Bug#682808: pu: package spip/2.1.1-3squeeze4

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#682808: pu: package spip/2.1.1-3squeeze4
From: David Prévot <taffit@debian.org>
Date: Wed, 25 Jul 2012 16:16:34 -0400
Message-id: <20120725201634.17380.11187.reportbug@mikado.tilapin.org>
Reply-to: David PrÃ©vot <taffit@debian.org>, 682808@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi release team,

The spip package currently in stable is vulnerable to some security
issues (#677290, #672961, #680118), the last one being pretty nasty…

Having no answer from the security team, I hereby propose this update
via the upcoming point release. As in #680381, the attached debdiff is
pretty thin: most of the changes, in the security screen file, are due
to rewritten comments.

The package is available on ravel:
	http://people.debian.org/~taffit/spip/spip_2.1.1-3squeeze4.dsc

Cheers

David

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQEFQeAAoJELgqIXr9/gnyQrcP+gIjpnsZTxWkN1UDMOXOFAea
nr/zymlRiB+t0HyktX6dC77pL0332f8txkGETysfwMJnMtnTCe6fnEzjspwiw75w
nxDTd2u162ehSndQpkgSxy+Es4hOdlRU1qVBOx1oD2yfFBn3kOnzB3ZqUwOdyxO7
6A0Ps19srY7rivASnDGs4DH+8zbDnsVkVyXwZ3n+OmcalZyZrW7o0AnatmpZSe78
/vNaIwXK1mHb3uVGsM55XpxidJCsiJmQS47j7DYS+aRu2xAgfPhtYf/treTwzce+
H81rc0tjfQbeJRTrIEX7n31zEZvkmeh2Wnc6U5zRc/ZtImhu7/DCSMwH6u+TKxvo
LYYHisW8VdPG2bmbalIflTB8y3oyOodsAfb3qGOzmHAVk1YjWX+iG23dnJGpu5zP
XQEu/O5B1+JY+p7zyoOARbNXtMo4bXB8MnXH0OuLpCjl9LPtoGKscxmGrkyeNn63
RVVmhZql+G2JTtWiVFJreRgsLiBDEP3QqyeWQvduYwCtQt7sTmZPJBgLi3Ak7dCU
3gmr+4fcPP0TOfOHI2aSyMA7p8T+f+q/M7rlel4BZg1ZZQJztKAFxZpDnmsqgNyL
PTN3Flkb8c2dBRhFBcoxaLvbhmd93aYlkTLgNDcsr8r3oCPDp2IfSHVeU8+fOvsD
ccKkAvjkZh0+zRl+/1JH
=1vsI
-----END PGP SIGNATURE-----

diffstat for spip_2.1.1-3squeeze3 spip_2.1.1-3squeeze4

 debian/patches/fix_XSS_in_password.patch      |   18 +++
 debian/patches/fix_XSS_in_variable_name.patch |   19 +++
 spip-2.1.1/debian/changelog                   |   16 +++
 spip-2.1.1/debian/patches/series              |    2 
 spip-2.1.1/debian/security/ecran_securite.php |  130 ++++++++++++++++----------
 5 files changed, 137 insertions(+), 48 deletions(-)

diff -u spip-2.1.1/debian/changelog spip-2.1.1/debian/changelog
--- spip-2.1.1/debian/changelog
+++ spip-2.1.1/debian/changelog
@@ -1,3 +1,19 @@
+spip (2.1.1-3squeeze4) stable-security; urgency=low
+
+  * Non-maintainer upload by the Security Team.
+  * Updated security screen to 1.1.3. Prevent cross site scripting on referer
+    (addresses missing bits of [CVE-2012-2151]), cross site scripting and PHP
+    injections in internal functions.
+  Closes: #680118
+  * Backport patch from 2.1.14:
+    - fix XSS on password.
+  Closes: #672961
+  * Backport patch from 2.1.15:
+    - fix XSS injection in variable name.
+  Closes: #677290
+
+ -- David Prévot <taffit@debian.org>  Tue, 03 Jul 2012 14:24:23 -0400
+
 spip (2.1.1-3squeeze3) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -u spip-2.1.1/debian/security/ecran_securite.php spip-2.1.1/debian/security/ecran_securite.php
--- spip-2.1.1/debian/security/ecran_securite.php
+++ spip-2.1.1/debian/security/ecran_securite.php
@@ -5,21 +5,20 @@
  * ------------------
  */
 
