[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#987847: marked as done (unblock: php-laravel-framework/6.20.14+dfsg-2)

Your message dated Sun, 02 May 2021 08:18:27 +0000
with message-id <E1ld7J5-0001qQ-B1@respighi.debian.org>
and subject line unblock php-laravel-framework
has caused the Debian Bug report #987847,
regarding unblock: php-laravel-framework/6.20.14+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987847
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package php-laravel-framework

[ Reason ]
Security fix. See bug #987831 [1].

[ Impact ]
If the security vulnerability remains, users could be vulnerable
to SQL injections.

[ Tests ]
Tested with a subset* of upstream's automated test suite.
The patch is taken from upstream and has passed their QA.

* The test suite is not yet functional in Debian due to its
dependencies, thus no autopkgtest yet, but I can run much of it
locally.

[ Risks ]
I consider it a low-risk change.

The patch was taken from upstream. Their code is still close to the
packaged version in general and identical in this case. The change
is also small and uncomplicated.

Additionally, while the source package builds many binary packages,
only one of them is actually affected by this.


[1] https://bugs.debian.org/987831

Regards,
Robin


====================
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/changelog php-laravel-framework-6.20.14+dfsg/debian/changelog
--- php-laravel-framework-6.20.14+dfsg/debian/changelog	2021-01-22 17:39:34.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/changelog	2021-04-30 16:23:38.000000000 +0000
@@ -1,6 +1,14 @@
+php-laravel-framework (6.20.14+dfsg-2) unstable; urgency=medium
+
+  * Fix security issue: SQL injection with Microsoft SQL Server
+    (Closes: #987831)
+
+ -- Robin Gustafsson <robin@rgson.se>  Fri, 30 Apr 2021 18:23:38 +0200
+
 php-laravel-framework (6.20.14+dfsg-1) unstable; urgency=medium

   * New upstream version 6.20.14+dfsg
+    - Fix security issue: More unexpected bindings in QueryBuilder
   * Replace git attributes with uscan's gitexport=all

  -- Robin Gustafsson <robin@rgson.se>  Fri, 22 Jan 2021 18:39:34 +0100
@@ -9,7 +17,8 @@

   * Set upstream metadata fields: Security-Contact.
   * New upstream version 6.20.11+dfsg
-    - Fix security issue: Unexpected bindings in QueryBuilder (Closes: #980095)
+    - Fix security issue: Unexpected bindings in QueryBuilder
+      (CVE-2021-21263, Closes: #980095)
   * Bump Standards-Version

  -- Robin Gustafsson <robin@rgson.se>  Fri, 15 Jan 2021 00:35:41 +0100
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch
--- php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch	1970-01-01 00:00:00.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch	2021-04-30 16:23:38.000000000 +0000
@@ -0,0 +1,38 @@
+From: Taylor Otwell <taylorotwell@gmail.com>
+Date: Wed, 28 Apr 2021 08:18:19 -0500
+Subject: cast to int
+
+Origin: https://github.com/laravel/framework/commit/09bf1457e9df53e172e6fd5929cbafb539677c7c
+Applied-Upstream: 6.20.26
+---
+ src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php b/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
+index f0a0bfc..88a7df3 100755
+--- a/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
++++ b/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
+@@ -60,8 +60,8 @@ class SqlServerGrammar extends Grammar
+         // If there is a limit on the query, but not an offset, we will add the top
+         // clause to the query, which serves as a "limit" type clause within the
+         // SQL Server system similar to the limit keywords available in MySQL.
+-        if ($query->limit > 0 && $query->offset <= 0) {
+-            $select .= 'top '.$query->limit.' ';
++        if (is_numeric($query->limit) && $query->limit > 0 && $query->offset <= 0) {
++            $select .= 'top '.((int) $query->limit).' ';
+         }
+
+         return $select.$this->columnize($columns);
+@@ -221,10 +221,10 @@ class SqlServerGrammar extends Grammar
+      */
+     protected function compileRowConstraint($query)
+     {
+-        $start = $query->offset + 1;
++        $start = (int) $query->offset + 1;
+
+         if ($query->limit > 0) {
+-            $finish = $query->offset + $query->limit;
++            $finish = (int) $query->offset + (int) $query->limit;
+
+             return "between {$start} and {$finish}";
+         }
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/series php-laravel-framework-6.20.14+dfsg/debian/patches/series
--- php-laravel-framework-6.20.14+dfsg/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/series	2021-04-30 16:23:38.000000000 +0000
@@ -0,0 +1 @@
+0001-cast-to-int.patch
====================

unblock php-laravel-framework/6.20.14+dfsg-2

--- End Message ---
--- Begin Message --- 
Unblocked.

--- End Message ---
Reply to: