Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: t...@mirbsd.de
[ Reason ] These are two security-related backports by the new maintainer of these binary packages for bullseye and up. I’ve been asked to do this via the upcoming point release by the security team. [ Impact ] Two pending security fixes of SQL injection type not applied. [ Tests ] The new maintainer, who backported these fixes, has tested them with upstream’s testsuite and provided tests for the issues themselves. [ Risks ] These are backports of the patches for later versions, so the risk is low, I guess. I’m not sufficiently familiar with the codebase to judge myself, but they look plausible at a quick glance. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Apply two patches prepared by the new maintainer and change the Maintainer field to them.
diff -Nru php-illuminate-database-5.7.27/debian/changelog php-illuminate-database-5.7.27/debian/changelog
--- php-illuminate-database-5.7.27/debian/changelog 2019-02-22 20:06:21.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/changelog 2022-02-25 00:53:26.000000000 +0100
@@ -1,3 +1,15 @@
+php-illuminate-database (5.7.27-1+deb10u1) buster; urgency=medium
+
+ [ Robin Gustafsson ]
+ * Security fix: Query Binding Exploitation (Closes: #980899)
+ Fixes CVE-2021-21263
+ * Security fix: SQL injection with Microsoft SQL Server (Closes: #987848)
+
+ [ Thorsten Glaser ]
+ * Update Maintainer, upload to oldstable as security fixpack
+
+ -- Thorsten Glaser <t...@mirbsd.de> Fri, 25 Feb 2022 00:53:26 +0100
+
 php-illuminate-database (5.7.27-1) unstable; urgency=medium

 * New upstream version.
diff -Nru php-illuminate-database-5.7.27/debian/control php-illuminate-database-5.7.27/debian/control
--- php-illuminate-database-5.7.27/debian/control 2019-02-22 20:06:21.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/control 2022-02-25 00:53:26.000000000 +0100
@@ -1,7 +1,7 @@
 Source: php-illuminate-database
 Section: php
 Priority: optional
-Maintainer: Teckids Debian Task Force <t...@lists.teckids.org>
+Maintainer: Robin Gustafsson <ro...@rgson.se>
 Uploaders: Thorsten Glaser <t...@mirbsd.de>, Dominik George <naturesha...@debian.org>
 Build-Depends: debhelper (>= 11~), pkg-php-tools (>= 1.7~)
 Standards-Version: 4.3.0
diff -Nru php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
--- php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch 2022-02-25 00:51:21.000000000 +0100
@@ -0,0 +1,96 @@
+From: Taylor Otwell <tay...@laravel.com>
+Date: Wed, 13 Jan 2021 07:35:45 -0600
+Subject: [6.x] Limit expected bindings (#35865)
+
+* limit expected bindings
+
+* limit more bindings
+
+Origin: https://github.com/laravel/framework/commit/d0954f4574f315f0c2e9e65e92cc74b80eadcac1
+---
+ Query/Builder.php | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -654,7 +654,7 @@ class Builder
+ );
+
+ if (! $value instanceof Expression) {
+- $this->addBinding($value, 'where');
++ $this->addBinding(is_array($value) ? head($value) : $value, 'where');
+ }
+
+ return $this;
+@@ -1051,7 +1051,7 @@ class Builder
+
+ $this->wheres[] = compact('type', 'column', 'values', 'boolean', 'not');
+
+- $this->addBinding($this->cleanBindings($values), 'where');
++ $this->addBinding(array_slice($this->cleanBindings($values), 0, 2), 'where');
+
+ return $this;
+ }
+@@ -1119,6 +1119,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++ $value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('Y-m-d');
+ }
+@@ -1158,6 +1160,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++ $value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('H:i:s');
+ }
+@@ -1197,6 +1201,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++ $value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('d');
+ }
+@@ -1236,6 +1242,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++ $value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('m');
+ }
+@@ -1275,6 +1283,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++ $value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('Y');
+ }
+@@ -1581,7 +1591,7 @@ class Builder
+ $this->wheres[] = compact('type', 'column', 'operator', 'value', 'boolean');
+
+ if (! $value instanceof Expression) {
+- $this->addBinding($value);
++ $this->addBinding((int) $value);
+ }
+
+ return $this;
+@@ -1714,7 +1724,7 @@ class Builder
+ $this->havings[] = compact('type', 'column', 'operator', 'value', 'boolean');
+
+ if (! $value instanceof Expression) {
+- $this->addBinding($value, 'having');
++ $this->addBinding(is_array($value) ? head($value) : $value, 'having');
+ }
+
+ return $this;
diff -Nru php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch
--- php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0002-Limit-expected-bindingx-v2.patch 2022-02-25 00:51:21.000000000 +0100
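Review bot: In the `@@ -1051` hunk of patch 0001, `array_slice(..., 0, 2)` caps the bindings at two but does not require two, so a one-element `$values` would leave the binding count short of the two placeholders a `between` clause presumably compiles to, and the mismatch only surfaces when the statement executes. The same cap-only form is carried into the 0002 rewrite (which flattens first) and into the `having` variant changed by 0004. A count check before binding would reject the bad call at build time, for example `if (count($bindings) !== 2) { throw new \InvalidArgumentException('between expects exactly two values'); }`; this is stricter than upstream and would need checking against existing callers. The enclosing method starts outside the hunk.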
@@ -0,0 +1,92 @@
+From: Kane Cohen <kaneco...@gmail.com>
+Date: Thu, 21 Jan 2021 08:44:52 +0000
+Subject: Limit expected bindingx v2.
+
+Origin: https://github.com/laravel/framework/commit/9d3752ca5f29c4cb1c0384fb01847820b6ac492c
+---
+ Query/Builder.php | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -293,6 +293,17 @@ class Builder
+ }
+
+ /**
++ * Returns scalar type value from an unknown type of input.
++ *
++ * @param mixed $value
++ * @return mixed
++ */
++ protected function scalarValue($value)
++ {
++ return is_array($value) ? head(Arr::flatten($value)) : $value;
++ }
++
++ /**
+ * Creates a subquery and parse it.
+ *
+ * @param \Closure|\Illuminate\Database\Query\Builder|string $query
+@@ -654,7 +665,7 @@ class Builder
+ );
+
+ if (! $value instanceof Expression) {
+- $this->addBinding(is_array($value) ? head($value) : $value, 'where');
++ $this->addBinding($this->scalarValue($value), 'where');
+ }
+
+ return $this;
+@@ -1051,7 +1062,7 @@ class Builder
+
+ $this->wheres[] = compact('type', 'column', 'values', 'boolean', 'not');
+
+- $this->addBinding(array_slice($this->cleanBindings($values), 0, 2), 'where');
++ $this->addBinding(array_slice($this->cleanBindings(Arr::flatten($values)), 0, 2), 'where');
+
+ return $this;
+ }
+@@ -1119,7 +1130,7 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
+- $value = is_array($value) ? head($value) : $value;
++ $value = $this->scalarValue($value);
+
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('Y-m-d');
+@@ -1160,7 +1171,7 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
+- $value = is_array($value) ? head($value) : $value;
++ $value = $this->scalarValue($value);
+
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('H:i:s');
+@@ -1242,7 +1253,7 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
+- $value = is_array($value) ? head($value) : $value;
++ $value = $this->scalarValue($value);
+
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('m');
+@@ -1591,7 +1602,7 @@ class Builder
+ $this->wheres[] = compact('type', 'column', 'operator', 'value', 'boolean');
+
+ if (! $value instanceof Expression) {
+- $this->addBinding((int) $value);
++ $this->addBinding((int) $this->scalarValue($value));
+ }
+
+ return $this;
+@@ -1724,7 +1735,7 @@ class Builder
+ $this->havings[] = compact('type', 'column', 'operator', 'value', 'boolean');
+
+ if (! $value instanceof Expression) {
+- $this->addBinding(is_array($value) ? head($value) : $value, 'having');
++ $this->addBinding($this->scalarValue($value), 'having');
+ }
+
+ return $this;
diff -Nru php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch
--- php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch 2022-02-25 00:51:22.000000000 +0100
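Review bot: `scalarValue()` in the `@@ -293` hunk silently turns an empty array into `false`, because `head()` has no first element to return for an empty list, and that `false` then goes on to be bound as the comparison value. Its docblock also promises a scalar although any non-array input, objects included, is returned unchanged. I would state both in the docblock, e.g. `Returns the first leaf of an array (false when the array is empty); non-array input is returned as is.`, so callers do not read the helper as validation. Whether an empty array should instead be rejected is a behaviour change for upstream to decide.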
@@ -0,0 +1,29 @@
+From: Kane Cohen <kaneco...@gmail.com>
+Date: Thu, 21 Jan 2021 10:48:50 +0000
+Subject: Update whereDay and whereYear to clean value.
+
+Origin: https://github.com/laravel/framework/commit/dbbb1c1c8a1fa0a51677b5a74fcfe0e2561ced91
+---
+ Query/Builder.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -1212,7 +1212,7 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
+- $value = is_array($value) ? head($value) : $value;
++ $value = $this->scalarValue($value);
+
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('d');
+@@ -1294,7 +1294,7 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
+- $value = is_array($value) ? head($value) : $value;
++ $value = $this->scalarValue($value);
+
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('Y');
diff -Nru php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch
--- php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch 2022-02-25 00:51:22.000000000 +0100
@@ -0,0 +1,20 @@
+From: Kane Cohen <kaneco...@gmail.com>
+Date: Thu, 21 Jan 2021 12:08:38 +0000
+Subject: Add limit bindings for having between + tests.
+
+Origin: https://github.com/laravel/framework/commit/c6b8168e6cbbe339fdc3af5ccdded545779965df
+---
+ Query/Builder.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -1773,7 +1773,7 @@ class Builder
+
+ $this->havings[] = compact('type', 'column', 'values', 'boolean', 'not');
+
+- $this->addBinding($this->cleanBindings($values), 'having');
++ $this->addBinding(array_slice($this->cleanBindings(Arr::flatten($values)), 0, 2), 'having');
+
+ return $this;
+ }
diff -Nru php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch
--- php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch 2022-02-25 00:51:22.000000000 +0100
@@ -0,0 +1,40 @@
+From: Robin Gustafsson <ro...@rgson.se>
+Date: Sat, 1 May 2021 15:52:36 +0200
+Subject: Clean value in orWhereDay/Month/Year
+
+In 6.x these methods call the whereDay/Month/Year methods where
+the value is cleaned. In 5.x they don't, and so the value must
+be cleaned here too.
+---
+ Query/Builder.php | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/Query/Builder.php
++++ b/Query/Builder.php
+@@ -1235,6 +1235,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++ $value = $this->scalarValue($value);
++
+ return $this->addDateBasedWhere('Day', $column, $operator, $value, 'or');
+ }
+
+@@ -1276,6 +1278,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++ $value = $this->scalarValue($value);
++
+ return $this->addDateBasedWhere('Month', $column, $operator, $value, 'or');
+ }
+
+@@ -1317,6 +1321,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+
++ $value = $this->scalarValue($value);
++
+ return $this->addDateBasedWhere('Year', $column, $operator, $value, 'or');
+ }
+
diff -Nru php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch
--- php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/0006-cast-to-int.patch 2022-02-25 00:51:23.000000000 +0100
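Review bot: Patch 0005 is the only change in the series without an upstream origin, and its coverage rests on the claim that in 5.x only `orWhereDay`, `orWhereMonth` and `orWhereYear` bypass the cleaned `where*` methods. The hunks show those three calling `addDateBasedWhere()` directly; the remaining `or*` variants are not visible here, so it is worth confirming that they delegate to the patched methods in 5.7.27 and saying so in the patch description. A DEP-3 `Forwarded: not-needed` header and a one-line comment at each site, such as `// 5.x calls addDateBasedWhere() directly, so clean the value here`, would keep the reason visible to the next backporter. Each of the three method bodies starts outside its hunk.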
@@ -0,0 +1,35 @@
+From: Taylor Otwell <taylorotw...@gmail.com>
+Date: Wed, 28 Apr 2021 08:18:19 -0500
+Subject: cast to int
+
+Origin: https://github.com/laravel/framework/commit/09bf1457e9df53e172e6fd5929cbafb539677c7c
+---
+ Query/Grammars/SqlServerGrammar.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/Query/Grammars/SqlServerGrammar.php
++++ b/Query/Grammars/SqlServerGrammar.php
+@@ -60,8 +60,8 @@ class SqlServerGrammar extends Grammar
+ // If there is a limit on the query, but not an offset, we will add the top
+ // clause to the query, which serves as a "limit" type clause within the
+ // SQL Server system similar to the limit keywords available in MySQL.
+- if ($query->limit > 0 && $query->offset <= 0) {
+- $select .= 'top '.$query->limit.' ';
++ if (is_numeric($query->limit) && $query->limit > 0 && $query->offset <= 0) {
++ $select .= 'top '.((int) $query->limit).' ';
+ }
+
+ return $select.$this->columnize($columns);
+@@ -221,10 +221,10 @@ class SqlServerGrammar extends Grammar
+ */
+ protected function compileRowConstraint($query)
+ {
+- $start = $query->offset + 1;
++ $start = (int) $query->offset + 1;
+
+ if ($query->limit > 0) {
+- $finish = $query->offset + $query->limit;
++ $finish = (int) $query->offset + (int) $query->limit;
+
+ return "between {$start} and {$finish}";
+ }
diff -Nru php-illuminate-database-5.7.27/debian/patches/series php-illuminate-database-5.7.27/debian/patches/series
--- php-illuminate-database-5.7.27/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ php-illuminate-database-5.7.27/debian/patches/series 2022-02-25 00:52:01.000000000 +0100
@@ -0,0 +1,6 @@
+0001-6.x-Limit-expected-bindings-35865.patch
+0002-Limit-expected-bindingx-v2.patch
+0003-Update-whereDay-and-whereYear-to-clean-value.patch
+0004-Add-limit-bindings-for-having-between-tests.patch
+0005-Clean-value-in-orWhereDay-Month-Year.patch
+0006-cast-to-int.patch
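Review bot: In `compileRowConstraint()` the guard still tests the raw `$query->limit` while the interpolated values are cast, so the check and the emitted SQL can disagree: a fractional value such as `0.5` passes `> 0` and is then cast to `0`, giving a `between` range whose end is below its start, and the `top` branch in the `@@ -60` hunk has the same gap and would emit `top 0`. Casting once and testing the cast value keeps the two in step, e.g. `$limit = (int) $query->limit;` followed by `if ($limit > 0) {` and `$finish = (int) $query->offset + $limit;`. The casts as written do keep non-numeric text out of the SQL string; the point is consistency between guard and output. The function body continues past the end of the hunk.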