[pkg-php-pear] Fix for CVE-2015-4050/symfony
David Prévot
taffit at debian.org
Wed May 27 13:31:14 UTC 2015
Hi,
Daniel just prepared a fixed symfony package backporting the patch for
CVE-2015-4050. Please find attached the actual debdiff as well as the
additional patch (to ease reviewing). I’ve also pushed the fixed
packages on p.d.o to ease testing:
https://people.debian.org/~taffit/symfony/
(php-symfony-http-kernel is actually the only binary package fixed).
We can provide an initial draft for the DSA (based on upstream
announcement) if you believe the package is worth fixing via a DSA.
Regards
David
-------------- next part --------------
diff -Nru symfony-2.3.21+dfsg/debian/changelog symfony-2.3.21+dfsg/debian/changelog
--- symfony-2.3.21+dfsg/debian/changelog 2015-04-01 16:53:36.000000000 -0400
+++ symfony-2.3.21+dfsg/debian/changelog 2015-05-27 08:57:57.000000000 -0400
@@ -1,3 +1,11 @@
+symfony (2.3.21+dfsg-4+deb8u1) jessie-security; urgency=high
+
+ [ Daniel Beyer ]
+ * Backport a security fix from 2.3.29
+ - ESI unauthorized access [CVE-2015-4050]
+
+ -- David Prévot <taffit at debian.org> Wed, 27 May 2015 08:57:06 -0400
+
symfony (2.3.21+dfsg-4) unstable; urgency=medium
* Backport security fixes from 2.3.27:
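Review bot: the changelog entry names the fix only as "ESI unauthorized access [CVE-2015-4050]" and "a security fix from 2.3.29"; for traceability it would help to also cite the upstream commit that the patch header already records (https://github.com/fabpot/symfony/commit/d320d27699abcea12479cf608908fa91bcc133d4), so a reader of the changelog can match the Debian entry to the upstream change without opening the patch.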
diff -Nru symfony-2.3.21+dfsg/debian/patches/0009-HttpKernel-Do-not-call-the-FragmentListener-if-_cont.patch symfony-2.3.21+dfsg/debian/patches/0009-HttpKernel-Do-not-call-the-FragmentListener-if-_cont.patch
--- symfony-2.3.21+dfsg/debian/patches/0009-HttpKernel-Do-not-call-the-FragmentListener-if-_cont.patch 1969-12-31 20:00:00.000000000 -0400
+++ symfony-2.3.21+dfsg/debian/patches/0009-HttpKernel-Do-not-call-the-FragmentListener-if-_cont.patch 2015-05-27 08:56:23.000000000 -0400
@@ -0,0 +1,62 @@
+From: Jakub Zalas <jakub at zalas.pl>
+Date: Thu, 21 May 2015 09:29:36 +0100
+Subject: [HttpKernel] Do not call the FragmentListener if _controller is
+ already defined
+
+Origin: upstream, https://github.com/fabpot/symfony/commit/d320d27699abcea12479cf608908fa91bcc133d4
+---
+ .../HttpKernel/EventListener/FragmentListener.php | 2 +-
+ .../Tests/EventListener/FragmentListenerTest.php | 20 ++++++++++++++++++--
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php b/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php
+index 6f45c3b..04193aa 100644
+--- a/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php
++++ b/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php
+@@ -58,7 +58,7 @@ class FragmentListener implements EventSubscriberInterface
+ {
+ $request = $event->getRequest();
+
+- if ($this->fragmentPath !== rawurldecode($request->getPathInfo())) {
++ if ($request->attributes->has('_controller') || $this->fragmentPath !== rawurldecode($request->getPathInfo())) {
+ return;
+ }
+
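Review bot: the new early return fires whenever the request already carries a `_controller` attribute, regardless of the path check that follows it in the same condition, so everything below this point in `onKernelRequest` (including whatever validation the listener performs for `/_fragment` requests) is skipped for such requests. That is the intended behaviour per the subject line, but the remainder of the method is not in this hunk, so it is worth confirming two things during review: that `_controller` is only ever populated by trusted code (router or sub-request machinery) and never copied from request input before this listener runs, and that a master request to `/_fragment` without a preset `_controller` still reaches the existing access check (the `AccessDeniedHttpException` case the test file below refers to). The short-circuit order also means `rawurldecode($request->getPathInfo())` is no longer evaluated when the attribute is present, which is harmless but changes evaluation order.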
+diff --git a/src/Symfony/Component/HttpKernel/Tests/EventListener/FragmentListenerTest.php b/src/Symfony/Component/HttpKernel/Tests/EventListener/FragmentListenerTest.php
+index 75562f7..78428bf 100644
+--- a/src/Symfony/Component/HttpKernel/Tests/EventListener/FragmentListenerTest.php
++++ b/src/Symfony/Component/HttpKernel/Tests/EventListener/FragmentListenerTest.php
+@@ -41,6 +41,22 @@ class FragmentListenerTest extends \PHPUnit_Framework_TestCase
+ $this->assertTrue($request->query->has('_path'));
+ }
+
++
++ public function testOnlyTriggeredIfControllerWasNotDefinedYet()
++ {
++ $request = Request::create('http://example.com/_fragment?_path=foo%3Dbar%26_controller%3Dfoo');
++ $request->attributes->set('_controller', 'bar');
++
++ $listener = new FragmentListener(new UriSigner('foo'));
++ $event = $this->createGetResponseEvent($request, HttpKernelInterface::SUB_REQUEST);
++
++ $expected = $request->attributes->all();
++
++ $listener->onKernelRequest($event);
++
++ $this->assertEquals($expected, $request->attributes->all());
++ }
++
+ /**
+ * @expectedException \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+ */
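Review bot: the new test only covers the positive case (a `SUB_REQUEST` with `_controller` preset leaves attributes untouched); it would be more discriminating to pair it with the inverse, the same unsigned `/_fragment` sub-request without the preset attribute, asserting that the listener does act on it, so the test fails if the guard condition were accidentally inverted. Minor style point: the leading `+` blank line at the top of this hunk adds a second consecutive empty line before `testOnlyTriggeredIfControllerWasNotDefinedYet()`; one blank line between methods matches the rest of the file.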
+@@ -81,8 +97,8 @@ class FragmentListenerTest extends \PHPUnit_Framework_TestCase
+ $this->assertFalse($request->query->has('_path'));
+ }
+
+- private function createGetResponseEvent(Request $request)
++ private function createGetResponseEvent(Request $request, $requestType = HttpKernelInterface::MASTER_REQUEST)
+ {
+- return new GetResponseEvent($this->getMock('Symfony\Component\HttpKernel\HttpKernelInterface'), $request, HttpKernelInterface::MASTER_REQUEST);
++ return new GetResponseEvent($this->getMock('Symfony\Component\HttpKernel\HttpKernelInterface'), $request, $requestType);
+ }
+ }
diff -Nru symfony-2.3.21+dfsg/debian/patches/series symfony-2.3.21+dfsg/debian/patches/series
--- symfony-2.3.21+dfsg/debian/patches/series 2015-04-01 16:44:25.000000000 -0400
+++ symfony-2.3.21+dfsg/debian/patches/series 2015-05-27 08:56:23.000000000 -0400
@@ -6,3 +6,4 @@
0006-Increasing-timeout-in-test-AbstractProcessTest-testS.patch
0007-isFromTrustedProxy-to-confirm-request-came-from-a-tr.patch
0008-Safe-escaping-of-fragments-for-eval.patch
+0009-HttpKernel-Do-not-call-the-FragmentListener-if-_cont.patch
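Review bot: the series entry and the debdiff add the patch as `0009-HttpKernel-Do-not-call-the-FragmentListener-if-_cont.patch`, while the separately attached copy of the same patch is named `0007-HttpKernel-Do-not-call-the-FragmentListener-if-_cont.patch`. The debdiff is the authoritative one (0007 is already taken by `0007-isFromTrustedProxy-to-confirm-request-came-from-a-tr.patch` in series), but the mismatch is worth a sentence in the mail so nobody applies the attachment under the wrong number.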
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-HttpKernel-Do-not-call-the-FragmentListener-if-_cont.patch
Type: text/x-diff
Size: 2992 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20150527/015d0d8c/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20150527/015d0d8c/attachment.sig>