Package: release.debian.org Severity: normal Tags: bookworm User: release.debian.org@packages.debian.org Usertags: pu X-Debbugs-Cc: spip@packages.debian.org Control: affects -1 + src:spip Another upstream release fixed a security issue. It introduces some factorisation adding two more clean up in sessions. We agreed with the security team that this don’t warrant a DSA. https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html The 4.1 branch is mostly in maintenance mode, and the patches have been cherry-picked directly from upstream. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Thanks in advance. Regards, taffit
diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog
--- spip-4.1.9+dfsg/debian/changelog 2023-06-11 15:38:54.000000000 +0200
+++ spip-4.1.9+dfsg/debian/changelog 2023-07-08 20:29:04.000000000 +0200
@@ -1,3 +1,11 @@
+spip (4.1.9+dfsg-1+deb12u2) bookworm; urgency=medium
+
+ * Backport security fix from 4.1.11
+ - use an auth_desensibiliser_session() function to centralize extended
+ authentification data filtering.
+
+ -- David Prévot <taffit@debian.org> Sat, 08 Jul 2023 20:29:04 +0200
+
spip (4.1.9+dfsg-1+deb12u1) bookworm; urgency=medium
[ David Prévot ]
diff -Nru spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
--- spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,69 @@
+From: Cerdic <cedric@yterium.com>
+Date: Mon, 3 Jul 2023 10:23:02 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?=
+ =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?=
+ =?utf-8?q?ration_d=E2=80=99une_session?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur,
+- qu'on utilise lors de la preparation d'une session
+- et dans informer_login
+
+Refs: spip-team/securite#4847
+(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676
+---
+ ecrire/inc/auth.php | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 85d5ab1..6185aff 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -250,11 +250,7 @@ function auth_init_droits($row) {
+ $GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
+
+ // au cas ou : ne pas memoriser les champs sensibles
+- unset($GLOBALS['visiteur_session']['pass']);
+- unset($GLOBALS['visiteur_session']['htpass']);
+- unset($GLOBALS['visiteur_session']['alea_actuel']);
+- unset($GLOBALS['visiteur_session']['alea_futur']);
+- unset($GLOBALS['visiteur_session']['ldap_password']);
++ $GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+
+ // creer la session au besoin
+ if (!isset($_COOKIE['spip_session'])) {
+@@ -314,6 +310,22 @@ function auth_init_droits($row) {
+ return ''; // i.e. pas de pb.
+ }
+
++/**
++ * Enlever les clés sensibles d'une ligne auteur
++ * @param array $auteur
++ * @return array
++ */
++function auth_desensibiliser_session(array $auteur) {
++ $cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++ foreach ($cles_sensibles as $cle) {
++ if (isset($auteur[$cle])) {
++ unset($auteur[$cle]);
++ }
++ }
++
++ return $auteur;
++}
++
+ /**
+ * Retourne l'url de connexion
+ *
+@@ -480,6 +492,7 @@ function auth_informer_login($login, $serveur = '') {
+ }
+
+ $prefs = @unserialize($row['prefs']);
++ $row = auth_desensibiliser_session($row);
+ $infos = [
+ 'id_auteur' => $row['id_auteur'],
+ 'login' => $row['login'],
diff -Nru spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch
--- spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch 2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,69 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Mon, 3 Jul 2023 10:55:19 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_=60auth=5Fdesensibiliser=5Fsession?=
+ =?utf-8?q?=28=29=60_aussi_=C3=A0_la_cr=C3=A9ation_du_fichier_de_session?=
+
+Refs: spip-team/securite#4847
+(cherry picked from commit 5a73e07745bb6753557f0dc2b5404aa49f3ab900)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/f2fb631f0034728fd275ffa619fd6ddb7b841bdf
+---
+ ecrire/inc/auth.php | 10 ++++------
+ ecrire/inc/session.php | 12 ++++--------
+ 2 files changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 6185aff..d20af70 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -247,7 +247,7 @@ function auth_init_droits($row) {
+ $GLOBALS['connect_login'] = $row['login'];
+ $GLOBALS['connect_statut'] = $row['statut'];
+
+- $GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
++ $GLOBALS['visiteur_session'] = array_merge((array) $GLOBALS['visiteur_session'], $row);
+
+ // au cas ou : ne pas memoriser les champs sensibles
+ $GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+@@ -312,13 +312,11 @@ function auth_init_droits($row) {
+
+ /**
+ * Enlever les clés sensibles d'une ligne auteur
+- * @param array $auteur
+- * @return array
+ */
+-function auth_desensibiliser_session(array $auteur) {
+- $cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++function auth_desensibiliser_session(array $auteur): array {
++ $cles_sensibles = ['pass', 'htpass', 'low_sec', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
+ foreach ($cles_sensibles as $cle) {
+- if (isset($auteur[$cle])) {
++ if (array_key_exists($cle, $auteur)) {
+ unset($auteur[$cle]);
+ }
+ }
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index 853b501..855838f 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -613,16 +613,12 @@ function lister_sessions_auteur($id_auteur, $nb_max = null) {
+ * @param array $auteur
+ * @return array
+ */
+-function preparer_ecriture_session($auteur) {
++function preparer_ecriture_session(array $auteur): array {
++
+ $row = $auteur;
+
+- // ne pas enregistrer ces elements de securite
+- // dans le fichier de session
+- unset($auteur['pass']);
+- unset($auteur['htpass']);
+- unset($auteur['low_sec']);
+- unset($auteur['alea_actuel']);
+- unset($auteur['alea_futur']);
++ // ne pas enregistrer ces elements de securite dans le fichier de session
++ $auteur = auth_desensibiliser_session($auteur);
+
+ $auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]);
+
diff -Nru spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch
--- spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch 2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,23 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Mon, 3 Jul 2023 23:10:51 +0200
+Subject: fix: Inclusion manquante dans !5663
+
+(cherry picked from commit 13793c345bdc8ea362f71656c3b38103d6aaba2c)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/144f520ead7ca38a4644e35af4cac2278de6d3e9
+---
+ ecrire/inc/session.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index 855838f..d9f9314 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -618,6 +618,7 @@ function preparer_ecriture_session(array $auteur): array {
+ $row = $auteur;
+
+ // ne pas enregistrer ces elements de securite dans le fichier de session
++ include_spip('inc/auth');
+ $auteur = auth_desensibiliser_session($auteur);
+
+ $auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]);
diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series
--- spip-4.1.9+dfsg/debian/patches/series 2023-06-11 15:37:44.000000000 +0200
+++ spip-4.1.9+dfsg/debian/patches/series 2023-07-08 20:25:35.000000000 +0200
@@ -6,3 +6,6 @@
0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
0008-build-Up-cran-de-s-cu-en-1.5.3.patch
+0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
+0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch
+0011-fix-Inclusion-manquante-dans-5663.patch
Attachment:
signature.asc
Description: PGP signature