Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
Two security issues (XSS) have been fixed in the latest upstream version. As agreed with the security team, those are not worth a DSA.

[ Impact ]
Without these fixes, websites are vulnerable to already public XSS issues.

[ Tests ]
The fixes are identical to the one proposed for Bullseye, but I don’t handle any server in production running Buster.

[ Risks ]
Both fixes are pretty small.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Cheers

David

diff --git a/debian/changelog b/debian/changelog index 6618f122ee..6881e0948d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,17 @@ +spip (3.2.4-1+deb10u6) buster; urgency=medium + + * Document CVE fixed previously + * Backport security fixes (XSS) from 3.2.13 + + -- David Prévot <taf...@debian.org> Sat, 05 Feb 2022 09:21:02 -0400 + spip (3.2.4-1+deb10u5) buster-security; urgency=high * Backport security fixes from 3.2.12 - - SQL injections, remote code execution, XSS + - SQL injections + - remote code execution [CVE-2021-44123] + - XSS [CVE-2021-44118] [CVE-2021-44120] + - CSRF [CVE-2021-44122] -- David Prévot <taf...@debian.org> Wed, 15 Dec 2021 17:19:09 -0400 diff --git a/debian/patches/0038-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch b/debian/patches/0038-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch index b4ba41bb17..4c109c38ab 100644 --- a/debian/patches/0038-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch +++ b/debian/patches/0038-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch @@ -8,6 +8,7 @@ Subject: Utiliser valider_url_distante() en plus de tester_url_absolue() (cherry picked from commit 9b8d1487ef067b5bdb2ce7365cc65d0e7ec0fa44) Origin: upstream, https://git.spip.net/spip/medias/commit/1a4b7024cf728ec531658967b374c5ec6f36ee42 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44118 --- plugins-dist/medias/action/copier_local.php | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/debian/patches/0039-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch b/debian/patches/0039-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch index 6df33be8de..73e69b8f4a 100644 --- a/debian/patches/0039-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch +++ b/debian/patches/0039-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch 
@@ -11,6 +11,7 @@ Subject: Fix/refactoring query_echappe_textes() qui ne detectait parfois pas On modifie aussi l'usage dans req/mysql en privilegiant de garder la requete initiale intacte si il n'y a rien a faire dessus Origin: upstream, https://git.spip.net/spip/spip/commit/fca83dc95ee279552382eeb5015d5dc3efed9de3 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120 --- ecrire/base/connect_sql.php | 47 ++++++++++++++++++++++++++++++++------------- ecrire/req/mysql.php | 10 +++++----- diff --git a/debian/patches/0040-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch b/debian/patches/0040-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch index 787d6c6c31..83741178b6 100644 --- a/debian/patches/0040-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch +++ b/debian/patches/0040-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch @@ -2,6 +2,7 @@ From: Cerdic <ced...@yterium.com> Date: Fri, 17 Sep 2021 17:39:04 +0200 Subject: Simplifier la regexp, c'est pas plus mal (cfreal) +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120 --- ecrire/base/connect_sql.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/patches/0041-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch b/debian/patches/0041-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch index 6bcdf3456c..33c6e23ae6 100644 --- a/debian/patches/0041-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch +++ b/debian/patches/0041-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch @@ -7,6 +7,7 @@ Subject: Complement de 413ca3cc58 : _mysql_traite_query() s'appelle query_reinjecte_textes() Origin: upstream, https://git.spip.net/spip/spip/commit/a4fdb3b8ec11f067a6d09512c6f31dbda7fd57c6 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120 --- ecrire/req/mysql.php | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) 
diff --git a/debian/patches/0042-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch b/debian/patches/0042-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch index 8f7e49a288..fc226345ab 100644 --- a/debian/patches/0042-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch +++ b/debian/patches/0042-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch @@ -12,6 +12,7 @@ Subject: =?utf-8?q?Balise_=23FORMULAIRE_=3A_nettoyer_du_code_mort_qui_ne_se?= =?utf-8?q?issue=29?= Origin: upstream, https://git.spip.net/spip/spip/commit/fea5b5b4507cc9c0b9e91bbfbf34fe40b0bea805 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122 --- ecrire/balise/formulaire_.php | 13 +++++++++++++ ecrire/public/aiguiller.php | 23 ++++++++++++++++++++++- diff --git a/debian/patches/0043-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch b/debian/patches/0043-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch index 055ee350f7..86a7130b43 100644 --- a/debian/patches/0043-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch +++ b/debian/patches/0043-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch @@ -8,6 +8,7 @@ Subject: Nom, lequel ne contient en general pas de < ce qui passe tres vite dans safehtml Origin: backport, https://git.spip.net/spip/spip/commit/361cc26080d1377bc55d2cb80736e5cfaf5fd242 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120 --- ecrire/public/interfaces.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/debian/patches/0044-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch b/debian/patches/0044-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch index 8ebc3ca857..1851a1c054 100644 --- a/debian/patches/0044-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch +++ b/debian/patches/0044-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch 
@@ -6,6 +6,7 @@ Subject: Lors de l'upload de documents, sinon on ne garde que la derniere Origin: upstream, https://git.spip.net/spip/spip/commit/28c2cd60bee60892c6660b81d98cc166aa442866 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44123 --- ecrire/inc/documents.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/debian/patches/0045-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch b/debian/patches/0045-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch index 1f15081dfe..52920a46e3 100644 --- a/debian/patches/0045-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch +++ b/debian/patches/0045-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch @@ -6,6 +6,7 @@ Subject: Oups, formulaire anonyme) Origin: upstream, https://git.spip.net/spip/spip/commit/2992190368197a0f966e85d6c5751b999be83cb4ZZ +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122 --- ecrire/public/aiguiller.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/patches/0046-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch b/debian/patches/0046-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch index df77a90a23..5db137b311 100644 --- a/debian/patches/0046-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch +++ b/debian/patches/0046-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch @@ -4,6 +4,7 @@ Subject: Il faut incrementer spip_version_code car tous les formulaires doivent etre recalcules Origin: upstream, https://git.spip.net/spip/spip/commit/aefb90d6a186f81c2596dc39a010a5827921b6c1 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122 --- ecrire/inc_version.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/patches/0047-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch b/debian/patches/0047-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch index 2ad0ab37db..36d3ab2243 100644 
--- a/debian/patches/0047-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch +++ b/debian/patches/0047-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch @@ -5,6 +5,7 @@ Subject: Le plugin mots et son formulaire editer_mot() contient encore du c'etait casse gueule de changer ca sur cette branche Origin: upstream, https://git.spip.net/spip/spip/commit/685a2c0bdcde2ef1804b4ac794243b54c4a22585 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122 --- ecrire/balise/formulaire_.php | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/debian/patches/0048-Ameliorer-valider_url_distante-on-utilise-filter_var.patch b/debian/patches/0048-Ameliorer-valider_url_distante-on-utilise-filter_var.patch index f99c095188..28ac4c715d 100644 --- a/debian/patches/0048-Ameliorer-valider_url_distante-on-utilise-filter_var.patch +++ b/debian/patches/0048-Ameliorer-valider_url_distante-on-utilise-filter_var.patch @@ -7,6 +7,7 @@ Subject: Ameliorer valider_url_distante() : on utilise filter_var plutot que (cherry picked from commit a4a09d103500bb7f598833d746540e4b417dfd72) Origin: upstream, https://git.spip.net/spip/spip/commit/19c3592b93343c222589ffd3aeace97213e25745 +ug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44118 --- ecrire/inc/distant.php | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/debian/patches/0049-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch b/debian/patches/0049-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch new file mode 100644 index 0000000000..c4f3760a77 --- /dev/null +++ b/debian/patches/0049-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch 
@@ -0,0 +1,64 @@ +From: Cerdic <ced...@yterium.com> +Date: Wed, 2 Feb 2022 09:51:56 +0100 +Subject: Verifier qu'on a bien le droit de modifier le login avant d'accepter + un post sur cette variable + +Origin: upstream, https://git.spip.net/spip/spip/commit/9ed1818f14be283b0b6e8469bfbc54ba2d10763b +--- + prive/formulaires/editer_auteur.php | 42 ++++++++++++++++++++++++++----------- + 1 file changed, 30 insertions(+), 12 deletions(-) + +diff --git a/prive/formulaires/editer_auteur.php b/prive/formulaires/editer_auteur.php +index bd4efd2..3b7ac39 100644 +--- a/prive/formulaires/editer_auteur.php ++++ b/prive/formulaires/editer_auteur.php +@@ -236,19 +236,37 @@ function formulaires_editer_auteur_verifier_dist( + } + + $erreurs['message_erreur'] = ''; ++ if (_request('login')) { ++ // on n'est jamais cense poster le name login ++ $erreurs['login'] = _T('info_non_modifiable'); ++ } ++ elseif ( ++ ($login = _request('new_login')) and ++ $login !== sql_getfetsel('login', 'spip_auteurs', 'id_auteur=' . intval($id_auteur)) ++ ) { ++ // on verifie la meme chose que dans auteurs_edit_config() ++ if ( ++ ! 
auth_autoriser_modifier_login($auth_methode) ++ or !autoriser('modifier', 'auteur', intval($id_auteur), null, ['email' => true]) ++ ) { ++ $erreurs['login'] = _T('info_non_modifiable'); ++ } ++ } + +- if ($err = auth_verifier_login($auth_methode, _request('new_login'), $id_auteur)) { +- $erreurs['new_login'] = $err; +- $erreurs['message_erreur'] .= $err; +- } else { +- // pass trop court ou confirmation non identique +- if ($p = _request('new_pass')) { +- if ($p != _request('new_pass2')) { +- $erreurs['new_pass'] = _T('info_passes_identiques'); +- $erreurs['message_erreur'] .= _T('info_passes_identiques'); +- } elseif ($err = auth_verifier_pass($auth_methode, _request('new_login'), $p, $id_auteur)) { +- $erreurs['new_pass'] = $err; +- $erreurs['message_erreur'] .= $err; ++ if (empty($erreurs['login'])){ ++ if ($err = auth_verifier_login($auth_methode, _request('new_login'), $id_auteur)){ ++ $erreurs['new_login'] = $err; ++ $erreurs['message_erreur'] .= $err; ++ } else { ++ // pass trop court ou confirmation non identique ++ if ($p = _request('new_pass')){ ++ if ($p!=_request('new_pass2')){ ++ $erreurs['new_pass'] = _T('info_passes_identiques'); ++ $erreurs['message_erreur'] .= _T('info_passes_identiques'); ++ } elseif ($err = auth_verifier_pass($auth_methode, _request('new_login'), $p, $id_auteur)) { ++ $erreurs['new_pass'] = $err; ++ $erreurs['message_erreur'] .= $err; ++ } + } + } + } diff --git a/debian/patches/0050-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch b/debian/patches/0050-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch new file mode 100644 index 0000000000..f95d4333fa --- /dev/null +++ b/debian/patches/0050-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch 
@@ -0,0 +1,23 @@ +From: Cerdic <ced...@yterium.com> +Date: Wed, 29 Dec 2021 10:50:27 +0100 +Subject: appliquer rawurlencode() aussi sur les tableaux qu'on passe en + argument de parametre_url() #4819 + +Origin: upstream, https://git.spip.net/spip/spip/commit/b2f8e3a59ccbf958197e22609938871884438b5f +--- + ecrire/inc/utils.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ecrire/inc/utils.php b/ecrire/inc/utils.php +index 40f892e..9fc3ee3 100644 +--- a/ecrire/inc/utils.php ++++ b/ecrire/inc/utils.php +@@ -600,7 +600,7 @@ function parametre_url($url, $c, $v = null, $sep = '&') { + } else { + $id = (substr($k, -2) == '[]') ? $k : ($k . "[]"); + foreach ($v as $w) { +- $url[] = $id . '=' . (is_array($w) ? 'Array' : $w); ++ $url[] = $id . '=' . (is_array($w) ? 'Array' : rawurlencode($w)); + } + } + } diff --git a/debian/patches/series b/debian/patches/series index faecf747dc..4707b67d85 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -46,3 +46,5 @@ 0046-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch 0047-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch 0048-Ameliorer-valider_url_distante-on-utilise-filter_var.patch +0049-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch +0050-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch
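
Review bot: the new 3.2.4-1+deb10u6 entry in debian/changelog says only "Backport security fixes (XSS) from 3.2.13" and does not name the two patches this upload adds to debian/patches/series (0049 and 0050) or say which issue each one addresses. The subject of 0049 describes a permission check on login changes, so a reader of the changelog cannot map it to "XSS" without opening the patch. Suggest one sub-item per patch, in the same style this diff gives the deb10u5 entry.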
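
Review bot: in the header of 0045-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch, the Origin URL ends in "...be83cb4ZZ"; the trailing "ZZ" is not hexadecimal, so the value cannot be a commit id. It is only a context line in this hunk, but since the upload already edits that header to add Bug-Debian, the Origin field should be corrected in the same change.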
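
Review bot: the line added to the header of 0048-Ameliorer-valider_url_distante-on-utilise-filter_var.patch reads "+ug-Debian:" where every other header touched in this diff reads "+Bug-Debian:"; the leading "B" is missing. As written the field name is not the DEP-3 Bug-Debian field, so anything that reads patch headers will miss the CVE-2021-44118 reference. Change it to "Bug-Debian:".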
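
Review bot: in the formulaires_editer_auteur_verifier_dist() hunk of 0049, both new rejection branches set only $erreurs['login'] and never append to $erreurs['message_erreur'], whereas the new_login and new_pass branches kept below set the field key and the global message together. The form field is posted as new_login, so it is worth confirming that the form actually displays an error stored under the key 'login'; otherwise the submission is refused with no visible reason. Either add the same text to message_erreur or say in a comment where the 'login' key is rendered. Minor style point in the same hunk: the re-indented block drops the spacing used by the lines it replaces ("if (...){" and "$p!=_request('new_pass2')"), which makes the backport noisier to compare against the removed lines.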
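
Review bot: the header of 0050 carries no Bug-Debian or CVE line, and neither does 0049, although this same upload adds that field to patches 0038 to 0048; if identifiers exist for the two issues, reference them here, and if none were assigned, say so in the changelog. On the code line itself, rawurlencode() now covers the scalar value $w, while $id is still concatenated unchanged in "$url[] = $id . '=' . ...". The hunk does not show where $k comes from, so a short comment stating where the key part is encoded would help a reviewer of the backport.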