Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Control: clone -1 -2 -3 -4 Control: retitle -2 php-doctrine-annotations/1.2.1-1+deb8u1 Control: retitle -3 php-doctrine-cache/1.3.1-1+deb8u1 Control: retitle -4 php-doctrine-common/2.4.2-2+deb8u1 Hi, As already discussed with the security team [1], please accept the fixes for CVE-2015-5723 in doctrine and php-doctrine-{annotations,cache,common}. Source debdiff attached. 1: https://lists.alioth.debian.org/pipermail/pkg-php-pear/2015-September/005785.html Please note there is also a bit of noise in the binary debdiff for php-doctrine-common, because the pkg-php-tools version that was in Sid over a year ago was not as effective as the version that made it into Jessie (hence the php5-common version instead of plain php5 or php5-cli, and the version boundary changes), so that was expected: Control files: lines which differ (wdiff format) ------------------------------------------------ Depends: [-php5 (>= 5.3.2) | php5-cli-] {+php5-common+} (>= 5.3.2), php-doctrine-inflector (>= [-1~),-] {+1),+} php-doctrine-inflector (<< [-2~),-] {+2~~),+} php-doctrine-cache (>= [-1~),-] {+1),+} php-doctrine-cache (<< [-2~),-] {+2~~),+} php-doctrine-collections (>= [-1~),-] {+1),+} php-doctrine-collections (<< [-2~),-] {+2~~),+} php-doctrine-lexer (>= [-1~),-] {+1),+} php-doctrine-lexer (<< [-2~),-] {+2~~),+} php-doctrine-annotations (>= [-1~),-] {+1),+} php-doctrine-annotations (<< [-2~)-] {+2~~)+} Installed-Size: [-320-] {+255+} Version: [-2.4.2-2-] {+2.4.2-2+deb8u1+} Regards David
diff --git a/debian/changelog b/debian/changelog index dffb472..4fad3b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +php-doctrine-common (2.4.2-2+deb8u1) jessie; urgency=medium + + * gbp.conf: Track the jessie branch + * Fix security misconfiguration vulnerability [CVE-2015-5723] + + -- David Prévot <taffit@debian.org> Mon, 31 Aug 2015 22:57:23 -0400 + php-doctrine-common (2.4.2-2) unstable; urgency=medium * Upload to unstable diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..fae4302 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = jessie diff --git a/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch new file mode 100644 index 0000000..5135152 --- /dev/null +++ b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch @@ -0,0 +1,23 @@ +From: Marco Pivetta <ocramius@gmail.com> +Date: Mon, 31 Aug 2015 15:38:45 +0100 +Subject: Applying patch for CVE-2015-5723 + +See http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html + +Origin: upstream, https://github.com/doctrine/common/commit/4824569127daa9784bf35219a1cd49306c795389 +--- + lib/Doctrine/Common/Proxy/ProxyGenerator.php | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/Doctrine/Common/Proxy/ProxyGenerator.php b/lib/Doctrine/Common/Proxy/ProxyGenerator.php +index 4c5a239..3941f17 100644 +--- a/lib/Doctrine/Common/Proxy/ProxyGenerator.php ++++ b/lib/Doctrine/Common/Proxy/ProxyGenerator.php +@@ -302,6 +302,7 @@ class <proxyShortClassName> extends \<className> implements \<baseProxyInterface + $tmpFileName = $fileName . '.' . uniqid('', true); + + file_put_contents($tmpFileName, $proxyCode); ++ chmod($tmpFileName, 0664); + rename($tmpFileName, $fileName); + } + diff --git a/debian/patches/series b/debian/patches/series index e4166b6..5042a17 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch +0002-Applying-patch-for-CVE-2015-5723.patch
diff --git a/debian/changelog b/debian/changelog index 7dc2075..f5c757f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +php-doctrine-cache (1.3.1-1+deb8u1) jessie; urgency=medium + + * gbp.conf: Track the jessie branch + * Fix security misconfiguration vulnerability [CVE-2015-5723] + + -- David Prévot <taffit@debian.org> Mon, 31 Aug 2015 23:07:58 -0400 + php-doctrine-cache (1.3.1-1) unstable; urgency=medium [ David Prévot ] diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..fae4302 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = jessie diff --git a/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch new file mode 100644 index 0000000..4922520 --- /dev/null +++ b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch @@ -0,0 +1,95 @@ +From: Benjamin Eberlei <kontakt@beberlei.de> +Date: Mon, 31 Aug 2015 13:45:08 +0200 +Subject: [DCOM-293] Fix for CVE-2015-5723 Security Misconfiguration + Vulnerability that can lead to local arbitrary code execution. + +Origin: upstream, https://github.com/doctrine/cache/commit/2196b831e62b04986a5c4d208a1b48e0680da369 +--- + lib/Doctrine/Common/Cache/FileCache.php | 19 +++++++++++++++++-- + lib/Doctrine/Common/Cache/FilesystemCache.php | 4 ++-- + lib/Doctrine/Common/Cache/PhpFileCache.php | 6 ++++-- + 3 files changed, 23 insertions(+), 6 deletions(-) + +diff --git a/lib/Doctrine/Common/Cache/FileCache.php b/lib/Doctrine/Common/Cache/FileCache.php +index d91d0bc..f1e4528 100644 +--- a/lib/Doctrine/Common/Cache/FileCache.php ++++ b/lib/Doctrine/Common/Cache/FileCache.php +@@ -42,16 +42,31 @@ abstract class FileCache extends CacheProvider + protected $extension; + + /** ++ * @var int ++ */ ++ protected $umask; ++ ++ /** + * Constructor. + * + * @param string $directory The cache directory. + * @param string|null $extension The cache file extension. ++ * @param int $umask + * + * @throws \InvalidArgumentException + */ +- public function __construct($directory, $extension = null) ++ public function __construct($directory, $extension = null, $umask = 0002) + { +- if ( ! is_dir($directory) && ! @mkdir($directory, 0777, true)) { ++ if (!is_int($umask)) { ++ throw new \InvalidArgumentException(sprintf( ++ "Umask is required to be integer, was: %s", ++ gettype($umask) ++ )); ++ } ++ ++ $this->umask = $umask; ++ ++ if ( ! is_dir($directory) && ! @mkdir($directory, 0777 & ~$umask, true)) { + throw new \InvalidArgumentException(sprintf( + 'The directory "%s" does not exist and could not be created.', + $directory +diff --git a/lib/Doctrine/Common/Cache/FilesystemCache.php b/lib/Doctrine/Common/Cache/FilesystemCache.php +index 07eda8e..b7060b5 100644 +--- a/lib/Doctrine/Common/Cache/FilesystemCache.php ++++ b/lib/Doctrine/Common/Cache/FilesystemCache.php +@@ -105,7 +105,7 @@ class FilesystemCache extends FileCache + $filepath = pathinfo($filename, PATHINFO_DIRNAME); + + if ( ! is_dir($filepath)) { +- if (false === @mkdir($filepath, 0777, true) && !is_dir($filepath)) { ++ if (false === @mkdir($filepath, 0775, true) && !is_dir($filepath)) { + return false; + } + } elseif ( ! is_writable($filepath)) { +@@ -115,7 +115,7 @@ class FilesystemCache extends FileCache + $tmpFile = tempnam($filepath, basename($filename)); + + if ((file_put_contents($tmpFile, $lifeTime . PHP_EOL . $data) !== false) && @rename($tmpFile, $filename)) { +- @chmod($filename, 0666 & ~umask()); ++ @chmod($filename, 0664 & ~umask()); + + return true; + } +diff --git a/lib/Doctrine/Common/Cache/PhpFileCache.php b/lib/Doctrine/Common/Cache/PhpFileCache.php +index f017d83..cc4883f 100644 +--- a/lib/Doctrine/Common/Cache/PhpFileCache.php ++++ b/lib/Doctrine/Common/Cache/PhpFileCache.php +@@ -91,7 +91,7 @@ class PhpFileCache extends FileCache + $filepath = pathinfo($filename, PATHINFO_DIRNAME); + + if ( ! is_dir($filepath)) { +- mkdir($filepath, 0777, true); ++ mkdir($filepath, 0777 & ~$this->umask, true); + } + + $value = array( +@@ -102,6 +102,8 @@ class PhpFileCache extends FileCache + $value = var_export($value, true); + $code = sprintf('<?php return %s;', $value); + +- return file_put_contents($filename, $code) !== false; ++ $ret = (file_put_contents($filename, $code) !== false); ++ chmod($filename, 0664); ++ return $ret; + } + } diff --git a/debian/patches/series b/debian/patches/series index e4166b6..ac8c6f9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch +0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
