Bug#1005218: marked as done (buster-pu: package spip/3.2.4-1+deb10u6)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#1005218: marked as done (buster-pu: package spip/3.2.4-1+deb10u6)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 26 Mar 2022 12:07:04 +0000
Message-id: <[🔎] handler.1005218.D1005218.164829618912502.ackdone@bugs.debian.org>
Reply-to: 1005218@bugs.debian.org
References: <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk> <YgNtzbAqnh6eUFd3@persil.tilapin.org>

Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1005218,
regarding buster-pu: package spip/3.2.4-1+deb10u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1005218: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005218
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: buster-pu: package spip/3.2.4-1+deb10u6
From: David Prévot <taffit@debian.org>
Date: Wed, 9 Feb 2022 03:31:25 -0400
Message-id: <YgNtzbAqnh6eUFd3@persil.tilapin.org>

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
Two security issues (XSS) have been fixed in the latest upstream
version. As agreed with the security team, those are not worth a DSA.

[ Impact ]
Without these fixes, websites are vulnerable to already public XSS
issues.

[ Tests ]
The fixes are identical to the one proposed for Bullseye, but I don’t
handle any server in production running Buster.

[ Risks ]
Both fixes are pretty small.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Cheers

David

diff --git a/debian/changelog b/debian/changelog
index 6618f122ee..6881e0948d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,17 @@
+spip (3.2.4-1+deb10u6) buster; urgency=medium
+
+  * Document CVE fixed previously
+  * Backport security fixes (XSS) from 3.2.13
+
+ -- David Prévot <taffit@debian.org>  Sat, 05 Feb 2022 09:21:02 -0400
+
 spip (3.2.4-1+deb10u5) buster-security; urgency=high
 
   * Backport security fixes from 3.2.12
-    - SQL injections, remote code execution, XSS
+    - SQL injections
+    - remote code execution [CVE-2021-44123]
+    - XSS [CVE-2021-44118] [CVE-2021-44120]
+    - CSRF [CVE-2021-44122]
 
  -- David Prévot <taffit@debian.org>  Wed, 15 Dec 2021 17:19:09 -0400
 
diff --git a/debian/patches/0038-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch b/debian/patches/0038-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
index b4ba41bb17..4c109c38ab 100644
--- a/debian/patches/0038-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
+++ b/debian/patches/0038-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
@@ -8,6 +8,7 @@ Subject: Utiliser valider_url_distante() en plus de tester_url_absolue()
 (cherry picked from commit 9b8d1487ef067b5bdb2ce7365cc65d0e7ec0fa44)
 
 Origin: upstream, https://git.spip.net/spip/medias/commit/1a4b7024cf728ec531658967b374c5ec6f36ee42
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44118
 ---
  plugins-dist/medias/action/copier_local.php | 14 ++++++++++----
  1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/debian/patches/0039-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch b/debian/patches/0039-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
index 6df33be8de..73e69b8f4a 100644
--- a/debian/patches/0039-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
+++ b/debian/patches/0039-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
@@ -11,6 +11,7 @@ Subject: Fix/refactoring query_echappe_textes() qui ne detectait parfois pas
 On modifie aussi l'usage dans req/mysql en privilegiant de garder la requete initiale intacte si il n'y a rien a faire dessus
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/fca83dc95ee279552382eeb5015d5dc3efed9de3
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
 ---
  ecrire/base/connect_sql.php | 47 ++++++++++++++++++++++++++++++++-------------
  ecrire/req/mysql.php        | 10 +++++-----
diff --git a/debian/patches/0040-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch b/debian/patches/0040-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
index 787d6c6c31..83741178b6 100644
--- a/debian/patches/0040-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
+++ b/debian/patches/0040-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
@@ -2,6 +2,7 @@ From: Cerdic <cedric@yterium.com>
 Date: Fri, 17 Sep 2021 17:39:04 +0200
 Subject: Simplifier la regexp, c'est pas plus mal (cfreal)
 
