Fedora 30: php-brumann-polyfill-unserialize FEDORA-2019-a8121923d5

    Date: 26 Jun 2019
    Category: Fedora
    Posted By: LinuxSecurity Advisories
    --------------------------------------------------------------------------------
    Fedora Update Notification
    FEDORA-2019-a8121923d5
    2019-06-27 00:54:08.536484
    --------------------------------------------------------------------------------
    
    Name        : php-brumann-polyfill-unserialize
    Product     : Fedora 30
    Version     : 1.0.3
    Release     : 1.fc30
    URL         : https://github.com/dbrumann/polyfill-unserialize
    Summary     : Backports unserialize options introduced in PHP 7.0
    Description :
    Backports unserialize options introduced in PHP 7.0 to older PHP versions. This
    was originally designed as a Proof of Concept for Symfony Issue
    [#21090](https://github.com/symfony/symfony/pull/21090).
    
    You can use this package in projects that rely on PHP versions older than PHP
    7.0. In case you are using PHP 7.0+ the original unserialize() will be used
    instead.
    
    From the
    [documentation](https://secure.php.net/manual/en/function.unserialize.php):
    
    > Warning: Do not pass untrusted user input to unserialize(). Unserialization
    > can result in code being loaded and executed due to object instantiation and
    > autoloading, and a malicious user may be able to exploit this.
    
    This warning holds true even when `allowed_classes` is used.
    
    Autoloader: /usr/share/php/Brumann/Polyfill/autoload.php
    
    --------------------------------------------------------------------------------
    Update Information:
    
    ## php-typo3-phar-stream-wrapper2
    
    ### v2.1.2 Handling mime-type & Windows paths
    
    #### Resolved Issues
    
    - #34: Normalize resolved Windows path to Unix-style
    - #42: Avoid analysing non-phar files on alias resolving
    - #40: Add Windows tests using AppVeyor
    - #33: Add alternative mime-type resolving (without ext-fileinfo)
    
    ### v2.1.1 Phar Alias Handling & Performance
    
    Releases v3.1.1 and v2.1.1 aim to overcome drawbacks in Phar's alias resolving
    from the Phar stub as well as solving performance aspects.
    
    ### v2.1.0 Phar Alias Handling
    
    #### Description
    
    Releases v3.1.0 and v2.1.0 aim to overcome drawbacks in Phar's alias resolving
    (either by Phar archives using `Phar::setAlias()` in meta-data or
    `Phar::mapPhar()` in stub code).
    
    Merged pull-requests
    
    - Phar alias resolving (v3: #10, #12, v2: #14, #15)
    - Phar alias handling and (v3: #16, #17, v2: #20)
    
    #### Migration
    
    In case custom Assertable interceptors have been used, path resolving has to be
    adjusted in order to make use of the alias resolving features.
    
    ##### before - example in v3.0.1
    
        $baseFile = Helper::determineBaseFile($path);
    
    ##### after - example in v3.1.0
    
        $invocation = Manager::instance()->resolve($path);
        $baseName = $invocation->getBaseName(); // previously called $baseFile
    
    #### Open Issues
    
    There have been reports about flaws using `stream_select()` and the
    corresponding `stream_cast()` in `PharStreamWrapper`. Since it was not possible
    to reproduce the behavior in an isolated scenario and specific platform
    requirements were not clear, these aspects have not been covered by these
    releases - see #8 and #19 for details.
    
    #### Features
    
    - added low-level `Phar\Reader` for stub & meta-data (incl. alias) and their
      model representations
    - added `Resolver\PharInvocationResolver` in order to resolve/handle alias names
    - added `Interceptor\ConjunctionInterceptor` for combining multiple interceptors
    - added `Interceptor\PharMetaDataInterceptor` for actually testing against
      insecure deserialization in meta-data of Phar archives
    
    ## php-brumann-polyfill-unserialize
    
    Backports unserialize options introduced in PHP 7.0 to older PHP versions. This
    was originally designed as a Proof of Concept for Symfony Issue
    [#21090](https://github.com/symfony/symfony/pull/21090).
    
    You can use this package in projects that rely on PHP versions older than PHP
    7.0. In case you are using PHP 7.0+ the original unserialize() will be used
    instead.
    
    From the
    [documentation](https://secure.php.net/manual/en/function.unserialize.php):
    
    > Warning: Do not pass untrusted user input to unserialize(). Unserialization
    > can result in code being loaded and executed due to object instantiation and
    > autoloading, and a malicious user may be able to exploit this.
    
    This warning holds true even when `allowed_classes` is used.
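As an added illustration (not code from the advisory or from the phar-stream-wrapper project), the following PHP shows a custom `Assertable` interceptor written against the v3.1 alias-resolving API described in the migration notes above, combined with the project's `PharMetaDataInterceptor` through `ConjunctionInterceptor` and registered in place of PHP's built-in `phar://` wrapper. The class name `AllowedDirectoryInterceptor` and the `/var/www/app/vendor` path are assumptions.

```php
<?php
// Added example: a custom Assertable that only admits phar base files under one
// directory, using the v3.1.x alias-resolving API from the migration notes.
use TYPO3\PharStreamWrapper\Assertable;
use TYPO3\PharStreamWrapper\Behavior;
use TYPO3\PharStreamWrapper\Exception;
use TYPO3\PharStreamWrapper\Interceptor\ConjunctionInterceptor;
use TYPO3\PharStreamWrapper\Interceptor\PharMetaDataInterceptor;
use TYPO3\PharStreamWrapper\Manager;
use TYPO3\PharStreamWrapper\PharStreamWrapper;

final class AllowedDirectoryInterceptor implements Assertable // hypothetical name
{
    /** @var string */
    private $allowedDirectory;

    public function __construct(string $allowedDirectory)
    {
        $this->allowedDirectory = rtrim($allowedDirectory, '/') . '/';
    }

    public function assert(string $path, string $command): bool
    {
        // v3.1.0 style: resolve the stream path (real file or alias) to an
        // invocation instead of calling Helper::determineBaseFile($path).
        $invocation = Manager::instance()->resolve($path);
        if ($invocation === null) {
            throw new Exception(sprintf('Could not resolve phar for "%s"', $path));
        }
        // getBaseName() is the phar file on disk even when opened via an alias.
        $baseName = realpath($invocation->getBaseName());
        if ($baseName === false || strpos($baseName . '/', $this->allowedDirectory) !== 0) {
            throw new Exception(sprintf('Phar "%s" is outside the allowed directory', $path));
        }
        return true;
    }
}

// Combine the custom check with the project's meta-data interceptor, which tests
// the phar's serialized meta-data before PHP's own wrapper would unserialize it.
Manager::initialize(
    (new Behavior())->withAssertion(new ConjunctionInterceptor([
        new AllowedDirectoryInterceptor('/var/www/app/vendor'), // assumed path
        new PharMetaDataInterceptor(),
    ]))
);
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
    stream_wrapper_register('phar', PharStreamWrapper::class);
}
```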
    --------------------------------------------------------------------------------
    References:
    
      [ 1 ] Bug #1708649 - CVE-2019-11831 phar-stream-wrapper: TYPO3 does not prevent directory traversal resulting in bypass of deserialization of protection mechanism
            https://bugzilla.redhat.com/show_bug.cgi?id=1708649
      [ 2 ] Bug #1708646 - CVE-2019-11830 phar-stream-wrapper: mishandling of phar stub parsing leads to bypass a deserialization of protection mechanism
            https://bugzilla.redhat.com/show_bug.cgi?id=1708646
    --------------------------------------------------------------------------------
    
    This update can be installed with the "dnf" update program. Use
    su -c 'dnf upgrade --advisory FEDORA-2019-a8121923d5' at the command
    line. For more information, refer to the dnf documentation available at
    http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
    
    All packages are signed with the Fedora Project GPG key. More details on the
    GPG keys used by the Fedora Project can be found at
    https://fedoraproject.org/keys
    --------------------------------------------------------------------------------
    _______________________________________________
    Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
    List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
    