[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#798889: marked as done (jessie-pu: package doctrine/2.4.6-1+deb8u1)

Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798889,
regarding jessie-pu: package doctrine/2.4.6-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
798889: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798889
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Control: clone -1 -2 -3 -4
Control: retitle -2 php-doctrine-annotations/1.2.1-1+deb8u1
Control: retitle -3 php-doctrine-cache/1.3.1-1+deb8u1
Control: retitle -4 php-doctrine-common/2.4.2-2+deb8u1

Hi,

As already discussed with the security team [1], please accept the fixes
for CVE-2015-5723 in doctrine and
php-doctrine-{annotations,cache,common}. Source debdiff attached.

1:
https://lists.alioth.debian.org/pipermail/pkg-php-pear/2015-September/005785.html

Please note there is also a bit of noise in the binary debdiff for
php-doctrine-common, because the pkg-php-tools version that was in Sid
over a year ago was not as effective as the version that made it into
Jessie (hence the php5-common version instead of plain php5 or php5-cli,
and the version boundary changes), so that was expected:

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: [-php5 (>= 5.3.2) | php5-cli-] {+php5-common+} (>= 5.3.2),
php-doctrine-inflector (>= [-1~),-] {+1),+} php-doctrine-inflector (<<
[-2~),-] {+2~~),+} php-doctrine-cache (>= [-1~),-] {+1),+}
php-doctrine-cache (<< [-2~),-] {+2~~),+} php-doctrine-collections (>=
[-1~),-] {+1),+} php-doctrine-collections (<< [-2~),-] {+2~~),+}
php-doctrine-lexer (>= [-1~),-] {+1),+} php-doctrine-lexer (<< [-2~),-]
{+2~~),+} php-doctrine-annotations (>= [-1~),-] {+1),+}
php-doctrine-annotations (<< [-2~)-] {+2~~)+}
Installed-Size: [-320-] {+255+}
Version: [-2.4.2-2-] {+2.4.2-2+deb8u1+}

Regards

David

diff --git a/debian/changelog b/debian/changelog
index dffb472..4fad3b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-common (2.4.2-2+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot <taffit@debian.org>  Mon, 31 Aug 2015 22:57:23 -0400
+
 php-doctrine-common (2.4.2-2) unstable; urgency=medium
 
   * Upload to unstable
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
new file mode 100644
index 0000000..5135152
--- /dev/null
+++ b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
@@ -0,0 +1,23 @@
+From: Marco Pivetta <ocramius@gmail.com>
+Date: Mon, 31 Aug 2015 15:38:45 +0100
+Subject: Applying patch for CVE-2015-5723
+
+See http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
+
+Origin: upstream, https://github.com/doctrine/common/commit/4824569127daa9784bf35219a1cd49306c795389
+---
+ lib/Doctrine/Common/Proxy/ProxyGenerator.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Doctrine/Common/Proxy/ProxyGenerator.php b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+index 4c5a239..3941f17 100644
+--- a/lib/Doctrine/Common/Proxy/ProxyGenerator.php
++++ b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+@@ -302,6 +302,7 @@ class <proxyShortClassName> extends \<className> implements \<baseProxyInterface
+         $tmpFileName = $fileName . '.' . uniqid('', true);
+ 
+         file_put_contents($tmpFileName, $proxyCode);
++        chmod($tmpFileName, 0664);
+         rename($tmpFileName, $fileName);
+     }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index e4166b6..5042a17 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch
+0002-Applying-patch-for-CVE-2015-5723.patch

diff --git a/debian/changelog b/debian/changelog
index 7dc2075..f5c757f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-cache (1.3.1-1+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot <taffit@debian.org>  Mon, 31 Aug 2015 23:07:58 -0400
+
 php-doctrine-cache (1.3.1-1) unstable; urgency=medium
 