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
 ---
  ecrire/base/connect_sql.php | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/patches/0041-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch b/debian/patches/0041-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
index 6bcdf3456c..33c6e23ae6 100644
--- a/debian/patches/0041-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
+++ b/debian/patches/0041-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
@@ -7,6 +7,7 @@ Subject: Complement de 413ca3cc58 : _mysql_traite_query() s'appelle
  query_reinjecte_textes()
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/a4fdb3b8ec11f067a6d09512c6f31dbda7fd57c6
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
 ---
  ecrire/req/mysql.php | 19 +++++++++++++++----
  1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/debian/patches/0042-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch b/debian/patches/0042-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
index 8f7e49a288..fc226345ab 100644
--- a/debian/patches/0042-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
+++ b/debian/patches/0042-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
@@ -12,6 +12,7 @@ Subject: =?utf-8?q?Balise_=23FORMULAIRE_=3A_nettoyer_du_code_mort_qui_ne_se?=
  =?utf-8?q?issue=29?=
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/fea5b5b4507cc9c0b9e91bbfbf34fe40b0bea805
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122
 ---
  ecrire/balise/formulaire_.php | 13 +++++++++++++
  ecrire/public/aiguiller.php   | 23 ++++++++++++++++++++++-
diff --git a/debian/patches/0043-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch b/debian/patches/0043-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch
index 055ee350f7..86a7130b43 100644
--- a/debian/patches/0043-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch
+++ b/debian/patches/0043-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch
@@ -8,6 +8,7 @@ Subject: Nom,
  lequel ne contient en general pas de < ce qui passe tres vite dans safehtml
 
