Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], Debian PHP PEAR Maintainers <[email protected]>
Control: affects -1 + src:symfony
User: [email protected]
Usertags: pu
Hi,

As agreed with the security team, I’d like to see CVE-2025-64500 fixed in trixie. The patch is minimal, and only affects php-symfony-http-foundation, which is not part of the dependency chain of any end-user package AFAICT.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit
diff -Nru symfony-6.4.21+dfsg/debian/changelog symfony-6.4.21+dfsg/debian/changelog --- symfony-6.4.21+dfsg/debian/changelog 2025-05-05 08:04:39.000000000 +0200 +++ symfony-6.4.21+dfsg/debian/changelog 2025-11-13 07:51:30.000000000 +0100 @@ -1,3 +1,13 @@ +symfony (6.4.21+dfsg-2+deb13u1) trixie; urgency=medium + + * Backport security fix from Symfony 6.4.29: + - [HttpFoundation] Fix parsing pathinfo with no leading slash + [CVE-2025-64500] + * Use debian/trixie branch + * [Finder] Drop data from testsuite + + -- David Prévot <[email protected]> Thu, 13 Nov 2025 07:51:30 +0100 + symfony (6.4.21+dfsg-2) unstable; urgency=medium * Drop tests currently failing on reproducible infrastructure diff -Nru symfony-6.4.21+dfsg/debian/control symfony-6.4.21+dfsg/debian/control --- symfony-6.4.21+dfsg/debian/control 2025-05-05 08:04:39.000000000 +0200 +++ symfony-6.4.21+dfsg/debian/control 2025-11-13 07:51:30.000000000 +0100 @@ -64,7 +64,7 @@ phpunit Homepage: https://symfony.com/ Vcs-Browser: https://salsa.debian.org/php-team/pear/symfony -Vcs-Git: https://salsa.debian.org/php-team/pear/symfony.git -b debian/6 +Vcs-Git: https://salsa.debian.org/php-team/pear/symfony.git -b debian/trixie Rules-Requires-Root: no Package: php-symfony diff -Nru symfony-6.4.21+dfsg/debian/gbp.conf symfony-6.4.21+dfsg/debian/gbp.conf --- symfony-6.4.21+dfsg/debian/gbp.conf 2025-05-05 08:04:39.000000000 +0200 +++ symfony-6.4.21+dfsg/debian/gbp.conf 2025-11-13 07:51:30.000000000 +0100 
@@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian/6 +debian-branch = debian/trixie filter = [ '.gitattributes' ] upstream-branch = upstream-6 pristine-tar = True diff -Nru symfony-6.4.21+dfsg/debian/patches/Finder-Drop-data-from-testsuite.patch symfony-6.4.21+dfsg/debian/patches/Finder-Drop-data-from-testsuite.patch --- symfony-6.4.21+dfsg/debian/patches/Finder-Drop-data-from-testsuite.patch 1970-01-01 01:00:00.000000000 +0100 +++ symfony-6.4.21+dfsg/debian/patches/Finder-Drop-data-from-testsuite.patch 2025-11-13 07:51:30.000000000 +0100 @@ -0,0 +1,22 @@ +From: =?utf-8?q?David_Pr=C3=A9vot?= <[email protected]> +Date: Thu, 13 Nov 2025 08:24:17 +0100 +Subject: [Finder] Drop data from testsuite + +It seems to be failing in current Debian (old)stable now. +--- + .../Component/Finder/Tests/Iterator/DateRangeFilterIteratorTest.php | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/Symfony/Component/Finder/Tests/Iterator/DateRangeFilterIteratorTest.php b/src/Symfony/Component/Finder/Tests/Iterator/DateRangeFilterIteratorTest.php +index f4985df..bb4b239 100644 +--- a/src/Symfony/Component/Finder/Tests/Iterator/DateRangeFilterIteratorTest.php ++++ b/src/Symfony/Component/Finder/Tests/Iterator/DateRangeFilterIteratorTest.php +@@ -36,8 +36,6 @@ class DateRangeFilterIteratorTest extends RealIteratorTestCase + '.git', + 'test.py', + 'foo', +- 'foo/bar.tmp', +- 'test.php', + 'toto', + 'toto/.git', + '.bar', diff -Nru symfony-6.4.21+dfsg/debian/patches/HttpFoundation-Fix-parsing-pathinfo-with-no-leading-slash.patch symfony-6.4.21+dfsg/debian/patches/HttpFoundation-Fix-parsing-pathinfo-with-no-leading-slash.patch --- symfony-6.4.21+dfsg/debian/patches/HttpFoundation-Fix-parsing-pathinfo-with-no-leading-slash.patch 1970-01-01 01:00:00.000000000 +0100 +++ symfony-6.4.21+dfsg/debian/patches/HttpFoundation-Fix-parsing-pathinfo-with-no-leading-slash.patch 2025-11-13 07:51:30.000000000 +0100 
@@ -0,0 +1,49 @@ +From: Nicolas Grekas <[email protected]> +Date: Fri, 31 Oct 2025 17:43:49 +0100 +Subject: [HttpFoundation] Fix parsing pathinfo with no leading slash + +Origin: upstream, https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac +Bug: https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-64500 +--- + src/Symfony/Component/HttpFoundation/Request.php | 5 ++--- + src/Symfony/Component/HttpFoundation/Tests/RequestTest.php | 10 ++++++++++ + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php +index 9220141..77e7384 100644 +--- a/src/Symfony/Component/HttpFoundation/Request.php ++++ b/src/Symfony/Component/HttpFoundation/Request.php +@@ -1917,9 +1917,8 @@ class Request + } + + $pathInfo = substr($requestUri, \strlen($baseUrl)); +- if (false === $pathInfo || '' === $pathInfo) { +- // If substr() returns false then PATH_INFO is set to an empty string +- return '/'; ++ if (false === $pathInfo || '' === $pathInfo || '/' !== $pathInfo[0]) { ++ return '/'.$pathInfo; + } + + return $pathInfo; +diff --git a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php +index 7a4807e..5f35640 100644 +--- a/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php ++++ b/src/Symfony/Component/HttpFoundation/Tests/RequestTest.php +@@ -1906,6 +1906,16 @@ class RequestTest extends TestCase + '', + '/foo/api/bar', + ], ++ [ ++ '/api/index.phpfoo', ++ [ ++ 'SCRIPT_FILENAME' => '/var/www/api/index.php', ++ 'SCRIPT_NAME' => '/api/index.php', ++ 'PHP_SELF' => '/api/index.php', ++ ], ++ '/api/index.php', ++ '/foo', ++ ], + ]; + } + diff -Nru symfony-6.4.21+dfsg/debian/patches/series symfony-6.4.21+dfsg/debian/patches/series --- symfony-6.4.21+dfsg/debian/patches/series 2025-05-05 
08:04:39.000000000 +0200 +++ symfony-6.4.21+dfsg/debian/patches/series 2025-11-13 07:51:30.000000000 +0100 @@ -39,3 +39,6 @@ Skip-test-relying-on-broken-timezone-during-build.patch Skip-tests-failing-with-PHPUnit-11.5.17-1.patch Drop-tests-currently-failing-on-reproducible-infrastructu.patch +HttpFoundation-Fix-parsing-pathinfo-with-no-leading-slash.patch +Finder-Drop-data-from-testsuite.patch +# DEP-8/Tests-against-installed-classes.patch
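Review bot: the justification in the header of Finder-Drop-data-from-testsuite.patch ("It seems to be failing in current Debian (old)stable now.") does not say which expectation of DateRangeFilterIteratorTest fails or why removing `'foo/bar.tmp'` and `'test.php'` from the fixture list cures it; record the failing assertion (or a bug reference) in the DEP-3 header so the dropped data can be restored once the cause is understood, rather than the test being silently narrowed.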
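Review bot: the rewritten condition in the Request.php hunk removes the only comment explaining the `false === $pathInfo` case, and `return '/'.$pathInfo;` produces `'/'` for a false value only because PHP stringifies false to an empty string; since substr() no longer returns false on PHP 8 (which Symfony 6.4 requires), either drop the false check or keep a one-line comment stating that it is retained deliberately, so the concatenation does not read as a type mistake. The `'/' !== $pathInfo[0]` test itself is safe, because the empty-string case is short-circuited before the string is indexed, and the new RequestTest case (`'/api/index.phpfoo'` yielding base URL `'/api/index.php'` and path info `'/foo'`) exercises exactly the missing-slash path.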
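Review bot: the last line added to debian/patches/series, `# DEP-8/Tests-against-installed-classes.patch`, is a commented-out entry that the changelog does not mention, although the checklist states that all changes are documented in d/changelog; either leave that line out of the stable update or add a changelog entry explaining why the patch is listed but disabled.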