Version in base suite: 6.20.14+dfsg-2 Base version: php-laravel-framework_6.20.14+dfsg-2 Target version: php-laravel-framework_6.20.14+dfsg-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-laravel-framework/php-laravel-framework_6.20.14+dfsg-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-laravel-framework/php-laravel-framework_6.20.14+dfsg-2+deb11u1.dsc changelog | 9 patches/0002-Fix-parent-call.patch | 192 +++++++++++ patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch | 26 + patches/series | 2 4 files changed, 229 insertions(+)
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/changelog php-laravel-framework-6.20.14+dfsg/debian/changelog
--- php-laravel-framework-6.20.14+dfsg/debian/changelog 2021-04-30 16:23:38.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/changelog 2022-01-02 18:58:35.000000000 +0000
@@ -1,3 +1,12 @@
+php-laravel-framework (6.20.14+dfsg-2+deb11u1) bullseye; urgency=high
+
+ * Fix security issue: XSS vulnerability in the Blade templating engine
+ (CVE-2021-43808, Closes: #1001333)
+ * Fix security issue: Failure to block the upload of executable PHP content
+ (CVE-2021-43617, Closes: #1002728)
+
+ -- Robin Gustafsson Sun, 02 Jan 2022 19:58:35 +0100
+
 php-laravel-framework (6.20.14+dfsg-2) unstable; urgency=medium
 * Fix security issue: SQL injection with Microsoft SQL Server
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch
--- php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/0002-Fix-parent-call.patch 2021-12-28 15:17:51.000000000 +0000
@@ -0,0 +1,192 @@
+From: Dries Vints
+Date: Mon, 6 Dec 2021 18:14:03 +0100
+Subject: Fix parent call
+
+Origin: https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828ceddb9b
+Applied-Upstream: 6.20.42
+---
+ src/Illuminate/View/Compilers/Compiler.php | 2 +-
+ .../View/Compilers/Concerns/CompilesLayouts.php | 6 ++---
+ src/Illuminate/View/Concerns/ManagesLayouts.php | 26 +++++++++++++++++++++-
+ tests/View/ViewBladeCompilerTest.php | 20 ++++++++---
+ 4 files changed, 39 insertions(+), 15 deletions(-)
+
+diff --git a/src/Illuminate/View/Compilers/Compiler.php b/src/Illuminate/View/Compilers/Compiler.php
+index 08648ad..d2a9f26 100755
+--- a/src/Illuminate/View/Compilers/Compiler.php
++++ b/src/Illuminate/View/Compilers/Compiler.php
+@@ -48,7 +48,7 @@ abstract class Compiler
+ */
+ public function getCompiledPath($path)
+ {
+- return $this->cachePath.'/'.sha1($path).'.php';
++ return $this->cachePath.'/'.sha1('v2'.$path).'.php';
+ }
+
+ /**
+diff --git a/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php b/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php
+index aaef617..fc6a63a 100644
+--- a/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php
++++ b/src/Illuminate/View/Compilers/Concerns/CompilesLayouts.php
+@@ -2,8 +2,6 @@
+
+ namespace Illuminate\View\Compilers\Concerns;
+
+-use Illuminate\View\Factory as ViewFactory;
+-
+ trait CompilesLayouts
+ {
+ /**
+@@ -50,7 +48,9 @@ trait CompilesLayouts
+ */
+ protected function compileParent()
+ {
+- return ViewFactory::parentPlaceholder($this->lastSection ?: '');
++ $escapedLastSection = strtr($this->lastSection, ['\\' => '\\\\', "'" => "\\'"]);
++
++ return "";
+ }
+
+ /**
+diff --git a/src/Illuminate/View/Concerns/ManagesLayouts.php b/src/Illuminate/View/Concerns/ManagesLayouts.php
+index 29d7155..82fb77b 100644
+--- a/src/Illuminate/View/Concerns/ManagesLayouts.php
++++ b/src/Illuminate/View/Concerns/ManagesLayouts.php
+@@ -3,6 +3,7 @@
+ namespace Illuminate\View\Concerns;
+
+ use Illuminate\Contracts\View\View;
++use Illuminate\Support\Str;
+ use InvalidArgumentException;
+
+ trait ManagesLayouts
+@@ -28,6 +29,13 @@ trait ManagesLayouts
+ */
+ protected static $parentPlaceholder = [];
+
++ /**
++ * The parent placeholder salt for the request.
++ *
++ * @var string
++ */
++ protected static $parentPlaceholderSalt;
++
+ /**
+ * Start injecting content into a section.
+ *
+@@ -168,12 +176,28 @@ trait ManagesLayouts
+ public static function parentPlaceholder($section = '')
+ {
+ if (! isset(static::$parentPlaceholder[$section])) {
+- static::$parentPlaceholder[$section] = '##parent-placeholder-'.sha1($section).'##';
++ $salt = static::parentPlaceholderSalt();
++
++ static::$parentPlaceholder[$section] = '##parent-placeholder-'.sha1($salt.$section).'##';
+ }
+
+ return static::$parentPlaceholder[$section];
+ }
+
++ /**
++ * Get the parent placeholder salt.
++ *
++ * @return string
++ */
++ protected static function parentPlaceholderSalt()
++ {
++ if (! static::$parentPlaceholderSalt) {
++ return static::$parentPlaceholderSalt = Str::random(40);
++ }
++
++ return static::$parentPlaceholderSalt;
++ }
++
+ /**
+ * Check if section exists.
+ *
+diff --git a/tests/View/ViewBladeCompilerTest.php b/tests/View/ViewBladeCompilerTest.php
+index fd61b8c..eddf9e2 100644
+--- a/tests/View/ViewBladeCompilerTest.php
++++ b/tests/View/ViewBladeCompilerTest.php
+@@ -18,7 +18,7 @@ class ViewBladeCompilerTest extends TestCase
+ public function testIsExpiredReturnsTrueIfCompiledFileDoesntExist()
+ {
+ $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+- $files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('foo').'.php')->andReturn(false);
++ $files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('v2foo').'.php')->andReturn(false);
+ $this->assertTrue($compiler->isExpired('foo'));
+ }
+
+@@ -33,23 +33,23 @@ class ViewBladeCompilerTest extends TestCase
+ public function testIsExpiredReturnsTrueWhenModificationTimesWarrant()
+ {
+ $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+- $files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('foo').'.php')->andReturn(true);
++ $files->shouldReceive('exists')->once()->with(__DIR__.'/'.sha1('v2foo').'.php')->andReturn(true);
+ $files->shouldReceive('lastModified')->once()->with('foo')->andReturn(100);
+- $files->shouldReceive('lastModified')->once()->with(__DIR__.'/'.sha1('foo').'.php')->andReturn(0);
++ $files->shouldReceive('lastModified')->once()->with(__DIR__.'/'.sha1('v2foo').'.php')->andReturn(0);
+ $this->assertTrue($compiler->isExpired('foo'));
+ }
+
+ public function testCompilePathIsProperlyCreated()
+ {
+ $compiler = new BladeCompiler($this->getFiles(), __DIR__);
+- $this->assertEquals(__DIR__.'/'.sha1('foo').'.php', $compiler->getCompiledPath('foo'));
++ $this->assertEquals(__DIR__.'/'.sha1('v2foo').'.php', $compiler->getCompiledPath('foo'));
+ }
+
+ public function testCompileCompilesFileAndReturnsContents()
+ {
+ $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+ $files->shouldReceive('get')->once()->with('foo')->andReturn('Hello World');
+- $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', 'Hello World');
++ $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', 'Hello World');
+ $compiler->compile('foo');
+ }
+
+@@ -57,7 +57,7 @@ class ViewBladeCompilerTest extends TestCase
+ {
+ $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+ $files->shouldReceive('get')->once()->with('foo')->andReturn('Hello World');
+- $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', 'Hello World');
++ $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', 'Hello World');
+ $compiler->compile('foo');
+ $this->assertSame('foo', $compiler->getPath());
+ }
+@@ -73,7 +73,7 @@ class ViewBladeCompilerTest extends TestCase
+ {
+ $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+ $files->shouldReceive('get')->once()->with('foo')->andReturn('Hello World');
+- $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', 'Hello World');
++ $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', 'Hello World');
+ // set path before compilation
+ $compiler->setPath('foo');
+ // trigger compilation with $path
+@@ -103,7 +103,7 @@ class ViewBladeCompilerTest extends TestCase
+ {
+ $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+ $files->shouldReceive('get')->once()->with('foo')->andReturn($content);
+- $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('foo').'.php', $compiled);
++ $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2foo').'.php', $compiled);
+
+ $compiler->compile('foo');
+ }
+@@ -157,7 +157,7 @@ class ViewBladeCompilerTest extends TestCase
+ {
+ $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+ $files->shouldReceive('get')->once()->with('')->andReturn('Hello World');
+- $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('').'.php', 'Hello World');
++ $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2').'.php', 'Hello World');
+ $compiler->setPath('');
+ $compiler->compile();
+ }
+@@ -166,7 +166,7 @@ class ViewBladeCompilerTest extends TestCase
+ {
+ $compiler = new BladeCompiler($files = $this->getFiles(), __DIR__);
+ $files->shouldReceive('get')->once()->with(null)->andReturn('Hello World');
+- $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1(null).'.php', 'Hello World');
++ $files->shouldReceive('put')->once()->with(__DIR__.'/'.sha1('v2').'.php', 'Hello World');
+ $compiler->setPath(null);
+ $compiler->compile();
+ }
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch
--- php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/0003-Add-.phar-to-blocked-PHP-extensions-39666.patch 2022-01-02 18:57:55.000000000 +0000
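Review bot: In compileParent (the CompilesLayouts.php part of this patch) the new `strtr($this->lastSection, ...)` drops the `?: ''` fallback that the removed line carried, so an unset or null `$this->lastSection` now reaches strtr directly; on PHP 8.1+ that is a null-to-string deprecation, and `$escapedLastSection = strtr($this->lastSection ?: '', ['\\' => '\\\\', "'" => "\\'"]);` keeps the old contract while still escaping. The following `return "";` line looks truncated in this rendering (the embedded PHP echo tag was most likely stripped on display); as printed it would emit nothing for the parent call, so the patch file as applied should be compared against the upstream commit named in its Origin header. The `sha1('v2'.$path)` change in Compiler.php is what forces recompilation of views that still carry unsalted placeholders, and a comment on that line such as `// 'v2' bumps the cache key so views compiled with unsalted parent placeholders are rebuilt` would make the coupling to parentPlaceholderSalt() explicit. The bodies of compileParent, parentPlaceholder and parentPlaceholderSalt are fully inside their hunks; the enclosing traits extend beyond them.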
@@ -0,0 +1,26 @@
+From: Stephen Rees-Carter
+Date: Thu, 18 Nov 2021 12:10:56 +1000
+Subject: Add .phar to blocked PHP extensions (#39666)
+
+By default Debian includes support for executing .phar files alongside
+.php and .phtml files, and should be included in the blocked list.
+
+Origin: https://github.com/laravel/framework/commit/ccea1bfcbb37cf923dc1bb30cdbf2effbfb1619c
+Applied-Upstream: 6.20.41
+---
+ src/Illuminate/Validation/Concerns/ValidatesAttributes.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Illuminate/Validation/Concerns/ValidatesAttributes.php b/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
+index 84e0964..6f0d8d6 100644
+--- a/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
++++ b/src/Illuminate/Validation/Concerns/ValidatesAttributes.php
+@@ -1254,7 +1254,7 @@ trait ValidatesAttributes
+ }
+
+ $phpExtensions = [
+- 'php', 'php3', 'php4', 'php5', 'phtml',
++ 'php', 'php3', 'php4', 'php5', 'phtml', 'phar',
+ ];
+
+ return ($value instanceof UploadedFile)
diff -Nru php-laravel-framework-6.20.14+dfsg/debian/patches/series php-laravel-framework-6.20.14+dfsg/debian/patches/series
--- php-laravel-framework-6.20.14+dfsg/debian/patches/series 2021-04-30 16:23:38.000000000 +0000
+++ php-laravel-framework-6.20.14+dfsg/debian/patches/series 2022-01-02 18:57:55.000000000 +0000
@@ -1 +1,3 @@
 0001-cast-to-int.patch
+0002-Fix-parent-call.patch
+0003-Add-.phar-to-blocked-PHP-extensions-39666.patch
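Review bot: The `$phpExtensions` deny-list in the ValidatesAttributes.php hunk carries no comment saying what it is meant to mirror, and a deny-list of extensions is only as complete as the handler mapping of the web server in front of the application — the patch description itself justifies 'phar' by Debian's default handler configuration. A comment on the `$phpExtensions = [` line such as `// Extensions a PHP handler may execute; mirrors common server handler mappings and must be extended when the deployment maps more` would tell the next maintainer why the entries exist and when to add one. The enclosing validation method starts and ends outside this hunk, so how the uploaded file's extension is compared against the list (case handling, files with several dots) cannot be checked from here and is presumably unchanged by this patch.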