Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding CVE-2024-28859 for SwiftMailer gadget chain in Symfony 1.x #715

Merged
merged 7 commits into from
Apr 17, 2024
Merged

Adding CVE-2024-28859 for SwiftMailer gadget chain in Symfony 1.x #715

merged 7 commits into from
Apr 17, 2024

Conversation

darkpills
Copy link
Contributor

There is a deserialization gadget chain in SwiftMailer that impacts Symfony 1.x.
Adding this in both SwiftMailer and Symfony directories

xabbuh
xabbuh requested changes Mar 17, 2024
View reviewed changes
symfony/symfony/CVE-2024-28859.yaml Outdated Show resolved Hide resolved
swiftmailer/swiftmailer/CVE-2024-28859.yaml
6.x:
time: 2020-12-8 19:18:59
versions: ['>=6.0.0', '<6.30.0']
reference: composer://swiftmailer/swiftmailer
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
reference: composer://swiftmailer/swiftmailer
reference: composer://friendsofsymfony1/swiftmailer

(and the filename needs to be changed accordingly)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello, @xabbuh , thank for you checks. reference for the file swiftmailer/swiftmailer/CVE-2024-28859.yaml corresponds to swiftmailer/swiftmailer repository. But it is archived and there has been a fork. So I suggest maybe making 2 files for referencing both repositories?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As they published a fork with a fix, I suggest adding a separate advisory for friendsofsymfony1/swiftmailer (where 5.4.13 provides a patch for 5.x thanks to FriendsOfSymfony1/swiftmailer#18)

@darkpills
Copy link
Contributor Author

php validator.php fails asking for upper bounds to the version number but there is no upper bound since the issue is not resolved and won't be on swiftmailer/swiftmailer repository at least. How do you solve this situation?

@thirsch
Copy link

thirsch commented Mar 19, 2024

php validator.php fails asking for upper bounds to the version number but there is no upper bound since the issue is not resolved and won't be on swiftmailer/swiftmailer repository at least. How do you solve this situation?

Hi @darkpills, maybe just adding the latest release as the upper bound? As it is unlikely that there will come a new release in the archived repository. But I'm not sure, if it's the way to go here.

Adding another gadget chain for symfony1 (CVE-2024-28861)
d3292f5 
Aligning file path with composer paths
Adding upper bounds for swiftmailer
@darkpills
Copy link
Contributor Author

@thirsch I added upper bounds and aligned file path with composer path. I also added another CVE. I think it should be ok now.

@thePanz
Copy link

thePanz commented Mar 20, 2024

Thank you @darkpills for taking care of this 👍

@stof
Copy link
Member

stof commented Mar 20, 2024

an unpatched vulnerability is supported. But you should have null as the time as there would be not timestamp for the release of the patch.

stof
stof reviewed Mar 20, 2024
View reviewed changes
swiftmailer/swiftmailer/CVE-2024-28859.yaml Outdated Show resolved Hide resolved
swiftmailer/swiftmailer/CVE-2024-28859.yaml Outdated Show resolved Hide resolved
swiftmailer/swiftmailer/CVE-2024-28859.yaml
6.x:
time: 2020-12-8 19:18:59
versions: ['>=6.0.0', '<6.30.0']
reference: composer://swiftmailer/swiftmailer
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As they published a fork with a fix, I suggest adding a separate advisory for friendsofsymfony1/swiftmailer (where 5.4.13 provides a patch for 5.x thanks to FriendsOfSymfony1/swiftmailer#18)

friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml Outdated Show resolved Hide resolved
friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml Outdated Show resolved Hide resolved
friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml Outdated Show resolved Hide resolved
@naderman
Copy link
Contributor

@stof is this fine now?

@stof stof merged commit 0495186 into FriendsOfPHP:master Apr 17, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thirsch thirsch thirsch left review comments

@xabbuh xabbuh xabbuh requested changes

@stof stof stof approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@darkpills @thirsch @thePanz @stof @naderman @xabbuh