[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1040758: bullseye-pu: package spip/3.2.11-3+deb11u9

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spip@packages.debian.org
Control: affects -1 + src:spip

This issue is similar to #1040756 in bookworm.

Another upstream release fixed a security issue. It introduces some
factorisation adding two more clean up in sessions. We agreed with the
security team that this don’t warrant a DSA.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html

The 3.2 branch is not maintained upstream anymore, but the patches have
been cherry-picked directly from the 4.1 branch, except for the first
one that needed some slight editing. Also, I’ve already deployed the
proposed package on a server providing over 30 SPIP websites.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit

diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog	2023-06-11 15:47:39.000000000 +0200
+++ spip-3.2.11/debian/changelog	2023-07-08 20:38:26.000000000 +0200
@@ -1,3 +1,11 @@
+spip (3.2.11-3+deb11u9) bullseye; urgency=medium
+
+  * Backport security fix from 4.1.11
+    - use an auth_desensibiliser_session() function to centralize extended
+      authentification data filtering.
+
+ -- David Prévot <taffit@debian.org>  Sat, 08 Jul 2023 20:38:26 +0200
+
 spip (3.2.11-3+deb11u8) bullseye; urgency=medium
 
   * Backport security fixes from 4.1.10
diff -Nru spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
--- spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	2023-07-08 20:38:18.000000000 +0200
@@ -0,0 +1,69 @@
+From: Cerdic <cedric@yterium.com>
+Date: Mon, 3 Jul 2023 10:23:02 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?=
+ =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?=
+ =?utf-8?q?ration_d=E2=80=99une_session?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur,
+- qu'on utilise lors de la preparation d'une session
+- et dans informer_login
+
+Refs:  spip-team/securite#4847
+(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676
+---
+ ecrire/inc/auth.php | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 12fc4ce..cb61446 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -249,11 +249,7 @@ function auth_init_droits($row) {
+ 	$GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
+ 
+ 	// au cas ou : ne pas memoriser les champs sensibles
+-	unset($GLOBALS['visiteur_session']['pass']);
+-	unset($GLOBALS['visiteur_session']['htpass']);
+-	unset($GLOBALS['visiteur_session']['alea_actuel']);
+-	unset($GLOBALS['visiteur_session']['alea_futur']);
+-	unset($GLOBALS['visiteur_session']['ldap_password']);
++	$GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+ 
+ 	// creer la session au besoin
+ 	if (!isset($_COOKIE['spip_session'])) {
+@@ -310,6 +306,22 @@ function auth_init_droits($row) {
+ 	return ''; // i.e. pas de pb.
+ }
+ 
++/**
++ * Enlever les clés sensibles d'une ligne auteur
++ * @param array $auteur
++ * @return array
++ */
++function auth_desensibiliser_session(array $auteur) {
++	$cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++	foreach ($cles_sensibles as $cle) {
++		if (isset($auteur[$cle])) {
++			unset($auteur[$cle]);
++		}
++	}
++
++	return $auteur;
++}
++
+ /**
+  * Retourne l'url de connexion
+  *
+@@ -490,6 +502,7 @@ function auth_informer_login($login, $serveur = '') {
+ 	}
+ 
+ 	$prefs = unserialize($row['prefs']);
++	$row = auth_desensibiliser_session($row);
+ 	$infos = array(
+ 		'id_auteur' => $row['id_auteur'],
+ 		'login' => $row['login'],
diff -Nru spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch
--- spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch	2023-07-08 20:38:18.000000000 +0200
@@ -0,0 +1,69 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Mon, 3 Jul 2023 10:55:19 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_=60auth=5Fdesensibiliser=5Fsession?=
+ =?utf-8?q?=28=29=60_aussi_=C3=A0_la_cr=C3=A9ation_du_fichier_de_session?=
+
+Refs:  spip-team/securite#4847
