
Bug#1000645: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Thanks in advance for accepting this short update.

  * Prevent CSV injection via formulas [CVE-2021-41270]

[ Reason ]
The security issue was introduced in 4.1 (buster shipped with 
3.4). The security team decided it doesn’t warrant a DSA.

[ Impact ]
It makes applications depending on php-symfony-serializer vulnerable to
CSV injection.

[ Tests ]
The testsuite was fixed and extended in the applied patch. The testsuite
is run at build time and via autopkgtest.

[ Risks ]
The code change is trivial, the upstream patch is applied directly, and the
php-symfony-serializer binary package that actually ships the code has
few reverse dependencies.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The escape character (\t) that Symfony 4.1 chose for escaping CSV formulas
has itself recently been identified as a character that starts a formula.
The fix adds \t and \r to the characters starting a formula, and uses a
single quote (') to escape them, following OWASP recommendations.

[ Other info ]
Version 4.4.19+dfsg-3 (similar to the one I’m proposing here) was
uploaded to unstable, but didn’t last long: version 5 (also fixing the
issue) was uploaded soon after.

Regards

David

https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas
diff --git a/debian/changelog b/debian/changelog
index db978be8b7..50313ca943 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+symfony (4.4.19+dfsg-2+deb11u1) stable; urgency=medium
+
+  * Prevent CSV injection via formulas [CVE-2021-41270]
+
+ -- David Prévot <taffit@debian.org>  Wed, 24 Nov 2021 06:07:00 -0400
+
 symfony (4.4.19+dfsg-2) unstable; urgency=medium
 
   * Prevent user enumeration via response content [CVE-2021-21424]
diff --git a/debian/patches/Use-single-quote-to-escape-formulas.patch b/debian/patches/Use-single-quote-to-escape-formulas.patch
new file mode 100644
index 0000000000..a3fa5c3ecc
--- /dev/null
+++ b/debian/patches/Use-single-quote-to-escape-formulas.patch
@@ -0,0 +1,191 @@
+From: =?utf-8?b?SsOpcsOpbXkgRGVydXNzw6k=?= <jeremy@derusse.com>
+Date: Mon, 15 Nov 2021 11:47:04 +0100
+Subject: Use single quote to escape formulas
+
+Origin: upstream, https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
+---
+ .../Component/Serializer/Encoder/CsvEncoder.php    |  7 +-
+ .../Serializer/Tests/Encoder/CsvEncoderTest.php    | 85 ++++++++++++++++++++--
+ 2 files changed, 81 insertions(+), 11 deletions(-)
+
+diff --git a/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php b/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
+index f20211b..cd71fec 100644
+--- a/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
++++ b/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
+@@ -35,7 +35,8 @@ class CsvEncoder implements EncoderInterface, DecoderInterface
+ 
+     private const UTF8_BOM = "\xEF\xBB\xBF";
+ 
+-    private $formulasStartCharacters = ['=', '-', '+', '@'];
++    private const FORMULAS_START_CHARACTERS = ['=', '-', '+', '@', "\t", "\r"];
++
+     private $defaultContext = [
+         self::DELIMITER_KEY => ',',
+         self::ENCLOSURE_KEY => '"',
+@@ -238,8 +239,8 @@ class CsvEncoder implements EncoderInterface, DecoderInterface
+             if (is_iterable($value)) {
+                 $this->flatten($value, $result, $keySeparator, $parentKey.$key.$keySeparator, $escapeFormulas);
+             } else {
+-                if ($escapeFormulas && \in_array(substr((string) $value, 0, 1), $this->formulasStartCharacters, true)) {
+-                    $result[$parentKey.$key] = "\t".$value;
++                if ($escapeFormulas && \in_array(substr((string) $value, 0, 1), self::FORMULAS_START_CHARACTERS, true)) {
++                    $result[$parentKey.$key] = "'".$value;
+                 } else {
+                     // Ensures an actual value is used when dealing with true and false
+                     $result[$parentKey.$key] = false === $value ? 0 : (true === $value ? 1 : $value);
+diff --git a/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php b/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
+index 33a16ee..596afa2 100644
+--- a/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
++++ b/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
+@@ -285,31 +285,52 @@ CSV;
+ 
+         $this->assertSame(<<<'CSV'
+ 0
+-"	=2+3"
++'=2+3
+ 
+ CSV
+             , $this->encoder->encode(['=2+3'], 'csv'));
+ 
+         $this->assertSame(<<<'CSV'
+ 0
+-"	-2+3"
++'-2+3
+ 
+ CSV
+             , $this->encoder->encode(['-2+3'], 'csv'));
+ 
+         $this->assertSame(<<<'CSV'
+ 0
+-"	+2+3"
++'+2+3
+ 
+ CSV
+             , $this->encoder->encode(['+2+3'], 'csv'));
+ 
+         $this->assertSame(<<<'CSV'
+ 0
+-"	@MyDataColumn"
++'@MyDataColumn
+ 
+ CSV
+             , $this->encoder->encode(['@MyDataColumn'], 'csv'));
++
++        $this->assertSame(<<<'CSV'
++0
++"'	tab"
++
++CSV
++            , $this->encoder->encode(["\ttab"], 'csv'));
++
++        $this->assertSame(<<<'CSV'
++0
++"'=1+2"";=1+2"
++
++CSV
++            , $this->encoder->encode(['=1+2";=1+2'], 'csv'));
++
++        $this->assertSame(<<<'CSV'
++0
++"'=1+2'"" ;,=1+2"
++
++CSV
++            , $this->encoder->encode(['=1+2\'" ;,=1+2'], 'csv'));
+     }
+ 
+     public function testDoNotEncodeFormulas()
+@@ -341,13 +362,34 @@ CSV
+ 
+ CSV
+             , $this->encoder->encode(['@MyDataColumn'], 'csv'));
++
++        $this->assertSame(<<<'CSV'
++0
++"	tab"
++
++CSV
++            , $this->encoder->encode(["\ttab"], 'csv'));
++
++        $this->assertSame(<<<'CSV'
++0
++"=1+2"";=1+2"
++
++CSV
++            , $this->encoder->encode(['=1+2";=1+2'], 'csv'));
++
++        $this->assertSame(<<<'CSV'
++0
++"=1+2'"" ;,=1+2"
++
++CSV
++            , $this->encoder->encode(['=1+2\'" ;,=1+2'], 'csv'));
+     }
+ 
+     public function testEncodeFormulasWithSettingsPassedInContext()
+     {
+         $this->assertSame(<<<'CSV'
+ 0
+-"	=2+3"
++'=2+3
+ 
+ CSV
+             , $this->encoder->encode(['=2+3'], 'csv', [
+@@ -356,7 +398,7 @@ CSV
+ 
+         $this->assertSame(<<<'CSV'
+ 0
+-"	-2+3"
++'-2+3
+ 
+ CSV
+             , $this->encoder->encode(['-2+3'], 'csv', [
+@@ -365,7 +407,7 @@ CSV
+ 
+         $this->assertSame(<<<'CSV'
+ 0
+-"	+2+3"
++'+2+3
+ 
+ CSV
+             , $this->encoder->encode(['+2+3'], 'csv', [
+@@ -374,12 +416,39 @@ CSV
+ 
+         $this->assertSame(<<<'CSV'
+ 0
+-"	@MyDataColumn"
++'@MyDataColumn
+ 
+ CSV
+             , $this->encoder->encode(['@MyDataColumn'], 'csv', [
+                 CsvEncoder::ESCAPE_FORMULAS_KEY => true,
+             ]));
++
++        $this->assertSame(<<<'CSV'
++0
++"'	tab"
++
++CSV
++            , $this->encoder->encode(["\ttab"], 'csv', [
++                CsvEncoder::ESCAPE_FORMULAS_KEY => true,
++            ]));
++
++        $this->assertSame(<<<'CSV'
++0
++"'=1+2"";=1+2"
++
++CSV
++            , $this->encoder->encode(['=1+2";=1+2'], 'csv', [
++                CsvEncoder::ESCAPE_FORMULAS_KEY => true,
++            ]));
++
++        $this->assertSame(<<<'CSV'
++0
++"'=1+2'"" ;,=1+2"
++
++CSV
++            , $this->encoder->encode(['=1+2\'" ;,=1+2'], 'csv', [
++                CsvEncoder::ESCAPE_FORMULAS_KEY => true,
++            ]));
+     }
+ 
+     public function testEncodeWithoutHeader()
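Review bot: The inner CsvEncoder.php hunk replaces the private property `$formulasStartCharacters` with the class constant `FORMULAS_START_CHARACTERS`, so any other `$this->formulasStartCharacters` reference in that file would now be an undefined-property read returning null; the inner diffstat (7 lines in CsvEncoder.php) suggests the two visible hunks cover every use, but a grep of the patched file before upload is cheap. The patch header has an `Origin:` line but no `Bug:` line or CVE mention, so adding `Bug: https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas` would tie the patch to the advisory for future maintainers. The `flatten` method modified by the second inner hunk starts and ends outside the hunk.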
diff --git a/debian/patches/series b/debian/patches/series
index de2ecb771a..c88659fea9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,4 @@ Config-Drop-currently-broken-assertions.patch
 Workaround-failing-tests-with-php7.4.patch
 HttpClient-group-network-for-test-failing-without-vulcain.patch
 Merge-branch-3.4-into-4.4.patch
+Use-single-quote-to-escape-formulas.patch
