
Bug#1038153: bullseye-pu: package spip/3.2.11-3+deb11u8



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spip@packages.debian.org
Control: affects -1 + src:spip

Hi,

SPIP has been updated upstream to fix some security issues (link to the
French-only announcement follows), and we agreed with the security team
that they don’t warrant a DSA this time.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html

The main backported fix is the one that limits recursion depth in the
protege_champ() function.

The security screen fix (avoiding unserialize use) should already be
fixed in the main code, and the htaccess change is only provided as an
example (in /usr/share/doc/spip).

As usual, I’ve already deployed the proposed package on a server
providing over 30 SPIP websites.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

Regards,

David

diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog	2023-02-28 22:51:50.000000000 +0100
+++ spip-3.2.11/debian/changelog	2023-06-11 15:47:39.000000000 +0200
@@ -1,3 +1,13 @@
+spip (3.2.11-3+deb11u8) bullseye; urgency=medium
+
+  * Backport security fixes from 4.1.10
+    - Limit recursion depth in protege_champ() function
+    - Avoid unserialize use in security screen
+    - Properly block hidden files in provided htaccess
+    - Update security screen to 1.5.3
+
+ -- David Prévot <taffit@debian.org>  Sun, 11 Jun 2023 15:47:39 +0200
+
 spip (3.2.11-3+deb11u7) bullseye-security; urgency=medium
 
   * Backport security fixes from v3.2.18
diff -Nru spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch
--- spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch	2023-06-11 15:47:34.000000000 +0200
@@ -0,0 +1,37 @@
+From: Cerdic <cedric@yterium.com>
+Date: Tue, 7 Mar 2023 14:56:30 +0100
+Subject: security: limiter la profondeur de recursion de `protege_champ`
+
+(cherry picked from commit b362e987b41fac344150f97cc563bf4d8c8181fa)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/9b73dbd66e50baf312ba1c7df21efebba4ae08f1
+---
+ ecrire/balise/formulaire_.php | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/balise/formulaire_.php b/ecrire/balise/formulaire_.php
+index 34926cf..2b3639b 100644
+--- a/ecrire/balise/formulaire_.php
++++ b/ecrire/balise/formulaire_.php
+@@ -33,9 +33,19 @@ include_spip('inc/texte');
+  * @return string|array
+  *     Saisie protégée
+  **/
+-function protege_champ($texte) {
++function protege_champ($texte, $max_prof = 128) {
+ 	if (is_array($texte)) {
+-		$texte = array_map('protege_champ', $texte);
++		// si on dépasse la prof max on tronque
++		if ($max_prof > 0) {
++			return array_map(
++				function($v) use ($max_prof) {
++					return protege_champ($v, $max_prof-1);
++				},
++				$texte
++			);
++		}
++		// si on dépasse la prof max on tronque
++		return [];
+ 	} else {
+ 		if (is_null($texte)) {
+ 			return $texte;
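Review bot: the comment `// si on dépasse la prof max on tronque` appears twice, and its first copy, placed above `if ($max_prof > 0) {`, sits on the branch that still recurses and so misdescribes that code; only the second copy, above `return [];`, is accurate. Note also that once the depth is exceeded the whole sub-array is silently replaced by `[]` with no error or log entry, so callers see input vanish without a trace; as a cherry-pick the code can stay as upstream wrote it, but that truncation behaviour is worth a sentence in the patch header or d/changelog.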
diff -Nru spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
--- spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch	2023-06-11 15:47:34.000000000 +0200
@@ -0,0 +1,64 @@
+From: Cerdic <cedric@yterium.com>
+Date: Tue, 7 Mar 2023 15:03:08 +0100
+Subject: =?utf-8?q?security=3A_Ameliorer_c76770a_en_=C3=A9vitant_un_=60unse?=
+ =?utf-8?q?rialize=60_dans_l=27=C3=A9cran_de_s=C3=A9curit=C3=A9?=
+
+(cherry picked from commit 9b1c3cf455b624163546f1521148897a5c96d5d6)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/9f55790164f7869d2e315a49b3fdc4af0c5b8fdd
+---
+ config/ecran_securite.php | 36 ++++++++++++++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 57fc42f..4112e2e 100644
+--- a/config/ecran_securite.php
++++ b/config/ecran_securite.php
+@@ -557,17 +557,41 @@ if (
+ ) {
+ 	foreach ($_REQUEST as $k => $v) {
+ 		if (is_string($v)
+-		  and strpos($v, ':') !== false
+-		  and strpos($v, '"') !==false
+-		  and preg_match(',[bidsaO]:,', $v)
+-		  and @unserialize($v)) {
+-			$_REQUEST[$k] = htmlentities($v);
++		  and strpbrk($v, "&\"'<>") !== false
++		  and preg_match(',^[abis]:\d+[:;],', $v)
++		  and __ecran_test_if_serialized($v)
++		) {
++			$_REQUEST[$k] = htmlspecialchars($v, ENT_QUOTES);
+ 			if (isset($_POST[$k])) $_POST[$k] = $_REQUEST[$k];
+ 			if (isset($_GET[$k])) $_GET[$k] = $_REQUEST[$k];
+ 		}
+ 	}
+ }
+-
++/**
++ * Version simplifiée de https://developer.wordpress.org/reference/functions/is_serialized/
++ */
++function __ecran_test_if_serialized($data) {
++	$data = trim($data);
++	if ('N;' === $data) {return true;}
++	if (strlen($data) < 4) {return false;}
++	if (':' !== $data[1]) {return false;}
++	$semicolon = strpos($data, ';');
++	$brace = strpos($data, '}');
++	// Either ; or } must exist.
++	if (false === $semicolon && false === $brace) {return false;}
++	// But neither must be in the first X characters.
++	if (false !== $semicolon && $semicolon < 3) {return false;}
++	if (false !== $brace && $brace < 4) {return false;}
++	$token = $data[0];
++	if (in_array($token, array('s', 'S'))) {
++		if (false === strpos($data, '"')) {return false;}
++	} elseif (in_array($token, array('a', 'O', 'C', 'o', 'E'))) {
++		return (bool)preg_match("/^{$token}:[0-9]+:/s", $data);
++	} elseif (in_array($token, array('b', 'i', 'd'))) {
++		return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data);
++	}
++	return false;
++}
+ 
+ /*
+  * S'il y a une raison de mourir, mourons
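Review bot: in `__ecran_test_if_serialized`, a string token (`s`/`S`) whose payload does contain a `"` leaves the first `if` branch without returning and reaches the final `return false;`, so this version of the helper never reports a serialized PHP string as serialized. The following 0055 patch (security screen 1.5.3) merges the `s`/`S` case into the `preg_match("/^{$token}:[0-9]+:/s", $data)` branch and fixes that, so the two patches must land together and the series order matters. Separately, the call-site pre-filter `preg_match(',^[abis]:\d+[:;],', $v)` admits only the `a`, `b`, `i` and `s` tokens, which makes the `N;`, `O`/`C`/`o`/`E` and `d` branches of the helper unreachable from this caller; worth confirming with upstream that the narrowing is intended rather than a leftover of the WordPress routine it was simplified from.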
diff -Nru spip-3.2.11/debian/patches/0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch spip-3.2.11/debian/patches/0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
--- spip-3.2.11/debian/patches/0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch	2023-06-11 15:47:34.000000000 +0200
@@ -0,0 +1,59 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Wed, 7 Jun 2023 09:40:00 +0200
+Subject: =?utf-8?q?security=3A_Effectivement_bloquer_les_fichiers_cach?=
+ =?utf-8?q?=C3=A9s_dans_le_htaccess?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+L’histoire est quelque peu ubuesque, et remonte à il y a 16 ans via 26a1f4906d23
+qui a déplacé des règles trop bas. Ça ne bloquait plus les .svn depuis,
+à cause du fait que plus haut, si c’est un fichier, on exécute la règle
+`[S=100]` qui saute les prochaines `RewriteRule`.
+
+- #5109 a semblé corriger en utilisant `RedirectMatch`, qui n’est pas affecté
+  par le Skip (sans se rendre compte du problème initial)
+- #5432 a remis une `RewriteRule`, et du coup, de nouveau paf.
+
+Ce n’est pas toujours très visible car les serveurs eux-mêmes bloquent
+déjà souvent ces répertoires cachés.
+
+Donc, on remonte bien plus haut les règles de blocage des fichiers cachés
+et on leur fait un titre dédié.
+
+Refs: #5109 #5432 spip-team/securite#4844
+(cherry picked from commit d50cb7bbc7a71ff23a77dfe02215c16991437336)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/36ec7947e96e44af095c3cf87f25cf27a963fe40
+---
+ htaccess.txt | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/htaccess.txt b/htaccess.txt
+index ec4e51d..e7a699c 100644
+--- a/htaccess.txt
++++ b/htaccess.txt
+@@ -58,6 +58,13 @@ RewriteCond %{QUERY_STRING} action=ical
+ RewriteRule spip.php	spip.php?page=ical_prive [QSA,L]
+ 
+ ###
++
++# bloquer les acces aux fichiers caches (.svn, .git, etc)
++RewriteCond %{REQUEST_URI} !^/.well-known/
++RewriteRule "(^|/)\." - [R=404,NC,L]
++# bloquer les informations Composer
++RedirectMatch 404 ^/composer\.(json|lock|phar)$
++
+ # Si le fichier ou repertoire demande existe
+ # ignorer toutes les regles qui suivent
+ <IfModule mod_headers.c>
+@@ -123,9 +130,6 @@ RewriteRule ^[^\.]+(\.html)?$		spip.php [QSA,E=url_propre:$0,L]
+ ###
+ # Divers
+ 
+-# bloquer les acces aux fichiers caches (.svn, .git, etc)
+-RewriteRule /\\..*(/.*|$) - [F]
+-
+ ###
+ # Fichiers "standards" (si absents de la racine)
+ #
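Review bot: `RewriteCond %{REQUEST_URI} !^/.well-known/` leaves the dot unescaped, so it matches any character there, and both it and `RedirectMatch 404 ^/composer\.(json|lock|phar)$` are anchored at `^/`, which assumes SPIP lives at the document root; in a sub-directory install the Composer rule never matches and the `.well-known` exemption never applies. Since the package ships `htaccess.txt` only as an example under /usr/share/doc this does not affect Debian systems directly, but the patch header could say so. Also worth recording that the removed `RewriteRule /\\..*(/.*|$) - [F]` answered 403 whereas the new rule answers `R=404`, a visible change for anyone who copied the old file.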
diff -Nru spip-3.2.11/debian/patches/0055-build-Up-cran-de-s-cu-en-1.5.3.patch spip-3.2.11/debian/patches/0055-build-Up-cran-de-s-cu-en-1.5.3.patch
--- spip-3.2.11/debian/patches/0055-build-Up-cran-de-s-cu-en-1.5.3.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0055-build-Up-cran-de-s-cu-en-1.5.3.patch	2023-06-11 15:47:34.000000000 +0200
@@ -0,0 +1,51 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Wed, 7 Jun 2023 12:12:57 +0200
+Subject: =?utf-8?q?build=3A_Up_=C3=A9cran_de_s=C3=A9cu_en_1=2E5=2E3?=
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/536192d895c051b0859374710fbdd5bf15205e3f
+---
+ config/ecran_securite.php | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 4112e2e..5118d55 100644
+--- a/config/ecran_securite.php
++++ b/config/ecran_securite.php
+@@ -5,7 +5,7 @@
+  * ------------------
+  */
+ 
+-define('_ECRAN_SECURITE', '1.5.0'); // 2023-02-27
++define('_ECRAN_SECURITE', '1.5.3'); // 2023-05-31
+ 
+ /*
+  * Documentation : http://www.spip.net/fr_article4200.html
+@@ -553,7 +553,7 @@ if (
+ }
+ 
+ if (
+-	isset($_REQUEST['formulaire_action_args'])
++	isset($_REQUEST['formulaire_action_args']) || isset($_REQUEST['var_login'])
+ ) {
+ 	foreach ($_REQUEST as $k => $v) {
+ 		if (is_string($v)
+@@ -583,9 +583,8 @@ function __ecran_test_if_serialized($data) {
+ 	if (false !== $semicolon && $semicolon < 3) {return false;}
+ 	if (false !== $brace && $brace < 4) {return false;}
+ 	$token = $data[0];
+-	if (in_array($token, array('s', 'S'))) {
+-		if (false === strpos($data, '"')) {return false;}
+-	} elseif (in_array($token, array('a', 'O', 'C', 'o', 'E'))) {
++    if (in_array($token, array('s', 'S', 'a', 'O', 'C', 'o', 'E'))) {
++		if (in_array($token, array('s', 'S')) and false === strpos($data, '"')) {return false;}
+ 		return (bool)preg_match("/^{$token}:[0-9]+:/s", $data);
+ 	} elseif (in_array($token, array('b', 'i', 'd'))) {
+ 		return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data);
+@@ -593,6 +592,7 @@ function __ecran_test_if_serialized($data) {
+ 	return false;
+ }
+ 
++
+ /*
+  * S'il y a une raison de mourir, mourons
+  */
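Review bot: the new line `if (in_array($token, array('s', 'S', 'a', 'O', 'C', 'o', 'E'))) {` is indented with four spaces while every surrounding line uses a tab, and the hunk also adds a stray blank line before the `/* S'il y a une raison de mourir` comment; both are upstream whitespace carried by the cherry-pick rather than something to fix in the Debian patch. More relevant for d/changelog: this hunk is what makes the `s`/`S` case of `__ecran_test_if_serialized` actually return a result (in 0053 it fell through to `return false;`) and widens the serialized-input check to also run when `var_login` is set, neither of which "Update security screen to 1.5.3" conveys.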
diff -Nru spip-3.2.11/debian/patches/series spip-3.2.11/debian/patches/series
--- spip-3.2.11/debian/patches/series	2023-02-28 22:51:50.000000000 +0100
+++ spip-3.2.11/debian/patches/series	2023-06-11 15:47:34.000000000 +0200
@@ -49,3 +49,7 @@
 0049-Fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch
 0050-fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch
 0051-fix-Correction-des-ordres-_todo-adress-es-SVP.patch
+0052-security-limiter-la-profondeur-de-recursion-de-prote.patch
+0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
+0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
+0055-build-Up-cran-de-s-cu-en-1.5.3.patch
