Bug#1059289: bullseye-pu: package spip/3.2.11-3+deb11u10

2024-01-31 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2023-12-22 at 13:32 +0100, David Prévot wrote:
> On Fri, Dec 22, 2023 at 01:21:56PM +0100, David Prévot wrote:
> […]
> >   [x] attach debdiff against the package in oldstable
> 
> For real now (the usual running gag of the missing attachment)…

Please go ahead.

Regards,

Adam



Bug#1059289: bullseye-pu: package spip/3.2.11-3+deb11u10

2023-12-30 Thread Salvatore Bonaccorso
Hi,

On Fri, Dec 22, 2023 at 01:21:56PM +0100, David Prévot wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: s...@packages.debian.org, t...@security.debian.org
> Control: affects -1 + src:spip
> 
> Another upstream release fixed a security (XSS) issue. The last two
> updates of this kind didn’t warrant a DSA, so I guess this one will not
> warrant one either (security team X-D-CCed in case I’m wrong).

To confirm, from security team perspective, this does not warrant a
DSA and can be fixed in the upcoming point release.

Regards,
Salvatore



Bug#1059289: bullseye-pu: package spip/3.2.11-3+deb11u10

2023-12-22 Thread David Prévot
On Fri, Dec 22, 2023 at 01:21:56PM +0100, David Prévot wrote:
[…]
>   [x] attach debdiff against the package in oldstable

For real now (the usual running gag of the missing attachment)… Merry Christmas.

Cheers.

taffit
diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog	2023-07-08 20:38:26.0 +0200
+++ spip-3.2.11/debian/changelog	2023-12-21 19:27:21.0 +0100
@@ -1,3 +1,10 @@
+spip (3.2.11-3+deb11u10) bullseye; urgency=medium
+
+  * Backport security fix from 4.1.13
+- fix XSS when calling some templates
+
+ -- David Prévot   Thu, 21 Dec 2023 19:27:21 +0100
+
 spip (3.2.11-3+deb11u9) bullseye; urgency=medium
 
   * Backport security fix from 4.1.11
diff -Nru spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch
--- spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch	1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch	2023-12-21 19:26:30.0 +0100
@@ -0,0 +1,68 @@
+From: Cerdic 
+Date: Thu, 9 Nov 2023 16:46:19 +0100
+Subject: =?utf-8?q?fix=3A_les_mod=C3=A8les_ins=C3=A9r=C3=A9s_dans_un_texte_?=
+ =?utf-8?q?h=C3=A9ritent_automatiquement_du_contexte=2C_a_l=27insu_des_reda?=
+ =?utf-8?q?cteurs=2E_Securiser_ce_qui_proviendrait_de_variables_envoy=C3=A9?=
+ =?utf-8?q?es_par_l=27utilisateur?=
+
+(cherry picked from commit d993a9797d839218a3fee84f80be60409b2c05f1)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb
+---
+ ecrire/public/assembler.php | 36 
+ 1 file changed, 36 insertions(+)
+
+diff --git a/ecrire/public/assembler.php b/ecrire/public/assembler.php
+index 8fc3f7a..ba77e48 100644
+--- a/ecrire/public/assembler.php
 b/ecrire/public/assembler.php
+@@ -563,6 +563,20 @@ function inclure_modele($type, $id, $params, $lien, $connect = '', $env = array(
+ 	$fond = 'modeles/' . $fond;
+ 	// Creer le contexte
+ 	$contexte = $env;
++	// securiser le contexte des modèles : tout ce qui arrive de _request() doit être sanitizé
++	foreach ($contexte as $k => &$v) {
++		if (!is_null(_request($k)) && (!is_scalar($v) || (_request($k) === $v))) {
++			include_spip('inc/texte_mini');
++			if (is_scalar($v)) {
++$v = spip_securise_valeur_env_modele($v);
++			} else {
++array_walk_recursive($v, function (&$value, $index) {
++	$value = spip_securise_valeur_env_modele($value);
++});
++			}
++		}
++	}
++
+ 	$contexte['dir_racine'] = _DIR_RACINE; # eviter de mixer un cache racine et un cache ecrire (meme si pour l'instant les modeles ne sont pas caches, le resultat etant different il faut que le contexte en tienne compte
+ 
+ 	// Le numero du modele est mis dans l'environnement
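Review bot: the loop iterates `$contexte` by reference (`foreach ($contexte as $k => &$v)`) and never releases the reference; add `unset($v);` after the loop, otherwise any later assignment to `$v` in this function silently overwrites the last context entry. Note also that a scalar entry is only sanitized when it is byte-identical to the request value (`_request($k) === $v`), so a value derived from user input but altered before being placed in `$env` is not covered; that limitation belongs in the comment above the loop. Minor: `include_spip('inc/texte_mini')` can be hoisted out of the loop instead of being called on every matching key.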
+@@ -616,6 +630,28 @@ function inclure_modele($type, $id, $params, $lien, $connect = '', $env = array(
+ 		: $retour;
+ }
+ 
++/**
++ * Sanitizer une valeur venant de _request() et passée à un modèle :
++ * on laisse passer les null, bool et numeriques (id et pagination),
++ * les @+nombre (pagination indirecte)
++ * ou sinon le \w + espace et tirets uniquement, pour les tris/sens tri etc
++ * mais rien de compliqué suceptible d'être interprété
++ *
++ * @param $valeur
++ * @return array|float|int|mixed|string|string[]|null
++ */
++function spip_securise_valeur_env_modele($valeur) {
++	if (is_numeric($valeur) || is_bool($valeur) || is_null($valeur)) {
++		return $valeur;
++	}
++	$valeur = (string)$valeur;
++	if (strpos($valeur, '@') === 0 && is_numeric(substr($valeur, 1))) {
++		return $valeur;
++	}
++	// on laisse passer que les \w, les espaces et les -, le reste est supprimé
++	return preg_replace(",[^\w\s-],", "", $valeur);
++}
++
+ // Un inclure_page qui marche aussi pour l'espace prive
+ // fonction interne a spip, ne pas appeler directement
+ // pour recuperer $page complet, utiliser:
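Review bot: the allowlist regex `,[^\w\s-],` has no `u` modifier, so `\w` covers ASCII word characters only and every non-ASCII byte (an accented letter in a sort key or label passed through the environment, for instance) is deleted rather than kept; if such values are expected to survive, make the class Unicode-aware (PHP's `u` modifier) or document the ASCII-only behaviour in the docblock. The docblock also has "suceptible" for "susceptible", and `@return array|float|int|mixed|string|string[]|null` is misleading: the function returns a scalar or null, the array case being handled by the caller's `array_walk_recursive`.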
diff -Nru spip-3.2.11/debian/patches/series spip-3.2.11/debian/patches/series
--- spip-3.2.11/debian/patches/series	2023-07-08 20:38:18.0 +0200
+++ spip-3.2.11/debian/patches/series	2023-12-21 19:26:30.0 +0100
@@ -56,3 +56,4 @@
 0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
 0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch
 0058-fix-Inclusion-manquante-dans-5663.patch
+0059-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch




Bug#1059289: bullseye-pu: package spip/3.2.11-3+deb11u10

2023-12-22 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:spip

Another upstream release fixed a security (XSS) issue. The last two
updates of this kind didn’t warrant a DSA, so I guess this one will not
warrant one either (security team X-D-CCed in case I’m wrong).

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-7-SPIP-4-1-13.html

The 3.2 branch is not maintained upstream anymore, but the patch has
been cherry-picked directly from the 4.1 branch. Also, I’ve already
deployed the proposed package on a server providing over 30 SPIP
websites.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit

