[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#804172: marked as done (jessie-pu: package spip/3.0.17-2+deb8u1)

Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #804172,
regarding jessie-pu: package spip/3.0.17-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
804172: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804172
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, the two XSS fixes from the latest
upstream version do not deserve a DSA, yet I’d like to fix them via pu
if you agree, debdiff attached. There is no upstream fix available (yet)
for the 2.1 branch (that is still supported), so I won’t follow up with
a pu request for Wheezy for the moment.

Regards

David

diff -Nru spip-3.0.17/debian/changelog spip-3.0.17/debian/changelog
--- spip-3.0.17/debian/changelog	2014-10-25 20:52:48.000000000 -0400
+++ spip-3.0.17/debian/changelog	2015-11-01 15:34:31.000000000 -0400
@@ -1,3 +1,10 @@
+spip (3.0.17-2+deb8u1) jessie; urgency=medium
+
+  * Track Jessie
+  * Backport XSS fixes in private content from 3.0.21
+
+ -- David Prévot <taffit@debian.org>  Sun, 01 Nov 2015 15:34:00 -0400
+
 spip (3.0.17-2) unstable; urgency=medium
 
   [ Frans Spiesschaert ]
diff -Nru spip-3.0.17/debian/gbp.conf spip-3.0.17/debian/gbp.conf
--- spip-3.0.17/debian/gbp.conf	2014-10-25 20:50:16.000000000 -0400
+++ spip-3.0.17/debian/gbp.conf	2015-11-01 15:11:01.000000000 -0400
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch = 3.0
+debian-branch = jessie
 upstream-branch = upstream-3.0
diff -Nru spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch
--- spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch	1969-12-31 20:00:00.000000000 -0400
+++ spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch	2015-11-01 15:31:01.000000000 -0400
@@ -0,0 +1,173 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Sat, 10 Oct 2015 10:44:19 +0000
+Subject: Fix XSS in private content
+
+Bug: https://core.spip.net/issues/3371
+Origin: Upstream, http://zone.spip.org/trac/spip-zone/changeset/92236,
+ https://core.spip.net/projects/spip/repository/revisions/22427,
+ https://core.spip.net/projects/spip/repository/revisions/22450,
+ https://core.spip.net/projects/spip/repository/revisions/22429
+---
+ ecrire/inc/texte.php                               |  7 ++++
+ ecrire/inc/texte_mini.php                          | 43 ++++++++++++++++++++--
+ plugins-dist/revisions/inc/revisions.php           |  3 ++
+ .../prive/squelettes/contenu/revision.html         |  6 +--
+ prive/squelettes/ajax.html                         |  2 +-
+ prive/squelettes/head/dist.html                    |  2 +-
+ prive/squelettes/structure.html                    |  4 +-
+ 7 files changed, 57 insertions(+), 10 deletions(-)
+
+diff --git a/ecrire/inc/texte.php b/ecrire/inc/texte.php
+index af706b3..c0cec0b 100644
+--- a/ecrire/inc/texte.php
++++ b/ecrire/inc/texte.php
+@@ -156,6 +156,7 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ 	if (is_null($connect)){
+ 		$connect = '';
+ 		$interdire_script = true;
++		$env['espace_prive'] = 1;
+ 	}
+ 
+ 	// Echapper les codes <html> etc
+@@ -183,6 +184,12 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ 	if ($interdire_script)
+ 		$letexte = interdire_scripts($letexte);
+ 
++	// Dans l'espace prive on se mefie de tout contenu dangereux
++	// https://core.spip.net/issues/3371
