On Tue, Feb 25, 2025 at 01:35:09PM +0200, Adrian Bunk wrote:
>...
>  * CVE-2025-22145: Arbitrary file include in Carbon::setLocale
>
> Tagged moreinfo, as question to the security team whether they want
> this in -pu or as DSA.
Updated debdiff that also Closes: #1092680 in the changelog is attached.

cu
Adrian
diffstat for php-nesbot-carbon-2.65.0 php-nesbot-carbon-2.65.0 changelog | 8 ++++++++ patches/0001-Validate-locale-earlier.patch | 26 ++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 35 insertions(+) diff -Nru php-nesbot-carbon-2.65.0/debian/changelog php-nesbot-carbon-2.65.0/debian/changelog --- php-nesbot-carbon-2.65.0/debian/changelog 2023-01-14 23:52:26.000000000 +0200 +++ php-nesbot-carbon-2.65.0/debian/changelog 2025-02-25 13:17:47.000000000 +0200 @@ -1,3 +1,11 @@ +php-nesbot-carbon (2.65.0-1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * CVE-2025-22145: Arbitrary file include in Carbon::setLocale + (Closes: #1092680) + + -- Adrian Bunk <b...@debian.org> Tue, 25 Feb 2025 13:17:47 +0200 + php-nesbot-carbon (2.65.0-1) unstable; urgency=medium * New upstream version 2.65.0 diff -Nru php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch --- php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch 1970-01-01 02:00:00.000000000 +0200 +++ php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch 2025-02-25 13:15:28.000000000 +0200 
@@ -0,0 +1,26 @@ +From bbc3bdad25f33ba4ba129043763563046ae6a36d Mon Sep 17 00:00:00 2001 +From: kylekatarnls <kylekatar...@gmail.com> +Date: Fri, 27 Dec 2024 10:25:35 +0100 +Subject: Validate locale earlier + +(cherry picked from commit 129700ed449b1f02d70272d2ac802357c8c30c58) +--- + src/Carbon/AbstractTranslator.php | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/Carbon/AbstractTranslator.php b/src/Carbon/AbstractTranslator.php +index 8b8fe089..ffe82e43 100644 +--- a/src/Carbon/AbstractTranslator.php ++++ b/src/Carbon/AbstractTranslator.php +@@ -159,6 +159,8 @@ abstract class AbstractTranslator extends Translation\Translator + return true; + } + ++ $this->assertValidLocale($locale); ++ + foreach ($this->getDirectories() as $directory) { + $data = @include sprintf('%s/%s.php', rtrim($directory, '\\/'), $locale); + +-- +2.30.2 + diff -Nru php-nesbot-carbon-2.65.0/debian/patches/series php-nesbot-carbon-2.65.0/debian/patches/series --- php-nesbot-carbon-2.65.0/debian/patches/series 2023-01-14 23:52:26.000000000 +0200 +++ php-nesbot-carbon-2.65.0/debian/patches/series 2025-02-25 13:17:44.000000000 +0200 @@ -4,3 +4,4 @@ 0004-Drop-currently-failing-test.patch 0005-Remove-exit-call-in-unit-tests.patch 0006-Remove-unfinished-test.patch +0001-Validate-locale-earlier.patch
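Review bot: The whole fix in 0001-Validate-locale-earlier.patch is the single added call `$this->assertValidLocale($locale);` ahead of the `foreach` that does `@include sprintf('%s/%s.php', rtrim($directory, '\\/'), $locale);`, and nothing in the hunk shows that method or what it rejects; it is not defined in this patch, so on 2.65.0 it has to come from the parent `Translation\Translator` (the class is `abstract class AbstractTranslator extends Translation\Translator`) or elsewhere in the file. Since the patch was cherry-picked from upstream commit 129700ed against blobs `8b8fe089..ffe82e43` rather than the 2.65.0 tree, please confirm before upload that the bookworm Symfony Translation component's `assertValidLocale()` refuses directory separators (anything it lets through still reaches the `include` unchanged, and the `@` hides any include failure), and that the `@@ -159,6 +159,8 @@` hunk applies to 2.65.0 without fuzz. The debdiff adds no test; a small regression test that calls `setLocale()` with a locale string containing a path separator and expects the validation exception would make the backport self-checking.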
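Review bot: In the `debian/patches/series` hunk the new entry `+0001-Validate-locale-earlier.patch` reuses the `0001-` prefix while being appended after `0006-Remove-unfinished-test.patch`, so the numeric prefixes no longer reflect apply order and the name will collide with any existing or future `0001-*` patch in the sequence visible here (0004, 0005, 0006). Rename the file to `0007-Validate-locale-earlier.patch` in both `debian/patches/` and `series`; the `(cherry picked from commit 129700ed...)` line in its header already preserves the upstream provenance.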