Created attachment 237299 [details] Address ZDI-20-1051 / ZDI-CAN-10436. Address ZDI-20-1051 / ZDI-CAN-10436: Prevent deserializing a class. This seems related to CVE-2022-30287. See <https://www.zerodayinitiative.com/advisories/ZDI-20-1051/>. Patche from <https://github.com/horde/imp/pull/10/files>.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=dfa4c773430c9297b3f54d3b1a1202e18e7f120d commit dfa4c773430c9297b3f54d3b1a1202e18e7f120d Author: Thierry Thomas <thierry@FreeBSD.org> AuthorDate: 2022-10-14 08:35:37 +0000 Commit: Thierry Thomas <thierry@FreeBSD.org> CommitDate: 2022-10-28 17:12:27 +0000 mail/horde-imp: address ZDI-20-1051 / ZDI-CAN-10436 PR: 267049 Approved by: maintainer’s time-out Obtained from: https://github.com/horde/imp/pull/10/files Fixes: Address ZDI-20-1051 / ZDI-CAN-10436 MFH: 2022Q4 Security: https://www.zerodayinitiative.com/advisories/ZDI-20-1051/ mail/horde-imp/Makefile | 1 + mail/horde-imp/files/patch-config_prefs.php | 6 +++--- mail/horde-imp/files/patch-lib_Prefs_Sort.php (new) | 19 +++++++++++++++++++ 3 files changed, 23 insertions(+), 3 deletions(-)
A commit in branch 2022Q4 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=f25808f72426f5644fe9a1c0d0d037aa9c16fb29 commit f25808f72426f5644fe9a1c0d0d037aa9c16fb29 Author: Thierry Thomas <thierry@FreeBSD.org> AuthorDate: 2022-10-14 08:35:37 +0000 Commit: Thierry Thomas <thierry@FreeBSD.org> CommitDate: 2022-10-28 17:15:44 +0000 mail/horde-imp: address ZDI-20-1051 / ZDI-CAN-10436 PR: 267049 Approved by: maintainer’s time-out Obtained from: https://github.com/horde/imp/pull/10/files Fixes: Address ZDI-20-1051 / ZDI-CAN-10436 MFH: 2022Q4 Security: https://www.zerodayinitiative.com/advisories/ZDI-20-1051/ (cherry picked from commit dfa4c773430c9297b3f54d3b1a1202e18e7f120d) mail/horde-imp/Makefile | 1 + mail/horde-imp/files/patch-config_prefs.php | 6 +++--- mail/horde-imp/files/patch-lib_Prefs_Sort.php (new) | 19 +++++++++++++++++++ 3 files changed, 23 insertions(+), 3 deletions(-)
Committed, after maintainer’s time-out.