Bug#1003018: bullseye-pu: package php-laravel-framework/6.20.14+dfsg-2+deb11u1

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Security issues affecting the version in bullseye.
* Bug #1001333 (CVE-2021-43808)
* Bug #1002728 (CVE-2021-43617)

[ Impact ]
* Users of web applications using certain templating features from
  the framework may be vulnerable to XSS attacks.
* Users who host web applications relying on the framework's file upload
  validation features may be vulnerable to remote code execution attacks.

[ Tests ]
* The patches were taken from upstream; they've been tested upstream and
  are already in use through other channels.
* The test suite passes after backporting the patches.

[ Risks ]
* The tests cannot run in a clean and isolated Debian environment due to
  missing dependencies (of the tests themselves). I try to run them in a
  similar enough manner, but it could mask some types of bugs.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
* Applies a patch from upstream to fix the XSS vulnerability by making
  the template section identifiers unpredictable.
* Applies a patch from upstream to fix the remote code upload
  vulnerability by blocking .phar files.

[ Other info ]
The security team asked me to submit the update through a stable point
release. The CVEs have been labelled as "no DSA".
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/changelog php-laravel-framework-6.20.14+dfsg/debian/changelog
--- php-laravel-framework-6.20.14+dfsg/debian/changelog	2021-04-30 18:23:38.000000000 +0200
+++ php-laravel-framework-6.20.14+dfsg/debian/changelog	2022-01-02 19:58:35.000000000 +0100
@@ -1,3 +1,12 @@
+php-laravel-framework (6.20.14+dfsg-2+deb11u1) bullseye; urgency=high
+
+  * Fix security issue: XSS vulnerability in the Blade templating engine
+    (CVE-2021-43808, Closes: #1001333)
+  * Fix security issue: Failure to block the upload of executable PHP content
+    (CVE-2021-43617, Closes: #1002728)
+
+ -- Robin Gustafsson <robin@rgson.se>  Sun, 02 Jan 2022 19:58:35 +0100
+
 php-laravel-framework (6.20.14+dfsg-2) unstable; urgency=medium

   * Fix security issue: SQL injection with Microsoft SQL Server
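Review bot: the new changelog entry names the two CVEs but says nothing about the side effect of the Compiler.php change carried in 0002-Fix-parent-call.patch (sha1('v2'.$path) in getCompiledPath), which renames every compiled view cache file, so each view is recompiled on first render after the upgrade and the files under the old names are left behind. A short line here, or a debian/NEWS entry, telling administrators that the compiled view cache is invalidated and that a "php artisan view:clear" removes the orphaned files would save some confusion at upgrade time.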
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch
--- php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch	2021-12-28 16:17:51.000000000 +0100
@@ -0,0 +1,192 @@
+From: Dries Vints <dries@vints.io>
+Date: Mon, 6 Dec 2021 18:14:03 +0100
+Subject: Fix parent call
+
+Origin: https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828ceddb9b
+Applied-Upstream: 6.20.42
+---
+ src/Illuminate/View/Compilers/Compiler.php         |  2 +-
+ .../View/Compilers/Concerns/CompilesLayouts.php    |  6 ++---
+ src/Illuminate/View/Concerns/ManagesLayouts.php    | 26 +++++++++++++++++++++-
+ tests/View/ViewBladeCompilerTest.php               | 20 ++++++++---------
+ 4 files changed, 39 insertions(+), 15 deletions(-)
+
+diff --git a/src/Illuminate/View/Compilers/Compiler.php b/src/Illuminate/View/Compilers/Compiler.php
+index 08648ad..d2a9f26 100755
+--- a/src/Illuminate/View/Compilers/Compiler.php
++++ b/src/Illuminate/View/Compilers/Compiler.php
+@@ -48,7 +48,7 @@ abstract class Compiler
+      */
+     public function getCompiledPath($path)
+     {
+-        return $this->cachePath.'/'.sha1($path).'.php';
++        return $this->cachePath.'/'.sha1('v2'.$path).'.php';
+     }
+
+     /**
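Review bot: the 'v2' prefix in getCompiledPath is necessary rather than cosmetic, and deserves a comment saying so: before this patch compileParent() resolved ViewFactory::parentPlaceholder() at compile time, so every compiled template already on disk contains the old deterministic placeholder string literally, and without a cache-key change those templates would keep the vulnerable token until something else forced a recompile. Changing the key forces the recompile but never deletes the old sha1($path).'.php' files under $this->cachePath, so the upgrade notes should point at view:clear.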
+diff --git a/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php b/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php
+index aaef617..fc6a63a 100644
+--- a/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php
++++ b/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php
+@@ -2,8 +2,6 @@
+
+ namespace Illuminate\View\Compilers\Concerns;
+
+-use Illuminate\View\Factory as ViewFactory;
+-
+ trait CompilesLayouts
+ {
+     /**
+@@ -50,7 +48,9 @@ trait CompilesLayouts
+      */
+     protected function compileParent()
+     {
+-        return ViewFactory::parentPlaceholder($this->lastSection ?: '');
++        $escapedLastSection = strtr($this->lastSection, ['\\' => '\\\\', "'" => "\\'"]);
++
++        return "<?php echo \Illuminate\View\Factory::parentPlaceholder('{$escapedLastSection}'); ?>";
+     }
+
+     /**
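Review bot: the "?: ''" fallback on the removed line has no counterpart on the added lines, so strtr() now receives null when @parent appears before any @section has set $this->lastSection. On PHP 7.4 (bullseye) strtr(null, ...) silently returns '' and the generated code matches the old behaviour, but on PHP 8.1+ it raises a null-to-string deprecation; keeping "$escapedLastSection = strtr($this->lastSection ?: '', ...)" would preserve the old contract. The strtr map itself is complete for its purpose: '\\' and '\'' are the only two sequences a single-quoted PHP literal interprets, so no section name can terminate the literal inside the emitted "<?php echo ... ?>" call.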
+diff --git a/src/Illuminate/View/Concerns/ManagesLayouts.php b/src/Illuminate/View/Concerns/ManagesLayouts.php
+index 29d7155..82fb77b 100644
+--- a/src/Illuminate/View/Concerns/ManagesLayouts.php
++++ b/src/Illuminate/View/Concerns/ManagesLayouts.php
+@@ -3,6 +3,7 @@
+ namespace Illuminate\View\Concerns;
+
+ use Illuminate\Contracts\View\View;
++use Illuminate\Support\Str;
+ use InvalidArgumentException;
+
+ trait ManagesLayouts
+@@ -28,6 +29,13 @@ trait ManagesLayouts
+      */
+     protected static $parentPlaceholder = [];
+
++    /**
++     * The parent placeholder salt for the request.
++     *
++     * @var string
++     */
++    protected static $parentPlaceholderSalt;
++
+     /**
+      * Start injecting content into a section.
+      *
+@@ -168,12 +176,28 @@ trait ManagesLayouts
+     public static function parentPlaceholder($section = '')
+     {
+         if (! isset(static::$parentPlaceholder[$section])) {
+-            static::$parentPlaceholder[$section] = '##parent-placeholder-'.sha1($section).'##';
++            $salt = static::parentPlaceholderSalt();
++
++            static::$parentPlaceholder[$section] = '##parent-placeholder-'.sha1($salt.$section).'##';
+         }
+
+         return static::$parentPlaceholder[$section];
+     }
+
++    /**
++     * Get the parent placeholder salt.
++     *
++     * @return string
++     */
++    protected static function parentPlaceholderSalt()
++    {
++        if (! static::$parentPlaceholderSalt) {
++            return static::$parentPlaceholderSalt = Str::random(40);
++        }
++
++        return static::$parentPlaceholderSalt;
++    }
++
+     /**
+      * Check if section exists.
+      *
+diff --git a/tests/View/ViewBladeCompilerTest.php b/tests/View/ViewBladeCompilerTest.php
+index fd61b8c..eddf9e2 100644
+--- a/tests/View/ViewBladeCompilerTest.php
++++ b/tests/View/ViewBladeCompilerTest.php
+@@ -18,7 +18,7 @@ class ViewBladeCompilerTest extends TestCase
+     public function testIsExpiredReturnsTrueIfCompiledFileDoesntExist()
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+-        $files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('foo').'.php')->andReturn(false);
++        $files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('v2foo').'.php')->andReturn(false);
+         $this->assertTrue($compiler->isExpired('foo'));
+     }
+
+@@ -33,23 +33,23 @@ class ViewBladeCompilerTest extends TestCase
+     public function testIsExpiredReturnsTrueWhenModificationTimesWarrant()
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+-        $files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('foo').'.php')->andReturn(true);
++        $files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('v2foo').'.php')->andReturn(true);
+         $files->shouldReceive('lastModified')->once()->with('foo')->andReturn(100);
+-        $files->shouldReceive('lastModified')->once()->with(__DIR__.'/'.sha1('foo').'.php')->andReturn(0);
++        $files->shouldReceive('lastModified')->once()->with(__DIR__.'/'.sha1('v2foo').'.php')->andReturn(0);
+         $this->assertTrue($compiler->isExpired('foo'));
+     }
+
+     public function testCompilePathIsProperlyCreated()
+     {
+         $compiler = new BladeCompiler($this->getFiles(), __DIR__);
+-        $this->assertEquals(__DIR__.'/'.sha1('foo').'.php', $compiler->getCompiledPath('foo'));
++        $this->assertEquals(__DIR__.'/'.sha1('v2foo').'.php', $compiler->getCompiledPath('foo'));
+     }
+
+     public function testCompileCompilesFileAndReturnsContents()
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         $files->shouldReceive('get')->once()->with('foo')->andReturn('Hello World');
+-        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', 'Hello World<?php /**PATH foo ENDPATH**/ ?>');
++        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', 'Hello World<?php /**PATH foo ENDPATH**/ ?>');
+         $compiler->compile('foo');
+     }
+
+@@ -57,7 +57,7 @@ class ViewBladeCompilerTest extends TestCase
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         $files->shouldReceive('get')->once()->with('foo')->andReturn('Hello World');
+-        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', 'Hello World<?php /**PATH foo ENDPATH**/ ?>');
++        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', 'Hello World<?php /**PATH foo ENDPATH**/ ?>');
+         $compiler->compile('foo');
+         $this->assertSame('foo', $compiler->getPath());
+     }
+@@ -73,7 +73,7 @@ class ViewBladeCompilerTest extends TestCase
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         $files->shouldReceive('get')->once()->with('foo')->andReturn('Hello World');
+-        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', 'Hello World<?php /**PATH foo ENDPATH**/ ?>');
++        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', 'Hello World<?php /**PATH foo ENDPATH**/ ?>');
+         // set path before compilation
+         $compiler->setPath('foo');
+         // trigger compilation with $path
+@@ -103,7 +103,7 @@ class ViewBladeCompilerTest extends TestCase
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         $files->shouldReceive('get')->once()->with('foo')->andReturn($content);
+-        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', $compiled);
++        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', $compiled);
+
+         $compiler->compile('foo');
+     }
+@@ -157,7 +157,7 @@ class ViewBladeCompilerTest extends TestCase
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         $files->shouldReceive('get')->once()->with('')->andReturn('Hello World');
+-        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('').'.php', 'Hello World');
++        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2').'.php', 'Hello World');
+         $compiler->setPath('');
+         $compiler->compile();
+     }
+@@ -166,7 +166,7 @@ class ViewBladeCompilerTest extends TestCase
+     {
+         $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+         $files->shouldReceive('get')->once()->with(null)->andReturn('Hello World');
+-        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1(null).'.php', 'Hello World');
++        $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2').'.php', 'Hello World');
+         $compiler->setPath(null);
+         $compiler->compile();
+     }
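Review bot: every change in the test hunks only rewrites the expected compiled path from sha1('foo') to sha1('v2foo'); nothing in this patch exercises the behaviour the fix is about. Two small additions would cover it: a compiler test asserting that @parent now compiles to the runtime "<?php echo \Illuminate\View\Factory::parentPlaceholder('...'); ?>" call, using a section name containing a quote and a backslash to pin down the strtr escaping, and a factory test asserting that parentPlaceholder('foo') is stable within the process yet different from '##parent-placeholder-'.sha1('foo').'##'. The sha1(null) to sha1('v2') change in the last hunk is correct, since 'v2'.null === 'v2'.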
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch
--- php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch	2022-01-02 19:57:55.000000000 +0100
@@ -0,0 +1,26 @@
+From: Stephen Rees-Carter <stephen@rees-carter.net>
+Date: Thu, 18 Nov 2021 12:10:56 +1000
+Subject: Add .phar to blocked PHP extensions (#39666)
+
+By default Debian includes support for executing .phar files alongside
+.php and .phtml files, and should be included in the blocked list.
+
+Origin: https://github.com/laravel/framework/commit/ccea1bfcbb37cf923dc1bb30cdbf2effbfb1619c
+Applied-Upstream: 6.20.41
+---
+ src/Illuminate/Validation/Concerns/ValidatesAttributes.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Illuminate/Validation/Concerns/ValidatesAttributes.php b/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
+index 84e0964..6f0d8d6 100644
+--- a/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
++++ b/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
+@@ -1254,7 +1254,7 @@ trait ValidatesAttributes
+         }
+
+         $phpExtensions = [
+-            'php', 'php3', 'php4', 'php5', 'phtml',
++            'php', 'php3', 'php4', 'php5', 'phtml', 'phar',
+         ];
+
+         return ($value instanceof UploadedFile)
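Review bot: adding 'phar' closes the gap the commit message names for Debian's default handler mapping, but the surrounding check remains an extension denylist compared against the client-supplied file name, so it blocks exactly what the list contains and nothing more, and any divergence between this list and a deployment's web server handler configuration passes silently. The visible "return ($value instanceof UploadedFile)" line also shows the rule applies only to real uploads. Worth a sentence in the patch description that this is a minimal hardening of the denylist, and that applications should still pair it with an allowlist of expected types (the mimes rule) and keep uploads outside the document root.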
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/series php-laravel-framework-6.20.14+dfsg/debian/patches/series
--- php-laravel-framework-6.20.14+dfsg/debian/patches/series	2021-04-30 18:23:38.000000000 +0200
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/series	2022-01-02 19:57:55.000000000 +0100
@@ -1 +1,3 @@
 0001-cast-to-int.patch
+0002-Fix-parent-call.patch
+0003-Add-.phar-to-blocked-PHP-extensions-39666.patch