Your message dated Sun, 02 May 2021 08:18:27 +0000
with message-id <[email protected]>
and subject line unblock php-laravel-framework
has caused the Debian Bug report #987847,
regarding unblock: php-laravel-framework/6.20.14+dfsg-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
987847: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987847
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package php-laravel-framework
[ Reason ]
Security fix. See bug #987831 [1].
[ Impact ]
If the security vulnerability remains, users could be vulnerable
to SQL injections.
[ Tests ]
Tested with a subset* of upstream's automated test suite.
The patch is taken from upstream and has passed their QA.
* The test suite is not yet functional in Debian due to its
dependencies, thus no autopkgtest yet, but I can run much of it
locally.
[ Risks ]
I consider it a low-risk change.
The patch was taken from upstream. Their code is still close to the
packaged version in general and identical in this case. The change
is also small and uncomplicated.
Additionally, while the source package builds many binary packages,
only one of them is actually affected by this.
[1] https://bugs.debian.org/987831
Regards,
Robin
====================
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/changelog
php-laravel-framework-6.20.14+dfsg/debian/changelog
--- php-laravel-framework-6.20.14+dfsg/debian/changelog 2021-01-22
17:39:34.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/changelog 2021-04-30
16:23:38.000000000 +0000
@@ -1,6 +1,14 @@
+php-laravel-framework (6.20.14+dfsg-2) unstable; urgency=medium
+
+ * Fix security issue: SQL injection with Microsoft SQL Server
+ (Closes: #987831)
+
+ -- Robin Gustafsson <[email protected]> Fri, 30 Apr 2021 18:23:38 +0200
+
php-laravel-framework (6.20.14+dfsg-1) unstable; urgency=medium
* New upstream version 6.20.14+dfsg
+ - Fix security issue: More unexpected bindings in QueryBuilder
* Replace git attributes with uscan's gitexport=all
-- Robin Gustafsson <[email protected]> Fri, 22 Jan 2021 18:39:34 +0100
@@ -9,7 +17,8 @@
* Set upstream metadata fields: Security-Contact.
* New upstream version 6.20.11+dfsg
- - Fix security issue: Unexpected bindings in QueryBuilder (Closes: #980095)
+ - Fix security issue: Unexpected bindings in QueryBuilder
+ (CVE-2021-21263, Closes: #980095)
* Bump Standards-Version
-- Robin Gustafsson <[email protected]> Fri, 15 Jan 2021 00:35:41 +0100
diff -Nru
php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch
php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch
--- php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch
1970-01-01 00:00:00.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/0001-cast-to-int.patch
2021-04-30 16:23:38.000000000 +0000
@@ -0,0 +1,38 @@
+From: Taylor Otwell <[email protected]>
+Date: Wed, 28 Apr 2021 08:18:19 -0500
+Subject: cast to int
+
+Origin:
https://github.com/laravel/framework/commit/09bf1457e9df53e172e6fd5929cbafb539677c7c
+Applied-Upstream: 6.20.26
+---
+ src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
b/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
+index f0a0bfc..88a7df3 100755
+--- a/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
++++ b/src/Illuminate/Database/Query/Grammars/SqlServerGrammar.php
+@@ -60,8 +60,8 @@ class SqlServerGrammar extends Grammar
+ // If there is a limit on the query, but not an offset, we will add
the top
+ // clause to the query, which serves as a "limit" type clause within
the
+ // SQL Server system similar to the limit keywords available in MySQL.
+- if ($query->limit > 0 && $query->offset <= 0) {
+- $select .= 'top '.$query->limit.' ';
++ if (is_numeric($query->limit) && $query->limit > 0 && $query->offset
<= 0) {
++ $select .= 'top '.((int) $query->limit).' ';
+ }
+
+ return $select.$this->columnize($columns);
+@@ -221,10 +221,10 @@ class SqlServerGrammar extends Grammar
+ */
+ protected function compileRowConstraint($query)
+ {
+- $start = $query->offset + 1;
++ $start = (int) $query->offset + 1;
+
+ if ($query->limit > 0) {
+- $finish = $query->offset + $query->limit;
++ $finish = (int) $query->offset + (int) $query->limit;
+
+ return "between {$start} and {$finish}";
+ }
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/series
php-laravel-framework-6.20.14+dfsg/debian/patches/series
--- php-laravel-framework-6.20.14+dfsg/debian/patches/series 1970-01-01
00:00:00.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/series 2021-04-30
16:23:38.000000000 +0000
@@ -0,0 +1 @@
+0001-cast-to-int.patch
====================
unblock php-laravel-framework/6.20.14+dfsg-2
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---