-define('_ECRAN_SECURITE', '1.0.10'); // 17 avril  2012
+define('_ECRAN_SECURITE', '1.1.3'); // 3 juillet 2012
 
 /*
  * Documentation : http://www.spip.net/fr_article4200.html
- *
  */
 
 /*
- * test utilisateur
+ * Test utilisateur
  */
 if (isset($_GET['test_ecran_securite']))
 	$ecran_securite_raison = 'test '._ECRAN_SECURITE;
 
 /*
- * detecteur de robot d'indexation
+ * Détecteur de robot d'indexation
  */
 if (!defined('_IS_BOT'))
 	define('_IS_BOT',
@@ -28,10 +27,11 @@
 			(string) $_SERVER['HTTP_USER_AGENT'])
 	);
 
-/*     - interdit de passer une variable id_article (ou id_xxx) qui ne
- *       soit pas numerique (ce qui bloque l'exploitation de divers trous
- *       de securite, dont celui de toutes les versions < 1.8.2f)
- *       (sauf pour id_table, qui n'est pas numerique jusqu'a [5743])
+/*
+ * Interdit de passer une variable id_article (ou id_xxx) qui ne
+ * soit pas numérique (ce qui bloque l'exploitation de divers trous
+ * de sécurité, dont celui de toutes les versions < 1.8.2f)
+ * (sauf pour id_table, qui n'est pas numérique jusqu'à [5743])
  */
 foreach ($_GET as $var => $val)
 	if ($_GET[$var] AND strncmp($var,"id_",3)==0 AND $var!='id_table')
@@ -43,32 +43,31 @@
 	if ($GLOBALS[$var] AND strncmp($var,"id_",3)==0 AND $var!='id_table')
 		$GLOBALS[$var] = is_array($GLOBALS[$var])?@array_map('intval',$GLOBALS[$var]):intval($GLOBALS[$var]);
 
-
-/*     - interdit la variable $cjpeg_command, qui etait utilisee sans
- *       precaution dans certaines versions de dev (1.8b2 -> 1.8b5)
- *
+/*
+ * Interdit la variable $cjpeg_command, qui était utilisée sans
+ * précaution dans certaines versions de dev (1.8b2 -> 1.8b5)
  */
 $cjpeg_command='';
 
-/*     - controle la variable lang, var_recherche, aide (XSS)
- *
+/*
+ * Contrôle de quelques variables (XSS)
  */
-foreach(array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r') as $var) {
+foreach(array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r', 'var_ajax_ancre') as $var) {
 	if (isset($_GET[$var]))
-		$_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w-]+,',' ',(string)$_GET[$var]);
+		$_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w\,/#&;-]+,',' ',(string)$_GET[$var]);
 	if (isset($_POST[$var]))
-		$_REQUEST[$var] = $GLOBALS[$var] = $_POST[$var] = preg_replace(',[^\w-]+,',' ',(string)$_POST[$var]);
+		$_REQUEST[$var] = $GLOBALS[$var] = $_POST[$var] = preg_replace(',[^\w\,/#&;-]+,',' ',(string)$_POST[$var]);
 }
 
-/*     - filtre l'acces a spip_acces_doc (injection SQL en 1.8.2x)
- *
+/*
+ * Filtre l'accès à spip_acces_doc (injection SQL en 1.8.2x)
  */
 if (preg_match(',^(.*/)?spip_acces_doc\.,', (string)$_SERVER['REQUEST_URI'])) {
 	$file = addslashes((string)$_GET['file']);
 }
 
 /*
- *     - agenda joue a l'injection php
+ * Agenda joue à l'injection php
  */
 if (isset($_REQUEST['partie_cal'])
 AND $_REQUEST['partie_cal'] !== htmlentities((string)$_REQUEST['partie_cal']))
@@ -78,7 +77,7 @@
 	$ecran_securite_raison = "echelle";
 
 /*
- *     - espace prive
+ * Espace privé
  */
 if (isset($_REQUEST['exec'])
 AND !preg_match(',^[\w-]+$,', (string)$_REQUEST['exec']))
@@ -107,8 +106,8 @@
 	}
 }
 
-/*     - bloque les requetes contenant %00 (manipulation d'include)
- *
+/*
+ * Bloque les requêtes contenant %00 (manipulation d'include)
  */
 if (strpos(
 	@get_magic_quotes_gpc() ?
@@ -117,22 +116,23 @@
 ) !== false)
 	$ecran_securite_raison = "%00";
 
