Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,

As agreed with the security team, the two XSS fixes from the latest
upstream version do not deserve a DSA, yet I’d like to fix them via pu
if you agree, debdiff attached. There is no upstream fix available (yet)
for the 2.1 branch (that is still supported), so I won’t follow up with
a pu request for Wheezy for the moment.

Regards

David
diff -Nru spip-3.0.17/debian/changelog spip-3.0.17/debian/changelog
--- spip-3.0.17/debian/changelog 2014-10-25 20:52:48.0 -0400
+++ spip-3.0.17/debian/changelog 2015-11-01 15:34:31.0 -0400
@@ -1,3 +1,10 @@
+spip (3.0.17-2+deb8u1) jessie; urgency=medium
+
+ * Track Jessie
+ * Backport XSS fixes in private content from 3.0.21
+
+ -- David Prévot Sun, 01 Nov 2015 15:34:00 -0400
+
spip (3.0.17-2) unstable; urgency=medium
[ Frans Spiesschaert ]
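Review bot: the changelog entry for 3.0.17-2+deb8u1 names the backported fixes but not the upstream issue they address; the new patch file below carries `Bug: https://core.spip.net/issues/3371`, so adding that URL to the `* Backport XSS fixes in private content from 3.0.21` line would let someone reading the changelog alone locate the issue and the listed upstream revisions.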
diff -Nru spip-3.0.17/debian/gbp.conf spip-3.0.17/debian/gbp.conf
--- spip-3.0.17/debian/gbp.conf 2014-10-25 20:50:16.0 -0400
+++ spip-3.0.17/debian/gbp.conf 2015-11-01 15:11:01.0 -0400
@@ -1,3 +1,3 @@
[DEFAULT]
-debian-branch = 3.0
+debian-branch = jessie
upstream-branch = upstream-3.0
diff -Nru spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch
--- spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch 1969-12-31 20:00:00.0 -0400
+++ spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch 2015-11-01 15:31:01.0 -0400
@@ -0,0 +1,173 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?=
+Date: Sat, 10 Oct 2015 10:44:19 +
+Subject: Fix XSS in private content
+
+Bug: https://core.spip.net/issues/3371
+Origin: Upstream, http://zone.spip.org/trac/spip-zone/changeset/92236,
+ https://core.spip.net/projects/spip/repository/revisions/22427,
+ https://core.spip.net/projects/spip/repository/revisions/22450,
+ https://core.spip.net/projects/spip/repository/revisions/22429
+---
+ ecrire/inc/texte.php | 7
+ ecrire/inc/texte_mini.php | 43 --
+ plugins-dist/revisions/inc/revisions.php | 3 ++
+ .../prive/squelettes/contenu/revision.html | 6 +--
+ prive/squelettes/ajax.html | 2 +-
+ prive/squelettes/head/dist.html| 2 +-
+ prive/squelettes/structure.html| 4 +-
+ 7 files changed, 57 insertions(+), 10 deletions(-)
+
+diff --git a/ecrire/inc/texte.php b/ecrire/inc/texte.php
+index af706b3..c0cec0b 100644
+--- a/ecrire/inc/texte.php
b/ecrire/inc/texte.php
+@@ -156,6 +156,7 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ if (is_null($connect)){
+ $connect = '';
+ $interdire_script = true;
++ $env['espace_prive'] = 1;
+ }
+
+ // Echapper les codes etc
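Review bot: in the `is_null($connect)` branch of `typo()`, `$env['espace_prive'] = 1` reuses the heuristic already behind `$interdire_script = true`: a null `$connect` is taken to mean "rendering for the private area". Because the signature defaults `$connect` to `null`, every caller that simply omits the argument now also gets the new private-area escaping, which is a behaviour change for those callers; a one-line comment beside the assignment (or a sentence in the patch description) should record that this is intended.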
+@@ -183,6 +184,12 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ if ($interdire_script)
+ $letexte = interdire_scripts($letexte);
+
++ // Dans l'espace prive on se mefie de tout contenu dangereux
++ // https://core.spip.net/issues/3371
++ if (isset($env['espace_prive']) AND $env['espace_prive']){
++ $letexte = echapper_html_suspect($letexte);
++ }
++
+ return $letexte;
+ }
+
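Review bot: the new `echapper_html_suspect()` call is gated only on `$env['espace_prive']`, and that flag is set by this patch solely in the `is_null($connect)` branch above; a private-area caller that passes an explicit `$connect` gets the extra escaping only if it sets `$env['espace_prive']` itself. The patch description should spell out that contract, otherwise such callers look protected but are not.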
+diff --git a/ecrire/inc/texte_mini.php b/ecrire/inc/texte_mini.php
+index f3c2429..901d903 100644
+--- a/ecrire/inc/texte_mini.php
b/ecrire/inc/texte_mini.php
+@@ -385,15 +385,52 @@ function echapper_faux_tags($letexte){
+ $letexte = "";
+ while (count($textMatches)) {
+ // un texte a echapper
+- $letexte .= str_replace(array("<"),array(''),array_shift($textMatches));
++ $letexte .= str_replace("<",'',array_shift($textMatches));
+ // un tag html qui a servit a faite le split
+ $letexte .= array_shift($textMatches);
+ }
+ return $letexte;
+ }
+
+-// Securite : utiliser SafeHTML s'il est present dans ecrire/safehtml/
+-// http://doc.spip.org/@safehtml
++/**
++ * Si le html contenu dans un texte ne passe pas sans transformation a travers safehtml
++ * on l'echappe
++ * si safehtml ne renvoie pas la meme chose on echappe les < en pour montrer le contenu brut
++ *
++ * @param string $texte
++ * @return string
++ */
++function echapper_html_suspect($texte){
++ if (strpos($texte,'<')===false OR strpos($texte,'=')===false)
++ return $texte;
++
++ // on teste sur strlen car safehtml supprime le contenu dangereux
++ // mais il peut aussi changer des ' en " sur les attributs html,
++ // donc un test d'egalite est trop strict
++ if (strlen(safehtml($texte))!==strlen($texte)){
++ $texte = str_replace("<","",$texte);
++ }
++
++ return $texte;
++}
++
++
++/**
++ * Sécurise un texte HTML
++ *
++ * Échappe le code PHP et JS.
++ * Applique en plus safehtml si un plugin le définit dans inc/safehtml.php
++ *
++ * Permet de protéger les textes issus d'une origine douteuse
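Review bot: the early return in `echapper_html_suspect()` when `strpos($texte,'=')===false` means markup carrying no `=` is never passed to `safehtml()`, so this function only covers attribute-borne content and silently relies on the preceding `interdire_scripts()` call in `typo()` for the rest; either drop the `=` shortcut (the `strlen` comparison that follows is cheap) or state that dependency in the docblock. Relatedly, the check documented at `// on teste sur strlen car safehtml supprime le contenu dangereux` accepts any rewrite that leaves the length unchanged; comparing the two strings after normalising `'` to `"` would be the stricter test the comment says plain equality was too strict for.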