Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id 
<c4d20274f6d76a43fb574d2177f6e3af4235e4be.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1003018,
regarding bullseye-pu: package php-laravel-framework/6.20.14+dfsg-2+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1003018: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003018
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Security issues affecting the version in bullseye.
* Bug #1001333 (CVE-2021-43808)
* Bug #1002728 (CVE-2021-43617)

[ Impact ]
* Users of web applications using certain templating features from
  the framework may be vulnerable to XSS attacks.
* Users who host web applications relying on the framework's file upload
  validation features may be vulnerable to remote code execution attacks.

[ Tests ]
* The patches were taken from upstream; they've been tested upstream and
  are already in use through other channels.
* The test suite passes after backporting the patches.

[ Risks ]
* The tests cannot run in a clean and isolated Debian environment due to
  missing dependencies (of the tests themselves). I try to run them in a
  similar enough manner, but it could mask some types of bugs.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
* Applies a patch from upstream to fix the XSS vulnerability by making
  the template section identifiers unpredictable.
* Applies a patch from upstream to fix the remote code upload
  vulnerability by blocking .phar files.

[ Other info ]
The security team asked me to submit the update through a stable point
release. The CVEs have been labelled as "no DSA".
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/changelog 
php-laravel-framework-6.20.14+dfsg/debian/changelog
--- php-laravel-framework-6.20.14+dfsg/debian/changelog 2021-04-30 
18:23:38.000000000 +0200
+++ php-laravel-framework-6.20.14+dfsg/debian/changelog 2022-01-02 
19:58:35.000000000 +0100
@@ -1,3 +1,12 @@
+php-laravel-framework (6.20.14+dfsg-2+deb11u1) bullseye; urgency=high
+
+  * Fix security issue: XSS vulnerability in the Blade templating engine
+    (CVE-2021-43808, Closes: #1001333)
+  * Fix security issue: Failure to block the upload of executable PHP content
+    (CVE-2021-43617, Closes: #1002728)
+
+ -- Robin Gustafsson <ro...@rgson.se>  Sun, 02 Jan 2022 19:58:35 +0100
+
 php-laravel-framework (6.20.14+dfsg-2) unstable; urgency=medium

   * Fix security issue: SQL injection with Microsoft SQL Server
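Review bot: the two changelog entries would be easier to trace if they named the upstream releases the fixes were backported from (the patch headers carry "Applied-Upstream: 6.20.42" and "Applied-Upstream: 6.20.41"), since readers of the changelog will not see the DEP-3 headers; e.g. "(CVE-2021-43808, Closes: #1001333, backported from 6.20.42)". The CVE ids and Closes: references match the bugs listed under [ Reason ], and urgency=high is appropriate for a security-only upload.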
diff -Nru 
php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch 
php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch
--- 
php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch    
    1970-01-01 01:00:00.000000000 +0100
+++ 
php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch    
    2021-12-28 16:17:51.000000000 +0100
@@ -0,0 +1,192 @@
+From: Dries Vints <dr...@vints.io>
+Date: Mon, 6 Dec 2021 18:14:03 +0100
+Subject: Fix parent call
+
+Origin: 
https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828ceddb9b
+Applied-Upstream: 6.20.42
+---
+ src/Illuminate/View/Compilers/Compiler.php         |  2 +-
+ .../View/Compilers/Concerns/CompilesLayouts.php    |  6 ++---
+ src/Illuminate/View/Concerns/ManagesLayouts.php    | 26 +++++++++++++++++++++-
+ tests/View/ViewBladeCompilerTest.php               | 20 ++++++++---------
+ 4 files changed, 39 insertions(+), 15 deletions(-)
+
+diff --git a/src/Illuminate/View/Compilers/Compiler.php 
b/src/Illuminate/View/Compilers/Compiler.php
+index 08648ad..d2a9f26 100755
+--- a/src/Illuminate/View/Compilers/Compiler.php
++++ b/src/Illuminate/View/Compilers/Compiler.php
+@@ -48,7 +48,7 @@ abstract class Compiler
+      */
+     public function getCompiledPath($path)
+     {
+-        return $this->cachePath.'/'.sha1($path).'.php';
++        return $this->cachePath.'/'.sha1('v2'.$path).'.php';
+     }
+
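Review bot: the 'v2' prefix in `sha1('v2'.$path)` is a cache-key bump so that every compiled view is regenerated and compiled files that still contain a compile-time placeholder stop being served; nothing in the hunk says so, and a one-line comment above the return would keep a future maintainer from "simplifying" it back. Note also that the old `sha1($path).'.php'` files are not deleted by this change, so the cache directory keeps stale copies until an administrator clears it; worth a sentence in the changelog or release notes.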
+     /**
+diff --git a/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php 
b/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php
+index aaef617..fc6a63a 100644
+--- a/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php
++++ b/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php
+@@ -2,8 +2,6 @@
+
+ namespace Illuminate\View\Compilers\Concerns;
+
+-use Illuminate\View\Factory as ViewFactory;
+-
+ trait CompilesLayouts
+ {
+     /**
+@@ -50,7 +48,9 @@ trait CompilesLayouts
+      */
+     protected function compileParent()
+     {
+-        return ViewFactory::parentPlaceholder($this->lastSection ?: '');
++        $escapedLastSection = strtr($this->lastSection, ['\\' => '\\\\', "'" 
=> "\\'"]);
++
++        return "<?php echo 
\Illuminate\View\Factory::parentPlaceholder('{$escapedLastSection}'); ?>";
+     }
+
+     /**
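Review bot: compileParent() drops the `?: ''` fallback that the removed line applied to `$this->lastSection`, so when @parent is compiled outside any section strtr() receives a null subject. Bullseye's PHP 7.4 coerces that to '' silently, but PHP 8.1 deprecates passing null to a string parameter, so keeping `strtr($this->lastSection ?: '', ...)` would preserve the old behaviour at no cost. The escape table itself (`\` and `'`) is the right set for a single-quoted PHP literal, and moving the parentPlaceholder() call from compile time into the emitted `<?php echo ... ?>` is what lets the marker be chosen per process rather than baked into the cached view.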
+diff --git a/src/Illuminate/View/Concerns/ManagesLayouts.php 
b/src/Illuminate/View/Concerns/ManagesLayouts.php
+index 29d7155..82fb77b 100644
+--- a/src/Illuminate/View/Concerns/ManagesLayouts.php
++++ b/src/Illuminate/View/Concerns/ManagesLayouts.php
+@@ -3,6 +3,7 @@
+ namespace Illuminate\View\Concerns;
+
+ use Illuminate\Contracts\View\View;
++use Illuminate\Support\Str;
+ use InvalidArgumentException;
+
+ trait ManagesLayouts
+@@ -28,6 +29,13 @@ trait ManagesLayouts
+      */
+     protected static $parentPlaceholder = [];
+
++    /**
++     * The parent placeholder salt for the request.
++     *
++     * @var string
++     */
++    protected static $parentPlaceholderSalt;
++
+     /**
+      * Start injecting content into a section.
+      *
+@@ -168,12 +176,28 @@ trait ManagesLayouts
+     public static function parentPlaceholder($section = '')
+     {
+         if (! isset(static::$parentPlaceholder[$section])) {
+-            static::$parentPlaceholder[$section] = 
'##parent-placeholder-'.sha1($section).'##';
++            $salt = static::parentPlaceholderSalt();
++
++            static::$parentPlaceholder[$section] = 
'##parent-placeholder-'.sha1($salt.$section).'##';
+         }
+
+         return static::$parentPlaceholder[$section];
+     }
+
++    /**
++     * Get the parent placeholder salt.
++     *
++     * @return string
++     */
++    protected static function parentPlaceholderSalt()
++    {
++        if (! static::$parentPlaceholderSalt) {
++            return static::$parentPlaceholderSalt = Str::random(40);
++        }
++
++        return static::$parentPlaceholderSalt;
++    }
++
+     /**
+      * Check if section exists.
+      *
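Review bot: the docblock for $parentPlaceholderSalt says "for the request", but it is a static property, so the salt lives for the PHP process: one request under PHP-FPM, but shared across requests in a long-running worker. That is still sufficient for the purpose (the `##parent-placeholder-...##` marker only has to be unguessable by whoever supplies content that is rendered into a section, which sha1($salt.$section) with a 40-character Str::random() salt achieves), but the comment should say "for the process". Minor: `if (! static::$parentPlaceholderSalt)` is a falsy test rather than a null check; harmless because Str::random(40) never yields an empty string, but `=== null` would state the intent.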
+diff --git a/tests/View/ViewBladeCompilerTest.php 
b/tests/View/ViewBladeCompilerTest.php
+index fd61b8c..eddf9e2 100644
+--- a/tests/View/ViewBladeCompilerTest.php
++++ b/tests/View/ViewBladeCompilerTest.php
+@@ -18,7 +18,7 @@ class ViewBladeCompilerTest extends TestCase
+     public function testIsExpiredReturnsTrueIfCompiledFileDoesntExist()
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+-        
$files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('foo').'.php')->andReturn(false);
++        
$files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('v2foo').'.php')->andReturn(false);
+         $this->assertTrue($compiler->isExpired('foo'));
+     }
+
+@@ -33,23 +33,23 @@ class ViewBladeCompilerTest extends TestCase
+     public function testIsExpiredReturnsTrueWhenModificationTimesWarrant()
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+-        
$files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('foo').'.php')->andReturn(true);
++        
$files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('v2foo').'.php')->andReturn(true);
+         
$files->shouldReceive('lastModified')->once()->with('foo')->andReturn(100);
+-        
$files->shouldReceive('lastModified')->once()->with(__DIR__.'/'.sha1('foo').'.php')->andReturn(0);
++        
$files->shouldReceive('lastModified')->once()->with(__DIR__.'/'.sha1('v2foo').'.php')->andReturn(0);
+         $this->assertTrue($compiler->isExpired('foo'));
+     }
+
+     public function testCompilePathIsProperlyCreated()
+     {
+         $compiler = new BladeCompiler($this->getFiles(), __DIR__);
+-        $this->assertEquals(__DIR__.'/'.sha1('foo').'.php', 
$compiler->getCompiledPath('foo'));
++        $this->assertEquals(__DIR__.'/'.sha1('v2foo').'.php', 
$compiler->getCompiledPath('foo'));
+     }
+
+     public function testCompileCompilesFileAndReturnsContents()
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         $files->shouldReceive('get')->once()->with('foo')->andReturn('Hello 
World');
+-        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', 
'Hello World<?php /**PATH foo ENDPATH**/ ?>');
++        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', 
'Hello World<?php /**PATH foo ENDPATH**/ ?>');
+         $compiler->compile('foo');
+     }
+
+@@ -57,7 +57,7 @@ class ViewBladeCompilerTest extends TestCase
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         $files->shouldReceive('get')->once()->with('foo')->andReturn('Hello 
World');
+-        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', 
'Hello World<?php /**PATH foo ENDPATH**/ ?>');
++        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', 
'Hello World<?php /**PATH foo ENDPATH**/ ?>');
+         $compiler->compile('foo');
+         $this->assertSame('foo', $compiler->getPath());
+     }
+@@ -73,7 +73,7 @@ class ViewBladeCompilerTest extends TestCase
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         $files->shouldReceive('get')->once()->with('foo')->andReturn('Hello 
World');
+-        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', 
'Hello World<?php /**PATH foo ENDPATH**/ ?>');
++        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', 
'Hello World<?php /**PATH foo ENDPATH**/ ?>');
+         // set path before compilation
+         $compiler->setPath('foo');
+         // trigger compilation with $path
+@@ -103,7 +103,7 @@ class ViewBladeCompilerTest extends TestCase
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         
$files->shouldReceive('get')->once()->with('foo')->andReturn($content);
+-        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', 
$compiled);
++        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', 
$compiled);
+
+         $compiler->compile('foo');
+     }
+@@ -157,7 +157,7 @@ class ViewBladeCompilerTest extends TestCase
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         $files->shouldReceive('get')->once()->with('')->andReturn('Hello 
World');
+-        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('').'.php', 'Hello 
World');
++        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2').'.php', 
'Hello World');
+         $compiler->setPath('');
+         $compiler->compile();
+     }
+@@ -166,7 +166,7 @@ class ViewBladeCompilerTest extends TestCase
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         $files->shouldReceive('get')->once()->with(null)->andReturn('Hello 
World');
+-        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1(null).'.php', 
'Hello World');
++        
$files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2').'.php', 
'Hello World');
+         $compiler->setPath(null);
+         $compiler->compile();
+     }
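Review bot: the test changes only track the 'v2' cache-path bump; nothing in this hunk exercises the behaviour the patch is for. A test in tests/View asserting that parentPlaceholder('content') no longer equals '##parent-placeholder-'.sha1('content').'##', and one asserting that compileParent() emits the runtime `\Illuminate\View\Factory::parentPlaceholder('...')` call with a section name containing a quote correctly escaped, would guard the backport against a regression when the patch is refreshed.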
diff -Nru 
php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch
 
php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch
--- 
php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch
      2022-01-02 19:57:55.000000000 +0100
@@ -0,0 +1,26 @@
+From: Stephen Rees-Carter <step...@rees-carter.net>
+Date: Thu, 18 Nov 2021 12:10:56 +1000
+Subject: Add .phar to blocked PHP extensions (#39666)
+
+By default Debian includes support for executing .phar files alongside
+.php and .phtml files, and should be included in the blocked list.
+
+Origin: 
https://github.com/laravel/framework/commit/ccea1bfcbb37cf923dc1bb30cdbf2effbfb1619c
+Applied-Upstream: 6.20.41
+---
+ src/Illuminate/Validation/Concerns/ValidatesAttributes.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Illuminate/Validation/Concerns/ValidatesAttributes.php 
b/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
+index 84e0964..6f0d8d6 100644
+--- a/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
++++ b/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
+@@ -1254,7 +1254,7 @@ trait ValidatesAttributes
+         }
+
+         $phpExtensions = [
+-            'php', 'php3', 'php4', 'php5', 'phtml',
++            'php', 'php3', 'php4', 'php5', 'phtml', 'phar',
+         ];
+
+         return ($value instanceof UploadedFile)
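Review bot: 'phar' is added to a hard-coded denylist, and the commit message justifies it only by Debian's default handler mapping (.php, .phtml and .phar); the comparison of the uploaded file's extension against $phpExtensions is outside the hunk, so confirm that it lower-cases the name before matching, otherwise an upper-case suffix would pass. Since a site with a custom handler mapping may execute other suffixes, a short comment above the array saying that the list mirrors common server defaults rather than being exhaustive would set the right expectation for administrators relying on this rule.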
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/series 
php-laravel-framework-6.20.14+dfsg/debian/patches/series
--- php-laravel-framework-6.20.14+dfsg/debian/patches/series    2021-04-30 
18:23:38.000000000 +0200
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/series    2022-01-02 
19:57:55.000000000 +0100
@@ -1 +1,3 @@
 0001-cast-to-int.patch
+0002-Fix-parent-call.patch
+0003-Add-.phar-to-blocked-PHP-extensions-39666.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.3

Hi,

The updates referenced by these bugs were included in stable as part of
this morning's 11.3 point release.

Regards,

Adam

--- End Message ---