Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:spip

Another upstream release fixed a security issue. It introduces some
factorisation, adding two more clean-ups in sessions. We agreed with the
security team that this doesn't warrant a DSA.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html

The 4.1 branch is mostly in maintenance mode, and the patches have been
cherry-picked directly from upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit
diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog
--- spip-4.1.9+dfsg/debian/changelog	2023-06-11 15:38:54.000000000 +0200
+++ spip-4.1.9+dfsg/debian/changelog	2023-07-08 20:29:04.000000000 +0200
@@ -1,3 +1,11 @@
+spip (4.1.9+dfsg-1+deb12u2) bookworm; urgency=medium
+
+  * Backport security fix from 4.1.11
+    - use an auth_desensibiliser_session() function to centralize extended
+      authentification data filtering.
+
+ -- David Prévot <taf...@debian.org>  Sat, 08 Jul 2023 20:29:04 +0200
+
 spip (4.1.9+dfsg-1+deb12u1) bookworm; urgency=medium
 
   [ David Prévot ]
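Review bot: Typo in the changelog entry: "authentification" should be "authentication" (the French spelling carried over from the upstream commit message). Since this entry is what users of the stable update read, it would also help to name the upstream reference both security patches cite (spip-team/securite#4847) and to mention that a third patch, 0011, is included to add the `include_spip('inc/auth')` the cherry-pick needs; as written, the entry reads as a single change.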
diff -Nru spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
--- spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,69 @@
+From: Cerdic <ced...@yterium.com>
+Date: Mon, 3 Jul 2023 10:23:02 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?=
+ =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?=
+ =?utf-8?q?ration_d=E2=80=99une_session?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur,
+- qu'on utilise lors de la preparation d'une session
+- et dans informer_login
+
+Refs:  spip-team/securite#4847
+(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676
+---
+ ecrire/inc/auth.php | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 85d5ab1..6185aff 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -250,11 +250,7 @@ function auth_init_droits($row) {
+ 	$GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
+ 
+ 	// au cas ou : ne pas memoriser les champs sensibles
+-	unset($GLOBALS['visiteur_session']['pass']);
+-	unset($GLOBALS['visiteur_session']['htpass']);
+-	unset($GLOBALS['visiteur_session']['alea_actuel']);
+-	unset($GLOBALS['visiteur_session']['alea_futur']);
+-	unset($GLOBALS['visiteur_session']['ldap_password']);
++	$GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+ 
+ 	// creer la session au besoin
+ 	if (!isset($_COOKIE['spip_session'])) {
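Review bot: Not a pure factorisation at this call site: the removed inline list stripped five keys (`pass`, `htpass`, `alea_actuel`, `alea_futur`, `ldap_password`), while `auth_desensibiliser_session()` as added below in this patch also strips `backup_cles`, so what lands in `$GLOBALS['visiteur_session']` changes slightly. Harmless in the right direction, but worth a word in the changelog rather than describing it only as centralising the filtering.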
+@@ -314,6 +310,22 @@ function auth_init_droits($row) {
+ 	return ''; // i.e. pas de pb.
+ }
+ 
++/**
++ * Enlever les clés sensibles d'une ligne auteur
++ * @param array $auteur
++ * @return array
++ */
++function auth_desensibiliser_session(array $auteur) {
++	$cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++	foreach ($cles_sensibles as $cle) {
++		if (isset($auteur[$cle])) {
++			unset($auteur[$cle]);
++		}
++	}
++
++	return $auteur;
++}
++
+ /**
+  * Retourne l'url de connexion
+  *
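Review bot: Two gaps in this first version of `auth_desensibiliser_session()`: the `isset($auteur[$cle])` guard is false for a key whose value is null, so a null-valued sensitive field would survive the filter (a bare `unset($auteur[$cle])` needs no guard at all), and the list lacks `low_sec`, which the inline code in `preparer_ecriture_session()` strips (see the lines removed in patch 0010). Patch 0010 fixes both by switching to `array_key_exists()` and adding `low_sec`, so 0009 should never be applied without it; the series file keeps them together, which is what matters.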
+@@ -480,6 +492,7 @@ function auth_informer_login($login, $serveur = '') {
+ 	}
+ 
+ 	$prefs = @unserialize($row['prefs']);
++	$row = auth_desensibiliser_session($row);
+ 	$infos = [
+ 		'id_auteur' => $row['id_auteur'],
+ 		'login' => $row['login'],
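Review bot: Placing the call after `$prefs = @unserialize($row['prefs'])` is correct, since `prefs` is not in the sensitive list, but this hunk only shows `$infos` copying `id_auteur` and `login` by name from `$row`; a one-line comment (or the issue reference) explaining why `$row` must be sanitised at this point would help a reader who cannot see how the rest of `$infos` is built from this context.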
diff -Nru spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch
--- spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch	2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,69 @@
+From: Matthieu Marcillaud <marci...@rezo.net>
+Date: Mon, 3 Jul 2023 10:55:19 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_=60auth=5Fdesensibiliser=5Fsession?=
+ =?utf-8?q?=28=29=60_aussi_=C3=A0_la_cr=C3=A9ation_du_fichier_de_session?=
+
+Refs:  spip-team/securite#4847
+(cherry picked from commit 5a73e07745bb6753557f0dc2b5404aa49f3ab900)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/f2fb631f0034728fd275ffa619fd6ddb7b841bdf
+---
+ ecrire/inc/auth.php    | 10 ++++------
+ ecrire/inc/session.php | 12 ++++--------
+ 2 files changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 6185aff..d20af70 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -247,7 +247,7 @@ function auth_init_droits($row) {
+ 	$GLOBALS['connect_login'] = $row['login'];
+ 	$GLOBALS['connect_statut'] = $row['statut'];
+ 
+-	$GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
++	$GLOBALS['visiteur_session'] = array_merge((array) $GLOBALS['visiteur_session'], $row);
+ 
+ 	// au cas ou : ne pas memoriser les champs sensibles
+ 	$GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
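Review bot: Pure whitespace change (`(array)$GLOBALS` to `(array) $GLOBALS`) carried along with the cherry-pick; harmless, but it is noise in a stable security update and could have been dropped from the backport to keep the debdiff minimal.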
+@@ -312,13 +312,11 @@ function auth_init_droits($row) {
+ 
+ /**
+  * Enlever les clés sensibles d'une ligne auteur
+- * @param array $auteur
+- * @return array
+  */
+-function auth_desensibiliser_session(array $auteur) {
+-	$cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++function auth_desensibiliser_session(array $auteur): array {
++	$cles_sensibles = ['pass', 'htpass', 'low_sec', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
+ 	foreach ($cles_sensibles as $cle) {
+-		if (isset($auteur[$cle])) {
++		if (array_key_exists($cle, $auteur)) {
+ 			unset($auteur[$cle]);
+ 		}
+ 	}
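Review bot: The `array_key_exists($cle, $auteur)` guard around `unset()` is redundant, since `unset()` on an absent key is a no-op; a bare `unset($auteur[$cle])` inside the loop is equivalent and shorter. The substantive changes here are the addition of `low_sec` to the list and the `: array` return type, which also drops the `@param`/`@return` docblock; the return type is fine for the PHP versions Debian stable ships, but is something to keep in mind if this is ever backported further.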
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index 853b501..855838f 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -613,16 +613,12 @@ function lister_sessions_auteur($id_auteur, $nb_max = null) {
+  * @param array $auteur
+  * @return array
+  */
+-function preparer_ecriture_session($auteur) {
++function preparer_ecriture_session(array $auteur): array {
++
+ 	$row = $auteur;
+ 
+-	// ne pas enregistrer ces elements de securite
+-	// dans le fichier de session
+-	unset($auteur['pass']);
+-	unset($auteur['htpass']);
+-	unset($auteur['low_sec']);
+-	unset($auteur['alea_actuel']);
+-	unset($auteur['alea_futur']);
++	// ne pas enregistrer ces elements de securite dans le fichier de session
++	$auteur = auth_desensibiliser_session($auteur);
+ 
+ 	$auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]);
+ 
diff -Nru spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch
--- spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch	2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,23 @@
+From: Matthieu Marcillaud <marci...@rezo.net>
+Date: Mon, 3 Jul 2023 23:10:51 +0200
+Subject: fix: Inclusion manquante dans !5663
+
+(cherry picked from commit 13793c345bdc8ea362f71656c3b38103d6aaba2c)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/144f520ead7ca38a4644e35af4cac2278de6d3e9
+---
+ ecrire/inc/session.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index 855838f..d9f9314 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -618,6 +618,7 @@ function preparer_ecriture_session(array $auteur): array {
+ 	$row = $auteur;
+ 
+ 	// ne pas enregistrer ces elements de securite dans le fichier de session
++	include_spip('inc/auth');
+ 	$auteur = auth_desensibiliser_session($auteur);
+ 
+ 	$auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]);
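Review bot: Correct fix for the dependency patch 0010 introduced, and `include_spip()` is a cheap guarded include so calling it on every session write is fine. Minor style point: the comment "ne pas enregistrer ces elements de securite dans le fichier de session" now sits above the `include_spip('inc/auth')` line rather than the call it describes; moving the include above the comment would keep the comment adjacent to the `auth_desensibiliser_session()` call.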
diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series
--- spip-4.1.9+dfsg/debian/patches/series	2023-06-11 15:37:44.000000000 +0200
+++ spip-4.1.9+dfsg/debian/patches/series	2023-07-08 20:25:35.000000000 +0200
@@ -6,3 +6,6 @@
 0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
 0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
 0008-build-Up-cran-de-s-cu-en-1.5.3.patch
+0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
+0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch
+0011-fix-Inclusion-manquante-dans-5663.patch
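Review bot: Order is right: 0010 depends on the function 0009 adds, and 0011 on the call 0010 adds. Given those dependencies, none of the three is safe to apply alone, so if any of them is ever dropped or reordered the others must go with it; a short note to that effect in the changelog or in the patch headers would make that explicit for the next maintainer.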

Attachment: signature.asc
Description: PGP signature