
Bug#683689: pu: package spip/2.1.1-3squeeze5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release team,

You recently accepted 2.1.1-3squeeze4 for the next point release, that
fixes some security issues, but a new one has just been disclosed
(#683667), so here I am again. Upstream confirmed they can't reproduce
the last security issue with this version.

I didn't bug the security team since this last issue is less important
than the previous ones that have been handled via a stable upload.

Attached debdiff, thanks in advance for considering it.

The package is available on ravel:

	http://people.debian.org/~taffit/spip/spip_2.1.1-3squeeze5.dsc

Cheers

David


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diffstat for spip_2.1.1-3squeeze4 spip_2.1.1-3squeeze5

 debian/patches/fix_base_disclosure.patch |  155 +++++++++++++++++++++++++++++++
 spip-2.1.1/debian/changelog              |    6 +
 spip-2.1.1/debian/patches/series         |    1 
 3 files changed, 162 insertions(+)

diff -u spip-2.1.1/debian/changelog spip-2.1.1/debian/changelog
--- spip-2.1.1/debian/changelog
+++ spip-2.1.1/debian/changelog
@@ -1,3 +1,9 @@
+spip (2.1.1-3squeeze5) stable; urgency=low
+
+  * Fix base name disclosure. Closes: #683667
+
+ -- David Prévot <taffit@debian.org>  Thu, 02 Aug 2012 14:27:29 -0400
+
 spip (2.1.1-3squeeze4) stable; urgency=low
 
   * Updated security screen to 1.1.3. Prevent cross site scripting on referer
diff -u spip-2.1.1/debian/patches/series spip-2.1.1/debian/patches/series
--- spip-2.1.1/debian/patches/series
+++ spip-2.1.1/debian/patches/series
@@ -16,0 +17 @@
+fix_base_disclosure.patch
only in patch2:
unchanged:
--- spip-2.1.1.orig/debian/patches/fix_base_disclosure.patch
+++ spip-2.1.1/debian/patches/fix_base_disclosure.patch
@@ -0,0 +1,155 @@
+From: b b
+Subject: Fix base name disclosure from form text field
+
+* ecrire/base/connect_sql.php, ecrire/req/mysql.php,
+  ecrire/req/sqlite_generique.php: escape text in traiter_query
+  (thanks to Philippe Brehmer).
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/19753
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683667
+--- a/ecrire/base/connect_sql.php
++++ b/ecrire/base/connect_sql.php
+@@ -335,6 +335,75 @@
+ 	return '';
+ }
+ 
++/**
++ * Echapper les textes entre ' ' ou " " d'une requete SQL
++ * avant son pre-traitement
++ * On renvoi la query sans textes et les textes separes, dans
++ * leur ordre d'apparition dans la query
++ *
++ * @param string $query
++ * @return array
++ */
++function query_echappe_textes($query){
++	static $codeEchappements = array("''"=>"\x1@##@\x1", "\'"=>"\x2@##@\x2", "\\\""=>"\x3@##@\x3");
++	$query = str_replace(array_keys($codeEchappements), array_values($codeEchappements), $query);
++	if (preg_match_all("/((['])[^']*(\\2))|(([\"])[^\"]*(\\5))/S",$query,$textes)){
++		$textes = reset($textes); // indice 0 du match
++		switch(count($textes)){
++			case 0:$replace=array();break;
++			case 1:$replace=array('%1$s');break;
++			case 2:$replace=array('%1$s','%2$s');break;
++			case 3:$replace=array('%1$s','%2$s','%3$s');break;
++			case 4:$replace=array('%1$s','%2$s','%3$s','%4$s');break;
++			case 5:$replace=array('%1$s','%2$s','%3$s','%4$s','%5$s');break;
++			default:
++				$replace = range(1,count($textes));
++				$replace = '%'.implode('$s,%',$replace).'$s';
++				$replace = explode(',',$replace);
++				break;
++		}
++		$query = str_replace($textes,$replace,$query);
++	}
++	else
++		$textes = array();
++
++	return array($query, $textes);
++}
++
++/**
++ * Reinjecter les textes d'une requete SQL a leur place initiale,
++ * apres traitement de la requete
++ *
++ * @param string $query
++ * @param array $textes
++ * @return string
++ */
++function query_reinjecte_textes($query, $textes){
++	static $codeEchappements = array("''"=>"\x1@##@\x1", "\'"=>"\x2@##@\x2", "\\\""=>"\x3@##@\x3");
++	# debug de la substitution
++	#if (($c1=substr_count($query,"%"))!=($c2=count($textes))){
++	#	spip_log("$c1 ::". $query,"tradquery"._LOG_ERREUR);
++	#	spip_log("$c2 ::". var_export($textes,1),"tradquery"._LOG_ERREUR);
++	#	spip_log("ini ::". $qi,"tradquery"._LOG_ERREUR);
++	#}
++	switch (count($textes)){
++		case 0:break;
++		case 1:$query=sprintf($query,$textes[0]);break;
++		case 2:$query=sprintf($query,$textes[0],$textes[1]);break;
++		case 3:$query=sprintf($query,$textes[0],$textes[1],$textes[2]);break;
++		case 4:$query=sprintf($query,$textes[0],$textes[1],$textes[2],$textes[3]);break;
++		case 5:$query=sprintf($query,$textes[0],$textes[1],$textes[2],$textes[3],$textes[4]);break;
++		default:
++			array_unshift($textes,$query);
++			$query = call_user_func_array('sprintf',$textes);
++			break;
++	}
++
++	$query = str_replace(array_values($codeEchappements), array_keys($codeEchappements), $query);
++
++	return $query;
++}
++
+ // Pour compatibilite. Ne plus utiliser.
+ // http://doc.spip.org/@spip_query
+ function spip_query($query, $serveur='') {
+--- a/ecrire/req/mysql.php
++++ b/ecrire/req/mysql.php
+@@ -286,8 +286,14 @@
+ 	} else {
+ 		$suite = strstr($query, $regs[0]);
+ 		$query = substr($query, 0, -strlen($suite));
+-		if (preg_match('/^(.*?)([(]\s*SELECT\b.*)$/si', $suite, $r)) {
+-		  $suite = $r[1] . traite_query($r[2], $db, $prefixe);
++		// propager le prefixe en cas de requete imbriquee
++		// il faut alors echapper les chaine avant de le faire, pour ne pas risquer de
++		// modifier une requete qui est en fait juste du texte dans un champ
++		if (stripos($suite,"SELECT")!==false) {
++			list($suite,$textes) = query_echappe_textes($suite);
++			if (preg_match('/^(.*?)([(]\s*SELECT\b.*)$/si', $suite, $r))
++		    $suite = $r[1] . traite_query($r[2], $db, $prefixe);
++			$suite = query_reinjecte_textes($suite, $textes);
+ 		}
+ 	}
+ 	$r = preg_replace(_SQL_PREFIXE_TABLE, '\1'.$pref, $query) . $suite;
+--- a/ecrire/req/sqlite_generique.php
++++ b/ecrire/req/sqlite_generique.php
+@@ -1611,7 +1611,6 @@
+ 	
+ 	// Pour les corrections a effectuer sur les requetes :
+ 	var $textes = array(); 	// array(code=>'texte') trouvé
+-	var $codeEchappements = "%@##@%";
+ 	
+ 	
+ 	// constructeur
+@@ -1681,16 +1680,13 @@
+ 	// enleve les textes, transforme la requete pour quelle soit
+ 	// bien interpretee par sqlite, puis remet les textes
+ 	// la fonction affecte $this->query
+-// http://doc.spip.org/@traduire_requete
++	// http://doc.spip.org/@traduire_requete
+ 	function traduire_requete(){
+ 		//
+ 		// 1) Protection des textes en les remplacant par des codes
+ 		//
+-		// enlever les echappements ''
+-		$this->query = str_replace("''", $this->codeEchappements, $this->query);
+-		// enlever les 'textes'
+-		$this->textes = array(); // vider 
+-		$this->query = preg_replace_callback("/('[^']*')/", array(&$this, '_remplacerTexteParCode'), $this->query);
++		// enlever les 'textes' et initialiser avec
++		list($this->query, $textes) = query_echappe_textes($this->query);
+ 		
+ 		//
+ 		// 2) Corrections de la requete
+@@ -1791,12 +1787,12 @@
+ 		//
+ 		// 3) Remise en place des textes d'origine
+ 		//
+-		// remettre les 'textes'
+-		foreach ($this->textes as $cle=>$val){
+-			$this->query = str_replace($cle, $val, $this->query);
+-		}
+-		// remettre les echappements ''
+-		$this->query = str_replace($this->codeEchappements,"''",$this->query);
++		// Correction Antiquotes et echappements
++		// ` => rien
++		if (strpos($this->query,'`')!==false)
++			$this->query = str_replace('`','', $this->query);
++
++		$this->query = query_reinjecte_textes($this->query, $textes);
+ 	}
+ 	
+ 
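Review bot: A literal `%` in the part of the query that is not quoted text (for example a SQL modulo such as `a % 2`) survives into the format string that query_reinjecte_textes() hands to sprintf(), because the line `$query = str_replace($textes,$replace,$query);` only inserts the `%N$s` placeholders and never neutralises existing percent signs; sprintf() then reads it as a conversion specification and, depending on the PHP version, warns and returns false, throws, or silently drops characters, so the rewritten query is no longer the one the caller built. Doubling every `%` once the texts have been matched, and undoing that on the texts themselves after they are cut out of the query (they are passed as sprintf() arguments and are never parsed), keeps them literal through sprintf(); the changed lines of query_echappe_textes are below. Separately, the sqlite_generique.php hunks stop filling `$this->textes` and drop the `_remplacerTexteParCode` callback call, yet `var $textes = array();` is kept, so that property and presumably the callback method (defined outside the hunk) are now dead code worth removing in the same patch. traite_query() and traduire_requete() both start and end outside their hunks.
```php
	if (preg_match_all("/((['])[^']*(\\2))|(([\"])[^\"]*(\\5))/S",$query,$textes)){
		$textes = reset($textes); // indice 0 du match
		// sprintf() in query_reinjecte_textes() would read a literal % outside the
		// quoted texts as a conversion specification: double it so sprintf() restores
		// it unchanged. The texts are doubled too so they still match in $query, and
		// undoubled once cut out, since they become sprintf() arguments, not format.
		$query = str_replace('%', '%%', $query);
		$textes = str_replace('%', '%%', $textes);
		// … unchanged: switch building $replace …
		$query = str_replace($textes,$replace,$query);
		$textes = str_replace('%%', '%', $textes);
	}
```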