++	if (isset($env['espace_prive']) AND $env['espace_prive']){
++		$letexte = echapper_html_suspect($letexte);
++	}
++
+ 	return $letexte;
+ }
+ 
+diff --git a/ecrire/inc/texte_mini.php b/ecrire/inc/texte_mini.php
+index f3c2429..901d903 100644
+--- a/ecrire/inc/texte_mini.php
++++ b/ecrire/inc/texte_mini.php
+@@ -385,15 +385,52 @@ function echapper_faux_tags($letexte){
+   $letexte = "";
+   while (count($textMatches)) {
+   	// un texte a echapper
+-  	$letexte .= str_replace(array("<"),array('&lt;'),array_shift($textMatches));
++  	$letexte .= str_replace("<",'&lt;',array_shift($textMatches));
+   	// un tag html qui a servit a faite le split
+  		$letexte .= array_shift($textMatches);
+   }
+   return $letexte;
+ }
+ 
+-// Securite : utiliser SafeHTML s'il est present dans ecrire/safehtml/
+-// http://doc.spip.org/@safehtml
++/**
++ * Si le html contenu dans un texte ne passe pas sans transformation a travers safehtml
++ * on l'echappe
++ * si safehtml ne renvoie pas la meme chose on echappe les < en &lt; pour montrer le contenu brut
++ *
++ * @param string $texte
++ * @return string
++ */
++function echapper_html_suspect($texte){
++	if (strpos($texte,'<')===false OR strpos($texte,'=')===false)
++		return $texte;
++
++	// on teste sur strlen car safehtml supprime le contenu dangereux
++	// mais il peut aussi changer des ' en " sur les attributs html,
++	// donc un test d'egalite est trop strict
++	if (strlen(safehtml($texte))!==strlen($texte)){
++		$texte = str_replace("<","&lt;",$texte);
++	}
++
++	return $texte;
++}
++
++
++/**
++ * Sécurise un texte HTML 
++ *
++ * Échappe le code PHP et JS.
++ * Applique en plus safehtml si un plugin le définit dans inc/safehtml.php
++ *
++ * Permet de protéger les textes issus d'une origine douteuse (forums, syndications...)
++ *
++ * @filtre
++ * @link http://www.spip.net/4310
++ * 
++ * @param string $t
++ *      Texte à sécuriser
++ * @return string
++ *      Texte sécurisé
++**/
+ function safehtml($t) {
+ 	static $safehtml;
+ 
+diff --git a/plugins-dist/revisions/inc/revisions.php b/plugins-dist/revisions/inc/revisions.php
+index 16d6f86..c9ab05e 100644
+--- a/plugins-dist/revisions/inc/revisions.php
++++ b/plugins-dist/revisions/inc/revisions.php
+@@ -605,6 +605,9 @@ function propre_diff($texte) {
+ 	$reg = end($regs);
+ 	if (!$reg[1] AND $reg[2]) $texte.="</$reg[2]>";
+ 
++	// et interdire_scripts !
++	$texte = interdire_scripts($texte);
++
+ 	return $texte;
+ }
+ 
+diff --git a/plugins-dist/revisions/prive/squelettes/contenu/revision.html b/plugins-dist/revisions/prive/squelettes/contenu/revision.html
+index 935e6bf..a59a716 100644
+--- a/plugins-dist/revisions/prive/squelettes/contenu/revision.html
++++ b/plugins-dist/revisions/prive/squelettes/contenu/revision.html
+@@ -40,9 +40,9 @@
+ 		]
+ 	]
+ 	[<div class='id_rubrique'>(#GET{textes}|table_valeur{id_rubrique})</div>]
+-	[<h4 class='surtitre'>(#GET{textes}|table_valeur{surtitre})</h4>]
+-	<h1>[(#INFO_STATUT{#OBJET,#ID_OBJET}|puce_statut{#OBJET}) ][(#GET{textes}|table_valeur{titre}|sinon{<:info_sans_titre:>})]</h1>
+-	[<h2 class='soustitre'>(#GET{textes}|table_valeur{soustitre})</h2>]
++	[<h4 class='surtitre'>(#GET{textes}|table_valeur{surtitre}|interdire_scripts)</h4>]
++	<h1>[(#INFO_STATUT{#OBJET,#ID_OBJET}|puce_statut{#OBJET}) ][(#GET{textes}|table_valeur{titre}|sinon{<:info_sans_titre:>}|interdire_scripts)]</h1>
++	[<h2 class='soustitre'>(#GET{textes}|table_valeur{soustitre}|interdire_scripts)</h2>]
+ 
+ 	<div class="nettoyeur"></div>
+ 	<div id="wysiwyg" class="revision">
+diff --git a/prive/squelettes/ajax.html b/prive/squelettes/ajax.html
+index dcd9319..b6bc56a 100644
+--- a/prive/squelettes/ajax.html
++++ b/prive/squelettes/ajax.html
+@@ -4,4 +4,4 @@
+ 
+ ]
+ #SET{zajax,#VAL{var_zajax}|_request|replace{\W,''}}
+-<INCLURE{fond=prive/squelettes/#GET{zajax}|concat{'/',#ENV{type-page}},ajax=#GET{zajax},env}>
+\ No newline at end of file
++<INCLURE{fond=prive/squelettes/#GET{zajax}|concat{'/',#ENV{type-page}},ajax=#GET{zajax},espace_prive=1,env}>
+\ No newline at end of file
+diff --git a/prive/squelettes/head/dist.html b/prive/squelettes/head/dist.html
+index d770c45..9dc5b63 100644
+--- a/prive/squelettes/head/dist.html
++++ b/prive/squelettes/head/dist.html
+@@ -8,4 +8,4 @@
+ [(#REM) Si pas de title, celui ci sera mis automatiquement par f_title_auto
+ en capturant le premier <h1> de la page]
+ #SET{paramcss,#REM|parametres_css_prive}
+-#PIPELINE{header_prive,#INCLURE{fond=prive/squelettes/inclure/head,titre,minipres,paramcss=#GET{paramcss}}}
+\ No newline at end of file
++#PIPELINE{header_prive,#INCLURE{fond=prive/squelettes/inclure/head,titre,minipres,paramcss=#GET{paramcss},espace_prive}}
+\ No newline at end of file
+diff --git a/prive/squelettes/structure.html b/prive/squelettes/structure.html
+index b9dd987..7520bd8 100644
+--- a/prive/squelettes/structure.html
++++ b/prive/squelettes/structure.html
+@@ -8,7 +8,7 @@
+ <!--[if IE 9 ]>    <html class="[(#LANG_DIR)][ (#LANG)] no-js ie ie9 lte9" xmlns="http://www.w3.org/1999/xhtml"; xml:lang="#LANG" lang="#LANG" dir="#LANG_DIR"> <![endif]-->
+ <!--[if (gt IE 9)|!(IE)]><!--> <html class="[(#LANG_DIR)][ (#LANG)] no-js" xmlns="http://www.w3.org/1999/xhtml"; xml:lang="#LANG" lang="#LANG" dir="#LANG_DIR"> <!--<![endif]-->
+ <head>
+-<INCLURE{fond=prive/squelettes/head/#ENV{type-page},env}>
++<INCLURE{fond=prive/squelettes/head/#ENV{type-page},env,espace_prive=1}>
+ </head>
+-<INCLURE{fond=prive/squelettes/body,env}>
++<INCLURE{fond=prive/squelettes/body,env,espace_prive=1}>
+ </html>
diff -Nru spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch
--- spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch	1969-12-31 20:00:00.000000000 -0400
+++ spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch	2015-11-01 15:31:01.000000000 -0400
@@ -0,0 +1,130 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com>
+Date: Thu, 29 Oct 2015 16:58:27 +0100
+Subject: Fix XSS from iframe in private content
+
+Bug: https://core.spip.net/issues/1994, https://core.spip.net/issues/1998
+Origin: http://zone.spip.org/trac/spip-zone/changeset/92321,
+ http://zone.spip.org/trac/spip-zone/changeset/92519,
+ http://zone.spip.org/trac/spip-zone/changeset/92520
+---
+ plugins-dist/textwheel/wheels/spip/echappe-js.php  | 39 ++++++++++++++++++
+ plugins-dist/textwheel/wheels/spip/echappe-js.yaml | 48 ++++++++++++++++++++++
+ .../textwheel/wheels/spip/interdire-scripts.yaml   |  3 +-
+ 3 files changed, 89 insertions(+), 1 deletion(-)
+ create mode 100644 plugins-dist/textwheel/wheels/spip/echappe-js.php
+
+diff --git a/plugins-dist/textwheel/wheels/spip/echappe-js.php b/plugins-dist/textwheel/wheels/spip/echappe-js.php
+new file mode 100644
+index 0000000..66b0717
+--- /dev/null
