Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
Hi,
Thanks in advance for accepting this short update.
* Prevent CSV injection via formulas [CVE-2021-41270]
[ Reason ]
The security issue was introduced in 4.1 (buster shipped with
3.4). The security team decided it doesn’t warrant a DSA.
[ Impact ]
It makes applications depending on php-symfony-serializer vulnerable to
CSV injection.
[ Tests ]
The testsuite was fixed and extended in the applied patch. The testsuite
is run at build time and via autopkgtest.
[ Risks ]
The code change is trivial, the upstream patch is applied directly, and the
php-symfony-serializer binary package that actually ships the code has few
reverse dependencies.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The escape character (\t) chosen in Symfony 4.1 to escape CSV formulas has
recently been added to the list of characters that start a formula. The fix
adds \t and \r to the characters starting a formula, and uses a single quote
(') to escape them, following OWASP recommendations.
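To make the change concrete, here is an added example (a reduced stand-in of my own, not Symfony's CsvEncoder code) that runs the old tab-prefix scheme and the patched single-quote scheme over the same constructed row and prints the CSV line fputcsv() produces for each; it assumes PHP 7.4 or later, and the helper names are mine.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code: a reduced stand-in for the escaping
// done in CsvEncoder::flatten(), with the pre-fix and post-fix variants
// side by side so the resulting CSV lines can be compared.

// Pre-fix (Symfony 4.1 to 4.4.19): four starters, escaped with a tab.
const OLD_STARTERS = ['=', '-', '+', '@'];
const OLD_PREFIX   = "\t";

// Post-fix (CVE-2021-41270): tab and carriage return are starters as well,
// and the escape prefix is a single quote, as OWASP recommends.
const NEW_STARTERS = ['=', '-', '+', '@', "\t", "\r"];
const NEW_PREFIX   = "'";

/** Prefix a cell when its first character can start a spreadsheet formula. */
function escapeFormula($value, array $starters, string $prefix)
{
    if (\in_array(substr((string) $value, 0, 1), $starters, true)) {
        return $prefix.$value;
    }

    return $value;
}

/** Escape every cell of one row and return the line fputcsv() writes for it. */
function encodeRow(array $row, array $starters, string $prefix): string
{
    $cells = array_map(fn ($v) => escapeFormula($v, $starters, $prefix), $row);

    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, $cells);
    rewind($fh);
    $line = stream_get_contents($fh);
    fclose($fh);

    return $line;
}

// Constructed sample row: plain text, a formula, a cell that already starts
// with a tab (the old scheme's own prefix), and a negative number.
$row = ['alice', '=2+3', "\t=2+3", -5];

// json_encode() makes the tab and the trailing newline visible.
echo 'old: ', json_encode(encodeRow($row, OLD_STARTERS, OLD_PREFIX)), "\n";
echo 'new: ', json_encode(encodeRow($row, NEW_STARTERS, NEW_PREFIX)), "\n";
```

In the old line the `=2+3` cell and the cell that already began with a tab come out identical, which is why the tab prefix stopped being a protection once `\t` itself counted as a formula starter.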
[ Other info ]
Version 4.4.19+dfsg-3 (similar to the one I’m proposing here) was
uploaded to unstable, but didn’t last long: version 5 (also fixing the
issue) was uploaded soon after.
Regards
David
https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas
diff --git a/debian/changelog b/debian/changelog
index db978be8b7..50313ca943 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+symfony (4.4.19+dfsg-2+deb11u1) stable; urgency=medium
+
+ * Prevent CSV injection via formulas [CVE-2021-41270]
+
+ -- David Prévot Wed, 24 Nov 2021 06:07:00 -0400
+
symfony (4.4.19+dfsg-2) unstable; urgency=medium
* Prevent user enumeration via response content [CVE-2021-21424]
diff --git a/debian/patches/Use-single-quote-to-escape-formulas.patch b/debian/patches/Use-single-quote-to-escape-formulas.patch
new file mode 100644
index 00..a3fa5c3ecc
--- /dev/null
+++ b/debian/patches/Use-single-quote-to-escape-formulas.patch
@@ -0,0 +1,191 @@
+From: =?utf-8?b?SsOpcsOpbXkgRGVydXNzw6k=?=
+Date: Mon, 15 Nov 2021 11:47:04 +0100
+Subject: Use single quote to escape formulas
+
+Origin: upstream, https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
+---
+ .../Component/Serializer/Encoder/CsvEncoder.php| 7 +-
+ .../Serializer/Tests/Encoder/CsvEncoderTest.php| 85 --
+ 2 files changed, 81 insertions(+), 11 deletions(-)
+
+diff --git a/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php b/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
+index f20211b..cd71fec 100644
+--- a/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
b/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
+@@ -35,7 +35,8 @@ class CsvEncoder implements EncoderInterface, DecoderInterface
+
+ private const UTF8_BOM = "\xEF\xBB\xBF";
+
+-private $formulasStartCharacters = ['=', '-', '+', '@'];
++private const FORMULAS_START_CHARACTERS = ['=', '-', '+', '@', "\t", "\r"];
++
+ private $defaultContext = [
+ self::DELIMITER_KEY => ',',
+ self::ENCLOSURE_KEY => '"',
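Review bot: `FORMULAS_START_CHARACTERS` would benefit from a short comment explaining why `"\t"` and `"\r"` sit in a list of formula characters (they are now treated as formula starters, and the old code used `"\t"` as its own escape prefix, so a value that already began with a tab went out unprotected). Turning the `private $formulasStartCharacters` property into a `private const` is safe since neither is visible outside the class, provided the remaining `$this->formulasStartCharacters` reference in `flatten()` is updated in the same patch.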
+@@ -238,8 +239,8 @@ class CsvEncoder implements EncoderInterface, DecoderInterface
+ if (is_iterable($value)) {
+ $this->flatten($value, $result, $keySeparator, $parentKey.$key.$keySeparator, $escapeFormulas);
+ } else {
+-if ($escapeFormulas && \in_array(substr((string) $value, 0, 1), $this->formulasStartCharacters, true)) {
+-$result[$parentKey.$key] = "\t".$value;
++if ($escapeFormulas && \in_array(substr((string) $value, 0, 1), self::FORMULAS_START_CHARACTERS, true)) {
++$result[$parentKey.$key] = "'".$value;
+ } else {
+ // Ensures an actual value is used when dealing with true and false
+ $result[$parentKey.$key] = false === $value ? 0 : (true === $value ? 1 : $value);
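Review bot: the check in `flatten()` still keys off `substr((string) $value, 0, 1)`, so numeric values are escaped too: an int or float such as `-5` becomes `'-5`, and because a single quote does not trigger enclosure the apostrophe now lands bare in the output, whereas the old tab-prefixed value was at least enclosed (the removed `" =2+3"` expectations in the test file show that enclosure). This predates the hunk, but consider skipping `is_int()`/`is_float()` values before the `in_array` check, or at least documenting that `$escapeFormulas` alters numeric cells. The `"'".$value` prefix itself matches the OWASP recommendation cited in the request.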
+diff --git a/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php b/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
+index 33a16ee..596afa2 100644
+--- a/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
b/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
+@@ -285,31 +285,52 @@ CSV;
+
+ $this->assertSame(<<<'CSV'
+ 0
+-" =2+3"
++'=2+3
+
+ CSV
+ , $this->encoder->encode(['=2+3'], 'csv'));
+
+ $this->assertSame(<<<'CSV'
+ 0
+-" -2+3"
++'-2+3
+
+ CSV
+ , $this->encoder->encode(['-2+3'], 'csv'));
+
+ $this->assertSame(<<<'CSV'
+ 0
+-" +2+3"
++'+2+3
+
+ CSV
+ , $this->encoder->encode(['+2+3'], 'csv'));
+
+
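Review bot: the assertions visible here only cover values starting with `=`, `-` and `+`; the `@`, `"\t"` and `"\r"` starters listed in `FORMULAS_START_CHARACTERS` need their own expectations, and for the tab and carriage-return cases the expected CSV will be enclosed (a quoted `'` followed by the control character), as the removed `" =2+3"` lines show fputcsv doing whenever a tab is present, rather than bare like `'=2+3`. The updated heredocs also document the behaviour change for consumers: the escaped cell is no longer enclosed, so anything decoding this CSV now reads back a leading apostrophe.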