Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id <c4d20274f6d76a43fb574d2177f6e3af4235e4be.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1000645,
regarding bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1000645: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000645
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u1
- From: David Prévot <taffit@debian.org>
- Date: Fri, 26 Nov 2021 07:40:41 -0400
- Message-id: <YaDHucYgLYT74Mum@persil.tilapin.org>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Thanks in advance for accepting this short update.

  * Prevent CSV injection via formulas [CVE-2021-41270]

[ Reason ]
The security issue was introduced in 4.1 (buster shipped with 3.4).
The security team decided it doesn't warrant a DSA.

[ Impact ]
It makes applications depending on php-symfony-serializer vulnerable to
CSV injection.

[ Tests ]
The testsuite was fixed and extended in the applied patch. The testsuite
is run at build time and via autopkgtest.

[ Risks ]
The code changed is trivial, the upstream patch is applied directly, and
the php-symfony-serializer binary package actually shipping the code does
not have many reverse dependencies.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The escape character (\t) chosen in Symfony 4.1 for CSV formula has
recently been added as a character starting a formula. The fix adds \t
and \r among the characters starting a formula, and uses a single quote
(') to escape them, following OWASP recommendations.

[ Other info ]
Version 4.4.19+dfsg-3 (similar to the one I'm proposing here) was
uploaded to unstable, but didn't last long: version 5 (also fixing the
issue) was uploaded soon after.

Regards

David

https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas

diff --git a/debian/changelog b/debian/changelog index db978be8b7..50313ca943 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +symfony (4.4.19+dfsg-2+deb11u1) stable; urgency=medium + + * Prevent CSV injection via formulas [CVE-2021-41270] + + -- David Prévot <taffit@debian.org> Wed, 24 Nov 2021 06:07:00 -0400 + symfony (4.4.19+dfsg-2) unstable; urgency=medium * Prevent user enumeration via response content [CVE-2021-21424] 
diff --git a/debian/patches/Use-single-quote-to-escape-formulas.patch b/debian/patches/Use-single-quote-to-escape-formulas.patch new file mode 100644 index 0000000000..a3fa5c3ecc --- /dev/null +++ b/debian/patches/Use-single-quote-to-escape-formulas.patch 
@@ -0,0 +1,191 @@ +From: =?utf-8?b?SsOpcsOpbXkgRGVydXNzw6k=?= <jeremy@derusse.com> +Date: Mon, 15 Nov 2021 11:47:04 +0100 +Subject: Use single quote to escape formulas + +Origin: upstream, https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8 +--- + .../Component/Serializer/Encoder/CsvEncoder.php | 7 +- + .../Serializer/Tests/Encoder/CsvEncoderTest.php | 85 ++++++++++++++++++++-- + 2 files changed, 81 insertions(+), 11 deletions(-) + +diff --git a/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php b/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php +index f20211b..cd71fec 100644 +--- a/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php ++++ b/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php +@@ -35,7 +35,8 @@ class CsvEncoder implements EncoderInterface, DecoderInterface + + private const UTF8_BOM = "\xEF\xBB\xBF"; + +- private $formulasStartCharacters = ['=', '-', '+', '@']; ++ private const FORMULAS_START_CHARACTERS = ['=', '-', '+', '@', "\t", "\r"]; ++ + private $defaultContext = [ + self::DELIMITER_KEY => ',', + self::ENCLOSURE_KEY => '"', +@@ -238,8 +239,8 @@ class CsvEncoder implements EncoderInterface, DecoderInterface + if (is_iterable($value)) { + $this->flatten($value, $result, $keySeparator, $parentKey.$key.$keySeparator, $escapeFormulas); + } else { +- if ($escapeFormulas && \in_array(substr((string) $value, 0, 1), $this->formulasStartCharacters, true)) { +- $result[$parentKey.$key] = "\t".$value; ++ if ($escapeFormulas && \in_array(substr((string) $value, 0, 1), self::FORMULAS_START_CHARACTERS, true)) { ++ $result[$parentKey.$key] = "'".$value; + } else { + // Ensures an actual value is used when dealing with true and false + $result[$parentKey.$key] = false === $value ? 0 : (true === $value ? 
1 : $value); +diff --git a/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php b/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php +index 33a16ee..596afa2 100644 +--- a/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php ++++ b/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php +@@ -285,31 +285,52 @@ CSV; + + $this->assertSame(<<<'CSV' + 0 +-" =2+3" ++'=2+3 + + CSV + , $this->encoder->encode(['=2+3'], 'csv')); + + $this->assertSame(<<<'CSV' + 0 +-" -2+3" ++'-2+3 + + CSV + , $this->encoder->encode(['-2+3'], 'csv')); + + $this->assertSame(<<<'CSV' + 0 +-" +2+3" ++'+2+3 + + CSV + , $this->encoder->encode(['+2+3'], 'csv')); + + $this->assertSame(<<<'CSV' + 0 +-" @MyDataColumn" ++'@MyDataColumn + + CSV + , $this->encoder->encode(['@MyDataColumn'], 'csv')); ++ ++ $this->assertSame(<<<'CSV' ++0 ++"' tab" ++ ++CSV ++ , $this->encoder->encode(["\ttab"], 'csv')); ++ ++ $this->assertSame(<<<'CSV' ++0 ++"'=1+2"";=1+2" ++ ++CSV ++ , $this->encoder->encode(['=1+2";=1+2'], 'csv')); ++ ++ $this->assertSame(<<<'CSV' ++0 ++"'=1+2'"" ;,=1+2" ++ ++CSV ++ , $this->encoder->encode(['=1+2\'" ;,=1+2'], 'csv')); + } + + public function testDoNotEncodeFormulas() +@@ -341,13 +362,34 @@ CSV + + CSV + , $this->encoder->encode(['@MyDataColumn'], 'csv')); ++ ++ $this->assertSame(<<<'CSV' ++0 ++" tab" ++ ++CSV ++ , $this->encoder->encode(["\ttab"], 'csv')); ++ ++ $this->assertSame(<<<'CSV' ++0 ++"=1+2"";=1+2" ++ ++CSV ++ , $this->encoder->encode(['=1+2";=1+2'], 'csv')); ++ ++ $this->assertSame(<<<'CSV' ++0 ++"=1+2'"" ;,=1+2" ++ ++CSV ++ , $this->encoder->encode(['=1+2\'" ;,=1+2'], 'csv')); + } + + public function testEncodeFormulasWithSettingsPassedInContext() + { + $this->assertSame(<<<'CSV' + 0 +-" =2+3" ++'=2+3 + + CSV + , $this->encoder->encode(['=2+3'], 'csv', [ +@@ -356,7 +398,7 @@ CSV + + $this->assertSame(<<<'CSV' + 0 +-" -2+3" ++'-2+3 + + CSV + , $this->encoder->encode(['-2+3'], 'csv', [ +@@ -365,7 +407,7 @@ CSV + + 
$this->assertSame(<<<'CSV' + 0 +-" +2+3" ++'+2+3 + + CSV + , $this->encoder->encode(['+2+3'], 'csv', [ +@@ -374,12 +416,39 @@ CSV + + $this->assertSame(<<<'CSV' + 0 +-" @MyDataColumn" ++'@MyDataColumn + + CSV + , $this->encoder->encode(['@MyDataColumn'], 'csv', [ + CsvEncoder::ESCAPE_FORMULAS_KEY => true, + ])); ++ ++ $this->assertSame(<<<'CSV' ++0 ++"' tab" ++ ++CSV ++ , $this->encoder->encode(["\ttab"], 'csv', [ ++ CsvEncoder::ESCAPE_FORMULAS_KEY => true, ++ ])); ++ ++ $this->assertSame(<<<'CSV' ++0 ++"'=1+2"";=1+2" ++ ++CSV ++ , $this->encoder->encode(['=1+2";=1+2'], 'csv', [ ++ CsvEncoder::ESCAPE_FORMULAS_KEY => true, ++ ])); ++ ++ $this->assertSame(<<<'CSV' ++0 ++"'=1+2'"" ;,=1+2" ++ ++CSV ++ , $this->encoder->encode(['=1+2\'" ;,=1+2'], 'csv', [ ++ CsvEncoder::ESCAPE_FORMULAS_KEY => true, ++ ])); + } + + public function testEncodeWithoutHeader() diff --git a/debian/patches/series b/debian/patches/series index de2ecb771a..c88659fea9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -19,3 +19,4 @@ Config-Drop-currently-broken-assertions.patch Workaround-failing-tests-with-php7.4.patch HttpClient-group-network-for-test-failing-without-vulcain.patch Merge-branch-3.4-into-4.4.patch +Use-single-quote-to-escape-formulas.patchAttachment: signature.asc
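Review bot: In the first CsvEncoder.php hunk, replacing the instance property `$formulasStartCharacters` with `private const FORMULAS_START_CHARACTERS` is safe for a stable update because the old property was already private, so no subclass or caller could have read it; the behavioural change worth recording in the changelog entry is the extension of the set with `"\t"` and `"\r"`, since a value that merely starts with a tab previously passed through untouched and now comes out prefixed with a single quote.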
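Review bot: In the flatten() hunk the single-quote prefix is applied to `$value` only, while `$parentKey.$key` is written unchanged, so column names derived from the input keys are outside the scope of this fix; that matches upstream, but a short comment next to the `"'".$value` line (or a line in the changelog) would make the boundary explicit for applications that build header names from user-supplied data.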
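Review bot: The cases added to testEncodeFormulas, testDoNotEncodeFormulas and testEncodeFormulasWithSettingsPassedInContext cover `=`, `-`, `+`, `@` and a leading tab, but none covers `"\r"`, which the same patch adds to FORMULAS_START_CHARACTERS; a case such as `$this->encoder->encode(["\rcr"], 'csv')` in each of the three methods would close that gap. Also note that the `"' tab"` expectation relies on a literal tab inside the heredoc, which editors that expand tabs to spaces will silently break.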
Description: PGP signature
--- End Message ---
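As an added illustration (not code from the bug report, the Debian package or Symfony), here is a Python reimplementation of the escaping step described under [ Changes ]: the old tab prefix beside the new single-quote prefix with the extended starter set, plus a check that shows why the old scheme stops neutralising a cell once tab itself counts as a formula starter. The function names and the use of Python's csv module for quoting are this example's own assumptions; the sample inputs are the ones from the upstream test cases.

```python
import csv
import io

# Constructed example, not Symfony's code: reimplements the formula-escaping
# step of a CSV encoder so the old and new schemes can be compared side by side.

# Characters a spreadsheet treats as the start of a formula. This is the set the
# patch adopts: the original four plus tab and carriage return.
FORMULA_START_CHARACTERS = frozenset("=-+@\t\r")

# The set the encoder used before the fix (Symfony 4.1 to 4.4.19).
OLD_FORMULA_START_CHARACTERS = frozenset("=-+@")


def starts_formula(cell: str) -> bool:
    """True if the cell, as written, would be parsed as a formula."""
    return cell[:1] in FORMULA_START_CHARACTERS


def escape_formula_old(value: str) -> str:
    """Pre-fix scheme: prefix a tab when the value starts with =, -, + or @.
    Broken once tab itself counts as a formula starter."""
    if value[:1] in OLD_FORMULA_START_CHARACTERS:
        return "\t" + value
    return value


def escape_formula(value: str) -> str:
    """Fixed scheme: prefix a single quote, and also treat tab and CR as starters.
    A leading quote makes spreadsheets store the rest of the cell as text."""
    if value[:1] in FORMULA_START_CHARACTERS:
        return "'" + value
    return value


def encode_csv(rows, escape_formulas: bool = True) -> str:
    """Encode rows of values to CSV text, escaping formulas in each cell.
    Quoting is left to the csv module, as the PHP encoder leaves it to fputcsv."""
    escape = escape_formula if escape_formulas else (lambda v: v)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escape(str(v)) for v in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs mirroring the cases in the upstream test file.
    samples = ["=2+3", "-2+3", "+2+3", "@MyDataColumn", "\ttab", '=1+2";=1+2']
    for s in samples:
        old, new = escape_formula_old(s), escape_formula(s)
        print(repr(s), "old:", repr(old), "still formula:", starts_formula(old),
              "| new:", repr(new), "still formula:", starts_formula(new))
    print(encode_csv([samples]), end="")
```

Running it shows that the old scheme turns `=2+3` into `\t=2+3`, which still starts with a formula character, and leaves `\ttab` untouched; the new scheme yields `'=2+3` and `'\ttab`, neither of which does. For the cells containing a double quote or a comma the csv module's minimal quoting produces exactly the `"'=1+2"";=1+2"` form the upstream tests expect; for the tab case PHP's fputcsv additionally quotes the field because of the whitespace, whereas Python leaves it bare, so only the prefix, not the surrounding quotes, should be compared across the two.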
--- Begin Message ---
- To: 1000342-done@bugs.debian.org, 1000645-done@bugs.debian.org, 1001411-done@bugs.debian.org, 1001692-done@bugs.debian.org, 1001740-done@bugs.debian.org, 1001849-done@bugs.debian.org, 1002012-done@bugs.debian.org, 1002051-done@bugs.debian.org, 1002563-done@bugs.debian.org, 1002619-done@bugs.debian.org, 1002620-done@bugs.debian.org, 1002652-done@bugs.debian.org, 1002685-done@bugs.debian.org, 1002703-done@bugs.debian.org, 1003018-done@bugs.debian.org, 1003058-done@bugs.debian.org, 1003133-done@bugs.debian.org, 1003173-done@bugs.debian.org, 1003484-done@bugs.debian.org, 1003526-done@bugs.debian.org, 1003659-done@bugs.debian.org, 1003765-done@bugs.debian.org, 1003948-done@bugs.debian.org, 1004033-done@bugs.debian.org, 1004050-done@bugs.debian.org, 1004192-done@bugs.debian.org, 1004247-done@bugs.debian.org, 1004384-done@bugs.debian.org, 1004452-done@bugs.debian.org, 1004483-done@bugs.debian.org, 1004533-done@bugs.debian.org, 1004575-done@bugs.debian.org, 1004741-done@bugs.debian.org, 1004895-done@bugs.debian.org, 1004966-done@bugs.debian.org, 1004999-done@bugs.debian.org, 1005007-done@bugs.debian.org, 1005010-done@bugs.debian.org, 1005013-done@bugs.debian.org, 1005052-done@bugs.debian.org, 1005148-done@bugs.debian.org, 1005158-done@bugs.debian.org, 1005217-done@bugs.debian.org, 1005232-done@bugs.debian.org, 1005288-done@bugs.debian.org, 1005340-done@bugs.debian.org, 1005351-done@bugs.debian.org, 1005355-done@bugs.debian.org, 1005372-done@bugs.debian.org, 1005694-done@bugs.debian.org, 1005861-done@bugs.debian.org, 1005868-done@bugs.debian.org, 1005949-done@bugs.debian.org, 1006010-done@bugs.debian.org, 1006137-done@bugs.debian.org, 1006138-done@bugs.debian.org, 1006165-done@bugs.debian.org, 1006187-done@bugs.debian.org, 1006192-done@bugs.debian.org, 1006215-done@bugs.debian.org, 1006222-done@bugs.debian.org, 1006342-done@bugs.debian.org, 1006371-done@bugs.debian.org, 1006402-done@bugs.debian.org, 1006493-done@bugs.debian.org, 1006522-done@bugs.debian.org, 
1006752-done@bugs.debian.org, 1006768-done@bugs.debian.org, 1006796-done@bugs.debian.org, 1006797-done@bugs.debian.org, 1006883-done@bugs.debian.org, 1006905-done@bugs.debian.org, 1006916-done@bugs.debian.org, 1007001-done@bugs.debian.org, 1007249-done@bugs.debian.org, 1007261-done@bugs.debian.org, 1007262-done@bugs.debian.org, 1007747-done@bugs.debian.org, 1007878-done@bugs.debian.org, 1007909-done@bugs.debian.org, 1007920-done@bugs.debian.org, 1007947-done@bugs.debian.org, 1007963-done@bugs.debian.org, 1008031-done@bugs.debian.org, 1008074-done@bugs.debian.org, 1006446-done@bugs.debian.org
- Subject: Closing p-u requests for updates in 11.3
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 26 Mar 2022 11:59:13 +0000
- Message-id: <c4d20274f6d76a43fb574d2177f6e3af4235e4be.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.3

Hi,

The updates referenced by these bugs were included in stable as part of
this morning's 11.3 point release.

Regards,

Adam
--- End Message ---