FEDORA-EPEL-2019-24edff97c6

security update in Fedora EPEL 7 for php-brumann-polyfill-unserialize and php-typo3-phar-stream-wrapper2

Status: stable 2 months ago

php-typo3-phar-stream-wrapper2

v2.1.2 Handling mime-type & Windows paths

Resolved Issues

  • #34: Normalize resolved Windows path to Unix-style
  • #42: Avoid analysing non-phar files on alias resolving
  • #40: Add Windows tests using AppVeyor
  • #33: Add alternative mime-type resolving (without ext-fileinfo)

v2.1.1 Phar Alias Handling & Performance

Releases v3.1.1 and v.2.1.1 aim to overcome drawbacks in Phar's alias resolving from Phar stub as well as solving performance aspects.

v2.1.0 Phar Alias Handling

Description

Releases v3.1.0 and v.2.1.0 aim to overcome drawbacks in Phar's alias resolving (either by Phar archives using Phar::setAlias() in meta-data or Phar::mapPhar() in stub code).

Merged pull-requests

  • Phar alias resolving (v3: #10, #12, v2: #14, #15)
  • Phar alias handling and (v3: #16, #17, v2: #20)

Migration

In case custom Assertable interceptors have been used, path resolving has to be adjusted in order to make use of alias resolving features.

before - example in v3.0.1
$baseFile = Helper::determineBaseFile($path);
after - example in v3.1.0
$invocation = Manager::instance()->resolve($path);
$baseName = $invocation->getBaseName(); // previously called $baseFile

Open Issues

There have been reports about flaws using stream_select() and according stream_cast() in PharStreamWrapper. Since it was not possible to reproduce the behavior in an isolated scenario and specific platform requiresments were not clear, these aspects have not been covered by these releses - see #8 and #19 for details.

Features

  • added low-level Phar\Reader for stub & meta-data (incl. alias) and their model representations
  • added Resolver\PharInvocationResolver in order to resolve/handle alias names
  • added Interceptor\ConjunctionInterceptor for combining multiple interceptors
  • added Interceptor\PharMetaDataInterceptor for actually testing against insecure deserialization in meta-data of Phar archives

php-brumann-polyfill-unserialize

Backports unserialize options introduced in PHP 7.0 to older PHP versions. This was originally designed as a Proof of Concept for Symfony Issue #21090.

You can use this package in projects that rely on PHP versions older than PHP 7.0. In case you are using PHP 7.0+ the original unserialize() will be used instead.

From the documentation:

Warning: Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this.

This warning holds true even when allowed_classes is used.

Comments 7

This update has been submitted for testing by siwinski.

This update test gating status has been changed to 'waiting'.

This update test gating status has been changed to 'ignored'.

This update has been pushed to testing.

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

This update has been submitted for stable by siwinski.

This update has been pushed to stable.

Add Comment & Feedback

Please login to add feedback.

Content Type
RPM
Status
stable
Test Gating
Submitted by
Update Type
security
Update Severity
medium
Karma
0
stable threshold: 3
unstable threshold: -3
Autopush (karma)
Enabled
Autopush (time)
Disabled
Dates
submitted 2 months ago
in testing 2 months ago
in stable 2 months ago

Related Bugs 5

00 #1707960 Review Request: php-brumann-polyfill-unserialize - Backports unserialize options introduced in PHP 7.0
00 #1708646 CVE-2019-11830 phar-stream-wrapper: mishandling of phar stub parsing leads to bypass a deserialization of protection mechanism
00 #1708649 CVE-2019-11831 phar-stream-wrapper: TYP03 does not prevent directory traversal resulting in bypass of deserialization of protection mechanism
00 #1708652 CVE-2019-11830 CVE-2019-11831 php-typo3-phar-stream-wrapper2: various flaws [fedora-all]
00 #1708653 CVE-2019-11830 CVE-2019-11831 php-typo3-phar-stream-wrapper2: various flaws [epel-7]

Automated Test Results