Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
Hi, Thanks in advance for accepting this short update. * Prevent CSV injection via formulas [CVE-2021-41270] [ Reason ] The security issue was introduced in 4.1 (buster shipped with 3.4). The security team decided it doesn’t warrant a DSA. [ Impact ] It makes applications depending on php-symfony-serializer vulnerable to CSV injection. [ Tests ] The testsuite was fixed and extended in the applied patch. The testsuite is run at build time and via autopkgtest. [ Risks ] The code changed is trivial, the upstream patch is applied directly, and the php-symfony-serializer binary package actually shipping the code has few reverse dependencies. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] The escape character (\t) chosen in Symfony 4.1 for CSV formulas has recently been added as a character starting a formula. The fix adds \t and \r to the characters starting a formula, and uses a single quote (') to escape them, following OWASP recommendations. [ Other info ] Version 4.4.19+dfsg-3 (similar to the one I’m proposing here) was uploaded to unstable, but didn’t last long: version 5 (also fixing the issue) was uploaded soon after. Regards David https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas
diff --git a/debian/changelog b/debian/changelog
index db978be8b7..50313ca943 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+symfony (4.4.19+dfsg-2+deb11u1) stable; urgency=medium
+
+ * Prevent CSV injection via formulas [CVE-2021-41270]
+
+ -- David Prévot <taf...@debian.org> Wed, 24 Nov 2021 06:07:00 -0400
+
 symfony (4.4.19+dfsg-2) unstable; urgency=medium
 * Prevent user enumeration via response content [CVE-2021-21424]
diff --git a/debian/patches/Use-single-quote-to-escape-formulas.patch b/debian/patches/Use-single-quote-to-escape-formulas.patch
new file mode 100644
index 0000000000..a3fa5c3ecc
--- /dev/null
+++ b/debian/patches/Use-single-quote-to-escape-formulas.patch
@@ -0,0 +1,191 @@
+From: =?utf-8?b?SsOpcsOpbXkgRGVydXNzw6k=?= <jer...@derusse.com>
+Date: Mon, 15 Nov 2021 11:47:04 +0100
+Subject: Use single quote to escape formulas
+
+Origin: upstream, https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
+---
+ .../Component/Serializer/Encoder/CsvEncoder.php | 7 +-
+ .../Serializer/Tests/Encoder/CsvEncoderTest.php | 85 ++++++++++++++++++++--
+ 2 files changed, 81 insertions(+), 11 deletions(-)
+
+diff --git a/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php b/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
+index f20211b..cd71fec 100644
+--- a/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
++++ b/src/Symfony/Component/Serializer/Encoder/CsvEncoder.php
+@@ -35,7 +35,8 @@ class CsvEncoder implements EncoderInterface, DecoderInterface
+
+ private const UTF8_BOM = "\xEF\xBB\xBF";
+
+- private $formulasStartCharacters = ['=', '-', '+', '@'];
++ private const FORMULAS_START_CHARACTERS = ['=', '-', '+', '@', "\t", "\r"];
++
+ private $defaultContext = [
+ self::DELIMITER_KEY => ',',
+ self::ENCLOSURE_KEY => '"',
+@@ -238,8 +239,8 @@ class CsvEncoder implements EncoderInterface, DecoderInterface
+ if (is_iterable($value)) {
+ $this->flatten($value, $result, $keySeparator, $parentKey.$key.$keySeparator, $escapeFormulas);
+ } else {
+- if ($escapeFormulas && \in_array(substr((string) $value, 0, 1), $this->formulasStartCharacters, true)) {
+- $result[$parentKey.$key] = "\t".$value;
++ if ($escapeFormulas && \in_array(substr((string) $value, 0, 1), self::FORMULAS_START_CHARACTERS, true)) {
++ $result[$parentKey.$key] = "'".$value;
+ } else {
+ // Ensures an actual value is used when dealing with true and false
+ $result[$parentKey.$key] = false === $value ? 0 : (true === $value ? 1 : $value);
+diff --git a/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php b/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
+index 33a16ee..596afa2 100644
+--- a/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
++++ b/src/Symfony/Component/Serializer/Tests/Encoder/CsvEncoderTest.php
+@@ -285,31 +285,52 @@ CSV;
+
+ $this->assertSame(<<<'CSV'
+ 0
+-" =2+3"
++'=2+3
+
+ CSV
+ , $this->encoder->encode(['=2+3'], 'csv'));
+
+ $this->assertSame(<<<'CSV'
+ 0
+-" -2+3"
++'-2+3
+
+ CSV
+ , $this->encoder->encode(['-2+3'], 'csv'));
+
+ $this->assertSame(<<<'CSV'
+ 0
+-" +2+3"
++'+2+3
+
+ CSV
+ , $this->encoder->encode(['+2+3'], 'csv'));
+
+ $this->assertSame(<<<'CSV'
+ 0
+-" @MyDataColumn"
++'@MyDataColumn
+
+ CSV
+ , $this->encoder->encode(['@MyDataColumn'], 'csv'));
++
++ $this->assertSame(<<<'CSV'
++0
++"' tab"
++
++CSV
++ , $this->encoder->encode(["\ttab"], 'csv'));
++
++ $this->assertSame(<<<'CSV'
++0
++"'=1+2"";=1+2"
++
++CSV
++ , $this->encoder->encode(['=1+2";=1+2'], 'csv'));
++
++ $this->assertSame(<<<'CSV'
++0
++"'=1+2'"" ;,=1+2"
++
++CSV
++ , $this->encoder->encode(['=1+2\'" ;,=1+2'], 'csv'));
+ }
+
+ public function testDoNotEncodeFormulas()
+@@ -341,13 +362,34 @@ CSV
+
+ CSV
+ , $this->encoder->encode(['@MyDataColumn'], 'csv'));
++
++ $this->assertSame(<<<'CSV'
++0
++" tab"
++
++CSV
++ , $this->encoder->encode(["\ttab"], 'csv'));
++
++ $this->assertSame(<<<'CSV'
++0
++"=1+2"";=1+2"
++
++CSV
++ , $this->encoder->encode(['=1+2";=1+2'], 'csv'));
++
++ $this->assertSame(<<<'CSV'
++0
++"=1+2'"" ;,=1+2"
++
++CSV
++ , $this->encoder->encode(['=1+2\'" ;,=1+2'], 'csv'));
+ }
+
+ public function testEncodeFormulasWithSettingsPassedInContext()
+ {
+ $this->assertSame(<<<'CSV'
+ 0
+-" =2+3"
++'=2+3
+
+ CSV
+ , $this->encoder->encode(['=2+3'], 'csv', [
+@@ -356,7 +398,7 @@ CSV
+
+ $this->assertSame(<<<'CSV'
+ 0
+-" -2+3"
++'-2+3
+
+ CSV
+ , $this->encoder->encode(['-2+3'], 'csv', [
+@@ -365,7 +407,7 @@ CSV
+
+ $this->assertSame(<<<'CSV'
+ 0
+-" +2+3"
++'+2+3
+
+ CSV
+ , $this->encoder->encode(['+2+3'], 'csv', [
+@@ -374,12 +416,39 @@ CSV
+
+ $this->assertSame(<<<'CSV'
+ 0
+-" @MyDataColumn"
++'@MyDataColumn
+
+ CSV
+ , $this->encoder->encode(['@MyDataColumn'], 'csv', [
+ CsvEncoder::ESCAPE_FORMULAS_KEY => true,
+ ]));
++
++ $this->assertSame(<<<'CSV'
++0
++"' tab"
++
++CSV
++ , $this->encoder->encode(["\ttab"], 'csv', [
++ CsvEncoder::ESCAPE_FORMULAS_KEY => true,
++ ]));
++
++ $this->assertSame(<<<'CSV'
++0
++"'=1+2"";=1+2"
++
++CSV
++ , $this->encoder->encode(['=1+2";=1+2'], 'csv', [
++ CsvEncoder::ESCAPE_FORMULAS_KEY => true,
++ ]));
++
++ $this->assertSame(<<<'CSV'
++0
++"'=1+2'"" ;,=1+2"
++
++CSV
++ , $this->encoder->encode(['=1+2\'" ;,=1+2'], 'csv', [
++ CsvEncoder::ESCAPE_FORMULAS_KEY => true,
++ ]));
+ }
+
+ public function testEncodeWithoutHeader()
diff --git a/debian/patches/series b/debian/patches/series
index de2ecb771a..c88659fea9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,4 @@ Config-Drop-currently-broken-assertions.patch
 Workaround-failing-tests-with-php7.4.patch
 HttpClient-group-network-for-test-failing-without-vulcain.patch
 Merge-branch-3.4-into-4.4.patch
+Use-single-quote-to-escape-formulas.patch
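Review bot: The new `FORMULAS_START_CHARACTERS` constant and the `"'".$value` prefix in the CsvEncoder hunk carry no comment explaining which threat the list addresses or why a single quote replaced the old `"\t"` prefix, and the guard still inspects only the first byte via `substr((string) $value, 0, 1)`, so a value whose `=`/`+`/`-`/`@` follows some other leading character (a space or `"\n"`, for instance) is written unmodified — whether a consuming spreadsheet trims that before evaluating the cell is consumer-dependent and should be stated rather than left implicit. I would put above the constant: `// Leading characters a spreadsheet may read as the start of a formula (OWASP CSV-injection list); "\t" and "\r" are included because "\t", the former escape prefix, is itself a trigger.` and on the assignment: `// Prefix with a single quote so the cell is read as text (OWASP); note that negative numbers also start with '-' and are therefore emitted as '-1 when escaping is on.` The enclosing `flatten()` method starts and ends outside the hunk, and since this hunk is a patch file nested inside the debdiff, the comments belong in the upstream-sourced patch body.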