
Update Illuminate Database library for GHSA-3p32-j457-pg5x #6632

@asmecher

Issue Description

OJS, OMP, and OPS use the 3rd-party Illuminate/Database package for database interactions. Recently a potential vulnerability in this package was published: GHSA-3p32-j457-pg5x

Affected releases

PKP has not definitively confirmed whether its software can be attacked using this mechanism, but out of an abundance of caution recommends resolving it.

  • OJS, OMP, and OPS 3.2.1-3 and newer are not affected.
  • OJS, OMP, and OPS 3.2.0 (all builds), 3.2.1-0, 3.2.1-1, and 3.2.1-2 may be affected.
  • All builds of OJS and OMP 3.1.1, and 3.1.2 may be affected.
  • All builds of OJS 3.1.0 may be affected.
  • OMP 3.1.0 and older are not affected. OJS 3.0.2 and older are not affected.

Correction Using Composer (recommended)

Depending on your version of OJS, OMP, or OPS, use one of the following patch URLs in the instructions below:

To use Composer to fix the issue, go into your OJS, OMP, or OPS installation directory, then:

cd lib/pkp
wget -q -O - "PATCH URL HERE" | patch -p1 --dry-run

This command only tests the patch application. A successful test application of the patch may look like:

checking file composer.json
checking file composer.lock
checking file lib/laravel-binding-6632.diff

Note that no errors are reported.

If the command appears to succeed, then run it again without the --dry-run option to actually apply the patch:

wget -q -O - "PATCH URL HERE" | patch -p1

Now use Composer to install the patch tool:

composer install

Now use Composer a second time to apply the patch:

composer install

WARNING: Watch for an indication that the laravel-binding-6632.diff patch was installed, e.g.:

Gathering patches for dependencies. This might take a minute.
  - Installing illuminate/database (v5.8.36): Loading from cache
  - Applying patches for illuminate/database
    lib/laravel-binding-6632.diff (Patch Laravel binding array issue)

If you see this, you are finished!

Correction By Patching Illuminate/Database Directly

Depending on your version of OJS, OMP, or OPS, use one of the following patch URLs in the instructions below:

To directly patch the issue, go into your OJS, OMP, or OPS installation directory, then:

cd lib/pkp/lib/vendor/illuminate/database
wget -q -O - "PATCH URL HERE" | patch -p4 --dry-run

This command only tests the patch application. A successful test application of the patch may look like:

checking file Query/Builder.php
Hunk #1 succeeded at 658 (offset -40 lines).
Hunk #2 succeeded at 1050 (offset 7 lines).
Hunk #3 succeeded at 1118 (offset 7 lines).
Hunk #4 succeeded at 1159 (offset 7 lines).
Hunk #5 succeeded at 1200 (offset 7 lines).
Hunk #6 succeeded at 1245 (offset 7 lines).
Hunk #7 succeeded at 1290 (offset 7 lines).
Hunk #8 succeeded at 1598 (offset 5 lines).
Hunk #9 succeeded at 1731 (offset -11 lines).

Note that no errors are reported.

If the command appears to succeed, then run it again without the --dry-run option to actually apply the patch:

wget -q -O - "PATCH URL HERE" | patch -p4

If no errors are reported, you are finished!

Note: This method involves modifying a dependency, and re-running Composer may cause the changes to be reverted. For this reason it's preferable to use the Composer-based update method documented above.
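The following helper is added here and is not part of the PKP issue, its patch files, or the Illuminate/Database project. It automates the sequence both correction methods above rely on: rehearse with --dry-run, apply only when the rehearsal reports no errors, and recognise the case where the patch has already been applied (re-running the instructions on an already-fixed tree). It also checks a Composer transcript for the laravel-binding-6632.diff marker line the Composer method tells you to watch for. It assumes GNU patch (the -N, -t and -s flags); the one-line file, the diff and the Composer log it uses are constructed samples, not PKP's patches.

```shell
#!/bin/sh
# Added helper, not from the PKP issue: dry-run a patch, apply it only if the
# dry run succeeded, and report "already applied" separately. Assumes GNU patch.

# apply_if_dry_run_ok <patch-file> <target-dir> <strip-level>
#   exit 0: applied cleanly
#   exit 1: dry run failed, nothing was modified
#   exit 2: patch is already present in the tree, nothing was modified
apply_if_dry_run_ok() {
    pf=$1; dir=$2; strip=$3
    # -N/--forward: never reverse-apply a patch that is already in place
    # -t/--batch:   never prompt (important: batch mode would otherwise assume -R)
    # -s:           quiet transcript
    if (cd "$dir" && patch -p"$strip" -N -t -s --dry-run < "$pf" >/dev/null 2>&1); then
        (cd "$dir" && patch -p"$strip" -N -t -s < "$pf" >/dev/null 2>&1) || return 1
        return 0
    fi
    # Dry run failed: if the reversed patch would apply, the fix is already present.
    if (cd "$dir" && patch -p"$strip" -R -N -t -s --dry-run < "$pf" >/dev/null 2>&1); then
        return 2
    fi
    return 1
}

# composer_applied_patch <composer-log-file> <patch-basename>
#   exit 0 if the transcript shows cweagans/composer-patches applying the named
#   patch to illuminate/database, non-zero otherwise.
composer_applied_patch() {
    grep -qF "Applying patches for illuminate/database" "$1" && grep -qF -- "$2" "$1"
}

# End-to-end demonstration on a throwaway tree with a constructed one-hunk patch.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/Query"
    printf 'old binding handling\n' > "$work/tree/Query/Builder.php"
    # Constructed stand-in for a PKP patch (not the real diff): one hunk on Query/Builder.php
    cat > "$work/fix.diff" <<'EOF'
--- a/Query/Builder.php
+++ b/Query/Builder.php
@@ -1 +1 @@
-old binding handling
+new binding handling
EOF
    apply_if_dry_run_ok "$work/fix.diff" "$work/tree" 1; echo "first run (expect 0): $?"
    apply_if_dry_run_ok "$work/fix.diff" "$work/tree" 1; echo "second run (expect 2): $?"
    # Constructed Composer transcript in the shape the instructions above show
    cat > "$work/composer.log" <<'EOF'
Gathering patches for dependencies. This might take a minute.
  - Installing illuminate/database (v5.8.36): Loading from cache
  - Applying patches for illuminate/database
    lib/laravel-binding-6632.diff (Patch Laravel binding array issue)
EOF
    composer_applied_patch "$work/composer.log" laravel-binding-6632.diff \
        && echo "composer log shows laravel-binding-6632.diff applied"
    rm -rf "$work"
}

if command -v patch >/dev/null 2>&1; then demo; fi
```

Use it as `apply_if_dry_run_ok fix.diff lib/pkp 1` for the Composer method or `apply_if_dry_run_ok fix.diff lib/pkp/lib/vendor/illuminate/database 4` for the direct method, after saving the patch URL's contents to fix.diff; exit status 2 tells you the tree was already fixed, which plain `patch` would only reveal as a "Reversed (or previously applied)" message. Pipe `composer install` output to a file and run `composer_applied_patch` on it to confirm the marker line instead of eyeballing the transcript.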