Bug#1000645: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u1

2021-12-20 Thread David Prévot
On Sat, Dec 04, 2021 at 04:12:01PM -0400, David Prévot wrote:
[…]
> Thanks, uploaded (with changelog updated).

Really uploaded now, seems like I failed to actually upload two weeks
ago, sorry about that.

Regards

David




Bug#1000645: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u1

2021-12-04 Thread David Prévot

Hi Adam,

On 04/12/2021 at 13:13, Adam D. Barratt wrote:
> On Fri, 2021-11-26 at 07:40 -0400, David Prévot wrote:
> […]
> > +symfony (4.4.19+dfsg-2+deb11u1) stable; urgency=medium
>
> We generally prefer using codenames (so "bullseye")

Sorry, I used to know that…

> Please go ahead.

Thanks, uploaded (with changelog updated).

Regards

David



Bug#1000645: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u1

2021-12-04 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2021-11-26 at 07:40 -0400, David Prévot wrote:
>   * Prevent CSV injection via formulas [CVE-2021-41270]
> 
> [ Reason ]
> The security issue was introduced in 4.1 (buster shipped with 
> 3.4). The security team decided it doesn’t warrant a DSA.
> 
> [ Impact ]
> It makes applications depending on php-symfony-serializer vulnerable to
> CSV injection.
> 

+symfony (4.4.19+dfsg-2+deb11u1) stable; urgency=medium

We generally prefer using codenames (so "bullseye") as the
distribution, as it's more self-documenting over time (and doesn't have
unexpected side-effects if an update is uploaded and accepted on
opposite sides of a release occurring).

Please go ahead.

Regards,

Adam



Bug#1000645: bullseye-pu: package symfony/4.4.19+dfsg-2+deb11u1

2021-11-26 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi,

Thanks in advance for accepting this short update.

  * Prevent CSV injection via formulas [CVE-2021-41270]

[ Reason ]
The security issue was introduced in 4.1 (buster shipped with 
3.4). The security team decided it doesn’t warrant a DSA.

[ Impact ]
It makes applications depending on php-symfony-serializer vulnerable to
CSV injection.

[ Tests ]
The testsuite was fixed and extended in the applied patch. The testsuite
is run at build time and via autopkgtest.

[ Risks ]
The code change is trivial, the upstream patch is applied directly, and the
php-symfony-serializer binary package that actually ships the code does not
have many reverse dependencies.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The escape character (\t) chosen in Symfony 4.1 for CSV formulas has
recently been added to the list of characters that start a formula. The
fix adds \t and \r to the characters starting a formula, and uses a single
quote (') to escape them, following OWASP recommendations.

[ Other info ]
Version 4.4.19+dfsg-3 (similar to the one I’m proposing here) was
uploaded to unstable, but didn’t last long: version 5 (also fixing the
issue) was uploaded soon after.

Regards

David

https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas
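As an added example (not part of this report and not Symfony's own code), the following PHP script re-implements the escaping rule used by the serializer's CSV encoder before and after the fix described above, then applies the patched formula-start list to each result to show which outputs a spreadsheet may still treat as a formula. The function names, the sample values and the file name are assumptions made for illustration; only fputcsv() and the OWASP-derived character list come from the real world.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code: minimal re-implementation of the
// CsvEncoder formula-escaping rule before and after CVE-2021-41270.

// Formula-start characters as used by the patched encoder (OWASP list).
const FORMULA_START_CHARACTERS = ['=', '-', '+', '@', "\t", "\r"];

// Pre-fix rule (Symfony 4.1 behaviour): shorter list, "\t" prefix.
function escapeFormulaOld(string $value): string
{
    $oldList = ['=', '-', '+', '@'];
    return \in_array(substr($value, 0, 1), $oldList, true) ? "\t".$value : $value;
}

// Post-fix rule: extended list, "'" prefix.
function escapeFormulaNew(string $value): string
{
    return \in_array(substr($value, 0, 1), FORMULA_START_CHARACTERS, true) ? "'".$value : $value;
}

// Spreadsheet-side check: does the cell still begin with a formula trigger?
function looksLikeFormula(string $cell): bool
{
    return \in_array(substr($cell, 0, 1), FORMULA_START_CHARACTERS, true);
}

// Encode one row with fputcsv(), as CsvEncoder does, and return the CSV text.
function encodeRow(array $row): string
{
    $stream = fopen('php://memory', 'w+');
    fputcsv($stream, $row, ',', '"', '\\');
    rewind($stream);
    $csv = stream_get_contents($stream);
    fclose($stream);
    return $csv;
}

// Constructed sample values (not taken from the report): plain text, the
// test suite's "=2+3", an @-function, a value that already starts with a
// tab, and a negative number typed as a string.
$samples = ['hello', '=2+3', '@SUM(A1:A3)', "\t=1+1", '-5'];

printf("%-14s %-18s %-8s %-18s %s\n", 'input', 'old', 'formula', 'new', 'formula');
foreach ($samples as $value) {
    $old = escapeFormulaOld($value);
    $new = escapeFormulaNew($value);
    printf("%-14s %-18s %-8s %-18s %s\n",
        json_encode($value),
        json_encode($old), looksLikeFormula($old) ? 'yes' : 'no',
        json_encode($new), looksLikeFormula($new) ? 'yes' : 'no');
}

// What actually lands in the file: the tab forces fputcsv() to enclose the
// field, the single quote does not.
echo encodeRow([escapeFormulaOld('=2+3')]);
echo encodeRow([escapeFormulaNew('=2+3')]);
```

Run it with `php csv_escape.php` (file name assumed). The "\t=1+1" row shows why the old scheme failed: its own output begins with a character that the current list treats as a formula trigger, so tab-prefixed exports produced by the old encoder are not protected. The "-5" row shows the trade-off the single-quote prefix keeps from the old code: anything whose string form starts with "-" is escaped, so negative numbers become text once imported.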
diff --git a/debian/changelog b/debian/changelog
index db978be8b7..50313ca943 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+symfony (4.4.19+dfsg-2+deb11u1) stable; urgency=medium
+
+  * Prevent CSV injection via formulas [CVE-2021-41270]
+
+ -- David Prévot   Wed, 24 Nov 2021 06:07:00 -0400
+
 symfony (4.4.19+dfsg-2) unstable; urgency=medium
 
   * Prevent user enumeration via response content [CVE-2021-21424]
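Review bot: the new changelog stanza targets `stable` rather than the codename; as Adam D. Barratt asks in his reply, use `bullseye` as the distribution so the entry stays self-documenting and cannot be accepted on the wrong side of a point release. The single fix line matches the bug title and CVE, which is consistent with the one-patch debdiff.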
diff --git a/debian/patches/Use-single-quote-to-escape-formulas.patch b/debian/patches/Use-single-quote-to-escape-formulas.patch
new file mode 100644
index 00..a3fa5c3ecc
--- /dev/null
+++ b/debian/patches/Use-single-quote-to-escape-formulas.patch
@@ -0,0 +1,191 @@
+From: =?utf-8?b?SsOpcsOpbXkgRGVydXNzw6k=?= 
+Date: Mon, 15 Nov 2021 11:47:04 +0100
+Subject: Use single quote to escape formulas
+
+Origin: upstream, https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
+---
+ .../Component/Serializer/Encoder/CsvEncoder.php|  7 +-
+ .../Serializer/Tests/Encoder/CsvEncoderTest.php| 85 --
+ 2 files changed, 81 insertions(+), 11 deletions(-)
+
+diff --git a/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php b/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
+index f20211b..cd71fec 100644
+--- a/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
 b/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
+@@ -35,7 +35,8 @@ class CsvEncoder implements EncoderInterface, DecoderInterface
+ 
+ private const UTF8_BOM = "\xEF\xBB\xBF";
+ 
+-private $formulasStartCharacters = ['=', '-', '+', '@'];
++private const FORMULAS_START_CHARACTERS = ['=', '-', '+', '@', "\t", "\r"];
++
+ private $defaultContext = [
+ self::DELIMITER_KEY => ',',
+ self::ENCLOSURE_KEY => '"',
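Review bot: turning the private `$formulasStartCharacters` property into `private const FORMULAS_START_CHARACTERS` is not an API change (both are private), but the new list contains "\t", the very prefix the old code emitted, so exports produced by this encoder before the update start escaped cells with a character the updated list treats as a formula trigger and are not made safe by upgrading; a sentence in the changelog or NEWS telling deployers to regenerate existing exports would help. Also confirm that "'" is deliberately absent from the list, since it is the new prefix and listing it would escape already-escaped values a second time.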
+@@ -238,8 +239,8 @@ class CsvEncoder implements EncoderInterface, DecoderInterface
+ if (is_iterable($value)) {
+ $this->flatten($value, $result, $keySeparator, $parentKey.$key.$keySeparator, $escapeFormulas);
+ } else {
+-if ($escapeFormulas && \in_array(substr((string) $value, 0, 1), $this->formulasStartCharacters, true)) {
+-$result[$parentKey.$key] = "\t".$value;
++if ($escapeFormulas && \in_array(substr((string) $value, 0, 1), self::FORMULAS_START_CHARACTERS, true)) {
++$result[$parentKey.$key] = "'".$value;
+ } else {
+ // Ensures an actual value is used when dealing with true and false
+ $result[$parentKey.$key] = false === $value ? 0 : (true === $value ? 1 : $value);
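Review bot: in the `$escapeFormulas` branch the condition inspects `substr((string) $value, 0, 1)` for every scalar, so a negative int or float such as `-5` is written as `'-5` and imports as text rather than a number; if typed numerics are meant to stay numeric, gate the escape with `\is_string($value) &&`. This is pre-existing behaviour (the "\t" prefix applied under the same condition) rather than a regression, so it may be acceptable for a stable update, but it is the one user-visible trade-off of the `'` prefix and deserves a mention in the changelog.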
+diff --git a/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php b/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
+index 33a16ee..596afa2 100644
+--- a/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
 b/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
+@@ -285,31 +285,52 @@ CSV;
+ 
+ $this->assertSame(<<<'CSV'
+ 0
+-"	=2+3"
++'=2+3
+ 
+ CSV
+ , $this->encoder->encode(['=2+3'], 'csv'));
+ 
+ $this->assertSame(<<<'CSV'
+ 0
+-"	-2+3"
++'-2+3
+ 
+ CSV
+ , $this->encoder->encode(['-2+3'], 'csv'));
+ 
+ $this->assertSame(<<<'CSV'
+ 0
+-"	+2+3"
++'+2+3
+ 
+ CSV
+ , $this->encoder->encode(['+2+3'], 'csv'));
+ 
+
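Review bot: the visible part of this hunk only rewrites the expectations for `=`, `-` and `+`; the cut-off remainder should add assertions for `@` and, in particular, for values starting with "\t" and "\r", the two characters this patch adds to FORMULAS_START_CHARACTERS, plus a value already beginning with `'` to pin down that it is not escaped twice. Note the changed shape of the expected output: with the tab prefix fputcsv enclosed the field (`"\t=2+3"`), whereas `'=2+3` is written bare, so any downstream test or consumer that compares raw CSV text will see a difference after the update.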