Bug#980899: php-illuminate-database: CVE-2021-21263 Query Binding Exploitation

2021-05-01 Thread Robin Gustafsson
Control: tags -1 patch

Hi,

I've backported upstream's fixes for version 6.x to version 5.7,
along with a few additional lines that I believe are required to
adequately fix this for 5.7. This seems to work as far as I can tell;
upstream's test suite shows no regressions and the tests they added
along with their fixes also pass.

A patch is attached.

Regards,
Robin
From f8365784a8b5d9c3ef8ad0ce316bf056ea0eef5e Mon Sep 17 00:00:00 2001
From: Robin Gustafsson 
Date: Sat, 1 May 2021 15:30:35 +0200
Subject: [PATCH] Security fix: Query Binding Exploitation

Closes: #980899
CVE-2021-21263
---
 ...01-6.x-Limit-expected-bindings-35865.patch | 98 +++
 .../0002-Limit-expected-bindingx-v2.patch | 94 ++
 ...hereDay-and-whereYear-to-clean-value.patch | 31 ++
 ...it-bindings-for-having-between-tests.patch | 22 +
 ...Clean-value-in-orWhereDay-Month-Year.patch | 42 
 debian/patches/series |  5 +
 6 files changed, 292 insertions(+)
 create mode 100644 debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
 create mode 100644 debian/patches/0002-Limit-expected-bindingx-v2.patch
 create mode 100644 debian/patches/0003-Update-whereDay-and-whereYear-to-clean-value.patch
 create mode 100644 debian/patches/0004-Add-limit-bindings-for-having-between-tests.patch
 create mode 100644 debian/patches/0005-Clean-value-in-orWhereDay-Month-Year.patch
 create mode 100644 debian/patches/series

diff --git a/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch b/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
new file mode 100644
index 00..a42ef10821
--- /dev/null
+++ b/debian/patches/0001-6.x-Limit-expected-bindings-35865.patch
@@ -0,0 +1,98 @@
+From: Taylor Otwell 
+Date: Wed, 13 Jan 2021 07:35:45 -0600
+Subject: [6.x] Limit expected bindings (#35865)
+
+* limit expected bindings
+
+* limit more bindings
+
+Origin: https://github.com/laravel/framework/commit/d0954f4574f315f0c2e9e65e92cc74b80eadcac1
+---
+ Query/Builder.php | 18 ++
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/Query/Builder.php b/Query/Builder.php
+index 4fa3c6d..0812a70 100755
+--- a/Query/Builder.php
 b/Query/Builder.php
+@@ -654,7 +654,7 @@ class Builder
+ );
+ 
+ if (! $value instanceof Expression) {
+-$this->addBinding($value, 'where');
++$this->addBinding(is_array($value) ? head($value) : $value, 'where');
+ }
+ 
+ return $this;
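Review bot: head($value) on the changed addBinding line returns false for an empty array, so `where($column, [])` now binds boolean false where it previously contributed no binding at all, and a non-empty array is silently cut down to its first element rather than rejected. If the goal is to limit bindings, consider guarding the empty case explicitly (or throwing an InvalidArgumentException when an array reaches a scalar where) so callers find out that unvalidated input reached the builder instead of getting a query that silently matches on `false`.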
+@@ -1051,7 +1051,7 @@ class Builder
+ 
+ $this->wheres[] = compact('type', 'column', 'values', 'boolean', 'not');
+ 
+-$this->addBinding($this->cleanBindings($values), 'where');
++$this->addBinding(array_slice($this->cleanBindings($values), 0, 2), 'where');
+ 
+ return $this;
+ }
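Review bot: array_slice($this->cleanBindings($values), 0, 2) caps the bindings at two but does not enforce a minimum, and the `$this->wheres[]` entry on the preceding line still stores the full, uncapped `$values` array. Fewer than two values (or values that cleanBindings drops because they are Expressions) leave this between clause with too few bindings, and the stored where entry no longer matches what was bound. Consider checking `count($values) >= 2` up front and storing the sliced array in the where entry so the compiled clause and its bindings agree.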
+@@ -1119,6 +1119,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+ 
++$value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('Y-m-d');
+ }
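Review bot: the new `$value = is_array($value) ? head($value) : $value;` line is pasted verbatim into five date-based where methods in this patch; hoisting it into one private helper would keep the rule in a single place and make the later patches in this series, which touch the same methods again, smaller. Note also that head() on an empty array yields false here, which is not a DateTimeInterface and so falls through to be bound as-is.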
+@@ -1158,6 +1160,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+ 
++$value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('H:i:s');
+ }
+@@ -1197,6 +1201,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+ 
++$value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('d');
+ }
+@@ -1236,6 +1242,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+ 
++$value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('m');
+ }
+@@ -1275,6 +1283,8 @@ class Builder
+ $value, $operator, func_num_args() === 2
+ );
+ 
++$value = is_array($value) ? head($value) : $value;
++
+ if ($value instanceof DateTimeInterface) {
+ $value = $value->format('Y');
+ }
+@@ -1581,7 +1591,7 @@ class Builder
+ $this->wheres[] = compact('type', 'column', 'operator', 'value', 'boolean');
+ 
+ if (! $value instanceof Expression) {
+-$this->addBinding($value);
++$this->addBinding((int) $value);
+ }
+ 
+ return $this;
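Review bot: `(int) $value` casts the binding, but the `compact(...)` entry on the preceding line still stores the uncast `$value`, so the where entry and getBindings() disagree; cast before the compact. The cast also turns a non-numeric string into 0 silently, so if that is not acceptable for this clause an `is_numeric` check before the cast would be safer than relying on the truncation.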
+@@ -1714,7 +1724,7 @@ class Builder
+ $this->havings[] = compact('type', 'column', 'operator', 'value', 'boolean');
+ 
+ if (! $value instanceof Expression) {
+-$this->addBinding($value, 'having');
++$this->addBinding(is_array($value) ? head($value) : $value, 'having');
+ }
+ 
+ return $this;
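Review bot: same head() concerns as in the where() hunk apply to this `addBinding(..., 'having')` line: an empty array binds false and a longer array is truncated without notice. This is also the only having-side change in the patch; the series listing includes a "limit bindings for having between tests" patch, so please confirm that havingBetween gets the same array_slice treatment as whereBetween rather than only a test.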
diff --git a/debian/patches/0002-Limit-expected-bindingx-v2.patch 
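To make the binding shift behind the CVE concrete, here is an added example written for this page; it is mine, not code from the bug report or from illuminate/database. `TinyBuilder` is a hypothetical, deliberately minimal stand-in for `Query\Builder` that keeps only the two behaviours that interact badly here: a basic `where` always compiles to one `?`, while `addBinding()` merges an array value into the flat positional binding list. It runs the same two-clause query with and without the `is_array($value) ? head($value) : $value` rule from the patch. The request inputs are constructed.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from illuminate/database or from the bug report.
 * TinyBuilder is a hypothetical stand-in for Query\Builder: a basic where
 * compiles to a single "?", while addBinding() splices an array value into
 * the flat, positional binding list. Inputs further down are constructed.
 */
final class TinyBuilder
{
    /** @var string[] compiled where clauses, one "?" each */
    private $wheres = [];

    /** @var array<int, mixed> positional bindings */
    private $bindings = [];

    /** @var bool true = apply the patch's is_array($value) ? head($value) : $value rule */
    private $limitBindings;

    public function __construct(bool $limitBindings)
    {
        $this->limitBindings = $limitBindings;
    }

    public function where(string $column, $value): self
    {
        $this->wheres[] = $column . ' = ?';

        // The patch keeps only the first element of an array value. head() is
        // reset() underneath, so an empty array turns into boolean false.
        if ($this->limitBindings && is_array($value)) {
            $value = reset($value);
        }

        $this->addBinding($value);

        return $this;
    }

    /** Same shape as Builder::addBinding(): arrays are merged in, not nested. */
    private function addBinding($value): void
    {
        if (is_array($value)) {
            $this->bindings = array_values(array_merge($this->bindings, $value));
        } else {
            $this->bindings[] = $value;
        }
    }

    public function toSql(): string
    {
        return 'select * from users where ' . implode(' and ', $this->wheres);
    }

    public function getBindings(): array
    {
        return $this->bindings;
    }

    /**
     * Pair every "?" with the binding a driver would assign to it by position,
     * then list bindings that have no placeholder left to bind to.
     */
    public function explain(): array
    {
        $lines = [];
        foreach ($this->wheres as $i => $clause) {
            $bound = array_key_exists($i, $this->bindings)
                ? var_export($this->bindings[$i], true)
                : '<no binding left>';
            $lines[] = $clause . '  <-  ' . $bound;
        }
        foreach (array_slice($this->bindings, count($this->wheres)) as $extra) {
            $lines[] = '(no placeholder)  <-  ' . var_export($extra, true);
        }

        return $lines;
    }
}

// Constructed inputs: the first two are what ?email=victim@example.com and
// ?email[]=victim@example.com&email[]=admin decode to; the empty array
// exercises the head() edge case.
$inputs = [
    'scalar, as the code expects'       => 'victim@example.com',
    'array smuggled into a scalar slot' => ['victim@example.com', 'admin'],
    'empty array'                       => [],
];

foreach ([0 => 'before patch', 1 => 'after patch'] as $limit => $label) {
    foreach ($inputs as $name => $email) {
        $q = (new TinyBuilder((bool) $limit))
            ->where('email', $email)
            ->where('role', 'user');

        echo "[$label] $name\n";
        echo '  sql:      ' . $q->toSql() . "\n";
        echo '  bindings: ' . json_encode($q->getBindings()) . "\n";
        echo '  ' . implode("\n  ", $q->explain()) . "\n\n";
    }
}
```

Run it with the php command-line binary. Before the patch, the smuggled array pairs `role = ?` with `'admin'` and leaves `'user'` with no placeholder; what a driver does with that leftover varies, which is why the advisory describes outcomes ranging from no rows to unexpected rows. After the patch only the first element is bound, and the empty-array row shows the remaining wrinkle: `head([])` is `false`, so the clause is bound to a boolean rather than rejected. Checking that the input is a scalar before it reaches the builder remains the application-side fix.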

Bug#980899: [pkg-php-pear] Bug#980899: php-illuminate-database: CVE-2021-21263 Query Binding Exploitation

2021-02-14 Thread David Prévot
Control: reassign -1 src:php-illuminate-database

I filed the bug against the binary package, that has been superseded by
src:php-laravel-framework and thus missed the expected audience, sorry
about that.

On Tue, Feb 02, 2021 at 11:20:06AM -0400, David Prévot wrote:
> On 23/01/2021 at 18:49, David Prévot wrote:
> > Package: php-illuminate-database
> > Version: 5.7.27-1
> […]
> > A quick look at the php-illuminate-database code, as shipped in stable,
> > makes me think that it is probably vulnerable to CVE-2021-21263 as fixed
> > in 6.20.11
> 
> Also, since the CVE-2021-21263 fix was incomplete, upstream released another
> security update as 6.20.14.
> 
> https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg
> 
> Regards
> 
> David


signature.asc
Description: PGP signature


Bug#980899: [pkg-php-pear] Bug#980899: php-illuminate-database: CVE-2021-21263 Query Binding Exploitation

2021-02-02 Thread David Prévot

On 23/01/2021 at 18:49, David Prévot wrote:

> Package: php-illuminate-database
> Version: 5.7.27-1
>
> […]
>
> A quick look at the php-illuminate-database code, as shipped in stable,
> makes me think that it is probably vulnerable to CVE-2021-21263 as fixed
> in 6.20.11


Also, since the CVE-2021-21263 fix was incomplete, upstream released 
another security update as 6.20.14.


https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg

Regards

David



Bug#980899: php-illuminate-database: CVE-2021-21263 Query Binding Exploitation

2021-01-23 Thread David Prévot
Package: php-illuminate-database
Version: 5.7.27-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: Robin Gustafsson , Debian Security Team 


Hi,

A quick look at the php-illuminate-database code, as shipped in stable,
makes me think that it is probably vulnerable to CVE-2021-21263 as fixed
in 6.20.11 (and its follow up in 6.20.14 since the initial fix was
incomplete) already fixed in Debian testing via php-laravel-framework
source.

Regards

David


signature.asc
Description: PGP signature