[pkg-php-pear] Bug#1098872: bookworm-pu: package php-nesbot-carbon/2.65.0-1+deb12u1

Adrian Bunk bunk at debian.org
Tue Feb 25 11:42:28 GMT 2025


On Tue, Feb 25, 2025 at 01:35:09PM +0200, Adrian Bunk wrote:
>...
>   * CVE-2025-22145: Arbitrary file include in Carbon::setLocale
> 
> Tagged moreinfo, as question to the security team whether they want
> this in -pu or as DSA.

Updated debdiff that also Closes: #1092680 in the changelog is attached.

cu
Adrian
-------------- next part --------------
diffstat for php-nesbot-carbon-2.65.0 php-nesbot-carbon-2.65.0

 changelog                                  |    8 ++++++++
 patches/0001-Validate-locale-earlier.patch |   26 ++++++++++++++++++++++++++
 patches/series                             |    1 +
 3 files changed, 35 insertions(+)

diff -Nru php-nesbot-carbon-2.65.0/debian/changelog php-nesbot-carbon-2.65.0/debian/changelog
--- php-nesbot-carbon-2.65.0/debian/changelog	2023-01-14 23:52:26.000000000 +0200
+++ php-nesbot-carbon-2.65.0/debian/changelog	2025-02-25 13:17:47.000000000 +0200
@@ -1,3 +1,11 @@
+php-nesbot-carbon (2.65.0-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-22145: Arbitrary file include in Carbon::setLocale
+    (Closes: #1092680)
+
+ -- Adrian Bunk <bunk at debian.org>  Tue, 25 Feb 2025 13:17:47 +0200
+
 php-nesbot-carbon (2.65.0-1) unstable; urgency=medium
 
   * New upstream version 2.65.0
diff -Nru php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch
--- php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch	1970-01-01 02:00:00.000000000 +0200
+++ php-nesbot-carbon-2.65.0/debian/patches/0001-Validate-locale-earlier.patch	2025-02-25 13:15:28.000000000 +0200
@@ -0,0 +1,26 @@
+From bbc3bdad25f33ba4ba129043763563046ae6a36d Mon Sep 17 00:00:00 2001
+From: kylekatarnls <kylekatarnls at gmail.com>
+Date: Fri, 27 Dec 2024 10:25:35 +0100
+Subject: Validate locale earlier
+
+(cherry picked from commit 129700ed449b1f02d70272d2ac802357c8c30c58)
+---
+ src/Carbon/AbstractTranslator.php | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/Carbon/AbstractTranslator.php b/src/Carbon/AbstractTranslator.php
+index 8b8fe089..ffe82e43 100644
+--- a/src/Carbon/AbstractTranslator.php
++++ b/src/Carbon/AbstractTranslator.php
+@@ -159,6 +159,8 @@ abstract class AbstractTranslator extends Translation\Translator
+             return true;
+         }
+ 
++        $this->assertValidLocale($locale);
++
+         foreach ($this->getDirectories() as $directory) {
+             $data = @include sprintf('%s/%s.php', rtrim($directory, '\\/'), $locale);
+ 
+-- 
+2.30.2
+
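Review bot: the backported patch only adds the call `$this->assertValidLocale($locale);`, so please confirm that `assertValidLocale()` is already defined in src/Carbon/AbstractTranslator.php at 2.65.0, since the commit is cherry-picked from a newer upstream tree (129700ed449b1f02d70272d2ac802357c8c30c58); if the method is missing at this version, `setLocale()` would fail with an undefined-method error instead of rejecting the locale. The placement is correct for the CVE: the check runs before `@include sprintf('%s/%s.php', rtrim($directory, '\\/'), $locale)`, so `$locale` is validated before it is used to build the include path, and the `@` suppression no longer hides a bad path. For DEP-3 completeness, consider adding `Bug-Debian: https://bugs.debian.org/1092680` and an `Origin: upstream, <commit>` line above the git headers so the CVE-2025-22145 provenance is visible in the patch itself.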
diff -Nru php-nesbot-carbon-2.65.0/debian/patches/series php-nesbot-carbon-2.65.0/debian/patches/series
--- php-nesbot-carbon-2.65.0/debian/patches/series	2023-01-14 23:52:26.000000000 +0200
+++ php-nesbot-carbon-2.65.0/debian/patches/series	2025-02-25 13:17:44.000000000 +0200
@@ -4,3 +4,4 @@
 0004-Drop-currently-failing-test.patch
 0005-Remove-exit-call-in-unit-tests.patch
 0006-Remove-unfinished-test.patch
+0001-Validate-locale-earlier.patch
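Review bot: the new entry `0001-Validate-locale-earlier.patch` is appended after `0006-Remove-unfinished-test.patch`, and the hunk header `@@ -4,3 +4,4 @@` shows three earlier entries in the series, so the `0001` prefix very likely collides with an existing 0001 patch and makes the file name order disagree with the application order; consider renaming the file to `0007-Validate-locale-earlier.patch` (and updating this series line) to keep the numbering consistent with the rest of debian/patches.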