Package: release.debian.org Severity: normal Tags: wheezy User: release.debian.org@packages.debian.org Usertags: pu Dear release team, As agreed with the security team, here I am proposing another stable update for fixing minor security issues in SPIP. Attached debdiff, thanks in advance for considering. Regards David -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (110, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.13-trunk-amd64 (SMP w/2 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog index d09ada5..e00ae22 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +spip (2.1.17-1+deb7u4) wheezy; urgency=medium + + * Update displayed version + * Fix missing escape + * Fix missing escape in SQL + * Update security screen to 1.1.9 (Closes: #742456) + + -- David Prévot <taffit@debian.org> Thu, 13 Mar 2014 16:50:23 -0300 + spip (2.1.17-1+deb7u3) wheezy; urgency=medium * Document fixed #729172 diff --git a/debian/patches/fix_displayed_version.patch b/debian/patches/fix_displayed_version.patch index fdc1186..80ff1d0 100644 --- a/debian/patches/fix_displayed_version.patch +++ b/debian/patches/fix_displayed_version.patch @@ -2,7 +2,7 @@ Description: Fix displayed version in the private interface Make it obvious it's a Debian (patched) version Forwarded: not-needed Author: David Prévot <taffit@debian.org> -Last-Update: 2013-11-02 +Last-Update: 2014-01-24 --- a/ecrire/inc_version.php +++ b/ecrire/inc_version.php @@ -423,7 +423,7 @@ @@ -10,7 +10,7 @@ Last-Update: 2013-11-02 // 1.xxyy : xx00 versions stables publiees, xxyy versions de dev // (ce qui marche pour yy ne marchera pas forcement sur une version plus ancienne) -$spip_version_affichee = "$spip_version_branche"; -+$spip_version_affichee = "2.1.17-1+deb7u2 (Debian)"; ++$spip_version_affichee = "2.1.17-1+deb7u4 (Debian)"; // ** Securite ** $visiteur_session = $auteur_session = $connect_statut = $connect_toutes_rubriques = $hash_recherche = $hash_recherche_strict = $ldap_present =''; diff --git a/debian/patches/fix_missing_escape.patch b/debian/patches/fix_missing_escape.patch new file mode 100644 index 0000000..7d08c36 --- /dev/null +++ b/debian/patches/fix_missing_escape.patch 
@@ -0,0 +1,19 @@
+From: Cédric Morin <cedric.morin@yterium.com>
+Subject: Fix missing escape
+
+ * ecrire/inc/log.php: Always escape < in logs, unless the _LOG_BRUT
+ constant is defined to true at the end of debug.
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/21251
+Bug-Debian: http://bugs.debian.org/742456
+--- a/ecrire/inc/log.php
++++ b/ecrire/inc/log.php
+@@ -56,7 +56,7 @@
+
+ $f = @fopen($logfile, "ab");
+ if ($f) {
+- fputs($f, ($logname!==NULL) ? $m : str_replace('<','<',$m));
++ fputs($f, (defined('_LOG_BRUT') AND _LOG_BRUT) ? $m : str_replace('<','<',$m));
+ fclose($f);
+ }
+
diff --git a/debian/patches/fix_missing_escape_in_SQL.patch b/debian/patches/fix_missing_escape_in_SQL.patch
new file mode 100644
index 0000000..8024698
--- /dev/null
+++ b/debian/patches/fix_missing_escape_in_SQL.patch
@@ -0,0 +1,18 @@
+From: Cédric Morin <cedric.morin@yterium.com>
+Subject: Fix missing escape in SQL
+
+ * ecrire/inc/quete.php: Fix missing escape in a SQL request.
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/21247
+Bug-Debian: http://bugs.debian.org/742456
+--- a/ecrire/public/quete.php
++++ b/ecrire/public/quete.php
+@@ -248,7 +248,7 @@
+ $exposer[$m][$type][$principal] = true;
+ if ($type == 'id_mot'){
+ if (!$parent) {
+- $parent = sql_getfetsel('id_groupe','spip_mots',"id_mot=" . $principal, '','','','',$connect);
++ $parent = sql_getfetsel('id_groupe','spip_mots',"id_mot=" . intval($principal), '','','','',$connect);
+ }
+ if ($parent)
+ $exposer[$m]['id_groupe'][$parent] = true;
diff --git a/debian/patches/series b/debian/patches/series
index 79be5e2..7de80f0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,5 @@ fix_privilege_escalation_2.1.21.patch
 fix_CSRF_on_logout.patch
 fix_XSS_on_author_page.patch
 fix_XSS_on_signature.patch
+fix_missing_escape.patch
+fix_missing_escape_in_SQL.patch
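Review bot: As rendered here, the escaping call on the added `++ fputs(...)` line reads `str_replace('<','<',$m)`, which replaces `<` with itself and would escape nothing; this is most likely the entity `&lt;` decoded by the archive, but the committed patch file should be checked to actually carry `str_replace('<','&lt;',$m)` before upload, otherwise the fix is a no-op. The new condition `defined('_LOG_BRUT') AND _LOG_BRUT` makes escaping the default for every caller instead of only for unnamed logs, which is the right direction, but it turns the opt-out into a process-wide constant rather than a per-call choice. The DEP-3 description line `unless the _LOG_BRUT constant is defined to true at the end of debug.` is hard to read; suggest `unless the _LOG_BRUT constant is defined to true (debugging aid; not for deployed sites).` so the intent of the opt-out is clear to the next maintainer.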
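Review bot: The patch description names `ecrire/inc/quete.php`, but the file header lines `+--- a/ecrire/public/quete.php` / `++++ b/ecrire/public/quete.php` patch `ecrire/public/quete.php`; the description line should read ` * ecrire/public/quete.php: Fix missing escape in a SQL request.` so the DEP-3 header matches the change. On the code itself, `intval($principal)` neutralises the injection for this integer id, but it also silently maps any non-numeric value to 0, so a malformed id becomes a lookup for `id_mot=0` rather than a rejected request; that is acceptable for a hardening fix, but a short line in the patch header noting this behaviour would help reviewers of later updates. `$principal` is also used unchanged as an array key on the first context line, which is harmless in PHP. The enclosing function starts and ends outside the hunk.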
diff --git a/debian/security/ecran_securite.php b/debian/security/ecran_securite.php index 7e6ec1c..36b0044 100644 --- a/debian/security/ecran_securite.php +++ b/debian/security/ecran_securite.php @@ -5,7 +5,7 @@ * ------------------ */ -define('_ECRAN_SECURITE', '1.1.8'); // 2013-08-29 +define('_ECRAN_SECURITE', '1.1.9'); // 2014-03-13 /* * Documentation : http://www.spip.net/fr_article4200.html @@ -254,13 +254,12 @@ if (isset($_REQUEST['connect']) AND // cas qui permettent de sortir d'un commentaire PHP (strpos($_REQUEST['connect'], "?")!==false + OR strpos($_REQUEST['connect'], "<")!==false OR strpos($_REQUEST['connect'], ">")!==false OR strpos($_REQUEST['connect'], "\n")!==false OR strpos($_REQUEST['connect'], "\r")!==false) ) { - $_REQUEST['connect'] = str_replace(array("?", ">", "\r", "\n"), "", $_REQUEST['connect']); - if (isset($_GET['connect'])) $_GET['connect'] = $_REQUEST['connect']; - if (isset($_POST['connect'])) $_POST['connect'] = $_REQUEST['connect']; + $ecran_securite_raison = "malformed connect argument"; } /* @@ -317,4 +316,4 @@ if ( } -?> +?> \ No newline at end of file
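Review bot: The new code replaces the old strip-and-continue handling of a `connect` value containing `?`, `<`, `>`, CR or LF with `$ecran_securite_raison = "malformed connect argument";`, i.e. the request is now refused instead of sanitised, which avoids the risk that stripping leaves a different but still unsafe value; the variable is consumed outside this hunk, so it is worth confirming that the consumer runs after this block and stops the request rather than only logging the reason. The added `OR strpos($_REQUEST['connect'], "<")!==false` is consistent with the existing comment about breaking out of a PHP comment, but a one-line comment next to the assignment, e.g. `// refuse rather than strip: a partially cleaned value is still attacker-controlled`, would make the change of strategy obvious to future readers. The enclosing `if (isset($_REQUEST['connect']) AND` condition starts before the hunk.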