   [ David Prévot ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
new file mode 100644
index 0000000..4922520
--- /dev/null
+++ b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
@@ -0,0 +1,95 @@
+From: Benjamin Eberlei <kontakt@beberlei.de>
+Date: Mon, 31 Aug 2015 13:45:08 +0200
+Subject: [DCOM-293] Fix for CVE-2015-5723 Security Misconfiguration
+ Vulnerability that can lead to local arbitrary code execution.
+
+Origin: upstream, https://github.com/doctrine/cache/commit/2196b831e62b04986a5c4d208a1b48e0680da369
+---
+ lib/Doctrine/Common/Cache/FileCache.php       | 19 +++++++++++++++++--
+ lib/Doctrine/Common/Cache/FilesystemCache.php |  4 ++--
+ lib/Doctrine/Common/Cache/PhpFileCache.php    |  6 ++++--
+ 3 files changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/lib/Doctrine/Common/Cache/FileCache.php b/lib/Doctrine/Common/Cache/FileCache.php
+index d91d0bc..f1e4528 100644
+--- a/lib/Doctrine/Common/Cache/FileCache.php
++++ b/lib/Doctrine/Common/Cache/FileCache.php
+@@ -42,16 +42,31 @@ abstract class FileCache extends CacheProvider
+     protected $extension;
+ 
+     /**
++     * @var int
++     */
++    protected $umask;
++
++    /**
+      * Constructor.
+      *
+      * @param string      $directory The cache directory.
+      * @param string|null $extension The cache file extension.
++     * @param int         $umask
+      *
+      * @throws \InvalidArgumentException
+      */
+-    public function __construct($directory, $extension = null)
++    public function __construct($directory, $extension = null, $umask = 0002)
+     {
+-        if ( ! is_dir($directory) && ! @mkdir($directory, 0777, true)) {
++        if (!is_int($umask)) {
++            throw new \InvalidArgumentException(sprintf(
++                "Umask is required to be integer, was: %s",
++                gettype($umask)
++            ));
++        }
++
++        $this->umask = $umask;
++
++        if ( ! is_dir($directory) && ! @mkdir($directory, 0777 & ~$umask, true)) {
+             throw new \InvalidArgumentException(sprintf(
+                 'The directory "%s" does not exist and could not be created.',
+                 $directory
+diff --git a/lib/Doctrine/Common/Cache/FilesystemCache.php b/lib/Doctrine/Common/Cache/FilesystemCache.php
+index 07eda8e..b7060b5 100644
+--- a/lib/Doctrine/Common/Cache/FilesystemCache.php
++++ b/lib/Doctrine/Common/Cache/FilesystemCache.php
+@@ -105,7 +105,7 @@ class FilesystemCache extends FileCache
+         $filepath   = pathinfo($filename, PATHINFO_DIRNAME);
+ 
+         if ( ! is_dir($filepath)) {
+-            if (false === @mkdir($filepath, 0777, true) && !is_dir($filepath)) {
++            if (false === @mkdir($filepath, 0775, true) && !is_dir($filepath)) {
+                 return false;
+             }
+         } elseif ( ! is_writable($filepath)) {
+@@ -115,7 +115,7 @@ class FilesystemCache extends FileCache
+         $tmpFile = tempnam($filepath, basename($filename));
+ 
+         if ((file_put_contents($tmpFile, $lifeTime . PHP_EOL . $data) !== false) && @rename($tmpFile, $filename)) {
+-            @chmod($filename, 0666 & ~umask());
++            @chmod($filename, 0664 & ~umask());
+ 
+             return true;
+         }
+diff --git a/lib/Doctrine/Common/Cache/PhpFileCache.php b/lib/Doctrine/Common/Cache/PhpFileCache.php
+index f017d83..cc4883f 100644
+--- a/lib/Doctrine/Common/Cache/PhpFileCache.php
++++ b/lib/Doctrine/Common/Cache/PhpFileCache.php
+@@ -91,7 +91,7 @@ class PhpFileCache extends FileCache
+         $filepath   = pathinfo($filename, PATHINFO_DIRNAME);
+ 
+         if ( ! is_dir($filepath)) {
+-            mkdir($filepath, 0777, true);
++            mkdir($filepath, 0777 & ~$this->umask, true);
+         }
+ 
+         $value = array(
+@@ -102,6 +102,8 @@ class PhpFileCache extends FileCache
+         $value  = var_export($value, true);
+         $code   = sprintf('<?php return %s;', $value);
+ 
+-        return file_put_contents($filename, $code) !== false;
++        $ret = (file_put_contents($filename, $code) !== false);
++        chmod($filename, 0664);
++        return $ret;
+     }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index e4166b6..ac8c6f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch
+0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch

diff --git a/debian/changelog b/debian/changelog
index a57803f..bbcd0f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-annotations (1.2.1-1+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot <taffit@debian.org>  Mon, 31 Aug 2015 23:16:28 -0400
+
 php-doctrine-annotations (1.2.1-1) unstable; urgency=medium
 
   * Drop now useless XS-Testsuite
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch
new file mode 100644
index 0000000..59a0691
--- /dev/null
+++ b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch
@@ -0,0 +1,48 @@
+From: Benjamin Eberlei <kontakt@beberlei.de>
+Date: Mon, 31 Aug 2015 13:54:27 +0200
+Subject: [DCOM-293] Fix security misconfiguration vulnerability that can
+ allow local arbitrary code execution.
+
+Origin: upstream, https://github.com/doctrine/annotations/commit/f25c8aab83e0c3e976fd7d19875f198ccf2f7535
+---
+ lib/Doctrine/Common/Annotations/FileCacheReader.php | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/lib/Doctrine/Common/Annotations/FileCacheReader.php b/lib/Doctrine/Common/Annotations/FileCacheReader.php
+index e9b29af..f4ac5f2 100644
+--- a/lib/Doctrine/Common/Annotations/FileCacheReader.php
++++ b/lib/Doctrine/Common/Annotations/FileCacheReader.php
+@@ -53,6 +53,11 @@ class FileCacheReader implements Reader
+     private $classNameHashes = array();
+ 
+     /**
++     * @var int
++     */
++    private $umask;
++
++    /**
+      * Constructor.
+      *
+      * @param Reader  $reader
+@@ -61,10 +66,19 @@ class FileCacheReader implements Reader
+      *
+      * @throws \InvalidArgumentException
+      */
+-    public function __construct(Reader $reader, $cacheDir, $debug = false)
++    public function __construct(Reader $reader, $cacheDir, $debug = false, $umask = 0002)
+     {
++        if ( ! is_int($umask)) {
++            throw new \InvalidArgumentException(sprintf(
++                'The parameter umask must be an integer, was: %s',
++                gettype($umask)
++            ));
++        }
++
+         $this->reader = $reader;
+-        if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777, true)) {
++        $this->umask = $umask;
++
++        if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777 & (~$this->umask), true)) {
+             throw new \InvalidArgumentException(sprintf('The directory "%s" does not exist and could not be created.', $cacheDir));
+         }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index e4166b6..96fc0f0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch
+0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch

diff --git a/debian/changelog b/debian/changelog
index 283f77c..fbf9f36 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+doctrine (2.4.6-1+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot <taffit@debian.org>  Mon, 31 Aug 2015 22:34:27 -0400
+
 doctrine (2.4.6-1) unstable; urgency=medium
 
   [ Marco Pivetta ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch
new file mode 100644
index 0000000..493950d
--- /dev/null
+++ b/debian/patches/0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch
@@ -0,0 +1,107 @@
+From: Benjamin Eberlei <kontakt@beberlei.de>
+Date: Mon, 31 Aug 2015 13:57:29 +0200
+Subject: [DCOM-293] Fix security misconfiguration vulnerability allowing
+ local remote arbitrary code execution.
+
+Origin: upstream, https://github.com/doctrine/doctrine2/commit/caf30b889bb898620d843d1ec4940d01fa1d8877
+---
+ lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php  | 2 +-
+ lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php | 2 +-
+ lib/Doctrine/ORM/Tools/EntityGenerator.php                        | 3 ++-
+ lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php              | 3 ++-
+ lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php         | 5 +++--
+ 5 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php b/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php
+index 5300783..b2aee7e 100644
+--- a/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php
++++ b/lib/Doctrine/ORM/Tools/Console/Command/ConvertMappingCommand.php
+@@ -137,7 +137,7 @@ EOT
+ 
+         // Process destination directory
+         if ( ! is_dir($destPath = $input->getArgument('dest-path'))) {
+-            mkdir($destPath, 0777, true);
++            mkdir($destPath, 0775, true);
+         }
+         $destPath = realpath($destPath);
+ 
+diff --git a/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php b/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php
+index 5221187..21edb9d 100644
+--- a/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php
++++ b/lib/Doctrine/ORM/Tools/Console/Command/GenerateProxiesCommand.php
+@@ -79,7 +79,7 @@ EOT
+         }
+ 
+         if ( ! is_dir($destPath)) {
+-            mkdir($destPath, 0777, true);
++            mkdir($destPath, 0775, true);
+         }
+ 
+         $destPath = realpath($destPath);
+diff --git a/lib/Doctrine/ORM/Tools/EntityGenerator.php b/lib/Doctrine/ORM/Tools/EntityGenerator.php
+index ec3a6e1..df0ab85 100644
+--- a/lib/Doctrine/ORM/Tools/EntityGenerator.php
++++ b/lib/Doctrine/ORM/Tools/EntityGenerator.php
+@@ -340,7 +340,7 @@ public function __construct()
+         $dir = dirname($path);
+ 
+         if ( ! is_dir($dir)) {
+-            mkdir($dir, 0777, true);
++            mkdir($dir, 0775, true);
+         }
+ 
+         $this->isNew = !file_exists($path) || (file_exists($path) && $this->regenerateEntityIfExists);
+@@ -365,6 +365,7 @@ public function __construct()
+         } elseif ( ! $this->isNew && $this->updateEntityIfExists) {
+             file_put_contents($path, $this->generateUpdatedEntityClass($metadata, $path));
+         }
++        chmod($path, 0664);
+     }
+ 
+     /**
+diff --git a/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php b/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php
+index 5093cd5..2bcc40c 100644
+--- a/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php
++++ b/lib/Doctrine/ORM/Tools/EntityRepositoryGenerator.php
+@@ -96,11 +96,12 @@ class <className> extends EntityRepository
+         $dir = dirname($path);
+ 
+         if ( ! is_dir($dir)) {
+-            mkdir($dir, 0777, true);
++            mkdir($dir, 0775, true);
+         }
+ 
+         if ( ! file_exists($path)) {
+             file_put_contents($path, $code);
++            chmod($path, 0664);
+         }
+     }
+ }
+diff --git a/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php b/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php
+index d40d078..546b576 100644
+--- a/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php
++++ b/lib/Doctrine/ORM/Tools/Export/Driver/AbstractExporter.php
+@@ -130,7 +130,7 @@ abstract class AbstractExporter
+     public function export()
+     {
+         if ( ! is_dir($this->_outputDir)) {
+-            mkdir($this->_outputDir, 0777, true);
++            mkdir($this->_outputDir, 0775, true);
+         }
+ 
+         foreach ($this->_metadata as $metadata) {
+@@ -139,12 +139,13 @@ abstract class AbstractExporter
+                 $path = $this->_generateOutputPath($metadata);
+                 $dir = dirname($path);
+                 if ( ! is_dir($dir)) {
+-                    mkdir($dir, 0777, true);
++                    mkdir($dir, 0775, true);
+                 }
+                 if (file_exists($path) && !$this->_overwriteExistingFiles) {
+                     throw ExportException::attemptOverwriteExistingFile($path);
+                 }
+                 file_put_contents($path, $output);
++                chmod($path, 0664);
+             }
+         }
+     }
diff --git a/debian/patches/series b/debian/patches/series
index fa85d5f..17fc21a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Drop-Unicode-character.patch
+0002-DCOM-293-Fix-security-misconfiguration-vulnerability.patch

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message --- 
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---
Reply to: