Bug#987848: Security issue: SQL injection with Microsoft SQL

2021-05-01 Thread Robin Gustafsson
Control: tags -1 patch

Hi Thorsten,

On Fri, Apr 30, 2021 at 11:56 PM Thorsten Glaser wrote:
> considering you took over maintenance and know the code in
> question better, it would be _much_ appreciated if you could
> also take care of this for buster.

Upstream's fix for version 6.x seems suitable for 5.x as well. I've
applied it, looked it over, and checked for regressions with
upstream's test suite. Seems alright from what I can tell.

A patch is attached.

Regards,
Robin
From 00a499a805d8b2d1811ca16bf4f833d7b8da5eb8 Mon Sep 17 00:00:00 2001
From: Robin Gustafsson 
Date: Sat, 1 May 2021 16:24:09 +0200
Subject: [PATCH] Security fix: SQL injection with Microsoft SQL Server

Closes: #987848
---
 debian/patches/0001-cast-to-int.patch | 37 +++
 debian/patches/series |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 debian/patches/0001-cast-to-int.patch
 create mode 100644 debian/patches/series

diff --git a/debian/patches/0001-cast-to-int.patch b/debian/patches/0001-cast-to-int.patch
new file mode 100644
index 00..3ad4e6a50b
--- /dev/null
+++ b/debian/patches/0001-cast-to-int.patch
@@ -0,0 +1,37 @@
+From: Taylor Otwell 
+Date: Wed, 28 Apr 2021 08:18:19 -0500
+Subject: cast to int
+
+Origin: https://github.com/laravel/framework/commit/09bf1457e9df53e172e6fd5929cbafb539677c7c
+---
+ Query/Grammars/SqlServerGrammar.php | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Query/Grammars/SqlServerGrammar.php b/Query/Grammars/SqlServerGrammar.php
+index ed7f176..0f099c7 100755
+--- a/Query/Grammars/SqlServerGrammar.php
 b/Query/Grammars/SqlServerGrammar.php
+@@ -60,8 +60,8 @@ class SqlServerGrammar extends Grammar
+ // If there is a limit on the query, but not an offset, we will add the top
+ // clause to the query, which serves as a "limit" type clause within the
+ // SQL Server system similar to the limit keywords available in MySQL.
+-if ($query->limit > 0 && $query->offset <= 0) {
+-$select .= 'top '.$query->limit.' ';
++if (is_numeric($query->limit) && $query->limit > 0 && $query->offset <= 0) {
++$select .= 'top '.((int) $query->limit).' ';
+ }
+ 
+ return $select.$this->columnize($columns);
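Review bot: the `is_numeric($query->limit)` guard added to the `if` makes a non-numeric limit silently drop the `top` clause instead of failing, so a request that smuggled text into `limit` (including a leading-numeric string such as `'10 * from ...'`) now compiles with no row limit at all, and the caller gets every row rather than an error. The `(int)` cast on the following line already neutralises the injection by itself, so consider either letting the cast run without the guard (a bad value becomes `top 0` or its leading integer) or rejecting a non-numeric limit explicitly; returning an unbounded result set is the fail-open choice. Note also that `is_numeric()` accepts floats and exponent strings, so a limit of `'2.9'` compiles to `top 2`; safe, but a silent truncation worth a comment. The `$query->offset <= 0` test on the same line still uses the raw offset, which is fine here because the offset is not interpolated in this branch.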
+@@ -221,10 +221,10 @@ class SqlServerGrammar extends Grammar
+  */
+ protected function compileRowConstraint($query)
+ {
+-$start = $query->offset + 1;
++$start = (int) $query->offset + 1;
+ 
+ if ($query->limit > 0) {
+-$finish = $query->offset + $query->limit;
++$finish = (int) $query->offset + (int) $query->limit;
+ 
+ return "between {$start} and {$finish}";
+ }
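Review bot: the condition `if ($query->limit > 0)` still tests the raw, uncast limit while the assignments on either side of it use `(int)`, which does not match the `is_numeric()` guard the first hunk added; for consistency compare the cast value (`if ((int) $query->limit > 0)`) or apply the same `is_numeric()` check, so a bad limit is treated identically in both code paths. The interpolation itself is sound: the cast binds tighter than `+`, so `(int) $query->offset + 1` and `(int) $query->offset + (int) $query->limit` always yield integers in the `between {$start} and {$finish}` string. A negative offset still produces a `$start` below 1; that behaviour predates this change and is not addressed here.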
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00..9bf625b68b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-cast-to-int.patch
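Review bot: `debian/patches/series` is created by this change (`create mode 100644`), so the package had no quilt patches before; confirm the build actually applies the series (a `3.0 (quilt)` source format or an explicit quilt step), otherwise the cast never reaches the built package. Separately, the patch this series file registers carries `From`, `Date`, `Subject` and `Origin` DEP-3 headers but no `Bug-Debian:` line; add `Bug-Debian: https://bugs.debian.org/987848` (and an `Applied-Upstream:` line naming the upstream releases that carry the fix) so the quilt header alone records why the cast was introduced.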
-- 
2.20.1
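The two code paths the patch casts to int, shown as an added stand-alone example that is not Laravel's or the Debian package's code: a minimal query object, the pre-patch `top` concatenation beside the patched `is_numeric`/`(int)` form, and the patched row-constraint arithmetic, each run against a constructed request value carrying SQL text. `FakeQuery`, the function names, the `>= {$start}` fallback (the hunk does not show that branch) and the sample inputs are assumptions for the demo; it runs with `php example.php` on PHP 7 or 8 and needs no framework.

```php
<?php
// Added example for this bug thread; it is not Laravel's code, only a
// stand-in for the two SqlServerGrammar code paths the Debian patch above
// casts to int. FakeQuery, the function names, the ">= {$start}" fallback
// and the sample inputs are all constructed for this demo.

class FakeQuery
{
    public $from;
    public $columns;
    public $limit;
    public $offset;

    // $limit and $offset are left untyped on purpose: the grammar receives
    // whatever the caller handed to ->limit()/->offset(), which in the
    // affected deployments could be request-controlled.
    public function __construct($from, array $columns, $limit = null, $offset = null)
    {
        $this->from = $from;
        $this->columns = $columns;
        $this->limit = $limit;
        $this->offset = $offset;
    }
}

// Pre-patch shape of the select compiler: the limit is concatenated verbatim
// into the TOP clause, so a string limit lands in the SQL text unchanged.
function compileSelectVulnerable(FakeQuery $q)
{
    $select = 'select ';
    if ($q->limit > 0 && $q->offset <= 0) {
        $select .= 'top '.$q->limit.' ';
    }
    return $select.implode(', ', $q->columns).' from '.$q->from;
}

// Post-patch shape: only a numeric limit yields a TOP clause, and the value
// is cast to int before interpolation, so no SQL text can pass through.
function compileSelectFixed(FakeQuery $q)
{
    $select = 'select ';
    if (is_numeric($q->limit) && $q->limit > 0 && $q->offset <= 0) {
        $select .= 'top '.((int) $q->limit).' ';
    }
    return $select.implode(', ', $q->columns).' from '.$q->from;
}

// Post-patch shape of the row constraint: offset and limit are cast before
// the arithmetic, so the interpolated bounds are always integers. The
// fallback for a missing limit is assumed here; the patch hunk does not show it.
function compileRowConstraintFixed(FakeQuery $q)
{
    $start = (int) $q->offset + 1;
    if ((int) $q->limit > 0) {
        $finish = (int) $q->offset + (int) $q->limit;
        return "between {$start} and {$finish}";
    }
    return ">= {$start}";
}

// Constructed "per_page" values as they might arrive from a query string.
$benign  = '25';
$hostile = '10 * from users; select name, secret from admins --';
$columns = ['id', 'name'];

echo "vulnerable, benign:  ", compileSelectVulnerable(new FakeQuery('users', $columns, $benign)), "\n";
echo "vulnerable, hostile: ", compileSelectVulnerable(new FakeQuery('users', $columns, $hostile)), "\n";
echo "fixed, benign:       ", compileSelectFixed(new FakeQuery('users', $columns, $benign)), "\n";
echo "fixed, hostile:      ", compileSelectFixed(new FakeQuery('users', $columns, $hostile)), "\n";

// Constructed offset with SQL appended: the cast keeps only its leading integer.
echo "row constraint:      ", compileRowConstraintFixed(new FakeQuery('users', $columns, '10', '20) or 1=1 --')), "\n";
```

The vulnerable compiler emits the hostile value verbatim after `top`, so the statement text now contains a second query; the `$q->limit > 0` test does not stop it, because PHP compares a leading-numeric string as a number (PHP 7) or as a string against `"0"` (PHP 8), and both come out true. The patched form keeps `top 25` for the benign value and compiles the hostile one with no `top` clause at all, which is the patch's behaviour: the bad limit is ignored, not rejected. In the row constraint the cast collapses the hostile offset to `20`, giving integer bounds regardless of what followed the digits.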



Bug#987848: Security issue: SQL injection with Microsoft SQL

2021-04-30 Thread Thorsten Glaser
Hi Robin,

considering you took over maintenance and know the code in
question better, it would be _much_ appreciated if you could
also take care of this for buster.

Thanks in advance,
//mirabilos
-- 
Thorsten Glaser (Founding Member)
Teckids e.V. — Digital freedom with youth and education
https://www.teckids.org/



Bug#987848: Security issue: SQL injection with Microsoft SQL

2021-04-30 Thread Robin Gustafsson
Package: src:php-illuminate-database
Version: 5.7.27-1
Severity: important
Tags: security upstream

Dear Maintainer,

Upstream has published a security advisory [1,2] regarding an SQL
injection vulnerability when used with Microsoft SQL Server.

The vulnerability was fixed upstream in versions 6.20.26 and 8.40.0.

Looking at the package, this vulnerability probably exists in the
version that is currently in stable, too.

[1] https://blog.laravel.com/security-sql-injection-in-sql-server-limit-offset
[2] https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j

Regards,
Robin