 Origin: backport, https://git.spip.net/spip/spip/commit/361cc26080d1377bc55d2cb80736e5cfaf5fd242
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
 ---
  ecrire/public/interfaces.php | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/patches/0044-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch b/debian/patches/0044-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch
index 8ebc3ca857..1851a1c054 100644
--- a/debian/patches/0044-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch
+++ b/debian/patches/0044-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch
@@ -6,6 +6,7 @@ Subject: Lors de l'upload de documents,
  sinon on ne garde que la derniere
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/28c2cd60bee60892c6660b81d98cc166aa442866
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44123
 ---
  ecrire/inc/documents.php | 13 +++++++++++++
  1 file changed, 13 insertions(+)
diff --git a/debian/patches/0045-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch b/debian/patches/0045-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch
index 1f15081dfe..52920a46e3 100644
--- a/debian/patches/0045-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch
+++ b/debian/patches/0045-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch
@@ -6,6 +6,7 @@ Subject: Oups,
  formulaire anonyme)
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/2992190368197a0f966e85d6c5751b999be83cb4ZZ
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122
 ---
  ecrire/public/aiguiller.php | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/patches/0046-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch b/debian/patches/0046-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch
index df77a90a23..5db137b311 100644
--- a/debian/patches/0046-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch
+++ b/debian/patches/0046-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch
@@ -4,6 +4,7 @@ Subject: Il faut incrementer spip_version_code car tous les formulaires
  doivent etre recalcules
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/aefb90d6a186f81c2596dc39a010a5827921b6c1
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122
 ---
  ecrire/inc_version.php | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/patches/0047-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch b/debian/patches/0047-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch
index 2ad0ab37db..36d3ab2243 100644
--- a/debian/patches/0047-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch
+++ b/debian/patches/0047-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch
@@ -5,6 +5,7 @@ Subject: Le plugin mots et son formulaire editer_mot() contient encore du
  c'etait casse gueule de changer ca sur cette branche
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/685a2c0bdcde2ef1804b4ac794243b54c4a22585
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122
 ---
  ecrire/balise/formulaire_.php | 5 +----
  1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/debian/patches/0048-Ameliorer-valider_url_distante-on-utilise-filter_var.patch b/debian/patches/0048-Ameliorer-valider_url_distante-on-utilise-filter_var.patch
index f99c095188..28ac4c715d 100644
--- a/debian/patches/0048-Ameliorer-valider_url_distante-on-utilise-filter_var.patch
+++ b/debian/patches/0048-Ameliorer-valider_url_distante-on-utilise-filter_var.patch
@@ -7,6 +7,7 @@ Subject: Ameliorer valider_url_distante() : on utilise filter_var plutot que
 (cherry picked from commit a4a09d103500bb7f598833d746540e4b417dfd72)
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/19c3592b93343c222589ffd3aeace97213e25745
+ug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44118
 ---
  ecrire/inc/distant.php | 23 +++++++++++++++--------
  1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/debian/patches/0049-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch b/debian/patches/0049-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch
new file mode 100644
index 0000000000..c4f3760a77
--- /dev/null
+++ b/debian/patches/0049-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch
@@ -0,0 +1,64 @@
+From: Cerdic <cedric@yterium.com>
+Date: Wed, 2 Feb 2022 09:51:56 +0100
+Subject: Verifier qu'on a bien le droit de modifier le login avant d'accepter
+ un post sur cette variable
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/9ed1818f14be283b0b6e8469bfbc54ba2d10763b
+---
+ prive/formulaires/editer_auteur.php | 42 ++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/prive/formulaires/editer_auteur.php b/prive/formulaires/editer_auteur.php
+index bd4efd2..3b7ac39 100644
+--- a/prive/formulaires/editer_auteur.php
++++ b/prive/formulaires/editer_auteur.php
+@@ -236,19 +236,37 @@ function formulaires_editer_auteur_verifier_dist(
+ 	}
+ 
+ 	$erreurs['message_erreur'] = '';
++	if (_request('login')) {
++		// on n'est jamais cense poster le name login
++		$erreurs['login'] = _T('info_non_modifiable');
++	}
++	elseif (
++		($login = _request('new_login')) and
++		$login !== sql_getfetsel('login', 'spip_auteurs', 'id_auteur=' . intval($id_auteur))
++	) {
++		// on verifie la meme chose que dans auteurs_edit_config()
++		if (
++			! auth_autoriser_modifier_login($auth_methode)
++			or !autoriser('modifier', 'auteur', intval($id_auteur), null, ['email' => true])
++		) {
++			$erreurs['login'] = _T('info_non_modifiable');
++		}
++	}
+ 
+-	if ($err = auth_verifier_login($auth_methode, _request('new_login'), $id_auteur)) {
+-		$erreurs['new_login'] = $err;
+-		$erreurs['message_erreur'] .= $err;
+-	} else {
+-		// pass trop court ou confirmation non identique
+-		if ($p = _request('new_pass')) {
+-			if ($p != _request('new_pass2')) {
+-				$erreurs['new_pass'] = _T('info_passes_identiques');
+-				$erreurs['message_erreur'] .= _T('info_passes_identiques');
+-			} elseif ($err = auth_verifier_pass($auth_methode, _request('new_login'), $p, $id_auteur)) {
+-				$erreurs['new_pass'] = $err;
+-				$erreurs['message_erreur'] .= $err;
++	if (empty($erreurs['login'])){
++		if ($err = auth_verifier_login($auth_methode, _request('new_login'), $id_auteur)){
++			$erreurs['new_login'] = $err;
++			$erreurs['message_erreur'] .= $err;
++		} else {
++			// pass trop court ou confirmation non identique
++			if ($p = _request('new_pass')){
++				if ($p!=_request('new_pass2')){
++					$erreurs['new_pass'] = _T('info_passes_identiques');
++					$erreurs['message_erreur'] .= _T('info_passes_identiques');
++				} elseif ($err = auth_verifier_pass($auth_methode, _request('new_login'), $p, $id_auteur)) {
++					$erreurs['new_pass'] = $err;
++					$erreurs['message_erreur'] .= $err;
++				}
+ 			}
+ 		}
+ 	}
diff --git a/debian/patches/0050-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch b/debian/patches/0050-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch
new file mode 100644
index 0000000000..f95d4333fa
--- /dev/null
+++ b/debian/patches/0050-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch
@@ -0,0 +1,23 @@
+From: Cerdic <cedric@yterium.com>
+Date: Wed, 29 Dec 2021 10:50:27 +0100
+Subject: appliquer rawurlencode() aussi sur les tableaux qu'on passe en
+ argument de parametre_url() #4819
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/b2f8e3a59ccbf958197e22609938871884438b5f
+---
+ ecrire/inc/utils.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ecrire/inc/utils.php b/ecrire/inc/utils.php
+index 40f892e..9fc3ee3 100644
+--- a/ecrire/inc/utils.php
++++ b/ecrire/inc/utils.php
+@@ -600,7 +600,7 @@ function parametre_url($url, $c, $v = null, $sep = '&amp;') {
+ 			} else {
+ 				$id = (substr($k, -2) == '[]') ? $k : ($k . "[]");
+ 				foreach ($v as $w) {
+-					$url[] = $id . '=' . (is_array($w) ? 'Array' : $w);
++					$url[] = $id . '=' . (is_array($w) ? 'Array' : rawurlencode($w));
+ 				}
+ 			}
+ 		}
diff --git a/debian/patches/series b/debian/patches/series
index faecf747dc..4707b67d85 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -46,3 +46,5 @@
 0046-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch
 0047-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch
 0048-Ameliorer-valider_url_distante-on-utilise-filter_var.patch
+0049-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch
+0050-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch

Attachment: signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message ---

To: 959469-done@bugs.debian.org, 985063-done@bugs.debian.org, 987376-done@bugs.debian.org, 992546-done@bugs.debian.org, 992613-done@bugs.debian.org, 995748-done@bugs.debian.org, 996023-done@bugs.debian.org, 996024-done@bugs.debian.org, 996600-done@bugs.debian.org, 996624-done@bugs.debian.org, 996695-done@bugs.debian.org, 996929-done@bugs.debian.org, 996997-done@bugs.debian.org, 997079-done@bugs.debian.org, 998042-done@bugs.debian.org, 998248-done@bugs.debian.org, 998344-done@bugs.debian.org, 1000218-done@bugs.debian.org, 1000341-done@bugs.debian.org, 1000386-done@bugs.debian.org, 1000408-done@bugs.debian.org, 1000473-done@bugs.debian.org, 1000479-done@bugs.debian.org, 1000480-done@bugs.debian.org, 1000486-done@bugs.debian.org, 1000608-done@bugs.debian.org, 1001043-done@bugs.debian.org, 1001149-done@bugs.debian.org, 1001280-done@bugs.debian.org, 1001454-done@bugs.debian.org, 1001556-done@bugs.debian.org, 1001749-done@bugs.debian.org, 1001752-done@bugs.debian.org, 1002297-done@bugs.debian.org, 1002298-done@bugs.debian.org, 1002740-done@bugs.debian.org, 1002912-done@bugs.debian.org, 1003795-done@bugs.debian.org, 1003825-done@bugs.debian.org, 1003826-done@bugs.debian.org, 1003827-done@bugs.debian.org, 1003841-done@bugs.debian.org, 1003842-done@bugs.debian.org, 1004049-done@bugs.debian.org, 1004055-done@bugs.debian.org, 1004056-done@bugs.debian.org, 1004249-done@bugs.debian.org, 1004261-done@bugs.debian.org, 1004265-done@bugs.debian.org, 1004267-done@bugs.debian.org, 1004268-done@bugs.debian.org, 1005000-done@bugs.debian.org, 1005218-done@bugs.debian.org, 1005233-done@bugs.debian.org, 1005353-done@bugs.debian.org, 1005374-done@bugs.debian.org, 1006377-done@bugs.debian.org, 1006417-done@bugs.debian.org, 1006494-done@bugs.debian.org, 1006525-done@bugs.debian.org, 1007745-done@bugs.debian.org, 1007746-done@bugs.debian.org, 1007879-done@bugs.debian.org, 1007938-done@bugs.debian.org, 1007948-done@bugs.debian.org, 1007964-done@bugs.debian.org, 1008030-done@bugs.debian.org, 1008072-done@bugs.debian.org, 1006142-done@bugs.debian.org

Subject: Closing requests for updates in 10.12

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 26 Mar 2022 12:02:22 +0000

Message-id: <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.12

Hi,

The updates referenced in these requests were included in oldstable as
part of today's 10.12 point release.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#1004268: marked as done (buster-pu: package libextractor/1:1.8-2+deb10u1)
Next by Date: Bug#1005000: marked as done (buster-pu: package atftp/0.7.git20120829-3.2~deb10u2)
Previous by thread: Bug#1004268: marked as done (buster-pu: package libextractor/1:1.8-2+deb10u1)
Next by thread: Bug#1005000: marked as done (buster-pu: package atftp/0.7.git20120829-3.2~deb10u2)
Index(es):
- Date
- Thread