Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id
<736c7150dc08501cc89945035c406eaf9688e144.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1117828,
regarding trixie-pu: package spip/4.4.3+dfsg-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117828: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117828
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:spip
User: [email protected]
Usertags: pu
Hi,
SPIP upstream released a 4.4.5 version fixing an open redirect on an
AJAX login form.
It is not exploitable by default: the login form must have been
explicitly set to work with AJAX.
The fix has been reviewed by the security team; it does not warrant a
DSA, yet it would be nice to have it fixed via a point release.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Regards,
taffit
diff -Nru spip-4.4.3+dfsg/debian/changelog spip-4.4.3+dfsg/debian/changelog
--- spip-4.4.3+dfsg/debian/changelog 2025-04-10 13:59:24.000000000 +0200
+++ spip-4.4.3+dfsg/debian/changelog 2025-09-09 07:21:38.000000000 +0200
@@ -1,3 +1,10 @@
+spip (4.4.3+dfsg-1+deb13u1) trixie; urgency=medium
+
+ * Track debian/trixie
+ * Backport security fix from 4.4.5: Fix open redirect on ajax login form
+
+ -- David Prévot <[email protected]> Tue, 09 Sep 2025 07:21:38 +0200
+
spip (4.4.3+dfsg-1) unstable; urgency=medium
* Upload to unstable
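Review bot: the new changelog line names the upstream version but not the upstream security reference; since the patch header below carries `Refs: spip-security/securite#4865`, consider citing it in the changelog entry as well (e.g. `* Backport security fix from 4.4.5: Fix open redirect on ajax login form (spip-security/securite#4865)`) so the point-release announcement and tracker can link the issue directly.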
diff -Nru spip-4.4.3+dfsg/debian/control spip-4.4.3+dfsg/debian/control
--- spip-4.4.3+dfsg/debian/control 2025-03-18 00:01:51.000000000 +0100
+++ spip-4.4.3+dfsg/debian/control 2025-09-09 07:21:38.000000000 +0200
@@ -15,7 +15,7 @@
uglifyjs
Homepage: https://www.spip.net/
Standards-Version: 4.7.0
-Vcs-Git: https://salsa.debian.org/debian/spip.git
+Vcs-Git: https://salsa.debian.org/debian/spip.git -b debian/trixie
Vcs-Browser: https://salsa.debian.org/debian/spip
Rules-Requires-Root: no
diff -Nru spip-4.4.3+dfsg/debian/gbp.conf spip-4.4.3+dfsg/debian/gbp.conf
--- spip-4.4.3+dfsg/debian/gbp.conf 2025-04-10 13:52:41.000000000 +0200
+++ spip-4.4.3+dfsg/debian/gbp.conf 2025-09-09 07:21:38.000000000 +0200
@@ -1,4 +1,4 @@
[DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/trixie
pristine-tar = True
upstream-vcs-tag = %(version%~%-)s
diff -Nru spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch
--- spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch 2025-03-19 10:51:07.000000000 +0100
+++ spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch 2025-09-09 07:21:38.000000000 +0200
@@ -13,7 +13,7 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ecrire/inc_version.php b/ecrire/inc_version.php
-index 3b7d61b..effba72 100644
+index 45469b1..ab41a12 100644
--- a/ecrire/inc_version.php
+++ b/ecrire/inc_version.php
@@ -436,7 +436,7 @@ $liste_des_authentifications = [
diff -Nru spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch
--- spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch 2025-03-19 10:51:07.000000000 +0100
+++ spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch 2025-09-09 07:21:38.000000000 +0200
@@ -14,7 +14,7 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ecrire/inc_version.php b/ecrire/inc_version.php
-index effba72..c80f544 100644
+index ab41a12..157717f 100644
--- a/ecrire/inc_version.php
+++ b/ecrire/inc_version.php
@@ -461,7 +461,7 @@ $spip_sql_version = 1;
diff -Nru spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch
--- spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch 2025-09-09 07:21:38.000000000 +0200
@@ -0,0 +1,34 @@
+From: b_b <[email protected]>
+Date: Mon, 8 Sep 2025 10:04:10 +0200
+Subject: security: fix open redirect sur formulaire de login en ajax
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Dans certains cas, si la page de login est surchargée pour fonctionner en ajax,
+le formulaire de login pouvait permettre de rediriger sur un site externe non prévu.
+
+Refs: spip-security/securite#4865
+
+Origin: upstream, https://git.spip.net/spip/ecrire/-/commit/e434659fdedebc6f9bdaa862e45057f430dcf357
+---
+ ecrire/inc/headers.php | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/inc/headers.php b/ecrire/inc/headers.php
+index 401f031..e581b37 100644
+--- a/ecrire/inc/headers.php
++++ b/ecrire/inc/headers.php
+@@ -144,9 +144,10 @@ function redirige_formulaire($url, $equiv = '', $format = 'message') {
+ $url = strtr($url, "\n\r", ' ');
+ # en theorie on devrait faire ca tout le temps, mais quand la chaine
+ # commence par ? c'est imperatif, sinon l'url finale n'est pas la bonne
+- if ($url[0] == '?') {
+- $url = url_de_base() . $url;
++ if (in_array($url[0], ['?', '/']) && !str_starts_with($url, '//')) {
++ $url = url_de_base() . ltrim($url, '/');
+ }
++
+ $url = str_replace('&', '&', $url);
+ spip_log("redirige formulaire ajax: $url");
+ include_spip('inc/filtres');
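Review bot: the rewritten condition still reads `$url[0]` before checking that `$url` is non-empty, so if `redirige_formulaire()` is ever reached with an empty string PHP emits an "Uninitialized string offset" warning; this predates the patch, but since the line is being touched anyway, `(str_starts_with($url, '?') || str_starts_with($url, '/')) && !str_starts_with($url, '//')` handles the empty case and keeps the same semantics. `ltrim($url, '/')` is safe here because the `//` prefix is already excluded, so at most one leading slash is removed. Note also that `str_starts_with` requires PHP 8.0 or later, which trixie's PHP satisfies; worth confirming the package's PHP dependency reflects that.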
diff -Nru spip-4.4.3+dfsg/debian/patches/series spip-4.4.3+dfsg/debian/patches/series
--- spip-4.4.3+dfsg/debian/patches/series 2025-03-19 10:51:07.000000000 +0100
+++ spip-4.4.3+dfsg/debian/patches/series 2025-09-09 07:21:38.000000000 +0200
@@ -3,3 +3,4 @@
0003-Fix-displayed-version-in-the-private-interface.patch
0004-Use-getid3-class-from-the-php-getid3-package.patch
0005-Workaround-Composer-InstalledVersions-feature.patch
+0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.2
Hi,
The updates referenced in each of these bugs were included in today's
13.2 trixie point release.
Regards,
Adam
--- End Message ---