
Clarify importance of phpseclib security release #2066

Closed
lode opened this issue Apr 8, 2021 · 4 comments
Labels
type: question Request for information or clarification. Not an issue.

Comments

lode commented Apr 8, 2021

One of the dependencies, phpseclib, just released https://github.com/phpseclib/phpseclib/releases/tag/3.0.7 which was flagged as a security release. Since I don't have enough knowledge about reviewing their changes, it would be nice if you could provide some more information on this.

E.g. how is this used? What cases does this fix? How high risk is it for this project?
And maybe adjust the dependency in composer to minimally 2.0.31/3.0.7 to confirm this is a needed/safe upgrade?

@yoshi-automation yoshi-automation added triage me I really want to be triaged. 🚨 This issue needs some love. labels Apr 9, 2021
@dwsupplee dwsupplee added type: question Request for information or clarification. Not an issue. and removed 🚨 This issue needs some love. triage me I really want to be triaged. labels Apr 15, 2021
bshaffer (Contributor) commented

Hello @lode! Sorry to answer this so late, but this is a great question.

PHPSeclib is only used in this library when verifying ID tokens using the Google\AccessToken\Verify class or calling the Google\Client::verifyIdToken method.

We require a minimum of 3.0.2, and as far as I can tell, this version is considered safe. If I'm wrong, I'm happy to bump the minimum version. You can submit a PR to do so, or reopen this issue and tell me where I can see that the 3.0.7 release was flagged as a security release (I can't see anything in the URL you provided).

I hope this helps. Thanks!

lode (Author) commented Sep 11, 2023

Hi @bshaffer thanks for the reply!

And I'm sorry for the unclear link. It was a while ago now, and I don't remember the issue. I'm also a bit puzzled why I linked to 3.0.7, because indeed nothing is shown there. And in my internal issue tracking I see a mention of another version (to which I patched at that moment): https://github.com/phpseclib/phpseclib/releases/tag/3.0.19. I was notified by GitHub via GHSA-hm7p-r324-hhf3.

So I'd say this repo is still using a vulnerable dependency. But I don't know if that part is used and thus needed?
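A lock-file check along the lines lode asks for above, as an added example that is not code from this issue or from the google-api-php-client project: it reads a composer.lock, finds phpseclib/phpseclib and reports whether the locked version meets a floor. It assumes 3.0.19 as the floor, the version lode reports patching to after the GHSA notice; the floor that #2499 actually sets is not shown here, and a 2.x install needs its own floor, which this thread does not give, so a different major line is reported separately rather than judged.

```python
import json
import re

# Constructed composer.lock excerpt (not a real lock file from any project):
# a project pinning phpseclib below the floor discussed in the thread.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "google/apiclient", "version": "v2.12.1"},
        {"name": "phpseclib/phpseclib", "version": "3.0.7"},
    ],
    "packages-dev": [],
})

# Floor taken from lode's comment (the release he patched to); the version
# that #2499 sets as minimum is not stated on this page.
PHPSECLIB_FLOOR = "3.0.19"


def parse_version(ver):
    """Turn 'v3.0.7' or '3.0.19' (optionally with a suffix) into an int tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", ver)
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    return tuple(int(x) for x in m.groups())


def installed_version(lock_json, package):
    """Return the locked version of `package`, or None if it is not installed."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def check_phpseclib(lock_json, floor=PHPSECLIB_FLOOR):
    """Return (status, version): 'absent', 'other-major', 'ok' or 'below-floor'."""
    ver = installed_version(lock_json, "phpseclib/phpseclib")
    if ver is None:
        return ("absent", None)
    have, need = parse_version(ver), parse_version(floor)
    if have[0] != need[0]:
        return ("other-major", ver)   # e.g. a 2.x install: needs its own floor
    return ("ok" if have >= need else "below-floor", ver)


if __name__ == "__main__":
    status, ver = check_phpseclib(SAMPLE_LOCK)
    print(f"phpseclib/phpseclib {ver}: {status} (floor {PHPSECLIB_FLOOR})")
```

A "below-floor" result only matters if the Google\Client::verifyIdToken path is reachable in your code, which is the question bshaffer answers in this thread.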

bshaffer (Contributor) commented Sep 11, 2023

This is super helpful, thank you @lode!

As mentioned above, phpseclib is used in this library ONLY to verify ID tokens in Google\Client::verifyIdToken (or directly with the Google\AccessToken\Verify class).

I've submitted a fix to raise the minimum version here: #2499

Thanks again for providing this information!

lode (Author) commented Sep 13, 2023

Great, thanks for the fix!
