Package: release.debian.org Severity: normal Tags: squeeze User: release.debian.org@packages.debian.org Usertags: pu Dear release team, As agreed with the security team, here I am proposing another oldstable update for fixing minor security issues in SPIP. Attached debdiff, thanks in advance for considering. Regards David -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (110, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.13-trunk-amd64 (SMP w/2 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog
index 0427965..25a8296 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+spip (2.1.1-3squeeze9) squeeze; urgency=medium
+
+ * Fix missing escape
+ * Fix missing escape in SQL
+ * Update security screen to 1.1.9 (Closes: #742456)
+
+ -- David Prévot <taffit@debian.org> Thu, 13 Mar 2014 16:58:14 -0300
+
spip (2.1.1-3squeeze8) squeeze; urgency=medium
* Document fixed #729172
diff --git a/debian/patches/fix_missing_escape.patch b/debian/patches/fix_missing_escape.patch
new file mode 100644
index 0000000..7d08c36
--- /dev/null
+++ b/debian/patches/fix_missing_escape.patch
@@ -0,0 +1,19 @@
+From: Cédric Morin <cedric.morin@yterium.com>
+Subject: Fix missing escape
+
+ * ecrire/inc/log.php: Always escape < in logs, unless the _LOG_BRUT
+ constant is defined to true at the end of debug.
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/21251
+Bug-Debian: http://bugs.debian.org/742456
+--- a/ecrire/inc/log.php
++++ b/ecrire/inc/log.php
+@@ -56,7 +56,7 @@
+
+ $f = @fopen($logfile, "ab");
+ if ($f) {
+- fputs($f, ($logname!==NULL) ? $m : str_replace('<','<',$m));
++ fputs($f, (defined('_LOG_BRUT') AND _LOG_BRUT) ? $m : str_replace('<','<',$m));
+ fclose($f);
+ }
+
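Review bot: As rendered on this page, both the removed and the added `fputs` lines call `str_replace('<','<',$m)`, whose search and replacement strings are identical, so the escape would do nothing. This is most likely the archive decoding an HTML entity, but the applied patch should be compared with upstream revision 21251 to confirm the replacement really is the entity form. Only `<` is neutralised, and not at all when `_LOG_BRUT` is true, so anything that displays these log files as HTML still has to escape at output time. A comment above the call would record the intent, e.g. `// escape < so log content is not read as markup when viewed; define _LOG_BRUT to true for raw logs`. The enclosing function starts and ends outside the hunk.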
diff --git a/debian/patches/fix_missing_escape_in_SQL.patch b/debian/patches/fix_missing_escape_in_SQL.patch
new file mode 100644
index 0000000..8024698
--- /dev/null
+++ b/debian/patches/fix_missing_escape_in_SQL.patch
@@ -0,0 +1,18 @@
+From: Cédric Morin <cedric.morin@yterium.com>
+Subject: Fix missing escape in SQL
+
+ * ecrire/inc/quete.php: Fix missing escape in a SQL request.
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/21247
+Bug-Debian: http://bugs.debian.org/742456
+--- a/ecrire/public/quete.php
++++ b/ecrire/public/quete.php
+@@ -248,7 +248,7 @@
+ $exposer[$m][$type][$principal] = true;
+ if ($type == 'id_mot'){
+ if (!$parent) {
+- $parent = sql_getfetsel('id_groupe','spip_mots',"id_mot=" . $principal, '','','','',$connect);
++ $parent = sql_getfetsel('id_groupe','spip_mots',"id_mot=" . intval($principal), '','','','',$connect);
+ }
+ if ($parent)
+ $exposer[$m]['id_groupe'][$parent] = true;
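Review bot: The patch description names `ecrire/inc/quete.php`, but the diff paths directly below it patch `ecrire/public/quete.php`; the description line should read `* ecrire/public/quete.php: Fix missing escape in a SQL request.` so the DEP-3 header matches the file touched. On the code itself, `intval($principal)` is applied only inside the string-built WHERE clause, while the raw `$principal` is still used as an array key one line earlier, so the key and the queried id can differ for non-numeric input. The enclosing function continues outside the hunk, so it is worth confirming that no other branch concatenates `$principal` into a query without the same cast.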
diff --git a/debian/patches/series b/debian/patches/series
index 7646257..1ec8a6c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,5 @@ fix_privilege_escalation_2.1.21.patch
fix_CSRF_on_logout.patch
fix_XSS_on_author_page.patch
fix_XSS_on_signature.patch
+fix_missing_escape.patch
+fix_missing_escape_in_SQL.patch
diff --git a/debian/security/ecran_securite.php b/debian/security/ecran_securite.php
index 7e6ec1c..36b0044 100644
--- a/debian/security/ecran_securite.php
+++ b/debian/security/ecran_securite.php
@@ -5,7 +5,7 @@
* ------------------
*/
-define('_ECRAN_SECURITE', '1.1.8'); // 2013-08-29
+define('_ECRAN_SECURITE', '1.1.9'); // 2014-03-13
/*
* Documentation : http://www.spip.net/fr_article4200.html
@@ -254,13 +254,12 @@ if (isset($_REQUEST['connect'])
AND
// cas qui permettent de sortir d'un commentaire PHP
(strpos($_REQUEST['connect'], "?")!==false
+ OR strpos($_REQUEST['connect'], "<")!==false
OR strpos($_REQUEST['connect'], ">")!==false
OR strpos($_REQUEST['connect'], "\n")!==false
OR strpos($_REQUEST['connect'], "\r")!==false)
) {
- $_REQUEST['connect'] = str_replace(array("?", ">", "\r", "\n"), "", $_REQUEST['connect']);
- if (isset($_GET['connect'])) $_GET['connect'] = $_REQUEST['connect'];
- if (isset($_POST['connect'])) $_POST['connect'] = $_REQUEST['connect'];
+ $ecran_securite_raison = "malformed connect argument";
}
/*
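Review bot: The condition remains a character denylist and assumes `$_REQUEST['connect']` is a string; nothing visible checks the type before the `strpos()` chain. Adding `!is_string($_REQUEST['connect']) OR` as the first term inside the parenthesised group would make rejection of a non-string value deliberate instead of depending on how `strpos()` fails. The `if` opens above the hunk and the code that acts on `$ecran_securite_raison` is outside it, so confirm the reason is honoured before `connect` is used anywhere. The French comment above the tests could also say that the request is now refused rather than cleaned.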
@@ -317,4 +316,4 @@ if (
}
-?>
+?>
\ No newline at end of file