
Bug#798889: jessie-pu: package doctrine/2.4.6-1+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Control: clone -1 -2 -3 -4
Control: retitle -2 php-doctrine-annotations/1.2.1-1+deb8u1
Control: retitle -3 php-doctrine-cache/1.3.1-1+deb8u1
Control: retitle -4 php-doctrine-common/2.4.2-2+deb8u1

Hi,

As already discussed with the security team [1], please accept the fixes
for CVE-2015-5723 in doctrine and
php-doctrine-{annotations,cache,common}. Source debdiff attached.

1:
https://lists.alioth.debian.org/pipermail/pkg-php-pear/2015-September/005785.html

Please note that there is also some noise in the binary debdiff for
php-doctrine-common: the pkg-php-tools version that was in Sid over a
year ago was not as effective as the version that made it into Jessie
(hence the php5-common dependency instead of plain php5 or php5-cli, and
the version boundary changes), so the following differences are expected:

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: [-php5 (>= 5.3.2) | php5-cli-] {+php5-common+} (>= 5.3.2),
php-doctrine-inflector (>= [-1~),-] {+1),+} php-doctrine-inflector (<<
[-2~),-] {+2~~),+} php-doctrine-cache (>= [-1~),-] {+1),+}
php-doctrine-cache (<< [-2~),-] {+2~~),+} php-doctrine-collections (>=
[-1~),-] {+1),+} php-doctrine-collections (<< [-2~),-] {+2~~),+}
php-doctrine-lexer (>= [-1~),-] {+1),+} php-doctrine-lexer (<< [-2~),-]
{+2~~),+} php-doctrine-annotations (>= [-1~),-] {+1),+}
php-doctrine-annotations (<< [-2~)-] {+2~~)+}
Installed-Size: [-320-] {+255+}
Version: [-2.4.2-2-] {+2.4.2-2+deb8u1+}

Regards

David
diff --git a/debian/changelog b/debian/changelog
index dffb472..4fad3b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-common (2.4.2-2+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot <taffit@debian.org>  Mon, 31 Aug 2015 22:57:23 -0400
+
 php-doctrine-common (2.4.2-2) unstable; urgency=medium
 
   * Upload to unstable
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
new file mode 100644
index 0000000..5135152
--- /dev/null
+++ b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
@@ -0,0 +1,23 @@
+From: Marco Pivetta <ocramius@gmail.com>
+Date: Mon, 31 Aug 2015 15:38:45 +0100
+Subject: Applying patch for CVE-2015-5723
+
+See http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
+
+Origin: upstream, https://github.com/doctrine/common/commit/4824569127daa9784bf35219a1cd49306c795389
+---
+ lib/Doctrine/Common/Proxy/ProxyGenerator.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Doctrine/Common/Proxy/ProxyGenerator.php b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+index 4c5a239..3941f17 100644
+--- a/lib/Doctrine/Common/Proxy/ProxyGenerator.php
++++ b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+@@ -302,6 +302,7 @@ class <proxyShortClassName> extends \<className> implements \<baseProxyInterface
+         $tmpFileName = $fileName . '.' . uniqid('', true);
+ 
+         file_put_contents($tmpFileName, $proxyCode);
++        chmod($tmpFileName, 0664);
+         rename($tmpFileName, $fileName);
+     }
+ 
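Review bot: The added `chmod($tmpFileName, 0664);` in ProxyGenerator hard-codes the mode and ignores the process umask, whereas the FilesystemCache change shipped in this same upload uses `0664 & ~umask()`; `chmod($tmpFileName, 0664 & ~umask());` would be consistent and would honour a stricter site umask. Its return value, like that of the preceding `file_put_contents`, is not checked, so a failed permission change is silently followed by the `rename` that publishes the file. The enclosing method starts and ends outside the quoted hunk.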
diff --git a/debian/patches/series b/debian/patches/series
index e4166b6..5042a17 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch
+0002-Applying-patch-for-CVE-2015-5723.patch
diff --git a/debian/changelog b/debian/changelog
index 7dc2075..f5c757f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-cache (1.3.1-1+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot <taffit@debian.org>  Mon, 31 Aug 2015 23:07:58 -0400
+
 php-doctrine-cache (1.3.1-1) unstable; urgency=medium
 
   [ David Prévot ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
new file mode 100644
index 0000000..4922520
--- /dev/null
+++ b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
@@ -0,0 +1,95 @@
+From: Benjamin Eberlei <kontakt@beberlei.de>
+Date: Mon, 31 Aug 2015 13:45:08 +0200
+Subject: [DCOM-293] Fix for CVE-2015-5723 Security Misconfiguration
+ Vulnerability that can lead to local arbitrary code execution.
+
+Origin: upstream, https://github.com/doctrine/cache/commit/2196b831e62b04986a5c4d208a1b48e0680da369
+---
+ lib/Doctrine/Common/Cache/FileCache.php       | 19 +++++++++++++++++--
+ lib/Doctrine/Common/Cache/FilesystemCache.php |  4 ++--
+ lib/Doctrine/Common/Cache/PhpFileCache.php    |  6 ++++--
+ 3 files changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/lib/Doctrine/Common/Cache/FileCache.php b/lib/Doctrine/Common/Cache/FileCache.php
+index d91d0bc..f1e4528 100644
+--- a/lib/Doctrine/Common/Cache/FileCache.php
++++ b/lib/Doctrine/Common/Cache/FileCache.php
+@@ -42,16 +42,31 @@ abstract class FileCache extends CacheProvider
+     protected $extension;
+ 
+     /**
++     * @var int
++     */
++    protected $umask;
++
++    /**
+      * Constructor.
+      *
+      * @param string      $directory The cache directory.
+      * @param string|null $extension The cache file extension.
++     * @param int         $umask
+      *
+      * @throws \InvalidArgumentException
+      */
+-    public function __construct($directory, $extension = null)
++    public function __construct($directory, $extension = null, $umask = 0002)
+     {
+-        if ( ! is_dir($directory) && ! @mkdir($directory, 0777, true)) {
++        if (!is_int($umask)) {
++            throw new \InvalidArgumentException(sprintf(
++                "Umask is required to be integer, was: %s",
++                gettype($umask)
++            ));
++        }
++
++        $this->umask = $umask;
++
++        if ( ! is_dir($directory) && ! @mkdir($directory, 0777 & ~$umask, true)) {
+             throw new \InvalidArgumentException(sprintf(
+                 'The directory "%s" does not exist and could not be created.',
+                 $directory
+diff --git a/lib/Doctrine/Common/Cache/FilesystemCache.php b/lib/Doctrine/Common/Cache/FilesystemCache.php
+index 07eda8e..b7060b5 100644
+--- a/lib/Doctrine/Common/Cache/FilesystemCache.php
++++ b/lib/Doctrine/Common/Cache/FilesystemCache.php
+@@ -105,7 +105,7 @@ class FilesystemCache extends FileCache
+         $filepath   = pathinfo($filename, PATHINFO_DIRNAME);
+ 
+         if ( ! is_dir($filepath)) {
+-            if (false === @mkdir($filepath, 0777, true) && !is_dir($filepath)) {
++            if (false === @mkdir($filepath, 0775, true) && !is_dir($filepath)) {
+                 return false;
+             }
+         } elseif ( ! is_writable($filepath)) {
+@@ -115,7 +115,7 @@ class FilesystemCache extends FileCache
+         $tmpFile = tempnam($filepath, basename($filename));
+ 
+         if ((file_put_contents($tmpFile, $lifeTime . PHP_EOL . $data) !== false) && @rename($tmpFile, $filename)) {
+-            @chmod($filename, 0666 & ~umask());
++            @chmod($filename, 0664 & ~umask());
+ 
+             return true;
+         }
+diff --git a/lib/Doctrine/Common/Cache/PhpFileCache.php b/lib/Doctrine/Common/Cache/PhpFileCache.php
+index f017d83..cc4883f 100644
+--- a/lib/Doctrine/Common/Cache/PhpFileCache.php
++++ b/lib/Doctrine/Common/Cache/PhpFileCache.php
+@@ -91,7 +91,7 @@ class PhpFileCache extends FileCache
+         $filepath   = pathinfo($filename, PATHINFO_DIRNAME);
+ 
+         if ( ! is_dir($filepath)) {
+-            mkdir($filepath, 0777, true);
++            mkdir($filepath, 0777 & ~$this->umask, true);
+         }
+ 
+         $value = array(
+@@ -102,6 +102,8 @@ class PhpFileCache extends FileCache
+         $value  = var_export($value, true);
+         $code   = sprintf('<?php return %s;', $value);
+ 
+-        return file_put_contents($filename, $code) !== false;
++        $ret = (file_put_contents($filename, $code) !== false);
++        chmod($filename, 0664);
++        return $ret;
+     }
+ }
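Review bot: The new `$umask` constructor argument in FileCache is validated only with `is_int()`, so negative or out-of-range values are accepted and silently folded into `0777 & ~$umask`; a range check such as `if ( ! is_int($umask) || $umask < 0 || $umask > 0777)` would reject them explicitly. The option is also applied unevenly across the patch: PhpFileCache::doSave uses `0777 & ~$this->umask` for mkdir, but FilesystemCache::doSave hard-codes `0775` for mkdir and `0664 & ~umask()` for chmod, and PhpFileCache's final `chmod($filename, 0664)` ignores both the configured and the process umask, so a caller passing a stricter umask does not get stricter cache files there. The return value of that last `chmod()` is not checked, so `$ret` can be true while the mode change failed.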
diff --git a/debian/patches/series b/debian/patches/series
index e4166b6..ac8c6f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch
+0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
diff --git a/debian/changelog b/debian/changelog
index a57803f..bbcd0f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-annotations (1.2.1-1+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot <taffit@debian.org>  Mon, 31 Aug 2015 23:16:28 -0400
+
 php-doctrine-annotations (1.2.1-1) unstable; urgency=medium
 
   * Drop now useless XS-Testsuite
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch
new file mode 100644
index 0000000..59a0691
--- /dev/null
+++ b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch
@@ -0,0 +1,48 @@
+From: Benjamin Eberlei <kontakt@beberlei.de>
+Date: Mon, 31 Aug 2015 13:54:27 +0200
+Subject: [DCOM-293] Fix security misconfiguration vulnerability that can
+ allow local arbitrary code execution.
+
+Origin: upstream, https://github.com/doctrine/annotations/commit/f25c8aab83e0c3e976fd7d19875f198ccf2f7535
+---
+ lib/Doctrine/Common/Annotations/FileCacheReader.php | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/lib/Doctrine/Common/Annotations/FileCacheReader.php b/lib/Doctrine/Common/Annotations/FileCacheReader.php
+index e9b29af..f4ac5f2 100644
+--- a/lib/Doctrine/Common/Annotations/FileCacheReader.php
++++ b/lib/Doctrine/Common/Annotations/FileCacheReader.php
+@@ -53,6 +53,11 @@ class FileCacheReader implements Reader
+     private $classNameHashes = array();
+ 
+     /**
++     * @var int
++     */
++    private $umask;
++
++    /**
+      * Constructor.
+      *
+      * @param Reader  $reader
+@@ -61,10 +66,19 @@ class FileCacheReader implements Reader
+      *
+      * @throws \InvalidArgumentException
+      */
+-    public function __construct(Reader $reader, $cacheDir, $debug = false)
++    public function __construct(Reader $reader, $cacheDir, $debug = false, $umask = 0002)
+     {
++        if ( ! is_int($umask)) {
++            throw new \InvalidArgumentException(sprintf(
++                'The parameter umask must be an integer, was: %s',
++                gettype($umask)
++            ));
++        }
++
+         $this->reader = $reader;
+-        if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777, true)) {
++        $this->umask = $umask;
++
++        if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777 & (~$this->umask), true)) {
+             throw new \InvalidArgumentException(sprintf('The directory "%s" does not exist and could not be created.', $cacheDir));
+         }
+ 
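Review bot: As far as the hunk shows, the FileCacheReader constructor docblock does not document the new `$umask` parameter — the context at the old line 61 is already the blank ` *` before `@throws` — while the matching cache patch adds `@param int $umask`; add `     * @param int     $umask` after the `$debug` entry so the documented signature matches the code. The `is_int($umask)` check accepts negative or out-of-range values, which then fold silently into `0777 & (~$this->umask)`; a bound such as `$umask < 0 || $umask > 0777` in the same condition would make the rejection explicit. Whether `$this->umask` is also applied where the cache file itself is written cannot be seen here; the writing methods lie outside this hunk.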
diff --git a/debian/patches/series b/debian/patches/series
index e4166b6..96fc0f0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch
+0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch
diff --git a/debian/changelog b/debian/changelog
index 283f77c..fbf9f36 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+doctrine (2.4.6-1+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot <taffit@debian.org>  Mon, 31 Aug 2015 22:34:27 -0400
+
 doctrine (2.4.6-1) unstable; urgency=medium
 
   [ Marco Pivetta ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch
new file mode 100644
index 0000000..493950d
--- /dev/null
+++ b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch
@@ -0,0 +1,107 @@
+From: Benjamin Eberlei <kontakt@beberlei.de>
+Date: Mon, 31 Aug 2015 13:57:29 +0200
+Subject: [DCOM-293] Fix security misconfiguration vulnerability allowing
+ local remote arbitrary code execution.
+
+Origin: upstream, https://github.com/doctrine/doctrine2/commit/caf30b889bb898620d843d1ec4940d01fa1d8877
+---
+ lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php  | 2 +-
+ lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php | 2 +-
+ lib/Doctrine/ORM/Tools/EntityGenerator.php                        | 3 ++-
+ lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php              | 3 ++-
+ lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php         | 5 +++--
+ 5 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php b/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php
+index 5300783..b2aee7e 100644
+--- a/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php
++++ b/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php
+@@ -137,7 +137,7 @@ EOT
+ 
+         // Process destination directory
+         if ( ! is_dir($destPath = $input->getArgument('dest-path'))) {
+-            mkdir($destPath, 0777, true);
++            mkdir($destPath, 0775, true);
+         }
+         $destPath = realpath($destPath);
+ 
+diff --git a/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php b/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php
+index 5221187..21edb9d 100644
+--- a/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php
++++ b/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php
+@@ -79,7 +79,7 @@ EOT
+         }
+ 
+         if ( ! is_dir($destPath)) {
+-            mkdir($destPath, 0777, true);
++            mkdir($destPath, 0775, true);
+         }
+ 
+         $destPath = realpath($destPath);
+diff --git a/lib/Doctrine/ORM/Tools/EntityGenerator.php b/lib/Doctrine/ORM/Tools/EntityGenerator.php
+index ec3a6e1..df0ab85 100644
+--- a/lib/Doctrine/ORM/Tools/EntityGenerator.php
++++ b/lib/Doctrine/ORM/Tools/EntityGenerator.php
+@@ -340,7 +340,7 @@ public function __construct()
+         $dir = dirname($path);
+ 
+         if ( ! is_dir($dir)) {
+-            mkdir($dir, 0777, true);
++            mkdir($dir, 0775, true);
+         }
+ 
+         $this->isNew = !file_exists($path) || (file_exists($path) && $this->regenerateEntityIfExists);
+@@ -365,6 +365,7 @@ public function __construct()
+         } elseif ( ! $this->isNew && $this->updateEntityIfExists) {
+             file_put_contents($path, $this->generateUpdatedEntityClass($metadata, $path));
+         }
++        chmod($path, 0664);
+     }
+ 
+     /**
+diff --git a/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php b/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php
+index 5093cd5..2bcc40c 100644
+--- a/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php
++++ b/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php
+@@ -96,11 +96,12 @@ class <className> extends EntityRepository
+         $dir = dirname($path);
+ 
+         if ( ! is_dir($dir)) {
+-            mkdir($dir, 0777, true);
++            mkdir($dir, 0775, true);
+         }
+ 
+         if ( ! file_exists($path)) {
+             file_put_contents($path, $code);
++            chmod($path, 0664);
+         }
+     }
+ }
+diff --git a/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php b/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php
+index d40d078..546b576 100644
+--- a/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php
++++ b/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php
+@@ -130,7 +130,7 @@ abstract class AbstractExporter
+     public function export()
+     {
+         if ( ! is_dir($this->_outputDir)) {
+-            mkdir($this->_outputDir, 0777, true);
++            mkdir($this->_outputDir, 0775, true);
+         }
+ 
+         foreach ($this->_metadata as $metadata) {
+@@ -139,12 +139,13 @@ abstract class AbstractExporter
+                 $path = $this->_generateOutputPath($metadata);
+                 $dir = dirname($path);
+                 if ( ! is_dir($dir)) {
+-                    mkdir($dir, 0777, true);
++                    mkdir($dir, 0775, true);
+                 }
+                 if (file_exists($path) && !$this->_overwriteExistingFiles) {
+                     throw ExportException::attemptOverwriteExistingFile($path);
+                 }
+                 file_put_contents($path, $output);
++                chmod($path, 0664);
+             }
+         }
+     }
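Review bot: In EntityGenerator the added `chmod($path, 0664);` sits after the `if`/`elseif` pair rather than inside the branches that write, so when `isNew` is false and `updateEntityIfExists` is false the generator changes the mode of an existing file it did not touch; moving the call into each writing branch, as EntityRepositoryGenerator and AbstractExporter do in this same patch, avoids that. None of the `chmod()` calls added here check their return value, so a failed permission change is silent. The `chmod()` modes are hard-coded to `0664` rather than `0664 & ~umask()` as in the cache patch, so unlike `mkdir`, which always applies the umask, these files do not honour a stricter site umask.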
diff --git a/debian/patches/series b/debian/patches/series
index fa85d5f..17fc21a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Drop-Unicode-character.patch
+0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch

Attachment: signature.asc
Description: OpenPGP digital signature

