Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:sogo
User: [email protected]
Usertags: unblock
Please unblock package sogo

The main fix for this unblock request is the fix for #1104813, to use Debian packaged versions of some javascript libs. Additionally, I have included some upstream git cherry-picks for the new OIDC support in SOGo, which debuted in 5.12.0, and after a few months, SOGo users have found some issues with it. The final cherry-pick fixes escaping in a regex for the password-changing functionality.

[ Impact ]
If this isn't accepted, the biggest issue is the release team needing to update SOGo when/if they fix some JS vulnerabilities in angularjs, lodash, etc., as well as the OIDC support not playing well with some IDPs.

[ Tests ]
I have tested the packages in one of my own deployments.

[ Risks ]
The main risk is that I might not have been able to test some code path that uses one of the replaced JS libs, and thus have not found an issue. I did diff the vendored versions against the Debian versions and concluded they were the exact same code.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock sogo/5.12.1-2
diff -Nru sogo-5.12.1/debian/changelog sogo-5.12.1/debian/changelog --- sogo-5.12.1/debian/changelog 2025-05-04 23:21:03.000000000 +0200 +++ sogo-5.12.1/debian/changelog 2025-06-06 11:37:50.000000000 +0200 @@ -1,3 +1,11 @@ +sogo (5.12.1-2) unstable; urgency=medium + + * Replace vendoring of lodash, FileSaver and angularjs with packaged versions. + (Closes: #1104813) + * Cherry-pick post 5.12.1 fixes for OpenID and password management. + + -- Jordi Mallach <[email protected]> Fri, 06 Jun 2025 11:37:50 +0200 + sogo (5.12.1-1) unstable; urgency=medium * New upstream release. diff -Nru sogo-5.12.1/debian/control sogo-5.12.1/debian/control --- sogo-5.12.1/debian/control 2025-03-24 14:34:01.000000000 +0100 +++ sogo-5.12.1/debian/control 2025-06-06 11:37:34.000000000 +0200 @@ -62,7 +62,7 @@ Package: sogo-common Architecture: all -Depends: ${misc:Depends} +Depends: libjs-angularjs, libjs-filesaver, libjs-lodash, ${misc:Depends} Suggests: httpd Multi-Arch: foreign Description: Scalable groupware server - common files diff -Nru sogo-5.12.1/debian/patches/series sogo-5.12.1/debian/patches/series --- sogo-5.12.1/debian/patches/series 2025-05-04 23:16:30.000000000 +0200 +++ sogo-5.12.1/debian/patches/series 2025-06-06 09:45:21.000000000 +0200 @@ -11,3 +11,5 @@ python3.patch disable_isIpv4_test.patch cross.patch +upstream_openid_fixes.patch +upstream_password_regex.patch diff -Nru sogo-5.12.1/debian/patches/upstream_openid_fixes.patch sogo-5.12.1/debian/patches/upstream_openid_fixes.patch --- sogo-5.12.1/debian/patches/upstream_openid_fixes.patch 1970-01-01 01:00:00.000000000 +0100 +++ sogo-5.12.1/debian/patches/upstream_openid_fixes.patch 2025-06-06 09:45:21.000000000 +0200 
@@ -0,0 +1,161 @@ +commit c5fb3482e22f1bfc935213e8ed7208becd9bd1f4 +Author: Hivert Quentin <[email protected]> +Date: Tue May 13 16:03:13 2025 +0200 + + fix(openid): make end_session_endpoint optional + +diff --git a/Documentation/SOGoInstallationGuide.asciidoc b/Documentation/SOGoInstallationGuide.asciidoc +index ae9951da9..372f6b4f8 100644 +--- a/Documentation/SOGoInstallationGuide.asciidoc ++++ b/Documentation/SOGoInstallationGuide.asciidoc +@@ -1612,7 +1612,7 @@ Defaults to `0` when unset. + + |S |SOGoOpenIdLogoutEnabled + |Allow user to end their openId with the webmail. Meaning that will disconnect them from +-the others applicaitons as well. ++the others applicaitons as well. The openid server must have a end_session_endpoint. + + Defaults to `NO` when unset. + |======================================================================= +diff --git a/SoObjects/SOGo/SOGoOpenIdSession.m b/SoObjects/SOGo/SOGoOpenIdSession.m +index 024d27e15..0dda9b5c2 100644 +--- a/SoObjects/SOGo/SOGoOpenIdSession.m ++++ b/SoObjects/SOGo/SOGoOpenIdSession.m +@@ -238,7 +238,9 @@ static BOOL SOGoOpenIDDebugEnabled = YES; + self->authorizationEndpoint = [config objectForKey: @"authorization_endpoint"]; + self->tokenEndpoint = [config objectForKey: @"token_endpoint"]; + self->userinfoEndpoint = [config objectForKey: @"userinfo_endpoint"]; +- self->endSessionEndpoint = [config objectForKey: @"end_session_endpoint"]; ++ ++ if([config objectForKey: @"end_session_endpoint"]) ++ self->endSessionEndpoint = [config objectForKey: @"end_session_endpoint"]; + + //Optionnals? 
+ if([config objectForKey: @"introspection_endpoint"]) +@@ -346,7 +348,8 @@ static BOOL SOGoOpenIDDebugEnabled = YES; + ASSIGN (authorizationEndpoint, [sessionDict objectForKey: @"authorization_endpoint"]); + ASSIGN (tokenEndpoint, [sessionDict objectForKey: @"token_endpoint"]); + ASSIGN (userinfoEndpoint, [sessionDict objectForKey: @"userinfo_endpoint"]); +- ASSIGN (endSessionEndpoint, [sessionDict objectForKey: @"end_session_endpoint"]); ++ if([sessionDict objectForKey: @"end_session_endpoint"]) ++ ASSIGN (endSessionEndpoint, [sessionDict objectForKey: @"end_session_endpoint"]); + + //Optionnals? + if([sessionDict objectForKey: @"introspection_endpoint"]) +@@ -370,7 +373,8 @@ static BOOL SOGoOpenIDDebugEnabled = YES; + [sessionDict setObject: authorizationEndpoint forKey: @"authorization_endpoint"]; + [sessionDict setObject: tokenEndpoint forKey: @"token_endpoint"]; + [sessionDict setObject: userinfoEndpoint forKey: @"userinfo_endpoint"]; +- [sessionDict setObject: endSessionEndpoint forKey: @"end_session_endpoint"]; ++ if(endSessionEndpoint) ++ [sessionDict setObject: endSessionEndpoint forKey: @"end_session_endpoint"]; + + //Optionnals? + if(introspectionEndpoint) +commit 085fc4a9eb7d1e2a0f7b48baa1f09a8ba0d515e1 +Author: Hivert Quentin <[email protected]> +Date: Tue May 20 09:08:46 2025 +0200 + + fix(openid): add state in connection flow + +diff --git a/SoObjects/SOGo/SOGoOpenIdSession.m b/SoObjects/SOGo/SOGoOpenIdSession.m +index 0dda9b5c2..38710f4a1 100644 +--- a/SoObjects/SOGo/SOGoOpenIdSession.m ++++ b/SoObjects/SOGo/SOGoOpenIdSession.m +@@ -18,6 +18,8 @@ + * Boston, MA 02111-1307, USA. 
+ */ + ++#import <Foundation/NSProcessInfo.h> ++ + #import <NGObjWeb/WOHTTPConnection.h> + #import <NGObjWeb/WORequest.h> + #import <NGObjWeb/WOResponse.h> +@@ -435,6 +437,12 @@ static BOOL SOGoOpenIDDebugEnabled = YES; + nextCheckAfter: nextCheck]; + } + ++ ++-(NSString *) _random_state ++{ ++ return [[[NSProcessInfo processInfo] globallyUniqueString] asSHA1String];; ++} ++ + - (NSString*) loginUrl: (NSString *) oldLocation + { + NSString* logUrl; +@@ -442,6 +450,7 @@ static BOOL SOGoOpenIDDebugEnabled = YES; + logUrl = [logUrl stringByAppendingString: @"&response_type=code"]; + logUrl = [logUrl stringByAppendingFormat: @"&client_id=%@", self->openIdClient]; + logUrl = [logUrl stringByAppendingFormat: @"&redirect_uri=%@", oldLocation]; ++ logUrl = [logUrl stringByAppendingFormat: @"&state=%@", [self _random_state]]; + if(self->forDomain != nil && [self->forDomain length] > 0) + logUrl = [logUrl stringByAppendingFormat: @"&sogo_domain=%@", forDomain]; + // logurl = [self->logurl stringByAppendingFormat: @"&state=%@", state]; +diff --git a/UI/MainUI/SOGoUserHomePage.m b/UI/MainUI/SOGoUserHomePage.m +index 9a56ed962..e9c5d9573 100644 +--- a/UI/MainUI/SOGoUserHomePage.m ++++ b/UI/MainUI/SOGoUserHomePage.m +@@ -447,9 +447,9 @@ + } + else if ([authType isEqualToString: @"openid"]) + { +- SOGoOpenIdSession* session; +- session = [SOGoOpenIdSession OpenIdSession: loginDomain]; +- redirectURL = [session logoutUrl]; ++ SOGoOpenIdSession* sessionOidc; ++ sessionOidc = [SOGoOpenIdSession OpenIdSession: loginDomain]; ++ redirectURL = [sessionOidc logoutUrl]; + } + #if defined(SAML2_CONFIG) + else if ([authType isEqualToString: @"saml2"]) +commit 9954c3607bfda55424f5ac532a1075407235f345 +Author: Hivert Quentin <[email protected]> +Date: Wed May 21 14:50:41 2025 +0200 + + fix(openid): allow expires_in param to be null + +diff --git a/SOPE/GDLContentStore/GCSSpecialQueries.m b/SOPE/GDLContentStore/GCSSpecialQueries.m +index 167b38559..ca7709e03 100644 +--- 
a/SOPE/GDLContentStore/GCSSpecialQueries.m ++++ b/SOPE/GDLContentStore/GCSSpecialQueries.m +@@ -218,7 +218,7 @@ + @" c_old_session VARCHAR(4096) NULL," + @" c_session_started INT4 NOT NULL," + @" c_refresh_token VARCHAR(4096) NULL," +- @" c_access_token_expires_in INT4 NOT NULL," ++ @" c_access_token_expires_in INT4 NULL," + @" c_refresh_token_expires_in INT4 NULL)"); + + return [NSString stringWithFormat: sqlFolderFormat, tableName]; +@@ -379,7 +379,7 @@ + @" c_old_session VARCHAR(4096) NULL," + @" c_session_started INT4 NOT NULL," + @" c_refresh_token VARCHAR(4096) NULL," +- @" c_access_token_expires_in INT4 NOT NULL," ++ @" c_access_token_expires_in INT4 NULL," + @" c_refresh_token_expires_in INT4 NULL)"); + + return [NSString stringWithFormat: sqlFolderFormat, tableName]; +@@ -540,7 +540,7 @@ + @" c_old_session VARCHAR2(4096) NULL," + @" c_session_started INTEGER NOT NULL," + @" c_refresh_token VARCHAR2(4096) NULL," +- @" c_access_token_expires_in INTEGER NOT NULL," ++ @" c_access_token_expires_in INTEGER NULL," + @" c_refresh_token_expires_in INTEGER NULL)"); + + return [NSString stringWithFormat: sqlFolderFormat, tableName]; +diff --git a/Scripts/mysql-utf8mb4.sql b/Scripts/mysql-utf8mb4.sql +index 38dd90ecb..41a8824e5 100644 +--- a/Scripts/mysql-utf8mb4.sql ++++ b/Scripts/mysql-utf8mb4.sql +@@ -170,7 +170,7 @@ CREATE TABLE sogo_opend_id ( + c_old_session varchar(4096) DEFAULT '', + c_session_started int(11) NOT NULL, + c_refresh_token varchar(4096) DEFAULT '', +- c_access_token_expires_in int(11) NOT NULL, ++ c_access_token_expires_in int(11) DEFAULT '', + c_refresh_token_expires_in int(11) DEFAULT NULL, + PRIMARY KEY (c_user_session) + ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC; diff -Nru sogo-5.12.1/debian/patches/upstream_password_regex.patch sogo-5.12.1/debian/patches/upstream_password_regex.patch --- sogo-5.12.1/debian/patches/upstream_password_regex.patch 1970-01-01 01:00:00.000000000 +0100 +++ 
sogo-5.12.1/debian/patches/upstream_password_regex.patch 2025-06-06 09:45:21.000000000 +0200 @@ -0,0 +1,19 @@ +commit e36d0d219baed8c7d57af0069fadb8d1bf7df072 +Author: Hivert Quentin <[email protected]> +Date: Tue May 13 16:51:08 2025 +0200 + + fix(password): put correct regex for special char + +diff --git a/SoObjects/SOGo/SOGoPasswordPolicy.m b/SoObjects/SOGo/SOGoPasswordPolicy.m +index 02bb8be07..5db36c4a5 100644 +--- a/SoObjects/SOGo/SOGoPasswordPolicy.m ++++ b/SoObjects/SOGo/SOGoPasswordPolicy.m +@@ -33,7 +33,7 @@ static const NSString *POLICY_MIN_DIGIT = @"POLICY_MIN_DIGIT"; + static const NSString *POLICY_MIN_SPECIAL_SYMBOLS = @"POLICY_MIN_SPECIAL_SYMBOLS"; + static const NSString *POLICY_MIN_LENGTH = @"POLICY_MIN_LENGTH"; + +-static const NSString *SPECIAL_SYMBOL_ALLOWED = @"%$&*(){}!?\\@#.,:;+=\\[\\]\\|<>\\/-_"; ++static const NSString *SPECIAL_SYMBOL_ALLOWED = @"%$&*(){}!?\\@#.,:;+=\\[\\]\\|<>\\/\\-_"; + + @implementation SOGoPasswordPolicy + diff -Nru sogo-5.12.1/debian/rules sogo-5.12.1/debian/rules --- sogo-5.12.1/debian/rules 2025-03-21 13:22:07.000000000 +0100 +++ sogo-5.12.1/debian/rules 2025-06-06 11:37:34.000000000 +0200 
@@ -45,6 +45,15 @@ mkdir -p debian/tmp/usr/share/GNUstep/SOGo mv debian/tmp/usr/lib/*/GNUstep/SOGo/Templates debian/tmp/usr/lib/*/GNUstep/SOGo/WebServerResources debian/tmp/usr/share/GNUstep/SOGo + # Use packaged 3rd party javascript libraries available in Debian + rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/FileSaver.min.js* + rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.js + rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.min.js* + rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-{animate,aria,cookies,messages,sanitize}.js + rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-{animate,aria,cookies,messages,sanitize}.min.js* + rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.js + rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.min.js* + dh_install override_dh_installchangelogs: diff -Nru sogo-5.12.1/debian/sogo-common.links sogo-5.12.1/debian/sogo-common.links --- sogo-5.12.1/debian/sogo-common.links 1970-01-01 01:00:00.000000000 +0100 +++ sogo-5.12.1/debian/sogo-common.links 2025-06-06 09:45:21.000000000 +0200 
@@ -0,0 +1,15 @@ +usr/share/javascript/angular.js/angular.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.js +usr/share/javascript/angular.js/angular.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.min.js +usr/share/javascript/angular.js/angular-animate.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-animate.js +usr/share/javascript/angular.js/angular-animate.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-animate.min.js +usr/share/javascript/angular.js/angular-aria.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-aria.js +usr/share/javascript/angular.js/angular-aria.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-aria.min.js +usr/share/javascript/angular.js/angular-cookies.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-cookies.js +usr/share/javascript/angular.js/angular-cookies.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-cookies.min.js +usr/share/javascript/angular.js/angular-messages.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-messages.js +usr/share/javascript/angular.js/angular-messages.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-messages.min.js +usr/share/javascript/angular.js/angular-sanitize.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-sanitize.js +usr/share/javascript/angular.js/angular-sanitize.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-sanitize.min.js +usr/share/javascript/filesaver/FileSaver.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/FileSaver.min.js +usr/share/javascript/lodash/lodash.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.js +usr/share/javascript/lodash/lodash.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.min.js
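Review bot: the new `Depends: libjs-angularjs, libjs-filesaver, libjs-lodash` in debian/control is unversioned, while the risk section says the vendored and packaged copies were diffed and found identical, which can only hold for the specific libjs-* versions compared. A versioned dependency (at least the versions the comparison was made against) keeps that guarantee meaningful, and also ensures that the paths symlinked from sogo-common.links (angular-aria.js, angular-messages.js and friends) actually exist in the installed libjs-angularjs.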
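Review bot: the added line in SOGoInstallationGuide.asciidoc keeps the existing typo `applicaitons` and reads `a end_session_endpoint`; since the line is being rewritten anyway, `the other applications as well. The OpenID server must have an end_session_endpoint.` would be the moment to fix it. In the three SOGoOpenIdSession.m hunks of the same commit the new guards mean `endSessionEndpoint` can now be nil while `SOGoOpenIdLogoutEnabled` is `YES`; the visible lines do not show what `logoutUrl` does in that case, so it is worth confirming that the logout path handles a missing endpoint (for example by falling back to a local-only logout) rather than formatting a URL from nil.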
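Review bot: the `state` parameter appended in `loginUrl:` is generated by `_random_state`, but nothing in this hunk stores the value in the session or compares it when the provider redirects back; `state` only protects the authorization code flow against login CSRF when the callback rejects responses whose `state` was not issued for that browser session, so either the check belongs in this change or the commit message should say where it happens. `globallyUniqueString` is also a uniqueness guarantee rather than an unpredictability one, and hashing it with SHA-1 adds no entropy, so a CSPRNG-backed value would be the safer source. Minor: the stray `;;` in `_random_state`, and the now-redundant commented-out `// logurl = [self->logurl stringByAppendingFormat: @"&state=%@", state];` line just below the new one could be dropped.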

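Review bot: in Scripts/mysql-utf8mb4.sql the new `c_access_token_expires_in int(11) DEFAULT ''` puts an empty-string default on an integer column, which MySQL rejects as an invalid default under strict SQL mode and which does not match the `INT4 NULL` / `INTEGER NULL` used in the three GCSSpecialQueries.m hunks of the same commit; `DEFAULT NULL`, as on the neighbouring `c_refresh_token_expires_in`, would be consistent. Note also that all four hunks only touch CREATE TABLE text, so deployments whose `sogo_opend_id` table was already created with the `NOT NULL` definition will keep rejecting a null `expires_in` until an ALTER TABLE is run; an upgrade note or migration step seems needed.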
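Review bot: the one-character change in SOGoPasswordPolicy.m is correct and deserves a code comment: assuming `SPECIAL_SYMBOL_ALLOWED` is placed inside a character class (the unescaped `*`, `(`, `+` and `.` suggest it is), an unescaped `/-_` is a range from U+002F to U+005F, so the old pattern also matched digits, `:;<=>?@`, uppercase letters and `^`, and a password with no special character at all could have satisfied POLICY_MIN_SPECIAL_SYMBOLS; escaping the hyphen as `\\-` makes it literal. A small test (for instance asserting that a password such as `Abcdef1` counts zero special symbols) would pin the behaviour so the escape is not "simplified" away again later.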

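Review bot: the `rm -f .../angular-{animate,aria,cookies,messages,sanitize}.js` and `.min.js*` lines in debian/rules rely on brace expansion, a bash feature; make recipes run under `/bin/sh` (dash on Debian) unless the rules file sets `SHELL := /bin/bash`, which this diff does not show. Under dash the braces are taken literally, nothing matches, and `rm -f` hides the miss, so the vendored angular-* copies would stay in the package next to the symlinks added by sogo-common.links. Listing the ten files explicitly, or looping over the module names with `for m in animate aria cookies messages sanitize; do rm -f ...angular-$m.js ...angular-$m.min.js*; done`, removes the dependency on the shell. Since the point of #1104813 is that JS security fixes reach SOGo through the libjs-* packages, a build-time check that `js/vendor/` ends up containing only symlinks for these libraries would make a regression visible.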