
Revisit Update Illuminate Database library for GHSA-3p32-j457-pg5x (#6632) #6718

Closed
asmecher opened this issue Feb 3, 2021 · 2 comments
Labels: Bug:1:Low (A bug that does not have a severe consequence or affects a small number of users), Bug:3:Critical (A bug that prevents a substantial minority of users from using the software)

Comments

asmecher (Member) commented Feb 3, 2021

Issue Description

OJS, OMP, and OPS use the third-party Illuminate/Database package for database interactions. Recently a potential vulnerability in this package was published: GHSA-3p32-j457-pg5x.

The original fix for this issue was applied in #6632 and released in OJS/OMP/OPS 3.2.1-3 and 3.3.0-2. However, apparently the previous fix was not complete -- see laravel/framework#35865 (comment). This has led to another release of illuminate/database with an additional fix applied.

Affected releases

PKP has not definitively confirmed whether its software can be attacked using this mechanism, but out of an abundance of caution recommends resolving it.

  • OJS, OMP, and OPS 3.3.0-3 and newer are not affected.
  • OJS, OMP, and OPS 3.2.1-4 and newer are not affected.
  • OJS, OMP, and OPS 3.3.0-0 (RC1), 3.3.0-1 (RC2), and 3.3.0-2 (OJS 3.3.0) may be affected.
  • OJS, OMP, and OPS 3.2.0 (all builds), 3.2.1-0, 3.2.1-1, 3.2.1-2, and 3.2.1-3 may be affected.
  • All builds of OJS and OMP 3.1.1, and 3.1.2 may be affected.
  • All builds of OJS 3.1.0 may be affected.
  • OMP 3.1.0 and older are not affected. OJS 3.0.2 and older are not affected.

Resolution

The best way to resolve this issue is to use the latest releases of OJS, OMP, or OPS. This issue is resolved in 3.3.0-3 and 3.2.1-4. For older releases, the issue can be corrected following the instructions below.

Check your OJS/OMP/OPS code version by looking in dbscripts/xml/version.xml.
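To turn the release list above into a repeatable check across several installations, here is an added shell example (not PKP's code and not part of this issue) that classifies an application and release string against the affected versions listed above. It accepts releases written as in this issue (3.2.1-3) or as in dbscripts/xml/version.xml (3.2.1.3). The assumption that version.xml carries the application name in an <application> element (ojs2, omp or ops) and the release in a <release> element is mine, as is the constructed sample file.

```shell
#!/bin/sh
# Added example, not PKP's code: classify an OJS/OMP/OPS release against the
# affected-version list in this issue. Release strings may be written as in the
# issue ("3.2.1-3") or as in dbscripts/xml/version.xml ("3.2.1.3").

# Normalize "3.2.1-3", "3.2.1.3" or "3.2.1" to four dot-separated integers.
norm_release() {
    v=$(printf '%s' "$1" | tr '-' '.')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    printf '%d.%d.%d.%d' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Encode major.minor.revision.build as one integer so [ -ge ] can compare it.
vkey() {
    set -- $(norm_release "$1" | tr '.' ' ')
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 ))
}

# Usage: pkp_status <ojs|omp|ops> <release>
# Prints affected, not-affected, or unknown (release not covered by the issue).
pkp_status() {
    app=$1
    k=$(vkey "$2")
    case $app in ojs|omp|ops) ;; *) echo unknown; return ;; esac
    if   [ "$k" -ge "$(vkey 3.3.0-3)" ]; then echo not-affected   # 3.3.0-3 and newer
    elif [ "$k" -ge "$(vkey 3.3.0-0)" ]; then echo affected       # 3.3.0-0 (RC1) to 3.3.0-2
    elif [ "$k" -ge "$(vkey 3.2.1-4)" ]; then echo not-affected   # 3.2.1-4 and newer
    elif [ "$k" -ge "$(vkey 3.2.0-0)" ]; then echo affected       # 3.2.0 (all builds), 3.2.1-0 to 3.2.1-3
    elif [ "$app" = ops ]; then echo unknown                       # the issue lists no OPS releases before 3.2
    elif [ "$k" -ge "$(vkey 3.1.1-0)" ]; then echo affected       # OJS and OMP 3.1.1 and 3.1.2
    elif [ "$k" -ge "$(vkey 3.1.0-0)" ]; then                      # 3.1.0: OJS affected, OMP not
        if [ "$app" = ojs ]; then echo affected; else echo not-affected; fi
    elif [ "$app" = omp ]; then echo not-affected                  # OMP older than 3.1.0
    elif [ "$k" -lt "$(vkey 3.0.3-0)" ]; then echo not-affected    # OJS 3.0.2 and older
    else echo unknown                                              # OJS 3.0.x above 3.0.2: not listed
    fi
}

# Usage: pkp_status_from_xml <path to dbscripts/xml/version.xml>
# Assumes (not confirmed by the issue) that the file carries
# <application>ojs2|omp|ops</application> and <release>3.x.y.z</release>
# elements; the trailing "2" in "ojs2" is dropped before classifying.
pkp_status_from_xml() {
    xml_app=$(sed -n 's/.*<application>\([a-z0-9]*\)<\/application>.*/\1/p' "$1")
    xml_rel=$(sed -n 's/.*<release>\([0-9.]*\)<\/release>.*/\1/p' "$1")
    pkp_status "${xml_app%2}" "$xml_rel"
}

# Constructed sample version.xml (not taken from a real installation).
SAMPLE_XML=$(mktemp)
cat > "$SAMPLE_XML" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<version>
  <application>ojs2</application>
  <release>3.2.1.3</release>
</version>
EOF

echo "sample version.xml: $(pkp_status_from_xml "$SAMPLE_XML")"   # affected
echo "ops 3.3.0-3: $(pkp_status ops 3.3.0-3)"                      # not-affected
```

Run it with `sh` from the application root, or call `pkp_status_from_xml dbscripts/xml/version.xml` on a real installation; an "unknown" result means the release is not one the issue lists, so check it by hand rather than assuming it is safe.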

OJS/OMP/OPS 3.3.0-0 (RC1), 3.3.0-1 (RC2), 3.3.0-2 (3.3.0)

To resolve this issue, use Composer:

cd lib/pkp
composer require laravel/framework:7.30.4

You should see the following confirmation that 7.30.4 has been installed and patched:

Gathering patches for dependencies. This might take a minute.
  - Updating laravel/framework (v7.30.3 => v7.30.4): Downloading (100%)         
  - Applying patches for laravel/framework
    lib/laravel-helper-4017.diff (Inhibit __ Laravel helper)

If you see this, the issue is resolved!

Affected versions of OJS/OMP/OPS 3.2.1 or older

If you are using OJS/OMP/OPS 3.2.1-3, then only the steps below are necessary. Otherwise, you must apply the changes documented in #6632 before following the instructions below.

When applying patches, it is always recommended to use the --dry-run option first to ensure that the patch will apply cleanly.

Correction Using Composer (recommended)

Depending on your version of OJS, OMP, or OPS, use one of the following patch URLs in the instructions below in place of PATCH URL HERE:

To apply the fix:

  1. Patch the Composer configuration file:

    cd lib/pkp
    wget -O - -q "PATCH URL HERE" | patch -p1

    You should see the following output:

    patching file composer.json
    patching file lib/laravel-binding-6718.diff
    
  2. Run Composer to apply the patch:

    composer install

    You should see the following output:

    Gathering patches for dependencies. This might take a minute.
    - Installing illuminate/database (v5.8.36): Loading from cache
    - Applying patches for illuminate/database
      lib/laravel-binding-6632.diff (Patch Laravel binding array issue)
      lib/laravel-binding-6718.diff (Patch Laravel binding array issue v2)
    

    This indicates that two patches were successfully applied. If you see this, the issue is resolved.
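Before trusting the Composer output above, it is worth an offline check that lib/pkp/composer.json really declares both patches and that each referenced .diff is present and is a unified diff rather than, say, an error page saved in its place. The following shell example is added here and is not PKP's code. The composer.json layout it assumes is the cweagans/composer-patches "extra.patches" format that produces the "Gathering patches for dependencies" output shown above; the exact content of PKP's patched composer.json is an assumption, and the two diff files in the fixture are placeholders, not the real patches.

```shell
#!/bin/sh
# Added example, not PKP's code: confirm that lib/pkp/composer.json declares
# both Illuminate/Database patches named in this issue and that each .diff it
# points to is present and looks like a unified diff. The composer.json layout
# assumed here is the cweagans/composer-patches "extra.patches" format.

# Usage: check_patch_config <lib/pkp directory>
# Prints one line per expected patch; returns 1 if anything is missing.
check_patch_config() {
    pkpdir=$1
    rc=0
    for patchfile in lib/laravel-binding-6632.diff lib/laravel-binding-6718.diff; do
        if ! grep -q "\"$patchfile\"" "$pkpdir/composer.json" 2>/dev/null; then
            echo "MISSING in composer.json: $patchfile"; rc=1; continue
        fi
        if [ ! -s "$pkpdir/$patchfile" ]; then
            echo "MISSING file: $pkpdir/$patchfile"; rc=1; continue
        fi
        # A unified diff carries '--- ' and '+++ ' headers; anything else (for
        # example an HTML error page saved in place of the patch) is rejected.
        if ! grep -q '^--- ' "$pkpdir/$patchfile" || ! grep -q '^+++ ' "$pkpdir/$patchfile"; then
            echo "NOT A DIFF: $pkpdir/$patchfile"; rc=1; continue
        fi
        echo "ok: $patchfile"
    done
    return $rc
}

# Constructed fixture (placeholder diffs, not the real patches): "good" is the
# state after this issue's fix, "bad" the state of a 3.2.1-3 install with only
# the #6632 patch declared.
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
mkdir -p "$FIXTURE/good/lib" "$FIXTURE/bad/lib"
cat > "$FIXTURE/good/composer.json" <<'EOF'
{
  "extra": {
    "patches": {
      "illuminate/database": {
        "Patch Laravel binding array issue": "lib/laravel-binding-6632.diff",
        "Patch Laravel binding array issue v2": "lib/laravel-binding-6718.diff"
      }
    }
  }
}
EOF
for n in 6632 6718; do
    printf '%s\n' '--- a/Query/Builder.php' '+++ b/Query/Builder.php' \
        > "$FIXTURE/good/lib/laravel-binding-$n.diff"
done
sed -e '/6718/d' -e 's/6632\.diff",$/6632.diff"/' \
    "$FIXTURE/good/composer.json" > "$FIXTURE/bad/composer.json"
cp "$FIXTURE/good/lib/laravel-binding-6632.diff" "$FIXTURE/bad/lib/"

check_patch_config "$FIXTURE/good"                                # ok: ... for both patches
check_patch_config "$FIXTURE/bad" || echo "bad: not fully patched"
```

On a real installation call `check_patch_config lib/pkp` from the application root; a "MISSING in composer.json" line for the 6718 diff means step 1 did not take, and a "NOT A DIFF" line means the file on disk is not a patch and `composer install` would have failed to apply it.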

Correction By Patching Illuminate/Database Directly

This method involves modifying a dependency, and re-running Composer may cause the changes to be reverted. For this reason it's preferable to use the Composer-based update method documented above.

Depending on your version of OJS, OMP, or OPS, use one of the following patch URLs in the instructions below in place of PATCH URL HERE:

To directly patch the issue:

cd lib/pkp/lib/vendor/illuminate/database
wget -q -O - "PATCH URL HERE" | patch -p4 --dry-run

You should see the following output:

patching file Query/Builder.php

This indicates that the patch applies cleanly. Because --dry-run only tests the patch and changes no files, run the same command again without --dry-run to apply it:

wget -q -O - "PATCH URL HERE" | patch -p4

You should see the same "patching file Query/Builder.php" output. If you see this, the issue is resolved.

@asmecher asmecher added Bug:3:Critical A bug that prevents a substantial minority of users from using the software. Bug:1:Low A bug that does not have a severe consequence or affects a small number of users. labels Feb 3, 2021
@asmecher asmecher added this to the OJS/OMP/OPS 3.3.0-3 milestone Feb 3, 2021
@asmecher asmecher self-assigned this Feb 3, 2021
@asmecher asmecher closed this as completed Feb 5, 2021
@matheusotoni

Hi @asmecher, how are you? Which version of PHP was installed on the server? I use CentOS with PHP 7.3.21.

@asmecher (Member, Author)

@matheusotoni, I currently use PHP 7.4.3, the current release of OJS/OMP/OPS works with 7.3.x, and the next releases will also support 8.x (see e.g. our CI testing: https://travis-ci.com/github/pkp/ojs/builds/217954158) -- but I'm not sure that answers your question or if it's relevant to this issue? The best place to get general help is our support forum: https://forum.pkp.sfu.ca