diff --git a/debian/changelog b/debian/changelog index a57803f..bbcd0f9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +php-doctrine-annotations (1.2.1-1+deb8u1) jessie; urgency=medium + + * gbp.conf: Track the jessie branch + * Fix security misconfiguration vulnerability [CVE-2015-5723] + + -- David Prévot <taffit@debian.org> Mon, 31 Aug 2015 23:16:28 -0400 + php-doctrine-annotations (1.2.1-1) unstable; urgency=medium * Drop now useless XS-Testsuite diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..fae4302 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = jessie diff --git a/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch new file mode 100644 index 0000000..59a0691 --- /dev/null +++ b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch @@ -0,0 +1,48 @@ +From: Benjamin Eberlei <kontakt@beberlei.de> +Date: Mon, 31 Aug 2015 13:54:27 +0200 +Subject: [DCOM-293] Fix security misconfiguration vulnerability that can + allow local arbitrary code execution. + +Origin: upstream, https://github.com/doctrine/annotations/commit/f25c8aab83e0c3e976fd7d19875f198ccf2f7535 +--- + lib/Doctrine/Common/Annotations/FileCacheReader.php | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/lib/Doctrine/Common/Annotations/FileCacheReader.php b/lib/Doctrine/Common/Annotations/FileCacheReader.php +index e9b29af..f4ac5f2 100644 +--- a/lib/Doctrine/Common/Annotations/FileCacheReader.php ++++ b/lib/Doctrine/Common/Annotations/FileCacheReader.php +@@ -53,6 +53,11 @@ class FileCacheReader implements Reader + private $classNameHashes = array(); + + /** ++ * @var int ++ */ ++ private $umask; ++ ++ /** + * Constructor. + * + * @param Reader $reader +@@ -61,10 +66,19 @@ class FileCacheReader implements Reader + * + * @throws \InvalidArgumentException + */ +- public function __construct(Reader $reader, $cacheDir, $debug = false) ++ public function __construct(Reader $reader, $cacheDir, $debug = false, $umask = 0002) + { ++ if ( ! is_int($umask)) { ++ throw new \InvalidArgumentException(sprintf( ++ 'The parameter umask must be an integer, was: %s', ++ gettype($umask) ++ )); ++ } ++ + $this->reader = $reader; +- if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777, true)) { ++ $this->umask = $umask; ++ ++ if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777 & (~$this->umask), true)) { + throw new \InvalidArgumentException(sprintf('The directory "%s" does not exist and could not be created.', $cacheDir)); + } + diff --git a/debian/patches/series b/debian/patches/series index e4166b6..96fc0f0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch +0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch
diff --git a/debian/changelog b/debian/changelog index 283f77c..fbf9f36 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +doctrine (2.4.6-1+deb8u1) jessie; urgency=medium + + * gbp.conf: Track the jessie branch + * Fix security misconfiguration vulnerability [CVE-2015-5723] + + -- David Prévot <taffit@debian.org> Mon, 31 Aug 2015 22:34:27 -0400 + doctrine (2.4.6-1) unstable; urgency=medium [ Marco Pivetta ] diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..fae4302 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = jessie diff --git a/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch new file mode 100644 index 0000000..493950d --- /dev/null +++ b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch @@ -0,0 +1,107 @@ +From: Benjamin Eberlei <kontakt@beberlei.de> +Date: Mon, 31 Aug 2015 13:57:29 +0200 +Subject: [DCOM-293] Fix security misconfiguration vulnerability allowing + local remote arbitrary code execution. + +Origin: upstream, https://github.com/doctrine/doctrine2/commit/caf30b889bb898620d843d1ec4940d01fa1d8877 +--- + lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php | 2 +- + lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php | 2 +- + lib/Doctrine/ORM/Tools/EntityGenerator.php | 3 ++- + lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php | 3 ++- + lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php | 5 +++-- + 5 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php b/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php +index 5300783..b2aee7e 100644 +--- a/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php ++++ b/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php +@@ -137,7 +137,7 @@ EOT + + // Process destination directory + if ( ! is_dir($destPath = $input->getArgument('dest-path'))) { +- mkdir($destPath, 0777, true); ++ mkdir($destPath, 0775, true); + } + $destPath = realpath($destPath); + +diff --git a/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php b/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php +index 5221187..21edb9d 100644 +--- a/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php ++++ b/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php +@@ -79,7 +79,7 @@ EOT + } + + if ( ! is_dir($destPath)) { +- mkdir($destPath, 0777, true); ++ mkdir($destPath, 0775, true); + } + + $destPath = realpath($destPath); +diff --git a/lib/Doctrine/ORM/Tools/EntityGenerator.php b/lib/Doctrine/ORM/Tools/EntityGenerator.php +index ec3a6e1..df0ab85 100644 +--- a/lib/Doctrine/ORM/Tools/EntityGenerator.php ++++ b/lib/Doctrine/ORM/Tools/EntityGenerator.php +@@ -340,7 +340,7 @@ public function __construct() + $dir = dirname($path); + + if ( ! is_dir($dir)) { +- mkdir($dir, 0777, true); ++ mkdir($dir, 0775, true); + } + + $this->isNew = !file_exists($path) || (file_exists($path) && $this->regenerateEntityIfExists); +@@ -365,6 +365,7 @@ public function __construct() + } elseif ( ! $this->isNew && $this->updateEntityIfExists) { + file_put_contents($path, $this->generateUpdatedEntityClass($metadata, $path)); + } ++ chmod($path, 0664); + } + + /** +diff --git a/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php b/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php +index 5093cd5..2bcc40c 100644 +--- a/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php ++++ b/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php +@@ -96,11 +96,12 @@ class <className> extends EntityRepository + $dir = dirname($path); + + if ( ! is_dir($dir)) { +- mkdir($dir, 0777, true); ++ mkdir($dir, 0775, true); + } + + if ( ! file_exists($path)) { + file_put_contents($path, $code); ++ chmod($path, 0664); + } + } + } +diff --git a/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php b/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php +index d40d078..546b576 100644 +--- a/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php ++++ b/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php +@@ -130,7 +130,7 @@ abstract class AbstractExporter + public function export() + { + if ( ! is_dir($this->_outputDir)) { +- mkdir($this->_outputDir, 0777, true); ++ mkdir($this->_outputDir, 0775, true); + } + + foreach ($this->_metadata as $metadata) { +@@ -139,12 +139,13 @@ abstract class AbstractExporter + $path = $this->_generateOutputPath($metadata); + $dir = dirname($path); + if ( ! is_dir($dir)) { +- mkdir($dir, 0777, true); ++ mkdir($dir, 0775, true); + } + if (file_exists($path) && !$this->_overwriteExistingFiles) { + throw ExportException::attemptOverwriteExistingFile($path); + } + file_put_contents($path, $output); ++ chmod($path, 0664); + } + } + } diff --git a/debian/patches/series b/debian/patches/series index fa85d5f..17fc21a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Drop-Unicode-character.patch +0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch
Attachment:
signature.asc
Description: OpenPGP digital signature