Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id 
<540de30a27d37c3ff416b94b1adf7ff2a2cab257.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1006417,
regarding buster-pu: package php-illuminate-database/5.7.27-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1006417: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006417
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@mirbsd.de

[ Reason ]
These are two security-related backports by the new maintainer
of these binary packages for bullseye and up. I’ve been asked
to do this via the upcoming point release by the security team.

[ Impact ]
Two pending security fixes of SQL injection type not applied.

[ Tests ]
The new maintainer, who backported these fixes, has tested them
with upstream’s testsuite and provided tests for the issues
themselves.

[ Risks ]
These are backports of the patches for later versions, so
the risk is low, I guess. I’m not sufficiently familiar with
the codebase to judge myself, but they look plausible at a
quick glance.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply two patches prepared by the new maintainer and change
the Maintainer field to them.
diff -Nru php-illuminate-database-5.7.27/debian/changelog 
php-illuminate-database-5.7.27/debian/changelog
--- php-illuminate-database-5.7.27/debian/changelog     2019-02-22 
20:06:21.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/changelog     2022-02-25 
00:53:26.000000000 +0100
@@ -1,3 +1,15 @@
+php-illuminate-database (5.7.27-1+deb10u1) buster; urgency=medium
+
+  [ Robin Gustafsson ]
+  * Security fix: Query Binding Exploitation (Closes: #980899)
+    Fixes CVE-2021-21263
+  * Security fix: SQL injection with Microsoft SQL Server (Closes: #987848)
+
+  [ Thorsten Glaser ]
+  * Update Maintainer, upload to oldstable as security fixpack
+
+ -- Thorsten Glaser <t...@mirbsd.de>  Fri, 25 Feb 2022 00:53:26 +0100
+
 php-illuminate-database (5.7.27-1) unstable; urgency=medium
 
   * New upstream version.
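Review bot: the second changelog entry (SQL injection with Microsoft SQL Server, Closes: #987848) names no CVE identifier while the first entry cites CVE-2021-21263; if an identifier was assigned for the SQL Server issue it should be listed here so the security tracker can match the fix, and if none exists the entry should say so, since the changelog is what the tracker parses.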
diff -Nru php-illuminate-database-5.7.27/debian/control 
php-illuminate-database-5.7.27/debian/control
--- php-illuminate-database-5.7.27/debian/control       2019-02-22 
20:06:21.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/control       2022-02-25 
00:53:26.000000000 +0100
@@ -1,7 +1,7 @@
 Source: php-illuminate-database
 Section: php
 Priority: optional
-Maintainer: Teckids Debian Task Force <t...@lists.teckids.org>
+Maintainer: Robin Gustafsson <ro...@rgson.se>
 Uploaders: Thorsten Glaser <t...@mirbsd.de>, Dominik George 
<naturesha...@debian.org>
 Build-Depends: debhelper (>= 11~), pkg-php-tools (>= 1.7~)
 Standards-Version: 4.3.0
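Review bot: only the Maintainer line changes, so the unchanged Uploaders line at the end of the hunk still lists Thorsten Glaser and Dominik George next to the new maintainer; confirm that is intended rather than left over from the team-maintained setup, because the changelog entry only mentions updating the Maintainer field.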
diff -Nru 
php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
 
php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
--- 
php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
  2022-02-25 00:51:21.000000000 +0100
@@ -0,0 +1,96 @@
+From: Taylor Otwell <tay...@laravel.com>
+Date: Wed, 13 Jan 2021 07:35:45 -0600
+Subject: [6.x] Limit expected bindings (#35865)
+
+* limit expected bindings
+
+* limit more bindings
+
+Origin: 
https://github.com/laravel/framework/commit/d0954f4574f315f0c2e9e65e92cc74b80eadcac1
+---
+ Query/Builder.php | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -654,7 +654,7 @@ class Builder
+         );
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding($value, 'where');
++            $this->addBinding(is_array($value) ? head($value) : $value, 
'where');
+         }
+ 
+         return $this;
+@@ -1051,7 +1051,7 @@ class Builder
+ 
+         $this->wheres[] = compact('type', 'column', 'values', 'boolean', 
'not');
+ 
+-        $this->addBinding($this->cleanBindings($values), 'where');
++        $this->addBinding(array_slice($this->cleanBindings($values), 0, 2), 
'where');
+ 
+         return $this;
+     }
+@@ -1119,6 +1119,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = is_array($value) ? head($value) : $value;
++
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('Y-m-d');
+         }
+@@ -1158,6 +1160,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = is_array($value) ? head($value) : $value;
++
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('H:i:s');
+         }
+@@ -1197,6 +1201,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = is_array($value) ? head($value) : $value;
++
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('d');
+         }
+@@ -1236,6 +1242,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = is_array($value) ? head($value) : $value;
++
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('m');
+         }
+@@ -1275,6 +1283,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = is_array($value) ? head($value) : $value;
++
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('Y');
+         }
+@@ -1581,7 +1591,7 @@ class Builder
+         $this->wheres[] = compact('type', 'column', 'operator', 'value', 
'boolean');
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding($value);
++            $this->addBinding((int) $value);
+         }
+ 
+         return $this;
+@@ -1714,7 +1724,7 @@ class Builder
+         $this->havings[] = compact('type', 'column', 'operator', 'value', 
'boolean');
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding($value, 'having');
++            $this->addBinding(is_array($value) ? head($value) : $value, 
'having');
+         }
+ 
+         return $this;
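Review bot: the `is_array($value) ? head($value) : $value` guards added throughout this hunk unwrap only one level, so an array whose first element is itself an array still yields an array binding, and the `array_slice($this->cleanBindings($values), 0, 2)` at @@ -1051 has the same nesting caveat. Patch 0002 in this series replaces these with `head(Arr::flatten($value))`, so this hunk is incomplete on its own and the series must be applied as a whole; it would help to say so in the patch header.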
diff -Nru 
php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch
 
php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch
--- 
php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch
 2022-02-25 00:51:21.000000000 +0100
@@ -0,0 +1,92 @@
+From: Kane Cohen <kaneco...@gmail.com>
+Date: Thu, 21 Jan 2021 08:44:52 +0000
+Subject: Limit expected bindingx v2.
+
+Origin: 
https://github.com/laravel/framework/commit/9d3752ca5f29c4cb1c0384fb01847820b6ac492c
+---
+ Query/Builder.php | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -293,6 +293,17 @@ class Builder
+     }
+ 
+     /**
++     * Returns scalar type value from an unknown type of input.
++     *
++     * @param  mixed  $value
++     * @return mixed
++     */
++    protected function scalarValue($value)
++    {
++        return is_array($value) ? head(Arr::flatten($value)) : $value;
++    }
++
++    /**
+      * Creates a subquery and parse it.
+      *
+      * @param  \Closure|\Illuminate\Database\Query\Builder|string $query
+@@ -654,7 +665,7 @@ class Builder
+         );
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding(is_array($value) ? head($value) : $value, 
'where');
++            $this->addBinding($this->scalarValue($value), 'where');
+         }
+ 
+         return $this;
+@@ -1051,7 +1062,7 @@ class Builder
+ 
+         $this->wheres[] = compact('type', 'column', 'values', 'boolean', 
'not');
+ 
+-        $this->addBinding(array_slice($this->cleanBindings($values), 0, 2), 
'where');
++        
$this->addBinding(array_slice($this->cleanBindings(Arr::flatten($values)), 0, 
2), 'where');
+ 
+         return $this;
+     }
+@@ -1119,7 +1130,7 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
+-        $value = is_array($value) ? head($value) : $value;
++        $value = $this->scalarValue($value);
+ 
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('Y-m-d');
+@@ -1160,7 +1171,7 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
+-        $value = is_array($value) ? head($value) : $value;
++        $value = $this->scalarValue($value);
+ 
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('H:i:s');
+@@ -1242,7 +1253,7 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
+-        $value = is_array($value) ? head($value) : $value;
++        $value = $this->scalarValue($value);
+ 
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('m');
+@@ -1591,7 +1602,7 @@ class Builder
+         $this->wheres[] = compact('type', 'column', 'operator', 'value', 
'boolean');
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding((int) $value);
++            $this->addBinding((int) $this->scalarValue($value));
+         }
+ 
+         return $this;
+@@ -1724,7 +1735,7 @@ class Builder
+         $this->havings[] = compact('type', 'column', 'operator', 'value', 
'boolean');
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding(is_array($value) ? head($value) : $value, 
'having');
++            $this->addBinding($this->scalarValue($value), 'having');
+         }
+ 
+         return $this;
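Review bot: `Arr::flatten` is introduced in the new `scalarValue` helper and in the whereBetween hunk at @@ -1051, but no `use Illuminate\Support\Arr;` line is added by this patch; confirm that `Query/Builder.php` in 5.7.27 already imports `Arr`, otherwise the first call fails at runtime with an unknown class. Note also that the whereDay (@@ -1212) and whereYear (@@ -1294) call sites still carry the plain `head($value)` form after this patch; patch 0003 in the series converts them.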
diff -Nru 
php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch
 
php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch
--- 
php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch
       2022-02-25 00:51:22.000000000 +0100
@@ -0,0 +1,29 @@
+From: Kane Cohen <kaneco...@gmail.com>
+Date: Thu, 21 Jan 2021 10:48:50 +0000
+Subject: Update whereDay and whereYear to clean value.
+
+Origin: 
https://github.com/laravel/framework/commit/dbbb1c1c8a1fa0a51677b5a74fcfe0e2561ced91
+---
+ Query/Builder.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -1212,7 +1212,7 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
+-        $value = is_array($value) ? head($value) : $value;
++        $value = $this->scalarValue($value);
+ 
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('d');
+@@ -1294,7 +1294,7 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
+-        $value = is_array($value) ? head($value) : $value;
++        $value = $this->scalarValue($value);
+ 
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('Y');
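Review bot: with these two hunks every whereDate/Time/Day/Month/Year path routes through `scalarValue`, but as the description of patch 0005 explains, the orWhereDay/Month/Year methods in 5.x are separate code paths that do not delegate to these, so a test that only exercises the non-`or` variants would not cover them; the backported tests should include the `or` forms.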
diff -Nru 
php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch
 
php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch
--- 
php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch
        1970-01-01 01:00:00.000000000 +0100
+++ 
php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch
        2022-02-25 00:51:22.000000000 +0100
@@ -0,0 +1,20 @@
+From: Kane Cohen <kaneco...@gmail.com>
+Date: Thu, 21 Jan 2021 12:08:38 +0000
+Subject: Add limit bindings for having between + tests.
+
+Origin: 
https://github.com/laravel/framework/commit/c6b8168e6cbbe339fdc3af5ccdded545779965df
+---
+ Query/Builder.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -1773,7 +1773,7 @@ class Builder
+ 
+         $this->havings[] = compact('type', 'column', 'values', 'boolean', 
'not');
+ 
+-        $this->addBinding($this->cleanBindings($values), 'having');
++        
$this->addBinding(array_slice($this->cleanBindings(Arr::flatten($values)), 0, 
2), 'having');
+ 
+         return $this;
+     }
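Review bot: the subject says "+ tests" but the diffstat lists only `Query/Builder.php`, so the upstream test additions are not carried in this patch; the statement under [ Tests ] that tests were provided for these issues is therefore not verifiable from the debdiff. Consider shipping the tests (for example under debian/tests) or stating in the patch header where they were run.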
diff -Nru 
php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch
 
php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch
--- 
php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch
       2022-02-25 00:51:22.000000000 +0100
@@ -0,0 +1,40 @@
+From: Robin Gustafsson <ro...@rgson.se>
+Date: Sat, 1 May 2021 15:52:36 +0200
+Subject: Clean value in orWhereDay/Month/Year
+
+In 6.x these methods call the whereDay/Month/Year methods where
+the value is cleaned. In 5.x they don't, and so the value must
+be cleaned here too.
+---
+ Query/Builder.php | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -1235,6 +1235,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = $this->scalarValue($value);
++
+         return $this->addDateBasedWhere('Day', $column, $operator, $value, 
'or');
+     }
+ 
+@@ -1276,6 +1278,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = $this->scalarValue($value);
++
+         return $this->addDateBasedWhere('Month', $column, $operator, $value, 
'or');
+     }
+ 
+@@ -1317,6 +1321,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = $this->scalarValue($value);
++
+         return $this->addDateBasedWhere('Year', $column, $operator, $value, 
'or');
+     }
+ 
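Review bot: this patch has no Origin: line, which is consistent with it being a Debian-specific addition rather than an upstream backport, but a DEP-3 `Forwarded:` field (for example `not-needed`, given the message explains 6.x does not have this code path) would make that explicit. The message only covers orWhereDay/Month/Year; confirm that orWhereDate and orWhereTime in 5.7 delegate to their where counterparts, since otherwise they would need the same `scalarValue` call.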
diff -Nru php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch 
php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch
--- php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch        
1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch        
2022-02-25 00:51:23.000000000 +0100
@@ -0,0 +1,35 @@
+From: Taylor Otwell <taylorotw...@gmail.com>
+Date: Wed, 28 Apr 2021 08:18:19 -0500
+Subject: cast to int
+
+Origin: 
https://github.com/laravel/framework/commit/09bf1457e9df53e172e6fd5929cbafb539677c7c
+---
+ Query/Grammars/SqlServerGrammar.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/Query/Grammars/SqlServerGrammar.php
++++ b/Query/Grammars/SqlServerGrammar.php
+@@ -60,8 +60,8 @@ class SqlServerGrammar extends Grammar
+         // If there is a limit on the query, but not an offset, we will add 
the top
+         // clause to the query, which serves as a "limit" type clause within 
the
+         // SQL Server system similar to the limit keywords available in MySQL.
+-        if ($query->limit > 0 && $query->offset <= 0) {
+-            $select .= 'top '.$query->limit.' ';
++        if (is_numeric($query->limit) && $query->limit > 0 && $query->offset 
<= 0) {
++            $select .= 'top '.((int) $query->limit).' ';
+         }
+ 
+         return $select.$this->columnize($columns);
+@@ -221,10 +221,10 @@ class SqlServerGrammar extends Grammar
+      */
+     protected function compileRowConstraint($query)
+     {
+-        $start = $query->offset + 1;
++        $start = (int) $query->offset + 1;
+ 
+         if ($query->limit > 0) {
+-            $finish = $query->offset + $query->limit;
++            $finish = (int) $query->offset + (int) $query->limit;
+ 
+             return "between {$start} and {$finish}";
+         }
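Review bot: the two hunks treat the limit value inconsistently: the `top` path adds an `is_numeric($query->limit)` guard before the `(int)` cast, while `compileRowConstraint` keeps the raw `$query->limit > 0` comparison and relies on the casts alone, so a non-numeric limit produces `between 1 and 0` instead of being skipped. Since both values are interpolated straight into the SQL string rather than passed as bindings, the casts are what closes the injection; applying the same guard in both places, with a comment noting that limit and offset are interpolated, would keep the behaviour uniform.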
diff -Nru php-illuminate-database-5.7.27/debian/patches/series 
php-illuminate-database-5.7.27/debian/patches/series
--- php-illuminate-database-5.7.27/debian/patches/series        1970-01-01 
01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/series        2022-02-25 
00:52:01.000000000 +0100
@@ -0,0 +1,6 @@
+0001-6.x-Limit-expected-bindings-35865.patch
+0002-Limit-expected-bindingx-v2.patch
+0003-Update-whereDay-and-whereYear-to-clean-value.patch
+0004-Add-limit-bindings-for-having-between-tests.patch
+0005-Clean-value-in-orWhereDay-Month-Year.patch
+0006-cast-to-int.patch
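Review bot: the series lists six patch files, whereas the [ Changes ] section above speaks of applying two patches; the description should match the series. Order matters here: 0002 rewrites lines introduced by 0001, and 0003 and 0005 call the `scalarValue` helper that 0002 adds, so none of these can be dropped or reordered individually.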

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.12

Hi,

The updates referenced in these requests were included in oldstable as
part of today's 10.12 point release.

Regards,

Adam

--- End Message ---
