Your message dated Sat, 22 Jul 2023 13:19:43 +0000
with message-id <[email protected]>
and subject line Released with 12.1
has caused the Debian Bug report #1040756,
regarding bookworm-pu: package spip/4.1.9+dfsg-1+deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1040756: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040756
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:spip
Another upstream release fixed a security issue. It introduces some
factorisation adding two more clean-ups in sessions. We agreed with the
security team that this doesn't warrant a DSA.
https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html
The 4.1 branch is mostly in maintenance mode, and the patches have been
cherry-picked directly from upstream.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Thanks in advance.
Regards,
taffit
diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog
--- spip-4.1.9+dfsg/debian/changelog 2023-06-11 15:38:54.000000000 +0200
+++ spip-4.1.9+dfsg/debian/changelog 2023-07-08 20:29:04.000000000 +0200
@@ -1,3 +1,11 @@
+spip (4.1.9+dfsg-1+deb12u2) bookworm; urgency=medium
+
+ * Backport security fix from 4.1.11
+ - use an auth_desensibiliser_session() function to centralize extended
+ authentification data filtering.
+
+ -- David Prévot <[email protected]> Sat, 08 Jul 2023 20:29:04 +0200
+
spip (4.1.9+dfsg-1+deb12u1) bookworm; urgency=medium
[ David Prévot ]
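Review bot: spelling slip in the new changelog entry, `+ - use an auth_desensibiliser_session() function to centralize extended` / `+ authentification data filtering.`: "authentification" should read "authentication". The entry also only mentions 4.1.11, while the debdiff adds three patches (0009, 0010, 0011); naming the two follow-ups (the extra `low_sec` key and the missing `include_spip('inc/auth')`) would make the scope of the backport clearer to anyone reading the changelog alone.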
diff -Nru spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
--- spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,69 @@
+From: Cerdic <[email protected]>
+Date: Mon, 3 Jul 2023 10:23:02 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?=
+ =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?=
+ =?utf-8?q?ration_d=E2=80=99une_session?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur,
+- qu'on utilise lors de la preparation d'une session
+- et dans informer_login
+
+Refs: spip-team/securite#4847
+(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676
+---
+ ecrire/inc/auth.php | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 85d5ab1..6185aff 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -250,11 +250,7 @@ function auth_init_droits($row) {
+ $GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
+
+ // au cas ou : ne pas memoriser les champs sensibles
+- unset($GLOBALS['visiteur_session']['pass']);
+- unset($GLOBALS['visiteur_session']['htpass']);
+- unset($GLOBALS['visiteur_session']['alea_actuel']);
+- unset($GLOBALS['visiteur_session']['alea_futur']);
+- unset($GLOBALS['visiteur_session']['ldap_password']);
++ $GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+
+ // creer la session au besoin
+ if (!isset($_COOKIE['spip_session'])) {
+@@ -314,6 +310,22 @@ function auth_init_droits($row) {
+ return ''; // i.e. pas de pb.
+ }
+
++/**
++ * Enlever les clés sensibles d'une ligne auteur
++ * @param array $auteur
++ * @return array
++ */
++function auth_desensibiliser_session(array $auteur) {
++ $cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++ foreach ($cles_sensibles as $cle) {
++ if (isset($auteur[$cle])) {
++ unset($auteur[$cle]);
++ }
++ }
++
++ return $auteur;
++}
++
+ /**
+ * Retourne l'url de connexion
+ *
+@@ -480,6 +492,7 @@ function auth_informer_login($login, $serveur = '') {
+ }
+
+ $prefs = @unserialize($row['prefs']);
++ $row = auth_desensibiliser_session($row);
+ $infos = [
+ 'id_auteur' => $row['id_auteur'],
+ 'login' => $row['login'],
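Review bot: in the new `auth_desensibiliser_session()`, the guard `if (isset($auteur[$cle]))` skips keys whose value is null, so a row carrying e.g. `'ldap_password' => null` keeps that key; `array_key_exists($cle, $auteur)`, or simply an unconditional `unset()` (a no-op on absent keys), would strip it regardless of value. The key list `['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles']` also omits `low_sec`, which `preparer_ecriture_session()` in inc/session.php removes on its own, so the in-memory session filter and the session-file filter diverge at this point in the series. Both points are addressed by patch 0010 in this same debdiff, so they only matter if the patches were ever applied separately.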
diff -Nru spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch
--- spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch 2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,69 @@
+From: Matthieu Marcillaud <[email protected]>
+Date: Mon, 3 Jul 2023 10:55:19 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_=60auth=5Fdesensibiliser=5Fsession?=
+ =?utf-8?q?=28=29=60_aussi_=C3=A0_la_cr=C3=A9ation_du_fichier_de_session?=
+
+Refs: spip-team/securite#4847
+(cherry picked from commit 5a73e07745bb6753557f0dc2b5404aa49f3ab900)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/f2fb631f0034728fd275ffa619fd6ddb7b841bdf
+---
+ ecrire/inc/auth.php | 10 ++++------
+ ecrire/inc/session.php | 12 ++++--------
+ 2 files changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 6185aff..d20af70 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -247,7 +247,7 @@ function auth_init_droits($row) {
+ $GLOBALS['connect_login'] = $row['login'];
+ $GLOBALS['connect_statut'] = $row['statut'];
+
+- $GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
++ $GLOBALS['visiteur_session'] = array_merge((array) $GLOBALS['visiteur_session'], $row);
+
+ // au cas ou : ne pas memoriser les champs sensibles
+ $GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+@@ -312,13 +312,11 @@ function auth_init_droits($row) {
+
+ /**
+ * Enlever les clés sensibles d'une ligne auteur
+- * @param array $auteur
+- * @return array
+ */
+-function auth_desensibiliser_session(array $auteur) {
+- $cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++function auth_desensibiliser_session(array $auteur): array {
++ $cles_sensibles = ['pass', 'htpass', 'low_sec', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
+ foreach ($cles_sensibles as $cle) {
+- if (isset($auteur[$cle])) {
++ if (array_key_exists($cle, $auteur)) {
+ unset($auteur[$cle]);
+ }
+ }
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index 853b501..855838f 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -613,16 +613,12 @@ function lister_sessions_auteur($id_auteur, $nb_max = null) {
+ * @param array $auteur
+ * @return array
+ */
+-function preparer_ecriture_session($auteur) {
++function preparer_ecriture_session(array $auteur): array {
++
+ $row = $auteur;
+
+- // ne pas enregistrer ces elements de securite
+- // dans le fichier de session
+- unset($auteur['pass']);
+- unset($auteur['htpass']);
+- unset($auteur['low_sec']);
+- unset($auteur['alea_actuel']);
+- unset($auteur['alea_futur']);
++ // ne pas enregistrer ces elements de securite dans le fichier de session
++ $auteur = auth_desensibiliser_session($auteur);
+
+ $auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]);
+
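Review bot: the new call `$auteur = auth_desensibiliser_session($auteur);` in `preparer_ecriture_session()` (inc/session.php) depends on inc/auth.php already being loaded, but this hunk adds no `include_spip('inc/auth')` before it; on any code path that reaches session writing without having loaded inc/auth, this is a call to an undefined function and session creation fails with a fatal error. Patch 0011 in this series adds the missing include, so the two patches must ship together (they do in the `series` file). The other changes are correct: `array_key_exists($cle, $auteur)` now removes null-valued keys that `isset()` left in place, and adding `'low_sec'` to `$cles_sensibles` means the session file no longer keeps a key that the auth filter previously dropped.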
diff -Nru spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch
--- spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch 2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,23 @@
+From: Matthieu Marcillaud <[email protected]>
+Date: Mon, 3 Jul 2023 23:10:51 +0200
+Subject: fix: Inclusion manquante dans !5663
+
+(cherry picked from commit 13793c345bdc8ea362f71656c3b38103d6aaba2c)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/144f520ead7ca38a4644e35af4cac2278de6d3e9
+---
+ ecrire/inc/session.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index 855838f..d9f9314 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -618,6 +618,7 @@ function preparer_ecriture_session(array $auteur): array {
+ $row = $auteur;
+
+ // ne pas enregistrer ces elements de securite dans le fichier de session
++ include_spip('inc/auth');
+ $auteur = auth_desensibiliser_session($auteur);
+
+ $auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]);
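Review bot: style point on placement: `+ include_spip('inc/auth');` now sits between the comment `// ne pas enregistrer ces elements de securite dans le fichier de session` and the call it describes, so the comment reads as if it explains the include; moving the include above the comment, or next to `$row = $auteur;` at the top of the function, keeps the comment adjacent to `auth_desensibiliser_session($auteur)`. Functionally this is the right fix for the undefined-function risk introduced by patch 0010.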
diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series
--- spip-4.1.9+dfsg/debian/patches/series 2023-06-11 15:37:44.000000000 +0200
+++ spip-4.1.9+dfsg/debian/patches/series 2023-07-08 20:25:35.000000000 +0200
@@ -6,3 +6,6 @@
0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
0008-build-Up-cran-de-s-cu-en-1.5.3.patch
+0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
+0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch
+0011-fix-Inclusion-manquante-dans-5663.patch
--- End Message ---
--- Begin Message ---
Version: 12.1
The upload requested in this bug has been released as part of 12.1.
--- End Message ---