Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: symfony@packages.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org> Control: affects -1 + src:symfony User: release.debian.org@packages.debian.org Usertags: pu Hi, [ This request is similar to #1120661 for trixie ] As agreed with the security team, I’d like to see CVE-2025-64500 fixed in bookworm. The patch is minimal and only affects php-symfony-http-foundation, which is not part of the dependency chain of any end-user package AFAICT. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Thanks in advance. Regards, taffit
diff -Nru symfony-5.4.23+dfsg/debian/changelog symfony-5.4.23+dfsg/debian/changelog
--- symfony-5.4.23+dfsg/debian/changelog 2024-11-14 12:16:18.000000000 +0100
+++ symfony-5.4.23+dfsg/debian/changelog 2025-11-13 07:56:38.000000000 +0100
@@ -1,3 +1,12 @@
+symfony (5.4.23+dfsg-1+deb12u5) bookworm; urgency=medium
+
+ * Backport security fix from Symfony 5.4.50
+ - [HttpFoundation] Fix parsing pathinfo with no leading slash
+ [CVE-2025-64500]
+ * [Finder] Drop data from testsuite
+
+ -- David Prévot <taffit@debian.org> Thu, 13 Nov 2025 07:56:38 +0100
+
symfony (5.4.23+dfsg-1+deb12u4) bookworm-security; urgency=medium
* Backport security fixes from Symfony 5.4.47
diff -Nru symfony-5.4.23+dfsg/debian/patches/Finder-Drop-data-from-testsuite.patch symfony-5.4.23+dfsg/debian/patches/Finder-Drop-data-from-testsuite.patch
--- symfony-5.4.23+dfsg/debian/patches/Finder-Drop-data-from-testsuite.patch 1970-01-01 01:00:00.000000000 +0100
+++ symfony-5.4.23+dfsg/debian/patches/Finder-Drop-data-from-testsuite.patch 2025-11-13 07:56:38.000000000 +0100
@@ -0,0 +1,22 @@
+From: =?utf-8?q?David_Pr=C3=A9vot?= <david@tilapin.org>
+Date: Thu, 13 Nov 2025 08:24:17 +0100
+Subject: [Finder] Drop data from testsuite
+
+It seems to be failing in current Debian (old)stable now.
+---
+ .../Component/Finder/Tests/Iterator/DateRangeFilterIteratorTest.php | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/Symfony/Component/Finder/Tests/Iterator/DateRangeFilterIteratorTest.php b/src/Symfony/Component/Finder/Tests/Iterator/DateRangeFilterIteratorTest.php
+index b02d8f4..908f8be 100644
+--- a/src/Symfony/Component/Finder/Tests/Iterator/DateRangeFilterIteratorTest.php
++++ b/src/Symfony/Component/Finder/Tests/Iterator/DateRangeFilterIteratorTest.php
+@@ -36,8 +36,6 @@ class DateRangeFilterIteratorTest extends RealIteratorTestCase
+ '.git',
+ 'test.py',
+ 'foo',
+- 'foo/bar.tmp',
+- 'test.php',
+ 'toto',
+ 'toto/.git',
+ '.bar',
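Review bot: The DEP-3 header of this new patch records no cause for the failure ("It seems to be failing in current Debian (old)stable now."), so a later maintainer cannot tell when the two dropped fixture entries `'foo/bar.tmp'` and `'test.php'` may be restored, and the removal silently narrows what DateRangeFilterIteratorTest exercises. Recording the observed assertion or error text in the description, and adding the `Forwarded:`/`Bug:` fields the sibling HttpFoundation patch in this debdiff already uses, would make the change reviewable and reversible. The fixture array being edited starts and ends outside the quoted hunk.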
diff -Nru symfony-5.4.23+dfsg/debian/patches/HttpClient-Temporary-test-hack.patch symfony-5.4.23+dfsg/debian/patches/HttpClient-Temporary-test-hack.patch
--- symfony-5.4.23+dfsg/debian/patches/HttpClient-Temporary-test-hack.patch 2024-11-14 12:16:18.000000000 +0100
+++ symfony-5.4.23+dfsg/debian/patches/HttpClient-Temporary-test-hack.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,27 +0,0 @@
-From: =?utf-8?q?David_Pr=C3=A9vot?= <david@tilapin.org>
-Date: Sun, 10 Nov 2024 08:56:23 +0100
-Subject: [HttpClient] Temporary test hack
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-Since php-symfony-http-client is part of the Build-Dependency chain, the
-“old” version is used at build time, so the “new” error message is not
-yet available. This patch can be dropped for the next upload.
----
- .../Component/HttpClient/Tests/NoPrivateNetworkHttpClientTest.php | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/Symfony/Component/HttpClient/Tests/NoPrivateNetworkHttpClientTest.php b/src/Symfony/Component/HttpClient/Tests/NoPrivateNetworkHttpClientTest.php
-index 7130c09..9fdf110 100755
---- a/src/Symfony/Component/HttpClient/Tests/NoPrivateNetworkHttpClientTest.php
-+++ b/src/Symfony/Component/HttpClient/Tests/NoPrivateNetworkHttpClientTest.php
-@@ -95,7 +95,7 @@ class NoPrivateNetworkHttpClientTest extends TestCase
-
- if ($mustThrow) {
- $this->expectException(TransportException::class);
-- $this->expectExceptionMessage(sprintf('Host "%s" is blocked for "%s".', $ipAddr, $url));
-+ $this->expectExceptionMessage(sprintf('"%s" is blocked for "%s".', $ipAddr, $url));
- }
-
- $previousHttpClient = $this->getHttpClientMock($url, $ipAddr, $content);
diff -Nru symfony-5.4.23+dfsg/debian/patches/HttpFoundation-Fix-parsing-pathinfo-with-no-leading-slash.patch symfony-5.4.23+dfsg/debian/patches/HttpFoundation-Fix-parsing-pathinfo-with-no-leading-slash.patch
--- symfony-5.4.23+dfsg/debian/patches/HttpFoundation-Fix-parsing-pathinfo-with-no-leading-slash.patch 1970-01-01 01:00:00.000000000 +0100
+++ symfony-5.4.23+dfsg/debian/patches/HttpFoundation-Fix-parsing-pathinfo-with-no-leading-slash.patch 2025-11-13 07:56:38.000000000 +0100
@@ -0,0 +1,49 @@
+From: Nicolas Grekas <nicolas.grekas@gmail.com>
+Date: Fri, 31 Oct 2025 17:43:49 +0100
+Subject: [HttpFoundation] Fix parsing pathinfo with no leading slash
+
+Origin: upstream, https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac
+Bug: https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-64500
+---
+ src/Symfony/Component/HttpFoundation/Request.php | 5 ++---
+ src/Symfony/Component/HttpFoundation/Tests/RequestTest.php | 10 ++++++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
+index acad3c9..40b68fc 100644
+--- a/src/Symfony/Component/HttpFoundation/Request.php
++++ b/src/Symfony/Component/HttpFoundation/Request.php
+@@ -1983,9 +1983,8 @@ class Request
+ }
+
+ $pathInfo = substr($requestUri, \strlen($baseUrl));
+- if (false === $pathInfo || '' === $pathInfo) {
+- // If substr() returns false then PATH_INFO is set to an empty string
+- return '/';
++ if (false === $pathInfo || '' === $pathInfo || '/' !== $pathInfo[0]) {
++ return '/'.$pathInfo;
+ }
+
+ return $pathInfo;
+diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
+index 993d95c..772b5d4 100644
+--- a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
++++ b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
+@@ -1873,6 +1873,16 @@ class RequestTest extends TestCase
+ '',
+ '/foo/api/bar',
+ ],
++ [
++ '/api/index.phpfoo',
++ [
++ 'SCRIPT_FILENAME' => '/var/www/api/index.php',
++ 'SCRIPT_NAME' => '/api/index.php',
++ 'PHP_SELF' => '/api/index.php',
++ ],
++ '/api/index.php',
++ '/foo',
++ ],
+ ];
+ }
+
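Review bot: The rewritten condition in Request.php folds three cases into one branch but drops the only explanatory comment, and the new `'/' !== $pathInfo[0]` case — the one that carries the security fix for the advisory linked in the header — is left undocumented. I would restore a comment above the `if`, e.g. `// substr() returns false on PHP < 8 when $baseUrl covers the whole URI; a non-empty remainder that does not start with "/" means the URI merely shares a string prefix with the base URL (e.g. "/api/index.phpfoo"), so always return an absolute path.` The `$pathInfo[0]` read is safe because the two preceding checks short-circuit on false and on the empty string, which is worth stating since PHP 7 would otherwise emit a notice on an empty-string offset. The enclosing method starts and ends outside the hunk, and the RequestTest hunk pins only the `/api/index.phpfoo` case.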
diff -Nru symfony-5.4.23+dfsg/debian/patches/series symfony-5.4.23+dfsg/debian/patches/series
--- symfony-5.4.23+dfsg/debian/patches/series 2024-11-14 12:16:18.000000000 +0100
+++ symfony-5.4.23+dfsg/debian/patches/series 2025-11-13 07:56:38.000000000 +0100
@@ -46,4 +46,6 @@
ErrorHandler-Extend-test-expectation.patch
HttpClient-Resolve-hostnames-in-NoPrivateNetworkHttpClien.patch
security-http-Check-owner-of-persisted-remember-me-cookie.patch
-HttpClient-Temporary-test-hack.patch
+HttpFoundation-Fix-parsing-pathinfo-with-no-leading-slash.patch
+Finder-Drop-data-from-testsuite.patch
+# DEP-8/Tests-against-installed-classes.patch
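Review bot: The series hunk parks a commented-out entry `# DEP-8/Tests-against-installed-classes.patch` with no explanation, no matching file appears elsewhere in this debdiff, and the changelog entry does not mention it. Either drop the line or annotate it, e.g. `# disabled: <reason> — re-enable once <condition>`, so the next uploader knows whether it is a leftover or a deliberate placeholder.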