Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: s...@packages.debian.org Control: affects -1 + src:spip
Another upstream release fixed a security issue. It introduces some factorisation adding two more clean up in sessions. We agreed with the security team that this don’t warrant a DSA. https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html The 4.1 branch is mostly in maintenance mode, and the patches have been cherry-picked directly from upstream. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Thanks in advance. Regards, taffit
diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog --- spip-4.1.9+dfsg/debian/changelog 2023-06-11 15:38:54.000000000 +0200 +++ spip-4.1.9+dfsg/debian/changelog 2023-07-08 20:29:04.000000000 +0200 @@ -1,3 +1,11 @@ +spip (4.1.9+dfsg-1+deb12u2) bookworm; urgency=medium + + * Backport security fix from 4.1.11 + - use an auth_desensibiliser_session() function to centralize extended + authentification data filtering. + + -- David Prévot <taf...@debian.org> Sat, 08 Jul 2023 20:29:04 +0200 + spip (4.1.9+dfsg-1+deb12u1) bookworm; urgency=medium [ David Prévot ] diff -Nru spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch --- spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 1970-01-01 01:00:00.000000000 +0100 +++ spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 2023-07-08 20:25:35.000000000 +0200 @@ -0,0 +1,69 @@ +From: Cerdic <ced...@yterium.com> +Date: Mon, 3 Jul 2023 10:23:02 +0200 +Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?= + =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?= + =?utf-8?q?ration_d=E2=80=99une_session?= +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur, +- qu'on utilise lors de la preparation d'une session +- et dans informer_login + +Refs: spip-team/securite#4847 +(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb) + +Origin: upstream, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676 +--- + ecrire/inc/auth.php | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php +index 85d5ab1..6185aff 100644 +--- a/ecrire/inc/auth.php ++++ b/ecrire/inc/auth.php +@@ -250,11 +250,7 @@ function auth_init_droits($row) { + $GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row); + + // au cas ou : ne pas memoriser les champs sensibles +- unset($GLOBALS['visiteur_session']['pass']); +- unset($GLOBALS['visiteur_session']['htpass']); +- unset($GLOBALS['visiteur_session']['alea_actuel']); +- unset($GLOBALS['visiteur_session']['alea_futur']); +- unset($GLOBALS['visiteur_session']['ldap_password']); ++ $GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']); + + // creer la session au besoin + if (!isset($_COOKIE['spip_session'])) { +@@ -314,6 +310,22 @@ function auth_init_droits($row) { + return ''; // i.e. pas de pb. + } + ++/** ++ * Enlever les clés sensibles d'une ligne auteur ++ * @param array $auteur ++ * @return array ++ */ ++function auth_desensibiliser_session(array $auteur) { ++ $cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles']; ++ foreach ($cles_sensibles as $cle) { ++ if (isset($auteur[$cle])) { ++ unset($auteur[$cle]); ++ } ++ } ++ ++ return $auteur; ++} ++ + /** + * Retourne l'url de connexion + * +@@ -480,6 +492,7 @@ function auth_informer_login($login, $serveur = '') { + } + + $prefs = @unserialize($row['prefs']); ++ $row = auth_desensibiliser_session($row); + $infos = [ + 'id_auteur' => $row['id_auteur'], + 'login' => $row['login'], diff -Nru spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch --- spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch 1970-01-01 01:00:00.000000000 +0100 +++ spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch 2023-07-08 20:25:35.000000000 +0200 @@ -0,0 +1,69 @@ +From: Matthieu Marcillaud <marci...@rezo.net> +Date: Mon, 3 Jul 2023 10:55:19 +0200 +Subject: =?utf-8?q?security=3A_Utiliser_=60auth=5Fdesensibiliser=5Fsession?= + =?utf-8?q?=28=29=60_aussi_=C3=A0_la_cr=C3=A9ation_du_fichier_de_session?