[pkg-php-pear] Fixing the Debian-specific issue found in CVE-2024-24821

David Prévot david at tilapin.org
Thu Mar 7 15:45:27 GMT 2024


Hi,

When CVE-2024-24821 was discovered, we’ve been warned of a
Debian-specific issue in the way dependencies are loaded. Since the
default loading path is .:/usr/share/php, a file present in the current
folder may be used to bypass the intended file. What was fixed in
composer had also to be fixed in its dependencies (and their
dependencies, and…).

For example, php-composer-class-map-generator was fixed from

 > require_once 'Composer/Pcre/autoload.php';

to

 > require_once __DIR__ . '/../Pcre/autoload.php';

(see https://bugs.debian.org/1065056 for a proposed follow-up in
Bookworm).

An alternative would have been to use

 > require_once '/usr/share/php/composer/Pcre/autoload.php';

and that’s the proposed fix to phpabtpl(1) as recently uploaded (to
experimental) in pkg-php-tools 1.45.

Of course, composer and its dependencies are not the only packages
affected by this issue, and most libraries need to be fixed…

Unfortunately, “just” uploading the pkg-php-tools fix to unstable and
rebuilding all the packages that use it won’t work most of the time
because it usually makes the testsuite fail at build time.

I’ve been fixing some packages in unstable for and since DSA-5632-1,
and have reached around 70 packages updated already, but there are more, so
if you can share some cycles to fix any of the remaining ones, your help
would be very welcome.

Feel free to have a look at any recent upload to have an idea of the
(easy) fixes I’ve been pushing so far, and feel free to share better
ideas if you have any!

Regards,

taffit
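The following PHP script is an added example, not code from the mail above or from composer, php-composer-class-map-generator or pkg-php-tools. It illustrates the mechanism the mail describes: a bare relative `require_once` is resolved through `include_path`, so with the default `.:/usr/share/php` a file of the same name in the current working directory is found before the packaged copy, while the `__DIR__`-relative and absolute forms never consult `include_path`. The directory layout under the system temp directory is constructed by the script (it stands in for `/usr/share/php` and for a working directory) and the marker files are never loaded, only resolved; `resolveRelativeInclude` and `findIncludePathDependentIncludes` are helper names chosen here, not functions from any of the packages mentioned.

```php
<?php
declare(strict_types=1);

// Added example, not code from the mail or from the Debian packages it mentions.
// It shows why a bare relative require_once goes through include_path and why the
// two fixes quoted in the mail (__DIR__-relative and absolute) avoid that lookup.

/**
 * Resolve a relative include the way require_once would under the given
 * include_path. stream_resolve_include_path() walks the entries in order, so with
 * ".:/usr/share/php" a matching file in the current working directory wins over
 * the packaged copy. Returns null when no entry contains the file.
 */
function resolveRelativeInclude(string $relative, string $includePath): ?string
{
    $previous = set_include_path($includePath);
    try {
        $resolved = stream_resolve_include_path($relative);
        return $resolved === false ? null : $resolved;
    } finally {
        set_include_path($previous);
    }
}

/**
 * Audit helper (hypothetical name): report require/include statements whose
 * argument is a single string literal that is neither absolute nor prefixed with
 * __DIR__, i.e. the include_path-dependent form that still needs fixing.
 * Each finding carries the 1-based line number, the literal path and the statement.
 */
function findIncludePathDependentIncludes(string $source): array
{
    $pattern = '/\b(?:require|require_once|include|include_once)\s*\(?\s*([\'"])([^\'"]+)\1\s*\)?\s*;/';
    $findings = [];
    if (preg_match_all($pattern, $source, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE) === false) {
        return $findings;
    }
    foreach ($matches as $m) {
        $path = $m[2][0];
        if ($path !== '' && $path[0] === '/') {
            continue; // absolute path: opened directly, include_path is never consulted
        }
        $line = substr_count(substr($source, 0, $m[0][1]), "\n") + 1;
        $findings[] = ['line' => $line, 'path' => $path, 'statement' => $m[0][0]];
    }
    return $findings;
}

// --- Demonstration on a constructed layout under the system temp directory ---
$base = sys_get_temp_dir() . '/include-path-demo-' . bin2hex(random_bytes(4));
$lib  = $base . '/usr-share-php';   // stands in for /usr/share/php (the packaged copy)
$cwd  = $base . '/cwd';             // stands in for the current working directory
foreach ([$lib, $cwd] as $dir) {
    mkdir($dir . '/Composer/Pcre', 0700, true);
    // Both copies are inert marker files; the demo only resolves them, never loads them.
    file_put_contents($dir . '/Composer/Pcre/autoload.php', "<?php // marker in $dir\n");
}
chdir($cwd);

// 1. Pre-fix form with '.' first in include_path: the file beside the script wins.
echo "include_path .:<lib> -> ",
    resolveRelativeInclude('Composer/Pcre/autoload.php', '.:' . $lib) ?? '(not found)', "\n";
// 2. Same statement with '.' removed from include_path: the packaged copy is found.
echo "include_path <lib>   -> ",
    resolveRelativeInclude('Composer/Pcre/autoload.php', $lib) ?? '(not found)', "\n";

// 3. Run the audit helper over a constructed snippet holding the three forms quoted
//    in the mail; only the bare relative statement is reported.
$sample = <<<'PHP'
<?php
require_once 'Composer/Pcre/autoload.php';
require_once __DIR__ . '/../Pcre/autoload.php';
require_once '/usr/share/php/composer/Pcre/autoload.php';
PHP;
foreach (findIncludePathDependentIncludes($sample) as $f) {
    echo "line {$f['line']}: {$f['statement']} (resolved via include_path)\n";
}

// Clean up the constructed layout.
chdir($base);
foreach ([$lib, $cwd] as $dir) {
    unlink($dir . '/Composer/Pcre/autoload.php');
    rmdir($dir . '/Composer/Pcre');
    rmdir($dir . '/Composer');
    rmdir($dir);
}
rmdir($base);
```

Running it prints the working-directory copy for the first resolution and the packaged copy for the second, then reports only line 2 of the sample; the audit helper is the kind of check that can be run over a package's source tree before rebuilding it against the updated pkg-php-tools, so the include_path-dependent statements are found before the test suite fails at build time.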