-/*     - bloque les requetes fond=formulaire_
- *
+/*
+ * Bloque les requêtes fond=formulaire_
  */
 if (isset($_REQUEST['fond'])
 AND preg_match(',^formulaire_,i', $_REQUEST['fond']))
 	$ecran_securite_raison = "fond=formulaire_";
 
-/*     - bloque les requetes du type ?GLOBALS[type_urls]=toto (bug vieux php)
- *
+/*
+ * Bloque les requêtes du type ?GLOBALS[type_urls]=toto (bug vieux php)
  */
 if (isset($_REQUEST['GLOBALS']))
 	$ecran_securite_raison = "GLOBALS[GLOBALS]";
 
-/*     - bloque les requetes des bots sur:
- *       les agenda
- *       les paginations entremelees
+/*
+ * Bloque les requêtes des bots sur:
+ * les agenda
+ * les paginations entremélées
  */
 if (_IS_BOT AND (
 	(isset($_REQUEST['echelle']) AND isset($_REQUEST['partie_cal']) AND isset($_REQUEST['type']))
@@ -162,27 +162,29 @@
 if (isset($_REQUEST[$var]) AND is_array($_REQUEST[$var]))
 	$ecran_securite_raison = "xss ".$var;
 
-/* Parade antivirale contre un cheval de troie */
-if(!function_exists('tmp_lkojfghx')){
-function tmp_lkojfghx(){}
-function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
-	// si jamais on est arrive ici sur une erreur php
-	// et qu'un autre gestionnaire d'erreur est defini, l'appeller
-	if($b&&$GLOBALS['tmp_xhgfjokl'])
-		call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
-}
+/*
+ * Parade antivirale contre un cheval de troie
+ */
+if (!function_exists('tmp_lkojfghx')) {
+	function tmp_lkojfghx() {}
+	function tmp_lkojfghx2($a=0, $b=0, $c=0, $d=0) {
+		// si jamais on est arrivé ici sur une erreur php
+		// et qu'un autre gestionnaire d'erreur est défini, l'appeller
+		if ($b&&$GLOBALS['tmp_xhgfjokl'])
+			call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
+	}
 }
 if (isset($_POST['tmp_lkojfghx3']))
 	$ecran_securite_raison = "gumblar";
 
 /*
- * Outils XML mal securises < 2.0.9
+ * Outils XML mal sécurisés < 2.0.9
  */
 if (isset($_REQUEST['transformer_xml']))
 	$ecran_securite_raison = "transformer_xml";
 
 /*
- * Sauvegarde mal securisee < 2.0.9
+ * Sauvegarde mal securisée < 2.0.9
  */
 if (isset($_REQUEST['nom_sauvegarde'])
 AND strstr((string)$_REQUEST['nom_sauvegarde'], '/'))
@@ -194,14 +196,15 @@
 
 /*
  * op permet des inclusions arbitraires ;
- * on verifie 'page' pour ne pas bloquer ... drupal
+ * on vérifie 'page' pour ne pas bloquer ... drupal
  */
 if (isset($_REQUEST['op']) AND isset($_REQUEST['page'])
 AND $_REQUEST['op'] !== preg_replace('/[^\-\w]/', '', $_REQUEST['op']))
 	$ecran_securite_raison = 'op';
 
-
-/* Forms & Table ne se mefiait pas assez des uploads de fichiers */
+/*
+ * Forms & Table ne se méfiait pas assez des uploads de fichiers
+ */
 if (count($_FILES)){
 	foreach($_FILES as $k=>$v){
 		 if (preg_match(',^fichier_\d+$,',$k)
@@ -210,11 +213,42 @@
 	}
 }
 
-/* reinstall=oui un peu trop permissif */
+/*
+ * reinstall=oui un peu trop permissif
+ */
 if (isset($_REQUEST['reinstall'])
 AND $_REQUEST['reinstall'] == 'oui')
 	$ecran_securite_raison = 'reinstall=oui';
 
+/*
+ * Échappement xss referer
+ */
+if (isset($_SERVER['HTTP_REFERER']))
+	$_SERVER['HTTP_REFERER'] = strtr($_SERVER['HTTP_REFERER'], '<>"\'', '[]##');
+
+/*
+ * Réinjection des clés en html dans l'admin r19561
+ */
+if (strpos($_SERVER['REQUEST_URI'],"ecrire/")!==false){
+	$zzzz=implode("",array_keys($_REQUEST));
+	if (strlen($zzzz)!=strcspn($zzzz,'<>"\''))
+		$ecran_securite_raison = 'Cle incorrecte en $_REQUEST';
+}
+
+/*
+ * Injection par connect
+ */
+if (isset($_REQUEST['connect'])
+	AND
+	// cas qui permettent de sortir d'un commentaire PHP
+	(strpos($_REQUEST['connect'], "?".">")!==false
+	 OR strpos($_REQUEST['connect'], "\n")!==false
+	 OR strpos($_REQUEST['connect'], "\r")!==false)
+	) {
+	$_REQUEST['connect'] = str_replace(array("?".">", "\r", "\n"), "", $_REQUEST['connect']);
+	if (isset($_GET['connect'])) $_GET['connect'] = $_REQUEST['connect'];
+	if (isset($_POST['connect'])) $_POST['connect'] = $_REQUEST['connect'];
+}
 
 /*
  * S'il y a une raison de mourir, mourons
@@ -227,15 +261,15 @@
 	header("Content-Type: text/html");
 	die("<html><title>Error 403: Forbidden</title><body><h1>Error 403</h1><p>You are not authorized to view this page ($ecran_securite_raison)</p></body></html>");
 }
+
 /*
- * Fin securite
+ * Fin sécurité
  */
 
 
 
 /*
- * Bloque les bots quand le load deborde
- *
+ * Bloque les bots quand le load déborde
  */
 if (!defined('_ECRAN_SECURITE_LOAD'))
 	define('_ECRAN_SECURITE_LOAD', 4);
diff -u spip-2.1.1/debian/patches/series spip-2.1.1/debian/patches/series
--- spip-2.1.1/debian/patches/series
+++ spip-2.1.1/debian/patches/series
@@ -14,0 +15,2 @@
+fix_XSS_in_password.patch
+fix_XSS_in_variable_name.patch
only in patch2:
unchanged:
--- spip-2.1.1.orig/debian/patches/fix_XSS_in_variable_name.patch
+++ spip-2.1.1/debian/patches/fix_XSS_in_variable_name.patch
@@ -0,0 +1,19 @@
+From: denisb <denisb@laposte.net>
+Subject: Don't reinject unsanitize variable name in HTML
+
+* ecrire/inc/admin.php: Fix XSS injection in variable name (thanks to
+  AS ASafety).
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/19559
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=
+--- a/ecrire/inc/admin.php
++++ b/ecrire/inc/admin.php
+@@ -172,7 +172,7 @@
+         include_spip('inc/filtres');
+ 	foreach($_POST as $n => $c) {
+ 	  if (($n != 'fichier') AND !is_array($c))
+-		$suite .= "\n<input type='hidden' name='$n' value='" .
++		$suite .= "\n<input type='hidden' name='".htmlspecialchars($n)."' value='" .
+ 		  entites_html($c) .
+ 		  "'  />";
+ 	}
only in patch2:
unchanged:
--- spip-2.1.1.orig/debian/patches/fix_XSS_in_password.patch
+++ spip-2.1.1/debian/patches/fix_XSS_in_password.patch
@@ -0,0 +1,18 @@
+From: Cédric Morin <cedric.morin@yterium.com>
+Subject: Fix auto-XSS on password
+
+* prive/javascript/login.js: fix auto-XSS on password (thanks to zataz).
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/19333
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=
+--- a/prive/javascript/login.js
++++ b/prive/javascript/login.js
+@@ -77,7 +77,7 @@
+ 			// - certains navigateurs memorisent le hash au lieu du pass ...
+ 			// on cree un input hidden a cote, on lui met le name="password"
+ 			// et on vide le champ visible
+-			inputpass.after('<input name="password" type="hidden" value="'+pass+'" />');
++			inputpass.after('<input name="password" type="hidden" value="" />').attr('value',pass);
+ 			inputpass.attr('name','nothing').attr('value','');
+ 			calcule_hash_pass(pass);
+ 		}

Reply to:

Follow-Ups:
- Bug#682808: pu: package spip/2.1.1-3squeeze4
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#682808: pu: package spip/2.1.1-3squeeze4
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Processed: Re: Bug#682808: pu: package spip/2.1.1-3squeeze4
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#682514: marked as done (unblock: phpldapadmin/1.2.2-5)
Next by Date: Re: Possible freeze exception for texlive-bin
Previous by thread: Bug#682769: dh_numpy working
Next by thread: Bug#682808: pu: package spip/2.1.1-3squeeze4
Index(es):
- Date
- Thread