Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:spip
This issue is similar to #1040756 in bookworm.
Another upstream release fixed a security issue. It introduces some
factorisation adding two more clean-ups in sessions. We agreed with the
security team that this doesn't warrant a DSA.
https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html
The 3.2 branch is not maintained upstream anymore, but the patches have
been cherry-picked directly from the 4.1 branch, except for the first
one that needed some slight editing. Also, I’ve already deployed the
proposed package on a server providing over 30 SPIP websites.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Thanks in advance.
Regards,
taffit
diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog 2023-06-11 15:47:39.0 +0200
+++ spip-3.2.11/debian/changelog 2023-07-08 20:38:26.0 +0200
@@ -1,3 +1,11 @@
+spip (3.2.11-3+deb11u9) bullseye; urgency=medium
+
+ * Backport security fix from 4.1.11
+- use an auth_desensibiliser_session() function to centralize extended
+ authentification data filtering.
+
+ -- David Prévot Sat, 08 Jul 2023 20:38:26 +0200
+
spip (3.2.11-3+deb11u8) bullseye; urgency=medium
* Backport security fixes from 4.1.10
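Review bot: the changelog bullet misspells "authentification" (should be "authentication"), and it only describes the first patch, while the debdiff below also adds 0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch, which applies the same helper elsewhere; record both patches in the entry. Since this is a security backport, also cite the upstream reference that the cover mail gives, e.g. `- use an auth_desensibiliser_session() function to centralize extended authentication data filtering (https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html).`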
diff -Nru spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
--- spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 2023-07-08 20:38:18.0 +0200
@@ -0,0 +1,69 @@
+From: Cerdic
+Date: Mon, 3 Jul 2023 10:23:02 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?=
+ =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?=
+ =?utf-8?q?ration_d=E2=80=99une_session?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur,
+- qu'on utilise lors de la preparation d'une session
+- et dans informer_login
+
+Refs: spip-team/securite#4847
+(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676
+---
+ ecrire/inc/auth.php | 23 ++-
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 12fc4ce..cb61446 100644
+--- a/ecrire/inc/auth.php
b/ecrire/inc/auth.php
+@@ -249,11 +249,7 @@ function auth_init_droits($row) {
+ $GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
+
+ // au cas ou : ne pas memoriser les champs sensibles
+- unset($GLOBALS['visiteur_session']['pass']);
+- unset($GLOBALS['visiteur_session']['htpass']);
+- unset($GLOBALS['visiteur_session']['alea_actuel']);
+- unset($GLOBALS['visiteur_session']['alea_futur']);
+- unset($GLOBALS['visiteur_session']['ldap_password']);
++ $GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+
+ // creer la session au besoin
+ if (!isset($_COOKIE['spip_session'])) {
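Review bot: this hunk is a behaviour change, not only a factorisation: the five removed `unset()` calls covered `pass`, `htpass`, `alea_actuel`, `alea_futur` and `ldap_password`, whereas the replacement helper's list also contains `backup_cles`, so `visiteur_session` now loses one more field than before. That is presumably the security-relevant part of the fix, but d/changelog only says "centralize"; name the newly stripped key there. Calling `auth_desensibiliser_session()` before its definition further down the file is fine for a top-level PHP function. Separately, the `+++ b/ecrire/inc/auth.php` file header appears in the posted debdiff as just `b/ecrire/inc/auth.php`; double-check that the patch file in the source package is intact and applies cleanly.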
+@@ -310,6 +306,22 @@ function auth_init_droits($row) {
+ return ''; // i.e. pas de pb.
+ }
+
++/**
++ * Enlever les clés sensibles d'une ligne auteur
++ * @param array $auteur
++ * @return array
++ */
++function auth_desensibiliser_session(array $auteur) {
++ $cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++ foreach ($cles_sensibles as $cle) {
++ if (isset($auteur[$cle])) {
++ unset($auteur[$cle]);
++ }
++ }
++
++ return $auteur;
++}
++
+ /**
+ * Retourne l'url de connexion
+ *
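Review bot: the `isset($auteur[$cle])` guard in front of `unset()` is redundant and slightly misleading: `unset()` on a missing key is a no-op, and `isset()` returns false for a key whose value is `null`, so a null-valued sensitive key would survive the loop (harmless for these fields, but the guard buys nothing). Simplify the body to `foreach ($cles_sensibles as $cle) { unset($auteur[$cle]); }`. The docblock also calls the input a "ligne auteur" while the name says "session"; one sentence noting that the helper is meant for both `$GLOBALS['visiteur_session']` and raw author rows would help future maintainers of this branch.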
+@@ -490,6 +502,7 @@ function auth_informer_login($login, $serveur = '') {
+ }
+
+ $prefs = unserialize($row['prefs']);
++ $row = auth_desensibiliser_session($row);
+ $infos = array(
+ 'id_auteur' => $row['id_auteur'],
+ 'login' => $row['login'],
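Review bot: the call `$row = auth_desensibiliser_session($row);` is placed after `$prefs = unserialize($row['prefs']);`, which is only safe because `prefs` is not in the helper's list of stripped keys; if that list ever grows, this line would silently start reading an unset key. Either move the call before the `unserialize()` and keep reading `prefs` from the original row, or add a short comment pinning the ordering. Note that `$infos` below is built from explicitly named keys (`id_auteur`, `login`, ...), so the stripping here only protects whatever consumes `$row` wholesale after the visible lines.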
diff -Nru spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch
--- spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch 1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch 2023-07-08 20:38:18.0 +0200
@@ -0,0 +1,69 @@