= + +Refs: spip-team/securite#4847 +(cherry picked from commit 5a73e07745bb6753557f0dc2b5404aa49f3ab900) + +Origin: upstream, https://git.spip.net/spip/spip/commit/f2fb631f0034728fd275ffa619fd6ddb7b841bdf +--- + ecrire/inc/auth.php | 10 ++++------ + ecrire/inc/session.php | 12 ++++-------- + 2 files changed, 8 insertions(+), 14 deletions(-) + +diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php +index 6185aff..d20af70 100644 +--- a/ecrire/inc/auth.php ++++ b/ecrire/inc/auth.php +@@ -247,7 +247,7 @@ function auth_init_droits($row) { + $GLOBALS['connect_login'] = $row['login']; + $GLOBALS['connect_statut'] = $row['statut']; + +- $GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row); ++ $GLOBALS['visiteur_session'] = array_merge((array) $GLOBALS['visiteur_session'], $row); + + // au cas ou : ne pas memoriser les champs sensibles + $GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']); +@@ -312,13 +312,11 @@ function auth_init_droits($row) { + + /** + * Enlever les clés sensibles d'une ligne auteur +- * @param array $auteur +- * @return array + */ +-function auth_desensibiliser_session(array $auteur) { +- $cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles']; ++function auth_desensibiliser_session(array $auteur): array { ++ $cles_sensibles = ['pass', 'htpass', 'low_sec', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles']; + foreach ($cles_sensibles as $cle) { +- if (isset($auteur[$cle])) { ++ if (array_key_exists($cle, $auteur)) { + unset($auteur[$cle]); + } + } +diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php +index 853b501..855838f 100644 +--- a/ecrire/inc/session.php ++++ b/ecrire/inc/session.php +@@ -613,16 +613,12 @@ function lister_sessions_auteur($id_auteur, $nb_max = null) { + * @param array $auteur + * @return array + */ +-function preparer_ecriture_session($auteur) { ++function preparer_ecriture_session(array $auteur): array { ++ + $row = $auteur; + +- // ne pas enregistrer ces elements de securite +- // dans le fichier de session +- unset($auteur['pass']); +- unset($auteur['htpass']); +- unset($auteur['low_sec']); +- unset($auteur['alea_actuel']); +- unset($auteur['alea_futur']); ++ // ne pas enregistrer ces elements de securite dans le fichier de session ++ $auteur = auth_desensibiliser_session($auteur); + + $auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]); + diff -Nru spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch --- spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch 1970-01-01 01:00:00.000000000 +0100 +++ spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch 2023-07-08 20:25:35.000000000 +0200 @@ -0,0 +1,23 @@ +From: Matthieu Marcillaud <marci...@rezo.net> +Date: Mon, 3 Jul 2023 23:10:51 +0200 +Subject: fix: Inclusion manquante dans !5663 + +(cherry picked from commit 13793c345bdc8ea362f71656c3b38103d6aaba2c) + +Origin: upstream, https://git.spip.net/spip/spip/commit/144f520ead7ca38a4644e35af4cac2278de6d3e9 +--- + ecrire/inc/session.php | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php +index 855838f..d9f9314 100644 +--- a/ecrire/inc/session.php ++++ b/ecrire/inc/session.php +@@ -618,6 +618,7 @@ function preparer_ecriture_session(array $auteur): array { + $row = $auteur; + + // ne pas enregistrer ces elements de securite dans le fichier de session ++ include_spip('inc/auth'); + $auteur = auth_desensibiliser_session($auteur); + + $auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]); diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series --- spip-4.1.9+dfsg/debian/patches/series 2023-06-11 15:37:44.000000000 +0200 +++ spip-4.1.9+dfsg/debian/patches/series 2023-07-08 20:25:35.000000000 +0200 @@ -6,3 +6,6 @@ 0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch 0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch 0008-build-Up-cran-de-s-cu-en-1.5.3.patch +0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch +0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch +0011-fix-Inclusion-manquante-dans-5663.patch
signature.asc
Description: PGP signature