Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package php-laravel-framework

[ Reason ]
Security fix. See bug #987831 [1].

[ Impact ]
If the security vulnerability remains, users could be vulnerable
to SQL injections.

[ Tests ]
Tested with a subset* of upstream's automated test suite.
The patch is taken from upstream and has passed their QA.

* The test suite is not yet functional in Debian due to its
dependencies, thus no autopkgtest yet, but I can run much of it
locally.

[ Risks ]
I consider it a low-risk change.

The patch was taken from upstream. Their code is still close to the
packaged version in general and identical in this case. The change
is also small and uncomplicated.

Additionally, while the source package builds many binary packages,
only one of them is actually affected by this.


[1] https://bugs.debian.org/987831

Regards,
Robin


====================
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/changelog 
php-laravel-framework-6.20.14+dfsg/debian/changelog
--- php-laravel-framework-6.20.14+dfsg/debian/changelog 2021-01-22 
17:39:34.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/changelog 2021-04-30 
16:23:38.000000000 +0000
@@ -1,6 +1,14 @@
+php-laravel-framework (6.20.14+dfsg-2) unstable; urgency=medium
+
+  * Fix security issue: SQL injection with Microsoft SQL Server
+    (Closes: #987831)
+
+ -- Robin Gustafsson <ro...@rgson.se>  Fri, 30 Apr 2021 18:23:38 +0200
+
 php-laravel-framework (6.20.14+dfsg-1) unstable; urgency=medium

   * New upstream version 6.20.14+dfsg
+    - Fix security issue: More unexpected bindings in QueryBuilder
   * Replace git attributes with uscan's gitexport=all

  -- Robin Gustafsson <ro...@rgson.se>  Fri, 22 Jan 2021 18:39:34 +0100
@@ -9,7 +17,8 @@

   * Set upstream metadata fields: Security-Contact.
   * New upstream version 6.20.11+dfsg
-    - Fix security issue: Unexpected bindings in QueryBuilder (Closes: #980095)
+    - Fix security issue: Unexpected bindings in QueryBuilder
+      (CVE-2021-21263, Closes: #980095)
   * Bump Standards-Version

  -- Robin Gustafsson <ro...@rgson.se>  Fri, 15 Jan 2021 00:35:41 +0100
diff -Nru 
php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch 
php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch
--- php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch    
1970-01-01 00:00:00.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch    
2021-04-30 16:23:38.000000000 +0000
@@ -0,0 +1,38 @@
+From: Taylor Otwell <taylorotw...@gmail.com>
+Date: Wed, 28 Apr 2021 08:18:19 -0500
+Subject: cast to int
+
+Origin: 
https://github.com/laravel/framework/commit/09bf1457e9df53e172e6fd5929cbafb539677c7c
+Applied-Upstream: 6.20.26
+---
+ src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php 
b/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
+index f0a0bfc..88a7df3 100755
+--- a/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
++++ b/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
+@@ -60,8 +60,8 @@ class SqlServerGrammar extends Grammar
+         // If there is a limit on the query, but not an offset, we will add 
the top
+         // clause to the query, which serves as a "limit" type clause within 
the
+         // SQL Server system similar to the limit keywords available in MySQL.
+-        if ($query->limit > 0 && $query->offset <= 0) {
+-            $select .= 'top '.$query->limit.' ';
++        if (is_numeric($query->limit) && $query->limit > 0 && $query->offset 
<= 0) {
++            $select .= 'top '.((int) $query->limit).' ';
+         }
+
+         return $select.$this->columnize($columns);
+@@ -221,10 +221,10 @@ class SqlServerGrammar extends Grammar
+      */
+     protected function compileRowConstraint($query)
+     {
+-        $start = $query->offset + 1;
++        $start = (int) $query->offset + 1;
+
+         if ($query->limit > 0) {
+-            $finish = $query->offset + $query->limit;
++            $finish = (int) $query->offset + (int) $query->limit;
+
+             return "between {$start} and {$finish}";
+         }
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/series 
php-laravel-framework-6.20.14+dfsg/debian/patches/series
--- php-laravel-framework-6.20.14+dfsg/debian/patches/series    1970-01-01 
00:00:00.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/series    2021-04-30 
16:23:38.000000000 +0000
@@ -0,0 +1 @@
+0001-cast-to-int.patch
====================

unblock php-laravel-framework/6.20.14+dfsg-2

Reply via email to