, not in tree
> version of davical with other security flaws (e.g. CVE-2019-18345)? If so,
> please report a bug report (maybe it is fixable from my side).

Personal laziness, I'll upgrade today, I promise.