Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <e1tto4s-005km0...@coccia.debian.org>
and subject line Close 1098872
has caused the Debian Bug report #1098872,
regarding bookworm-pu: package php-nesbot-carbon/2.65.0-1+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1098872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
* CVE-2025-22145: Arbitrary file include in Carbon::setLocale
Tagged moreinfo, as a question to the security team whether they want
this in -pu or as a DSA.
diffstat for php-nesbot-carbon-2.65.0 php-nesbot-carbon-2.65.0
changelog | 7 +++++++
patches/0001-Validate-locale-earlier.patch | 26 ++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 34 insertions(+)
diff -Nru php-nesbot-carbon-2.65.0/debian/changelog
php-nesbot-carbon-2.65.0/debian/changelog
--- php-nesbot-carbon-2.65.0/debian/changelog 2023-01-14 23:52:26.000000000
+0200
+++ php-nesbot-carbon-2.65.0/debian/changelog 2025-02-25 13:17:47.000000000
+0200
@@ -1,3 +1,10 @@
+php-nesbot-carbon (2.65.0-1+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-22145: Arbitrary file include in Carbon::setLocale
+
+ -- Adrian Bunk <b...@debian.org> Tue, 25 Feb 2025 13:17:47 +0200
+
php-nesbot-carbon (2.65.0-1) unstable; urgency=medium
* New upstream version 2.65.0
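Review bot: the changelog line `* CVE-2025-22145: Arbitrary file include in Carbon::setLocale` names the CVE but says nothing about what the fix does or where it comes from, even though the added patch header records both (`Subject: Validate locale earlier`, cherry picked from upstream commit 129700ed449b1f02d70272d2ac802357c8c30c58). Suggest a second line along the lines of `Validate the locale before it is used to build an include path (upstream commit 129700ed)` so a stable user reading the changelog can see the nature of the change without opening debian/patches.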
diff -Nru
php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch
php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch
--- php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch
1970-01-01 02:00:00.000000000 +0200
+++ php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch
2025-02-25 13:15:28.000000000 +0200
@@ -0,0 +1,26 @@
+From bbc3bdad25f33ba4ba129043763563046ae6a36d Mon Sep 17 00:00:00 2001
+From: kylekatarnls <kylekatar...@gmail.com>
+Date: Fri, 27 Dec 2024 10:25:35 +0100
+Subject: Validate locale earlier
+
+(cherry picked from commit 129700ed449b1f02d70272d2ac802357c8c30c58)
+---
+ src/Carbon/AbstractTranslator.php | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/Carbon/AbstractTranslator.php
b/src/Carbon/AbstractTranslator.php
+index 8b8fe089..ffe82e43 100644
+--- a/src/Carbon/AbstractTranslator.php
++++ b/src/Carbon/AbstractTranslator.php
+@@ -159,6 +159,8 @@ abstract class AbstractTranslator extends
Translation\Translator
+ return true;
+ }
+
++ $this->assertValidLocale($locale);
++
+ foreach ($this->getDirectories() as $directory) {
+ $data = @include sprintf('%s/%s.php', rtrim($directory, '\\/'),
$locale);
+
+--
+2.30.2
+
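Review bot: the added `$this->assertValidLocale($locale);` sits just after the early `return true;` at the top of the hunk, and the condition guarding that return is outside the visible context, so confirm that the path taking it never reaches the `@include` with an unvalidated locale. The strength of the fix also rests entirely on what `assertValidLocale` rejects, and this patch only adds the call: the method is inherited from `Translation\Translator` (per `abstract class AbstractTranslator extends Translation\Translator`), so check that the Symfony version shipped in bookworm refuses `/`, `\` and NUL bytes in `$locale`, because the value is interpolated straight into `sprintf('%s/%s.php', rtrim($directory, '\\/'), $locale)` and the `@` on the include suppresses any warning that would otherwise reveal an unexpected file being loaded. A unit test that calls `setLocale('../../some/file')` and expects the exception `assertValidLocale` throws would document the behaviour the backport is meant to guarantee.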
diff -Nru php-nesbot-carbon-2.65.0/debian/patches/series
php-nesbot-carbon-2.65.0/debian/patches/series
--- php-nesbot-carbon-2.65.0/debian/patches/series 2023-01-14
23:52:26.000000000 +0200
+++ php-nesbot-carbon-2.65.0/debian/patches/series 2025-02-25
13:17:44.000000000 +0200
@@ -4,3 +4,4 @@
0004-Drop-currently-failing-test.patch
0005-Remove-exit-call-in-unit-tests.patch
0006-Remove-unfinished-test.patch
+0001-Validate-locale-earlier.patch
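Review bot: `0001-Validate-locale-earlier.patch` is appended after `0006-Remove-unfinished-test.patch`, so the file's numeric prefix no longer reflects its position in the series. quilt applies patches in series order, so this works as committed, but a `0001` prefix below the `0004`..`0006` entries visible here is misleading and will collide or be renumbered the next time someone exports the queue with `gbp pq`. Suggest renaming the file to `0007-Validate-locale-earlier.patch` (or dropping the numeric prefix altogether) and updating this line to match.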
--- End Message ---
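To make the bug concrete outside the diff, here is an added, self-contained PHP example (my code, not Carbon's, Symfony's or Debian's) that mirrors the `@include sprintf('%s/%s.php', rtrim($directory, '\\/'), $locale)` pattern from the hunk, first with the locale passed through unchecked and then behind a validation step placed where the Debian patch places `assertValidLocale`. The class name `LocaleLoader`, the accepted-locale pattern and the temporary fixture files are assumptions made for this example; Carbon's own `assertValidLocale` is inherited from Symfony and is not reproduced here.

```php
<?php
declare(strict_types=1);

// Added example, not Carbon's code: a minimal translator-style loader that
// builds an include path from a caller-supplied locale the way the patched
// code does. LocaleLoader, the locale pattern and the fixture files below
// are assumptions made for this example.
final class LocaleLoader
{
    /** @var string[] directories searched for <locale>.php */
    private array $directories;

    /** @param string[] $directories */
    public function __construct(array $directories)
    {
        $this->directories = $directories;
    }

    // Vulnerable shape: $locale is interpolated into the include path
    // unchecked, so "../evil" walks out of the locale directory and any
    // PHP file the process can read is executed. The @ hides the warning
    // a missing file would otherwise raise.
    public function loadUnchecked(string $locale): ?array
    {
        foreach ($this->directories as $directory) {
            $data = @include sprintf('%s/%s.php', rtrim($directory, '\\/'), $locale);
            if (is_array($data)) {
                return $data;
            }
        }
        return null;
    }

    // Hardened shape: accept only a plain locale identifier before any path
    // is built. The pattern is an assumption for this example; what matters
    // is that it admits no directory separator and no NUL byte, so the
    // value cannot name a file outside the configured directories.
    public static function assertValidLocale(string $locale): void
    {
        if (!preg_match('/^[a-z0-9@_.\-]+\z/i', $locale)) {
            throw new InvalidArgumentException(sprintf('Invalid "%s" locale.', $locale));
        }
    }

    public function loadChecked(string $locale): ?array
    {
        self::assertValidLocale($locale);
        return $this->loadUnchecked($locale);
    }
}

// Constructed fixture: a legitimate locale file inside lang/ and a file one
// level above it standing in for attacker-controlled content.
$base = sys_get_temp_dir() . '/locale-demo-' . getmypid();
mkdir("$base/lang", 0700, true);
file_put_contents("$base/lang/en.php", "<?php return ['day' => 'day'];");
file_put_contents("$base/evil.php", "<?php return ['pwned' => true];");

$loader = new LocaleLoader(["$base/lang"]);

// The legitimate locale loads either way.
var_dump($loader->loadUnchecked('en'));
var_dump($loader->loadChecked('en'));

// Unchecked, the traversal resolves to $base/evil.php and that file runs.
var_dump($loader->loadUnchecked('../evil'));

// Checked, the same input is rejected before sprintf() ever sees it.
try {
    $loader->loadChecked('../evil');
} catch (InvalidArgumentException $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}

// Remove the fixture.
unlink("$base/lang/en.php");
unlink("$base/evil.php");
rmdir("$base/lang");
rmdir($base);
```

Run it with `php example.php`. The thing to take away is that the validation has to sit before the path is assembled, which is exactly where the backported hunk inserts the `assertValidLocale` call; validating after `sprintf()` or relying on the `@include` failing quietly would leave the traversal open.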
--- Begin Message ---
Version: 12.10
This update has been released as part of 12.10. Thank you for your contribution.
--- End Message ---