+(cherry picked from commit 5a73e07745bb6753557f0dc2b5404aa49f3ab900)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/f2fb631f0034728fd275ffa619fd6ddb7b841bdf
+---
+ ecrire/inc/auth.php    | 10 ++++------
+ ecrire/inc/session.php | 12 ++++--------
+ 2 files changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index cb61446..3378c43 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -246,7 +246,7 @@ function auth_init_droits($row) {
+ 	$GLOBALS['connect_login'] = $row['login'];
+ 	$GLOBALS['connect_statut'] = $row['statut'];
+ 
+-	$GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
++	$GLOBALS['visiteur_session'] = array_merge((array) $GLOBALS['visiteur_session'], $row);
+ 
+ 	// au cas ou : ne pas memoriser les champs sensibles
+ 	$GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+@@ -308,13 +308,11 @@ function auth_init_droits($row) {
+ 
+ /**
+  * Enlever les clés sensibles d'une ligne auteur
+- * @param array $auteur
+- * @return array
+  */
+-function auth_desensibiliser_session(array $auteur) {
+-	$cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++function auth_desensibiliser_session(array $auteur): array {
++	$cles_sensibles = ['pass', 'htpass', 'low_sec', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
+ 	foreach ($cles_sensibles as $cle) {
+-		if (isset($auteur[$cle])) {
++		if (array_key_exists($cle, $auteur)) {
+ 			unset($auteur[$cle]);
+ 		}
+ 	}
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index 2e331bf..f572b44 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -597,16 +597,12 @@ function lister_sessions_auteur($id_auteur, $nb_max = null) {
+  * @param array $auteur
+  * @return array
+  */
+-function preparer_ecriture_session($auteur) {
++function preparer_ecriture_session(array $auteur): array {
++
+ 	$row = $auteur;
+ 
+-	// ne pas enregistrer ces elements de securite
+-	// dans le fichier de session
+-	unset($auteur['pass']);
+-	unset($auteur['htpass']);
+-	unset($auteur['low_sec']);
+-	unset($auteur['alea_actuel']);
+-	unset($auteur['alea_futur']);
++	// ne pas enregistrer ces elements de securite dans le fichier de session
++	$auteur = auth_desensibiliser_session($auteur);
+ 
+ 	$auteur = pipeline('preparer_fichier_session', array('args' => array('row' => $row), 'data' => $auteur));
+ 
diff -Nru spip-3.2.11/debian/patches/0058-fix-Inclusion-manquante-dans-5663.patch spip-3.2.11/debian/patches/0058-fix-Inclusion-manquante-dans-5663.patch
--- spip-3.2.11/debian/patches/0058-fix-Inclusion-manquante-dans-5663.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0058-fix-Inclusion-manquante-dans-5663.patch	2023-07-08 20:38:18.000000000 +0200
@@ -0,0 +1,23 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Mon, 3 Jul 2023 23:10:51 +0200
+Subject: fix: Inclusion manquante dans !5663
+
+(cherry picked from commit 13793c345bdc8ea362f71656c3b38103d6aaba2c)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/144f520ead7ca38a4644e35af4cac2278de6d3e9
+---
+ ecrire/inc/session.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index f572b44..3288d66 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -602,6 +602,7 @@ function preparer_ecriture_session(array $auteur): array {
+ 	$row = $auteur;
+ 
+ 	// ne pas enregistrer ces elements de securite dans le fichier de session
++	include_spip('inc/auth');
+ 	$auteur = auth_desensibiliser_session($auteur);
+ 
+ 	$auteur = pipeline('preparer_fichier_session', array('args' => array('row' => $row), 'data' => $auteur));
diff -Nru spip-3.2.11/debian/patches/series spip-3.2.11/debian/patches/series
--- spip-3.2.11/debian/patches/series	2023-06-11 15:47:34.000000000 +0200
+++ spip-3.2.11/debian/patches/series	2023-07-08 20:38:18.000000000 +0200
@@ -53,3 +53,6 @@
 0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
 0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
 0055-build-Up-cran-de-s-cu-en-1.5.3.patch
+0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
+0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch
+0058-fix-Inclusion-manquante-dans-5663.patch

Attachment: signature.asc
Description: PGP signature

Reply to: