--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: php-laravel-framework/6.20.14+dfsg-2
- From: Robin Gustafsson <robin@rgson.se>
- Date: Fri, 30 Apr 2021 20:00:05 +0000
- Message-id: <161981280503.17738.11292017499105068124.reportbug@freyja>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package php-laravel-framework
[ Reason ]
Security fix. See bug #987831 [1].
[ Impact ]
If the security vulnerability remains, users could be vulnerable
to SQL injections.
[ Tests ]
Tested with a subset* of upstream's automated test suite.
The patch is taken from upstream and has passed their QA.
* The test suite is not yet functional in Debian due to its
dependencies, thus no autopkgtest yet, but I can run much of it
locally.
[ Risks ]
I consider it a low-risk change.
The patch was taken from upstream. Their code is still close to the
packaged version in general and identical in this case. The change
is also small and uncomplicated.
Additionally, while the source package builds many binary packages,
only one of them is actually affected by this.
[1] https://bugs.debian.org/987831
Regards,
Robin
====================
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/changelog php-laravel-framework-6.20.14+dfsg/debian/changelog
--- php-laravel-framework-6.20.14+dfsg/debian/changelog 2021-01-22 17:39:34.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/changelog 2021-04-30 16:23:38.000000000 +0000
@@ -1,6 +1,14 @@
+php-laravel-framework (6.20.14+dfsg-2) unstable; urgency=medium
+
+ * Fix security issue: SQL injection with Microsoft SQL Server
+ (Closes: #987831)
+
+ -- Robin Gustafsson <robin@rgson.se> Fri, 30 Apr 2021 18:23:38 +0200
+
php-laravel-framework (6.20.14+dfsg-1) unstable; urgency=medium
* New upstream version 6.20.14+dfsg
+ - Fix security issue: More unexpected bindings in QueryBuilder
* Replace git attributes with uscan's gitexport=all
-- Robin Gustafsson <robin@rgson.se> Fri, 22 Jan 2021 18:39:34 +0100
@@ -9,7 +17,8 @@
* Set upstream metadata fields: Security-Contact.
* New upstream version 6.20.11+dfsg
- - Fix security issue: Unexpected bindings in QueryBuilder (Closes: #980095)
+ - Fix security issue: Unexpected bindings in QueryBuilder
+ (CVE-2021-21263, Closes: #980095)
* Bump Standards-Version
-- Robin Gustafsson <robin@rgson.se> Fri, 15 Jan 2021 00:35:41 +0100
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch
--- php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch 2021-04-30 16:23:38.000000000 +0000
@@ -0,0 +1,38 @@
+From: Taylor Otwell <taylorotwell@gmail.com>
+Date: Wed, 28 Apr 2021 08:18:19 -0500
+Subject: cast to int
+
+Origin: https://github.com/laravel/framework/commit/09bf1457e9df53e172e6fd5929cbafb539677c7c
+Applied-Upstream: 6.20.26
+---
+ src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php b/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
+index f0a0bfc..88a7df3 100755
+--- a/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
++++ b/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
+@@ -60,8 +60,8 @@ class SqlServerGrammar extends Grammar
+ // If there is a limit on the query, but not an offset, we will add the top
+ // clause to the query, which serves as a "limit" type clause within the
+ // SQL Server system similar to the limit keywords available in MySQL.
+- if ($query->limit > 0 && $query->offset <= 0) {
+- $select .= 'top '.$query->limit.' ';
++ if (is_numeric($query->limit) && $query->limit > 0 && $query->offset <= 0) {
++ $select .= 'top '.((int) $query->limit).' ';
+ }
+
+ return $select.$this->columnize($columns);
+@@ -221,10 +221,10 @@ class SqlServerGrammar extends Grammar
+ */
+ protected function compileRowConstraint($query)
+ {
+- $start = $query->offset + 1;
++ $start = (int) $query->offset + 1;
+
+ if ($query->limit > 0) {
+- $finish = $query->offset + $query->limit;
++ $finish = (int) $query->offset + (int) $query->limit;
+
+ return "between {$start} and {$finish}";
+ }
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/series php-laravel-framework-6.20.14+dfsg/debian/patches/series
--- php-laravel-framework-6.20.14+dfsg/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/series 2021-04-30 16:23:38.000000000 +0000
@@ -0,0 +1 @@
+0001-cast-to-int.patch
====================
unblock php-laravel-framework/6.20.14+dfsg-2
--- End Message ---