
Bug#1006417: buster-pu: package php-illuminate-database/5.7.27-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: tg@mirbsd.de

[ Reason ]
These are two security-related backports, prepared by the new maintainer
of these binary packages (who maintains them for bullseye and up). The
security team asked me to ship them via the upcoming buster point release.

[ Impact ]
Two pending SQL-injection security fixes (CVE-2021-21263, #980899, and the
Microsoft SQL Server limit/offset issue, #987848) are not yet applied in buster.

[ Tests ]
The new maintainer, who backported these fixes, has tested them
with upstream’s testsuite and provided tests for the issues
themselves.

[ Risks ]
These are backports of the upstream patches for later versions, so
the risk should be low. I am not sufficiently familiar with the
codebase to judge this myself, but the patches look plausible at a
quick glance.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply two patches prepared by the new maintainer and change
the Maintainer field to them.
diff -Nru php-illuminate-database-5.7.27/debian/changelog php-illuminate-database-5.7.27/debian/changelog
--- php-illuminate-database-5.7.27/debian/changelog	2019-02-22 20:06:21.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/changelog	2022-02-25 00:53:26.000000000 +0100
@@ -1,3 +1,15 @@
+php-illuminate-database (5.7.27-1+deb10u1) buster; urgency=medium
+
+  [ Robin Gustafsson ]
+  * Security fix: Query Binding Exploitation (Closes: #980899)
+    Fixes CVE-2021-21263
+  * Security fix: SQL injection with Microsoft SQL Server (Closes: #987848)
+
+  [ Thorsten Glaser ]
+  * Update Maintainer, upload to oldstable as security fixpack
+
+ -- Thorsten Glaser <tg@mirbsd.de>  Fri, 25 Feb 2022 00:53:26 +0100
+
 php-illuminate-database (5.7.27-1) unstable; urgency=medium
 
   * New upstream version.
diff -Nru php-illuminate-database-5.7.27/debian/control php-illuminate-database-5.7.27/debian/control
--- php-illuminate-database-5.7.27/debian/control	2019-02-22 20:06:21.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/control	2022-02-25 00:53:26.000000000 +0100
@@ -1,7 +1,7 @@
 Source: php-illuminate-database
 Section: php
 Priority: optional
-Maintainer: Teckids Debian Task Force <tdtf@lists.teckids.org>
+Maintainer: Robin Gustafsson <robin@rgson.se>
 Uploaders: Thorsten Glaser <tg@mirbsd.de>, Dominik George <natureshadow@debian.org>
 Build-Depends: debhelper (>= 11~), pkg-php-tools (>= 1.7~)
 Standards-Version: 4.3.0
diff -Nru php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
--- php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch	2022-02-25 00:51:21.000000000 +0100
@@ -0,0 +1,96 @@
+From: Taylor Otwell <taylor@laravel.com>
+Date: Wed, 13 Jan 2021 07:35:45 -0600
+Subject: [6.x] Limit expected bindings (#35865)
+
+* limit expected bindings
+
+* limit more bindings
+
+Origin: https://github.com/laravel/framework/commit/d0954f4574f315f0c2e9e65e92cc74b80eadcac1
+---
+ Query/Builder.php | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -654,7 +654,7 @@ class Builder
+         );
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding($value, 'where');
++            $this->addBinding(is_array($value) ? head($value) : $value, 'where');
+         }
+ 
+         return $this;
+@@ -1051,7 +1051,7 @@ class Builder
+ 
+         $this->wheres[] = compact('type', 'column', 'values', 'boolean', 'not');
+ 
+-        $this->addBinding($this->cleanBindings($values), 'where');
++        $this->addBinding(array_slice($this->cleanBindings($values), 0, 2), 'where');
+ 
+         return $this;
+     }
+@@ -1119,6 +1119,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = is_array($value) ? head($value) : $value;
++
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('Y-m-d');
+         }
+@@ -1158,6 +1160,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = is_array($value) ? head($value) : $value;
++
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('H:i:s');
+         }
+@@ -1197,6 +1201,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = is_array($value) ? head($value) : $value;
++
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('d');
+         }
+@@ -1236,6 +1242,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = is_array($value) ? head($value) : $value;
++
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('m');
+         }
+@@ -1275,6 +1283,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = is_array($value) ? head($value) : $value;
++
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('Y');
+         }
+@@ -1581,7 +1591,7 @@ class Builder
+         $this->wheres[] = compact('type', 'column', 'operator', 'value', 'boolean');
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding($value);
++            $this->addBinding((int) $value);
+         }
+ 
+         return $this;
+@@ -1714,7 +1724,7 @@ class Builder
+         $this->havings[] = compact('type', 'column', 'operator', 'value', 'boolean');
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding($value, 'having');
++            $this->addBinding(is_array($value) ? head($value) : $value, 'having');
+         }
+ 
+         return $this;
diff -Nru php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch
--- php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch	2022-02-25 00:51:21.000000000 +0100
@@ -0,0 +1,92 @@
+From: Kane Cohen <kanecohen@gmail.com>
+Date: Thu, 21 Jan 2021 08:44:52 +0000
+Subject: Limit expected bindingx v2.
+
+Origin: https://github.com/laravel/framework/commit/9d3752ca5f29c4cb1c0384fb01847820b6ac492c
+---
+ Query/Builder.php | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -293,6 +293,17 @@ class Builder
+     }
+ 
+     /**
++     * Returns scalar type value from an unknown type of input.
++     *
++     * @param  mixed  $value
++     * @return mixed
++     */
++    protected function scalarValue($value)
++    {
++        return is_array($value) ? head(Arr::flatten($value)) : $value;
++    }
++
++    /**
+      * Creates a subquery and parse it.
+      *
+      * @param  \Closure|\Illuminate\Database\Query\Builder|string $query
+@@ -654,7 +665,7 @@ class Builder
+         );
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding(is_array($value) ? head($value) : $value, 'where');
++            $this->addBinding($this->scalarValue($value), 'where');
+         }
+ 
+         return $this;
+@@ -1051,7 +1062,7 @@ class Builder
+ 
+         $this->wheres[] = compact('type', 'column', 'values', 'boolean', 'not');
+ 
+-        $this->addBinding(array_slice($this->cleanBindings($values), 0, 2), 'where');
++        $this->addBinding(array_slice($this->cleanBindings(Arr::flatten($values)), 0, 2), 'where');
+ 
+         return $this;
+     }
+@@ -1119,7 +1130,7 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
+-        $value = is_array($value) ? head($value) : $value;
++        $value = $this->scalarValue($value);
+ 
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('Y-m-d');
+@@ -1160,7 +1171,7 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
+-        $value = is_array($value) ? head($value) : $value;
++        $value = $this->scalarValue($value);
+ 
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('H:i:s');
+@@ -1242,7 +1253,7 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
+-        $value = is_array($value) ? head($value) : $value;
++        $value = $this->scalarValue($value);
+ 
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('m');
+@@ -1591,7 +1602,7 @@ class Builder
+         $this->wheres[] = compact('type', 'column', 'operator', 'value', 'boolean');
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding((int) $value);
++            $this->addBinding((int) $this->scalarValue($value));
+         }
+ 
+         return $this;
+@@ -1724,7 +1735,7 @@ class Builder
+         $this->havings[] = compact('type', 'column', 'operator', 'value', 'boolean');
+ 
+         if (! $value instanceof Expression) {
+-            $this->addBinding(is_array($value) ? head($value) : $value, 'having');
++            $this->addBinding($this->scalarValue($value), 'having');
+         }
+ 
+         return $this;
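Review bot: The new `scalarValue` helper at the top of the hunk returns `false` rather than a value taken from the input when given an empty array, because `head([])` is `false`; so `where('col', '=', [])` now silently binds `false` instead of failing loudly. That matches upstream, but the docblock should say it, e.g. `@return mixed  first leaf of a (possibly nested) array, `false` for an empty array, otherwise the value unchanged`. The helper also relies on `Arr::flatten` while nothing in the debdiff adds a `use Illuminate\Support\Arr;` line — presumably the 5.7.27 Builder already imports it, but that is worth confirming since the patch was written against 6.x. Every method touched by the later hunks starts outside the hunk.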
diff -Nru php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch
--- php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch	2022-02-25 00:51:22.000000000 +0100
@@ -0,0 +1,29 @@
+From: Kane Cohen <kanecohen@gmail.com>
+Date: Thu, 21 Jan 2021 10:48:50 +0000
+Subject: Update whereDay and whereYear to clean value.
+
+Origin: https://github.com/laravel/framework/commit/dbbb1c1c8a1fa0a51677b5a74fcfe0e2561ced91
+---
+ Query/Builder.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -1212,7 +1212,7 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
+-        $value = is_array($value) ? head($value) : $value;
++        $value = $this->scalarValue($value);
+ 
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('d');
+@@ -1294,7 +1294,7 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
+-        $value = is_array($value) ? head($value) : $value;
++        $value = $this->scalarValue($value);
+ 
+         if ($value instanceof DateTimeInterface) {
+             $value = $value->format('Y');
diff -Nru php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch
--- php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch	2022-02-25 00:51:22.000000000 +0100
@@ -0,0 +1,20 @@
+From: Kane Cohen <kanecohen@gmail.com>
+Date: Thu, 21 Jan 2021 12:08:38 +0000
+Subject: Add limit bindings for having between + tests.
+
+Origin: https://github.com/laravel/framework/commit/c6b8168e6cbbe339fdc3af5ccdded545779965df
+---
+ Query/Builder.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -1773,7 +1773,7 @@ class Builder
+ 
+         $this->havings[] = compact('type', 'column', 'values', 'boolean', 'not');
+ 
+-        $this->addBinding($this->cleanBindings($values), 'having');
++        $this->addBinding(array_slice($this->cleanBindings(Arr::flatten($values)), 0, 2), 'having');
+ 
+         return $this;
+     }
diff -Nru php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch
--- php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch	2022-02-25 00:51:22.000000000 +0100
@@ -0,0 +1,40 @@
+From: Robin Gustafsson <robin@rgson.se>
+Date: Sat, 1 May 2021 15:52:36 +0200
+Subject: Clean value in orWhereDay/Month/Year
+
+In 6.x these methods call the whereDay/Month/Year methods where
+the value is cleaned. In 5.x they don't, and so the value must
+be cleaned here too.
+---
+ Query/Builder.php | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -1235,6 +1235,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = $this->scalarValue($value);
++
+         return $this->addDateBasedWhere('Day', $column, $operator, $value, 'or');
+     }
+ 
+@@ -1276,6 +1278,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = $this->scalarValue($value);
++
+         return $this->addDateBasedWhere('Month', $column, $operator, $value, 'or');
+     }
+ 
+@@ -1317,6 +1321,8 @@ class Builder
+             $value, $operator, func_num_args() === 2
+         );
+ 
++        $value = $this->scalarValue($value);
++
+         return $this->addDateBasedWhere('Year', $column, $operator, $value, 'or');
+     }
+ 
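Review bot: This Debian-local patch has no DEP-3 `Forwarded:`/`Bug-Debian:` headers, unlike the five patches that carry an `Origin:`, so a reader cannot tell whether it was sent upstream or is deliberately 5.x-only; add `Forwarded: not-needed` (the description already explains that 6.x cleans the value in whereDay/Month/Year) and `Bug-Debian: https://bugs.debian.org/980899`. The description would also benefit from one sentence on why orWhereDate/orWhereTime need no equivalent change — presumably because in 5.7 they delegate to whereDate/whereTime, which patches 0001/0002 cover, but that is an inference a series reviewer should not have to make. Each of the three orWhere* bodies starts before its hunk.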
diff -Nru php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch
--- php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch	2022-02-25 00:51:23.000000000 +0100
@@ -0,0 +1,35 @@
+From: Taylor Otwell <taylorotwell@gmail.com>
+Date: Wed, 28 Apr 2021 08:18:19 -0500
+Subject: cast to int
+
+Origin: https://github.com/laravel/framework/commit/09bf1457e9df53e172e6fd5929cbafb539677c7c
+---
+ Query/Grammars/SqlServerGrammar.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/Query/Grammars/SqlServerGrammar.php
++++ b/Query/Grammars/SqlServerGrammar.php
+@@ -60,8 +60,8 @@ class SqlServerGrammar extends Grammar
+         // If there is a limit on the query, but not an offset, we will add the top
+         // clause to the query, which serves as a "limit" type clause within the
+         // SQL Server system similar to the limit keywords available in MySQL.
+-        if ($query->limit > 0 && $query->offset <= 0) {
+-            $select .= 'top '.$query->limit.' ';
++        if (is_numeric($query->limit) && $query->limit > 0 && $query->offset <= 0) {
++            $select .= 'top '.((int) $query->limit).' ';
+         }
+ 
+         return $select.$this->columnize($columns);
+@@ -221,10 +221,10 @@ class SqlServerGrammar extends Grammar
+      */
+     protected function compileRowConstraint($query)
+     {
+-        $start = $query->offset + 1;
++        $start = (int) $query->offset + 1;
+ 
+         if ($query->limit > 0) {
+-            $finish = $query->offset + $query->limit;
++            $finish = (int) $query->offset + (int) $query->limit;
+ 
+             return "between {$start} and {$finish}";
+         }
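Review bot: The two hunks guard differently: compileSelect now requires `is_numeric($query->limit)` before using it, whereas compileRowConstraint keeps the bare `$query->limit > 0` and relies on the `(int)` casts alone. The casts do close the injection, since only integers are ever interpolated into the SQL string, but for consistency — and so a non-numeric limit behaves the same in both places, given that PHP 8 changed how `"abc" > 0` evaluates — mirror the guard: `if (is_numeric($query->limit) && $query->limit > 0) {`. A short why-comment above the casts, e.g. `// limit/offset are interpolated into raw SQL here, so force them to int`, would keep a future refactor from dropping them. compileRowConstraint's body continues past the hunk.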
diff -Nru php-illuminate-database-5.7.27/debian/patches/series php-illuminate-database-5.7.27/debian/patches/series
--- php-illuminate-database-5.7.27/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/series	2022-02-25 00:52:01.000000000 +0100
@@ -0,0 +1,6 @@
+0001-6.x-Limit-expected-bindings-35865.patch
+0002-Limit-expected-bindingx-v2.patch
+0003-Update-whereDay-and-whereYear-to-clean-value.patch
+0004-Add-limit-bindings-for-having-between-tests.patch
+0005-Clean-value-in-orWhereDay-Month-Year.patch
+0006-cast-to-int.patch
