Your message dated Sat, 23 Jan 2016 13:57:15 +0000 with message-id <1453557435.1835.52.camel@adam-barratt.org.uk> and subject line 8.3 point release cleanup has caused the Debian Bug report #804172, regarding jessie-pu: package spip/3.0.17-2+deb8u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

-- 
804172: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804172
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package spip/3.0.17-2+deb8u1
- From: David Prévot <david@tilapin.org>
- Date: Thu, 5 Nov 2015 14:10:48 -0400
- Message-id: <563B9BA8.4010703@tilapin.org>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, As agreed with the security team, the two XSS fixes from the latest upstream version do not deserve a DSA, yet I’d like to fix them via pu if you agree, debdiff attached. There is no upstream fix available (yet) for the 2.1 branch (that is still supported), so I won’t follow up with a pu request for Wheezy for the moment. Regards Daviddiff -Nru spip-3.0.17/debian/changelog spip-3.0.17/debian/changelog --- spip-3.0.17/debian/changelog 2014-10-25 20:52:48.000000000 -0400 +++ spip-3.0.17/debian/changelog 2015-11-01 15:34:31.000000000 -0400 @@ -1,3 +1,10 @@ +spip (3.0.17-2+deb8u1) jessie; urgency=medium + + * Track Jessie + * Backport XSS fixes in private content from 3.0.21 + + -- David Prévot <taffit@debian.org> Sun, 01 Nov 2015 15:34:00 -0400 + spip (3.0.17-2) unstable; urgency=medium [ Frans Spiesschaert ] diff -Nru spip-3.0.17/debian/gbp.conf spip-3.0.17/debian/gbp.conf --- spip-3.0.17/debian/gbp.conf 2014-10-25 20:50:16.000000000 -0400 +++ spip-3.0.17/debian/gbp.conf 2015-11-01 15:11:01.000000000 -0400 @@ -1,3 +1,3 @@ [DEFAULT] -debian-branch = 3.0 +debian-branch = jessie upstream-branch = upstream-3.0 diff -Nru spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch --- spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch 1969-12-31 20:00:00.000000000 -0400 +++ spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch 2015-11-01 15:31:01.000000000 -0400 
@@ -0,0 +1,173 @@ +From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com> +Date: Sat, 10 Oct 2015 10:44:19 +0000 +Subject: Fix XSS in private content + +Bug: https://core.spip.net/issues/3371 +Origin: Upstream, http://zone.spip.org/trac/spip-zone/changeset/92236, + https://core.spip.net/projects/spip/repository/revisions/22427, + https://core.spip.net/projects/spip/repository/revisions/22450, + https://core.spip.net/projects/spip/repository/revisions/22429 +--- + ecrire/inc/texte.php | 7 ++++ + ecrire/inc/texte_mini.php | 43 ++++++++++++++++++++-- + plugins-dist/revisions/inc/revisions.php | 3 ++ + .../prive/squelettes/contenu/revision.html | 6 +-- + prive/squelettes/ajax.html | 2 +- + prive/squelettes/head/dist.html | 2 +- + prive/squelettes/structure.html | 4 +- + 7 files changed, 57 insertions(+), 10 deletions(-) + +diff --git a/ecrire/inc/texte.php b/ecrire/inc/texte.php +index af706b3..c0cec0b 100644 +--- a/ecrire/inc/texte.php ++++ b/ecrire/inc/texte.php +@@ -156,6 +156,7 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) { + if (is_null($connect)){ + $connect = ''; + $interdire_script = true; ++ $env['espace_prive'] = 1; + } + + // Echapper les codes <html> etc +@@ -183,6 +184,12 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) { + if ($interdire_script) + $letexte = interdire_scripts($letexte); + ++ // Dans l'espace prive on se mefie de tout contenu dangereux ++ // https://core.spip.net/issues/3371 ++ if (isset($env['espace_prive']) AND $env['espace_prive']){ ++ $letexte = echapper_html_suspect($letexte); ++ } ++ + return $letexte; + } + +diff --git a/ecrire/inc/texte_mini.php b/ecrire/inc/texte_mini.php +index f3c2429..901d903 100644 +--- a/ecrire/inc/texte_mini.php ++++ b/ecrire/inc/texte_mini.php +@@ -385,15 +385,52 @@ function echapper_faux_tags($letexte){ + $letexte = ""; + while (count($textMatches)) { + // un texte a echapper +- $letexte .= 
str_replace(array("<"),array('<'),array_shift($textMatches)); ++ $letexte .= str_replace("<",'<',array_shift($textMatches)); + // un tag html qui a servit a faite le split + $letexte .= array_shift($textMatches); + } + return $letexte; + } + +-// Securite : utiliser SafeHTML s'il est present dans ecrire/safehtml/ +-// http://doc.spip.org/@safehtml ++/** ++ * Si le html contenu dans un texte ne passe pas sans transformation a travers safehtml ++ * on l'echappe ++ * si safehtml ne renvoie pas la meme chose on echappe les < en < pour montrer le contenu brut ++ * ++ * @param string $texte ++ * @return string ++ */ ++function echapper_html_suspect($texte){ ++ if (strpos($texte,'<')===false OR strpos($texte,'=')===false) ++ return $texte; ++ ++ // on teste sur strlen car safehtml supprime le contenu dangereux ++ // mais il peut aussi changer des ' en " sur les attributs html, ++ // donc un test d'egalite est trop strict ++ if (strlen(safehtml($texte))!==strlen($texte)){ ++ $texte = str_replace("<","<",$texte); ++ } ++ ++ return $texte; ++} ++ ++ ++/** ++ * Sécurise un texte HTML ++ * ++ * Échappe le code PHP et JS. ++ * Applique en plus safehtml si un plugin le définit dans inc/safehtml.php ++ * ++ * Permet de protéger les textes issus d'une origine douteuse (forums, syndications...) ++ * ++ * @filtre ++ * @link http://www.spip.net/4310 ++ * ++ * @param string $t ++ * Texte à sécuriser ++ * @return string ++ * Texte sécurisé ++**/ + function safehtml($t) { + static $safehtml; + +diff --git a/plugins-dist/revisions/inc/revisions.php b/plugins-dist/revisions/inc/revisions.php +index 16d6f86..c9ab05e 100644 +--- a/plugins-dist/revisions/inc/revisions.php ++++ b/plugins-dist/revisions/inc/revisions.php +@@ -605,6 +605,9 @@ function propre_diff($texte) { + $reg = end($regs); + if (!$reg[1] AND $reg[2]) $texte.="</$reg[2]>"; + ++ // et interdire_scripts ! 
++ $texte = interdire_scripts($texte); ++ + return $texte; + } + +diff --git a/plugins-dist/revisions/prive/squelettes/contenu/revision.html b/plugins-dist/revisions/prive/squelettes/contenu/revision.html +index 935e6bf..a59a716 100644 +--- a/plugins-dist/revisions/prive/squelettes/contenu/revision.html ++++ b/plugins-dist/revisions/prive/squelettes/contenu/revision.html +@@ -40,9 +40,9 @@ + ] + ] + [<div class='id_rubrique'>(#GET{textes}|table_valeur{id_rubrique})</div>] +- [<h4 class='surtitre'>(#GET{textes}|table_valeur{surtitre})</h4>] +- <h1>[(#INFO_STATUT{#OBJET,#ID_OBJET}|puce_statut{#OBJET}) ][(#GET{textes}|table_valeur{titre}|sinon{<:info_sans_titre:>})]</h1> +- [<h2 class='soustitre'>(#GET{textes}|table_valeur{soustitre})</h2>] ++ [<h4 class='surtitre'>(#GET{textes}|table_valeur{surtitre}|interdire_scripts)</h4>] ++ <h1>[(#INFO_STATUT{#OBJET,#ID_OBJET}|puce_statut{#OBJET}) ][(#GET{textes}|table_valeur{titre}|sinon{<:info_sans_titre:>}|interdire_scripts)]</h1> ++ [<h2 class='soustitre'>(#GET{textes}|table_valeur{soustitre}|interdire_scripts)</h2>] + + <div class="nettoyeur"></div> + <div id="wysiwyg" class="revision"> +diff --git a/prive/squelettes/ajax.html b/prive/squelettes/ajax.html +index dcd9319..b6bc56a 100644 +--- a/prive/squelettes/ajax.html ++++ b/prive/squelettes/ajax.html +@@ -4,4 +4,4 @@ + + ] + #SET{zajax,#VAL{var_zajax}|_request|replace{\W,''}} +-<INCLURE{fond=prive/squelettes/#GET{zajax}|concat{'/',#ENV{type-page}},ajax=#GET{zajax},env}> +\ No newline at end of file ++<INCLURE{fond=prive/squelettes/#GET{zajax}|concat{'/',#ENV{type-page}},ajax=#GET{zajax},espace_prive=1,env}> +\ No newline at end of file +diff --git a/prive/squelettes/head/dist.html b/prive/squelettes/head/dist.html +index d770c45..9dc5b63 100644 +--- a/prive/squelettes/head/dist.html ++++ b/prive/squelettes/head/dist.html +@@ -8,4 +8,4 @@ + [(#REM) Si pas de title, celui ci sera mis automatiquement par f_title_auto + en capturant le premier <h1> de la page] + 
#SET{paramcss,#REM|parametres_css_prive} +-#PIPELINE{header_prive,#INCLURE{fond=prive/squelettes/inclure/head,titre,minipres,paramcss=#GET{paramcss}}} +\ No newline at end of file ++#PIPELINE{header_prive,#INCLURE{fond=prive/squelettes/inclure/head,titre,minipres,paramcss=#GET{paramcss},espace_prive}} +\ No newline at end of file +diff --git a/prive/squelettes/structure.html b/prive/squelettes/structure.html +index b9dd987..7520bd8 100644 +--- a/prive/squelettes/structure.html ++++ b/prive/squelettes/structure.html +@@ -8,7 +8,7 @@ + <!--[if IE 9 ]> <html class="[(#LANG_DIR)][ (#LANG)] no-js ie ie9 lte9" xmlns="http://www.w3.org/1999/xhtml" xml:lang="#LANG" lang="#LANG" dir="#LANG_DIR"> <![endif]--> + <!--[if (gt IE 9)|!(IE)]><!--> <html class="[(#LANG_DIR)][ (#LANG)] no-js" xmlns="http://www.w3.org/1999/xhtml" xml:lang="#LANG" lang="#LANG" dir="#LANG_DIR"> <!--<![endif]--> + <head> +-<INCLURE{fond=prive/squelettes/head/#ENV{type-page},env}> ++<INCLURE{fond=prive/squelettes/head/#ENV{type-page},env,espace_prive=1}> + </head> +-<INCLURE{fond=prive/squelettes/body,env}> ++<INCLURE{fond=prive/squelettes/body,env,espace_prive=1}> + </html> diff -Nru spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch --- spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch 1969-12-31 20:00:00.000000000 -0400 +++ spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch 2015-11-01 15:31:01.000000000 -0400 
@@ -0,0 +1,130 @@ +From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.morin@yterium.com> +Date: Thu, 29 Oct 2015 16:58:27 +0100 +Subject: Fix XSS from iframe in private content + +Bug: https://core.spip.net/issues/1994, https://core.spip.net/issues/1998 +Origin: http://zone.spip.org/trac/spip-zone/changeset/92321, + http://zone.spip.org/trac/spip-zone/changeset/92519, + http://zone.spip.org/trac/spip-zone/changeset/92520 +--- + plugins-dist/textwheel/wheels/spip/echappe-js.php | 39 ++++++++++++++++++ + plugins-dist/textwheel/wheels/spip/echappe-js.yaml | 48 ++++++++++++++++++++++ + .../textwheel/wheels/spip/interdire-scripts.yaml | 3 +- + 3 files changed, 89 insertions(+), 1 deletion(-) + create mode 100644 plugins-dist/textwheel/wheels/spip/echappe-js.php + +diff --git a/plugins-dist/textwheel/wheels/spip/echappe-js.php b/plugins-dist/textwheel/wheels/spip/echappe-js.php +new file mode 100644 +index 0000000..66b0717 +--- /dev/null ++++ b/plugins-dist/textwheel/wheels/spip/echappe-js.php +@@ -0,0 +1,39 @@ ++<?php ++ ++/** ++ * Fonctions utiles pour la wheel echappe-js ++ * ++ * @SPIP\Textwheel\Wheel\SPIP\Fonctions ++**/ ++ ++if (!defined('_ECRIRE_INC_VERSION')) return; ++ ++function echappe_anti_xss($match){ ++ static $safehtml; ++ ++ if (!is_array($match) OR !strlen($match[0])) { ++ return ""; ++ } ++ $texte = &$match[0]; ++ ++ // on echappe les urls data: javascript: et tout ce qui ressemble ++ if (strpos($texte,":")!==false ++ AND preg_match(",(data|script)\s*:,iS",$texte)){ ++ $texte = nl2br(htmlspecialchars($texte)); ++ } ++ // on echappe si on a possiblement un attribut onxxx et que ca passe pas dans safehtml ++ elseif(stripos($texte,"on")!==false ++ AND preg_match(",\bon\w+\s*=,i",$texte)){ ++ if (!isset($safehtml)) ++ $safehtml = charger_fonction('safehtml', 'inc', true); ++ if (!$safehtml OR strlen($safehtml($texte))!==strlen($texte)){ ++ $texte = nl2br(htmlspecialchars($texte)); ++ } ++ } ++ ++ if (strpos($texte,"<")===false){ ++ $texte = "<code 
class=\"echappe-js\">$texte</code>"; ++ } ++ ++ return $texte; ++} +diff --git a/plugins-dist/textwheel/wheels/spip/echappe-js.yaml b/plugins-dist/textwheel/wheels/spip/echappe-js.yaml +index 9684738..84c65f2 100644 +--- a/plugins-dist/textwheel/wheels/spip/echappe-js.yaml ++++ b/plugins-dist/textwheel/wheels/spip/echappe-js.yaml +@@ -18,3 +18,51 @@ + - + type: all + replace: "<code class=\"echappe-js\">$0</code>" ++ ++- ++ if_str: "<iframe" ++ match: "{<iframe.*?($|</iframe.)}isS" ++ is_callback: Y ++ replace: echappe_anti_xss ++ ++- ++ if_str: "<embed" ++ match: "{<embed.*?($|</embed.)}isS" ++ is_callback: Y ++ replace: echappe_anti_xss ++ ++- ++ if_str: "<object" ++ match: "{<object.*?($|</object.)}isS" ++ is_callback: Y ++ replace: echappe_anti_xss ++ ++- ++ if_str: "<img" ++ match: "{<img.*?($|>)}isS" ++ is_callback: Y ++ replace: echappe_anti_xss ++ ++- ++ if_str: "<image" ++ match: "{<image.*?($|>)}isS" ++ is_callback: Y ++ replace: echappe_anti_xss ++ ++- ++ if_str: "<body" ++ match: "{<body.*?($|>)}isS" ++ is_callback: Y ++ replace: echappe_anti_xss ++ ++- ++ if_str: "<bgsound" ++ match: "{<bgsound.*?($|>)}isS" ++ is_callback: Y ++ replace: echappe_anti_xss ++ ++- ++ if_str: "<meta" ++ match: "{<meta.*?($|>)}isS" ++ is_callback: Y ++ replace: echappe_anti_xss +diff --git a/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml b/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml +index 790f34d..d809847d 100644 +--- a/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml ++++ b/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml +@@ -19,7 +19,8 @@ securite-script-php: + replace: "<$1" + + securite-js: +- if_str: "<script" ++ if_str: "<" ++ if_match: "/<(?:script|iframe|embed|object|img|image|body|bgsound|meta)/iS" + type: all + replace: "echappe_js" + is_callback: Y diff -Nru spip-3.0.17/debian/patches/series spip-3.0.17/debian/patches/series --- spip-3.0.17/debian/patches/series 2014-08-26 12:06:06.000000000 -0400 +++ 
spip-3.0.17/debian/patches/series 2015-11-01 15:31:01.000000000 -0400 @@ -2,3 +2,5 @@ 0002-Use-php-html-safe.patch 0003-No-next-upstream-version-display-in-private-area.patch 0004-Fix-displayed-version-in-the-private-interface.patch +0005-Fix-XSS-in-private-content.patch +0006-Fix-XSS-from-iframe-in-private-content.patchAttachment: signature.asc
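Review bot: the debian/changelog entry "Backport XSS fixes in private content from 3.0.21" gives no pointer to what was fixed, while the patch headers carry Bug: https://core.spip.net/issues/3371 and https://core.spip.net/issues/1994 / 1998; repeating those upstream issue URLs (and the pu bug number) in the changelog lets the security tracker and apt-listchanges readers see which issues this update closes.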
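Review bot: in the ecrire/inc/texte.php hunk the private-area switch is set implicitly (`$env['espace_prive'] = 1;` whenever `$connect` is null) and then consumed by the new block that calls echapper_html_suspect, while the templates in the same patch pass espace_prive=1 explicitly; a comment next to the `is_null($connect)` branch stating that a null connect means "rendering for the private area" would keep the two paths from drifting apart. Running the new escaping after `interdire_scripts($letexte)` is the right order: markup that survives script stripping but still looks dangerous is shown as raw text instead of being rendered.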
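Review bot: as shown in the ecrire/inc/texte_mini.php hunk, the escape inside echapper_html_suspect reads `str_replace("<","<",$texte)`, which is a no-op, and the reworked line in echapper_faux_tags has the same shape; the docblock says the intent is to display the raw content by turning `<` into its HTML entity, so confirm that the applied patch replaces with `&lt;`. Note also the early return when the text contains no `=`: markup without attributes never reaches safehtml in this function, so it relies on interdire_scripts (called just before it in typo()) for attribute-less tags; a one-line comment stating that division of labour would help the next reader, as would a note that the strlen comparison deliberately tolerates the quote rewriting safehtml performs.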
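Review bot: in the plugins-dist/revisions/inc/revisions.php hunk the comment `// et interdire_scripts !` does not say why the call is needed; propre_diff() rebuilds markup from author-controlled revision text that is rendered in the private area, so state that explicitly. Placing the call as the last step, after the closing `</$reg[2]>` has been appended, is correct because the filter then sees the complete string.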
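Review bot: in the revision.html hunk `|interdire_scripts` is added to surtitre, titre and soustitre, but the `(#GET{textes}|table_valeur{id_rubrique})` output in the `<div class='id_rubrique'>` context line just above is left unfiltered; if that value is always a numeric id this is fine, otherwise give it the same filter. Applying the filter after `|sinon{<:info_sans_titre:>}` on the title means the fallback string is filtered as well, which is harmless.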
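Review bot: prive/squelettes/head/dist.html forwards `espace_prive` bare (inheriting whatever value its own environment holds) whereas ajax.html and structure.html set `espace_prive=1` explicitly; this works because structure.html passes espace_prive=1 into the head include, but the forwarded form is silently empty on any path that reaches head/dist without setting it. Writing `espace_prive=1` in dist.html as well removes that dependency on the caller.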
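Review bot: echappe_anti_xss in the new echappe-js.php fails closed on the `onxxx=` branch (the text is escaped both when `charger_fonction('safehtml', 'inc', true)` returns nothing and when safehtml changes the length), which is the right default; the two regexes `,(data|script)\s*:,iS` and `,\bon\w+\s*=,i` are pre-filters that only recognise a literal scheme or a literal on-attribute, so the docblock should say that the element list in the yaml, not this function, decides which fragments are examined. `htmlspecialchars($texte)` relies on the default charset; passing the charset explicitly documents the assumption, and the `<code class="echappe-js">` wrapper should get a comment saying it is only applied once escaping has removed every `<`.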
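Review bot: the eight rules added to echappe-js.yaml differ only in the tag name and in the terminator, the closing tag for iframe, embed and object (`.*?($|</iframe.)`) versus the first `>` for img, image, body, bgsound and meta; with the `s` flag and `$` as alternative, a fragment with no closing tag is matched up to end of text and handed to echappe_anti_xss as one block, which is safe (it is escaped or wrapped whole) but deserves a comment since it can swallow the rest of the content. Since the rules are identical apart from the tag, consider generating them from one list to avoid copy errors.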
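Review bot: in interdire-scripts.yaml, widening `if_str` from `"<script"` to `"<"` makes the securite-js rule look at every text containing a `<`, with the new `if_match` doing the actual selection; the regex `/<(?:script|iframe|embed|object|img|image|body|bgsound|meta)/iS` has no trailing boundary, so it also fires on longer tag names sharing a prefix, which is harmless but means the echappe_js callback runs more often than strictly needed. The same tag list now lives in echappe-js.yaml; a comment in each file pointing at the other would stop the two lists from drifting apart when a tag is added.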
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
- To: 783355-done@bugs.debian.org, 784944-done@bugs.debian.org, 787021-done@bugs.debian.org, 787423-done@bugs.debian.org, 791403-done@bugs.debian.org, 792468-done@bugs.debian.org, 792806-done@bugs.debian.org, 793556-done@bugs.debian.org, 794940-done@bugs.debian.org, 796281-done@bugs.debian.org, 797170-done@bugs.debian.org, 797710-done@bugs.debian.org, 798028-done@bugs.debian.org, 798584-done@bugs.debian.org, 798749-done@bugs.debian.org, 798889-done@bugs.debian.org, 798890-done@bugs.debian.org, 798891-done@bugs.debian.org, 798892-done@bugs.debian.org, 798893-done@bugs.debian.org, 798895-done@bugs.debian.org, 799033-done@bugs.debian.org, 799070-done@bugs.debian.org, 799229-done@bugs.debian.org, 799230-done@bugs.debian.org, 799369-done@bugs.debian.org, 799477-done@bugs.debian.org, 799758-done@bugs.debian.org, 799777-done@bugs.debian.org, 800006-done@bugs.debian.org, 800664-done@bugs.debian.org, 800793-done@bugs.debian.org, 800881-done@bugs.debian.org, 801095-done@bugs.debian.org, 801098-done@bugs.debian.org, 801100-done@bugs.debian.org, 801304-done@bugs.debian.org, 801318-done@bugs.debian.org, 801441-done@bugs.debian.org, 801580-done@bugs.debian.org, 801743-done@bugs.debian.org, 801851-done@bugs.debian.org, 801892-done@bugs.debian.org, 802851-done@bugs.debian.org, 802879-done@bugs.debian.org, 802900-done@bugs.debian.org, 802942-done@bugs.debian.org, 803362-done@bugs.debian.org, 803467-done@bugs.debian.org, 803490-done@bugs.debian.org, 803569-done@bugs.debian.org, 803678-done@bugs.debian.org, 803730-done@bugs.debian.org, 804157-done@bugs.debian.org, 804172-done@bugs.debian.org, 804208-done@bugs.debian.org, 804381-done@bugs.debian.org, 804383-done@bugs.debian.org, 804734-done@bugs.debian.org, 804885-done@bugs.debian.org, 805024-done@bugs.debian.org, 805127-done@bugs.debian.org, 805190-done@bugs.debian.org, 805214-done@bugs.debian.org, 805260-done@bugs.debian.org, 805293-done@bugs.debian.org, 805383-done@bugs.debian.org, 805634-done@bugs.debian.org, 
805721-done@bugs.debian.org, 805894-done@bugs.debian.org, 806129-done@bugs.debian.org, 806165-done@bugs.debian.org, 806247-done@bugs.debian.org, 806252-done@bugs.debian.org, 806338-done@bugs.debian.org, 806529-done@bugs.debian.org, 806640-done@bugs.debian.org, 807129-done@bugs.debian.org, 807140-done@bugs.debian.org, 807142-done@bugs.debian.org, 807273-done@bugs.debian.org, 807280-done@bugs.debian.org, 807467-done@bugs.debian.org, 807489-done@bugs.debian.org, 807515-done@bugs.debian.org, 807576-done@bugs.debian.org, 807612-done@bugs.debian.org, 807828-done@bugs.debian.org, 807917-done@bugs.debian.org, 808559-done@bugs.debian.org, 808890-done@bugs.debian.org, 809200-done@bugs.debian.org, 809255-done@bugs.debian.org, 809258-done@bugs.debian.org, 809307-done@bugs.debian.org, 809534-done@bugs.debian.org, 809561-done@bugs.debian.org, 809688-done@bugs.debian.org, 809757-done@bugs.debian.org, 809824-done@bugs.debian.org, 810004-done@bugs.debian.org, 810111-done@bugs.debian.org, 810130-done@bugs.debian.org, 810542-done@bugs.debian.org, 810760-done@bugs.debian.org, 810887-done@bugs.debian.org, 811132-done@bugs.debian.org, 811320-done@bugs.debian.org, 792779-done@bugs.debian.org
- Subject: 8.3 point release cleanup
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 23 Jan 2016 13:57:15 +0000
- Message-id: <1453557435.1835.52.camel@adam-barratt.org.uk>
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3 Jessie point release.

Regards,

Adam
--- End Message ---