Help resolve the security vulnerability with laminas-diactoros

mrXmr

The issue

My composer reports that I have 1 package with a security vulnerability:

user@server:/var/www/flarum$ sudo -u www-data composer audit
Cannot create cache directory /var/www/.cache/composer/repo/https---repo.packagist.org/, or directory is not writable. Proceeding without cache. See also cache-read-only config if your filesystem is read-only.
Info from https://repo.packagist.org: #StandWithUkraine
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | laminas/laminas-diactoros                                                        |
| CVE               | CVE-2023-29530                                                                   |
| Title             | HTTP Multiline Header Termination                                                |
| URL               | https://github.com/advisories/GHSA-xv3h-4844-9h36                                |
| Affected versions | >=2.25.0,<2.25.2|>=2.24.0,<2.24.2|=2.23.0|=2.22.0|=2.21.0|=2.20.0|=2.19.0|<2.18. |
|                   | 1                                                                                |
| Reported at       | 2023-04-24T22:42:39+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
user@server:/var/www/flarum$

When I try to update the laminas-diactoros package using composer, it doesn't seem like catching the update:

user@server:/var/www/flarum$ sudo -u www-data composer update laminas/laminas-diactoros
Loading composer repositories with package information
Cannot create cache directory /var/www/.cache/composer/repo/https---repo.packagist.org/, or directory is not writable. Proceeding without cache. See also cache-read-only config if your filesystem is read-only.
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies
Nothing to modify in lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
Package swiftmailer/swiftmailer is abandoned, you should avoid using it. Use symfony/mailer instead.
Generating autoload files
78 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Found 1 security vulnerability advisory affecting 1 package.
Run composer audit for a full list of advisories.
user@server:/var/www/flarum$ less composer.json

When I check github, I see that laminas-diactoros has versions above what I have currently installed. So, there should be an update available for it. But composer isn't catching it. I suspect one of my installed packages holding it back?

user@server:/var/www/flarum$ sudo -u www-data composer why laminas/laminas-diactoros
flarum/core                  v1.7.2 requires  laminas/laminas-diactoros (^2.4.1)
laminas/laminas-stratigility 3.8.0  conflicts laminas/laminas-diactoros (<1.7.1)
user@server:/var/www/flarum$ sudo -u www-data composer audit

How can I update laminas-diactoros and get rid of the security vulnerability?

Flarum information

user@server:/var/www/flarum$ php flarum info
Flarum core: 1.7.2
PHP version: 7.4.33
MySQL version: 10.5.19-MariaDB-0+deb11u2
Loaded extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, pcntl, Reflection, SPL, session, standard, sodium, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, iconv, intl, json, exif, mysqli, pdo_mysql, Phar, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, Zend OPcache
+----------------------+---------+--------+
| Flarum Extensions    |         |        |
+----------------------+---------+--------+
| ID                   | Version | Commit |
+----------------------+---------+--------+
| flarum-flags         | v1.7.0  |        |
| flarum-suspend       | v1.7.0  |        |
| flarum-approval      | v1.7.0  |        |
| fof-user-bio         | 1.1.1   |        |
| fof-upload           | 1.2.3   |        |
| flarum-tags          | v1.7.1  |        |
| flarum-subscriptions | v1.7.0  |        |
| flarum-sticky        | v1.7.0  |        |
| flarum-statistics    | v1.7.0  |        |
| flarum-mentions      | v1.7.0  |        |
| flarum-markdown      | v1.7.0  |        |
| flarum-lock          | v1.7.0  |        |
| flarum-likes         | v1.7.0  |        |
| flarum-lang-english  | v1.7.0  |        |
| flarum-emoji         | v1.7.0  |        |
| flarum-bbcode        | v1.7.0  |        |
+----------------------+---------+--------+
Base URL: <REDACTED>
Installation path: /var/www/flarum
Queue driver: sync
Session driver: file
Mail driver: mail
Debug mode: off
user@server:/var/www/flarum$

clarkwinkelmann

mrXmr try also updating laminas/laminas-stratigility. Their latest 3.10 version seems to have removed the laminas/laminas-diactoros conflict rule that prevents updating. I'm not able to test this myself right now, but it seems like it should be possible to update.

There's also the -W flag in Composer to allow updating other dependencies as needed, but it's always a bit risky because it might update extensions or Flarum itself unexpectedly. If you are already on the latest Flarum version it should be safe to try that flag if updating the 2 packages in order or same time doesn't help.

That being said, I don't think that CVE is a cause for concern. For the "problem" to happen, you need Flarum or an extension to generate a request or response class with unvalidated or loosly-validated user-provided values in a header. And then you need this to be used somewhere where it could be used to bypass some sort of header-based access control or send malicious values to external services. The only place in Flarum where a request/response might be built in an insecure way is when the internal API client is used to generate preloaded JSON payloads. More serious issues would be more likely in extensions but I can't think of any extension that would be impacted.

A similar issue was also discovered and patched in Guzzle (a library to make external HTTP/API requests) a while ago. At that time I had gone through my own extensions and some popular ones but was not able to find any way to exploit the vulnerability.