++++ b/plugins-dist/textwheel/wheels/spip/echappe-js.php
+@@ -0,0 +1,39 @@
++<?php
++
++/**
++ * Fonctions utiles pour la wheel echappe-js
++ *
++ * @SPIP\Textwheel\Wheel\SPIP\Fonctions
++**/
++
++if (!defined('_ECRIRE_INC_VERSION')) return;
++
++function echappe_anti_xss($match){
++	static $safehtml;
++
++	if (!is_array($match) OR !strlen($match[0])) {
++		return "";
++	}
++	$texte = &$match[0];
++
++	// on echappe les urls data: javascript: et tout ce qui ressemble
++	if (strpos($texte,":")!==false
++		AND preg_match(",(data|script)\s*:,iS",$texte)){
++		$texte = nl2br(htmlspecialchars($texte));
++	}
++	// on echappe si on a possiblement un attribut onxxx et que ca passe pas dans safehtml
++	elseif(stripos($texte,"on")!==false
++	  AND preg_match(",\bon\w+\s*=,i",$texte)){
++		if (!isset($safehtml))
++			$safehtml = charger_fonction('safehtml', 'inc', true);
++		if (!$safehtml OR strlen($safehtml($texte))!==strlen($texte)){
++			$texte = nl2br(htmlspecialchars($texte));
++		}
++	}
++
++	if (strpos($texte,"<")===false){
++		$texte = "<code class=\"echappe-js\">$texte</code>";
++	}
++
++	return $texte;
++}
+diff --git a/plugins-dist/textwheel/wheels/spip/echappe-js.yaml b/plugins-dist/textwheel/wheels/spip/echappe-js.yaml
+index 9684738..84c65f2 100644
+--- a/plugins-dist/textwheel/wheels/spip/echappe-js.yaml
++++ b/plugins-dist/textwheel/wheels/spip/echappe-js.yaml
+@@ -18,3 +18,51 @@
+     -
+       type: all
+       replace: "<code class=\"echappe-js\">$0</code>"
++
++-
++  if_str: "<iframe"
++  match: "{<iframe.*?($|</iframe.)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<embed"
++  match: "{<embed.*?($|</embed.)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<object"
++  match: "{<object.*?($|</object.)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<img"
++  match: "{<img.*?($|>)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<image"
++  match: "{<image.*?($|>)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<body"
++  match: "{<body.*?($|>)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<bgsound"
++  match: "{<bgsound.*?($|>)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<meta"
++  match: "{<meta.*?($|>)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
+diff --git a/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml b/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml
+index 790f34d..d809847d 100644
+--- a/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml
++++ b/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml
+@@ -19,7 +19,8 @@ securite-script-php:
+   replace: "&lt;$1"
+ 
+ securite-js:
+-  if_str: "<script"
++  if_str: "<"
++  if_match: "/<(?:script|iframe|embed|object|img|image|body|bgsound|meta)/iS"
+   type: all
+   replace: "echappe_js"
+   is_callback: Y
diff -Nru spip-3.0.17/debian/patches/series spip-3.0.17/debian/patches/series
--- spip-3.0.17/debian/patches/series	2014-08-26 12:06:06.000000000 -0400
+++ spip-3.0.17/debian/patches/series	2015-11-01 15:31:01.000000000 -0400
@@ -2,3 +2,5 @@
 0002-Use-php-html-safe.patch
 0003-No-next-upstream-version-display-in-private-area.patch
 0004-Fix-displayed-version-in-the-private-interface.patch
+0005-Fix-XSS-in-private-content.patch
+0006-Fix-XSS-from-iframe-in-private-content.patch

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message --- 
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---
Reply to: