Your message dated Sat, 22 Jul 2023 13:19:41 +0000
with message-id <E1qNCWL-005roP-6s@coccia.debian.org>
and subject line Released with 12.1
has caused the Debian Bug report #1038154,
regarding bookworm-pu: package spip/4.1.9+dfsg-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1038154: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038154
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u1
- From: David Prévot <taffit@debian.org>
- Date: Fri, 16 Jun 2023 08:40:52 +0200
- Message-id: <ZIwD9LC7TCA1zwve@persil.tilapin.org>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spip@packages.debian.org
Control: affects -1 + src:spip

[ Request similar to #1038153 for Bullseye ]

Hi,

Congrats to the team for the Bookworm release!

SPIP has been updated upstream to fix some security issues (link to the
French-only announcement follows), and we agreed with the security team
that they don’t warrant a DSA this time.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html

The main backported fix is the one that limits recursion depth in the
protege_champ() function. The security screen fix (avoiding unserialize
use) should already be fixed in the main code, and the htaccess change is
only provided as an example (in /usr/share/doc/spip).

This version also ships a compatibility fix for PHP 8.1 in the
mutualisation plugin shipped in the Debian package, and some metadata
changes (d/{changelog,control,gbp.conf}).

As an alternative, a 4.1.10+dfsg-1~deb12u1 version could be proposed.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog
--- spip-4.1.9+dfsg/debian/changelog 2023-02-28 21:25:27.000000000 +0100
+++ spip-4.1.9+dfsg/debian/changelog 2023-06-11 15:38:54.000000000 +0200
@@ -1,3 +1,19 @@ +spip (4.1.9+dfsg-1+deb12u1) bookworm; urgency=medium + + [ David Prévot ] + * Add CVE to previous changelog entry + * Update documented branch + * Backport security fixes from 4.1.10 + - Limit recursion depth in protege_champ() function + - Avoid unserialize use in security screen + - Properly block hidden files in provided htaccess + - Update security screen to 1.5.3 + + [ RealET ] + * mutualisation: PHP 8.1 compatibility fixes #2 + + -- David Prévot <taffit@debian.org> Sun, 11 Jun 2023 15:38:54 +0200 + spip (4.1.9+dfsg-1) unstable; urgency=medium [ Cerdic ] @@ -15,7 +31,7 @@ * build: Version SPIP 4.1.8 [ Cerdic ] - * Fix: Sanitizer toutes les valeurs passées aux formulaires + * Fix: Sanitizer toutes les valeurs passées aux formulaires [CVE-2023-27372] * fix: Sanitizer toutes les valeurs passées aux formulaires preventivement dans l'écran de sécurité diff -Nru spip-4.1.9+dfsg/debian/control spip-4.1.9+dfsg/debian/control --- spip-4.1.9+dfsg/debian/control 2023-02-28 19:47:19.000000000 +0100 +++ spip-4.1.9+dfsg/debian/control 2023-06-11 15:37:44.000000000 +0200 @@ -5,7 +5,7 @@ Build-Depends: cssmin, debhelper-compat (= 13), dh-apache2, minify Homepage: https://www.spip.net/ Standards-Version: 4.6.2 -Vcs-Git: https://salsa.debian.org/debian/spip.git -b debian/latest +Vcs-Git: https://salsa.debian.org/debian/spip.git -b debian/bookworm-security Vcs-Browser: https://salsa.debian.org/debian/spip Rules-Requires-Root: no diff -Nru spip-4.1.9+dfsg/debian/gbp.conf spip-4.1.9+dfsg/debian/gbp.conf --- spip-4.1.9+dfsg/debian/gbp.conf 2023-02-28 19:47:26.000000000 +0100 +++ spip-4.1.9+dfsg/debian/gbp.conf 2023-06-11 15:37:44.000000000 +0200 
@@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian/bookworm +debian-branch = debian/bookworm-security pristine-tar = True upstream-branch = upstream-4.1 upstream-vcs-tag = v%(version%~%-)s diff -Nru spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php --- spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php 2022-06-17 19:32:19.000000000 +0200 +++ spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php 2023-06-11 15:37:21.000000000 +0200 @@ -34,10 +34,6 @@ $url_admin_plugin = 'ecrire/?exec=admin_plugin'; $url_admin_vider = 'ecrire/?exec=admin_vider'; - if (!file_exists(_DIR_IMG . 'mutualiser-128.png')) { - @copy(find_in_path('mutualiser-128.png'), _DIR_IMG . 'mutualiser-128.png'); - } - $titre = _L(count($sites) . ' ' . 'sites mutualisés <em>(' . _T('version') . ' ' . $GLOBALS['spip_version_base'] . ')</em>'); //$page .= "<div id='trace'></div>" ; @@ -151,9 +147,9 @@ if ($compression == '') { $compression = _L('Activer'); } + $configsparticulieres = ''; if (isset($GLOBALS['mutualisation_afficher_config'])) { $configs = explode(",", $GLOBALS['mutualisation_afficher_config']); - $configsparticulieres = ''; foreach ($configs as $config) { $configsparticulieres .= '<em><small>' . $config . ':</small></em> ' . lire_config_distante($config, $meta) . "<br />\n"; @@ -226,17 +222,17 @@ . "\n" . '</tr>' . "\n"; - if ($_GET['tri'] AND isset($plnum[intval(count($c))])) { + if (!empty($_GET['tri']) AND isset($plnum[intval(count($c))])) { $plnum[intval(count($c))] .= $ligne; } else { - if ($_GET['tri']) { + if (!empty($_GET['tri'])) { $plnum[intval(count($c))] = $ligne; } else { $plnum[] = $ligne; } } } - if ($_GET['tri']) { + if (!empty($_GET['tri'])) { krsort($plnum); } $page .= implode('', $plnum); 
@@ -398,9 +394,9 @@ $debug_toolbar .= "<div class='toolbar-icon'><i class='icon-time'></i> <span>" . $page_load_time . " s</span></div>\n"; $debug_toolbar .= "<div class='toolbar-info'>"; $debug_toolbar .= "<div class='toolbar-info-element'><b>Début du script</b> <span>" . date('H:i:s', - $timestart) . "</span></div>\n"; + (int) $timestart) . "</span></div>\n"; $debug_toolbar .= "<div class='toolbar-info-element'><b>Fin du script</b> <span>" . date('H:i:s', - $timeend) . "</span></div>\n"; + (int) $timeend) . "</span></div>\n"; $debug_toolbar .= "<div class='toolbar-info-element'><b>Temps d'exécution</b> <span>" . $page_load_time . " s</span></div>\n"; $debug_toolbar .= "</div></div>\n"; @@ -590,7 +586,7 @@ return false; } -function lire_config_distante($cfg = '', $meta) { +function lire_config_distante($cfg = '', $meta = '') { $def = null; $unserialize = true; // lire le stockage sous la forme valeur @@ -611,8 +607,8 @@ return $r; } else { $cfg = explode('/', $cfg); - $r = @unserialize($meta[$cfg[0]]); - $r = $r[$cfg[1]]; + $r = unserialize($meta[$cfg[0]] ?? ''); + $r = $r[$cfg[1]] ?? ''; return $r; } diff -Nru spip-4.1.9+dfsg/debian/mutualisation/paquet.xml spip-4.1.9+dfsg/debian/mutualisation/paquet.xml --- spip-4.1.9+dfsg/debian/mutualisation/paquet.xml 2022-06-17 19:32:19.000000000 +0200 +++ spip-4.1.9+dfsg/debian/mutualisation/paquet.xml 2023-06-11 15:37:21.000000000 +0200 
@@ -1,24 +1,24 @@ -<paquet - prefix="Mutualisation" - categorie="maintenance" - version="1.4.10" - etat="stable" - compatibilite="[3.0.0;4.1.*]" - logo="mutualiser-128.png" - documentation="https://contrib.spip.net/La-mutualisation-facile-modifications-manuelles" -> - - <nom>Mutualisation facile</nom> - <!-- Créer une ferme à Spip --> - - <auteur>Fil</auteur> - <auteur>Teddy</auteur> - - <copyright>2007-2018</copyright> - - <licence lien="http://www.gnu.org/licenses/lgpl-3.0.html">LGPL 3</licence> - <licence lien="http://www.gnu.org/licenses/gpl-3.0.html">GPL 3 (2013)</licence> - <licence lien="http://www.wtfpl.net/about/">WTFPL 2 (2013)</licence> - - <chemin path="" type="aucun" /> -</paquet> +<paquet + prefix="Mutualisation" + categorie="maintenance" + version="1.4.11" + etat="stable" + compatibilite="[3.0.0;4.1.*]" + logo="mutualiser-128.png" + documentation="https://contrib.spip.net/La-mutualisation-facile-modifications-manuelles" +> + + <nom>Mutualisation facile</nom> + <!-- Créer une ferme à Spip --> + + <auteur>Fil</auteur> + <auteur>Teddy</auteur> + + <copyright>2007-2018</copyright> + + <licence lien="http://www.gnu.org/licenses/lgpl-3.0.html">LGPL 3</licence> + <licence lien="http://www.gnu.org/licenses/gpl-3.0.html">GPL 3 (2013)</licence> + <licence lien="http://www.wtfpl.net/about/">WTFPL 2 (2013)</licence> + + <chemin path="" type="aucun" /> +</paquet> diff -Nru spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch --- spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch 1970-01-01 01:00:00.000000000 +0100 +++ spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch 2023-06-11 15:37:44.000000000 +0200 
@@ -0,0 +1,37 @@ +From: Cerdic <cedric@yterium.com> +Date: Tue, 7 Mar 2023 14:56:30 +0100 +Subject: security: limiter la profondeur de recursion de `protege_champ` + +(cherry picked from commit b362e987b41fac344150f97cc563bf4d8c8181fa) + +Origin: upstream, https://git.spip.net/spip/spip/commit/9b73dbd66e50baf312ba1c7df21efebba4ae08f1 +--- + ecrire/balise/formulaire_.php | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/ecrire/balise/formulaire_.php b/ecrire/balise/formulaire_.php +index 71672cf..22d642b 100644 +--- a/ecrire/balise/formulaire_.php ++++ b/ecrire/balise/formulaire_.php +@@ -34,9 +34,19 @@ include_spip('inc/texte'); + * @return string|array|null + * Saisie protégée + **/ +-function protege_champ($texte) { ++function protege_champ($texte, $max_prof = 128) { + if (is_array($texte)) { +- return array_map('protege_champ', $texte); ++ // si on dépasse la prof max on tronque ++ if ($max_prof > 0) { ++ return array_map( ++ function($v) use ($max_prof) { ++ return protege_champ($v, $max_prof-1); ++ }, ++ $texte ++ ); ++ } ++ // si on dépasse la prof max on tronque ++ return []; + } elseif ($texte === null) { + return $texte; + } elseif (is_bool($texte)) { diff -Nru spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch --- spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch 1970-01-01 01:00:00.000000000 +0100 +++ spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch 2023-06-11 15:37:44.000000000 +0200 
@@ -0,0 +1,64 @@ +From: Cerdic <cedric@yterium.com> +Date: Tue, 7 Mar 2023 15:03:08 +0100 +Subject: =?utf-8?q?security=3A_Ameliorer_c76770a_en_=C3=A9vitant_un_=60unse?= + =?utf-8?q?rialize=60_dans_l=27=C3=A9cran_de_s=C3=A9curit=C3=A9?= + +(cherry picked from commit 9b1c3cf455b624163546f1521148897a5c96d5d6) + +Origin: upstream, https://git.spip.net/spip/spip/commit/9f55790164f7869d2e315a49b3fdc4af0c5b8fdd +--- + config/ecran_securite.php | 36 ++++++++++++++++++++++++++++++------ + 1 file changed, 30 insertions(+), 6 deletions(-) + +diff --git a/config/ecran_securite.php b/config/ecran_securite.php +index 4ff6917..7a4e153 100644 +--- a/config/ecran_securite.php ++++ b/config/ecran_securite.php +@@ -654,17 +654,41 @@ if ( + ) { + foreach ($_REQUEST as $k => $v) { + if (is_string($v) +- and strpos($v, ':') !== false +- and strpos($v, '"') !==false +- and preg_match(',[bidsaO]:,', $v) +- and @unserialize($v)) { +- $_REQUEST[$k] = htmlentities($v); ++ and strpbrk($v, "&\"'<>") !== false ++ and preg_match(',^[abis]:\d+[:;],', $v) ++ and __ecran_test_if_serialized($v) ++ ) { ++ $_REQUEST[$k] = htmlspecialchars($v, ENT_QUOTES); + if (isset($_POST[$k])) $_POST[$k] = $_REQUEST[$k]; + if (isset($_GET[$k])) $_GET[$k] = $_REQUEST[$k]; + } + } + } +- ++/** ++ * Version simplifiée de https://developer.wordpress.org/reference/functions/is_serialized/ ++ */ ++function __ecran_test_if_serialized($data) { ++ $data = trim($data); ++ if ('N;' === $data) {return true;} ++ if (strlen($data) < 4) {return false;} ++ if (':' !== $data[1]) {return false;} ++ $semicolon = strpos($data, ';'); ++ $brace = strpos($data, '}'); ++ // Either ; or } must exist. ++ if (false === $semicolon && false === $brace) {return false;} ++ // But neither must be in the first X characters. 
++ if (false !== $semicolon && $semicolon < 3) {return false;} ++ if (false !== $brace && $brace < 4) {return false;} ++ $token = $data[0]; ++ if (in_array($token, array('s', 'S'))) { ++ if (false === strpos($data, '"')) {return false;} ++ } elseif (in_array($token, array('a', 'O', 'C', 'o', 'E'))) { ++ return (bool)preg_match("/^{$token}:[0-9]+:/s", $data); ++ } elseif (in_array($token, array('b', 'i', 'd'))) { ++ return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data); ++ } ++ return false; ++} + + /* + * S'il y a une raison de mourir, mourons diff -Nru spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch --- spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch 1970-01-01 01:00:00.000000000 +0100 +++ spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch 2023-06-11 15:37:44.000000000 +0200 
@@ -0,0 +1,75 @@ +From: Matthieu Marcillaud <marcimat@rezo.net> +Date: Wed, 7 Jun 2023 09:40:00 +0200 +Subject: =?utf-8?q?security=3A_Effectivement_bloquer_les_fichiers_cach?= + =?utf-8?q?=C3=A9s_dans_le_htaccess?= +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +L’histoire est quelque peu ubuesque, et remonte à il y a 16 ans via 26a1f4906d23 +qui a déplacé des règles trop bas. Ça ne bloquait plus les .svn depuis, +à cause du fait que plus haut, si c’est un fichier, on exécute la règle +`[S=100]` qui saute les prochaines `RewriteRule`. + +- #5109 a semblé corriger en utilisant `RedirectMatch`, qui n’est pas affecté + par le Skip (sans se rendre compte du problème initial) +- #5432 a remis une `RewriteRule`, et du coup, de nouveau paf. + +Ce n’est pas toujours très visible car les serveurs eux-mêmes bloquent +déjà souvent ces répertoires cachés. + +Donc, on remonte bien plus haut les règles de blocage des fichiers cachés +et on leur fait un titre dédié. + +Refs: #5109 #5432 spip-team/securite#4844 +(cherry picked from commit d50cb7bbc7a71ff23a77dfe02215c16991437336) + +Origin: upstream, https://git.spip.net/spip/spip/commit/36ec7947e96e44af095c3cf87f25cf27a963fe40 +--- + htaccess.txt | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/htaccess.txt b/htaccess.txt +index 3154787..667cfc6 100644 +--- a/htaccess.txt ++++ b/htaccess.txt +@@ -37,9 +37,15 @@ RewriteRule ^(.*) - [E=BASE:%1] + + + +- +-################ GESTIONS DES URLS SPIP ####################### ++############# GESTIONS DES ACCES FICHIERS ##################### + ### ++ ++# bloquer les acces aux fichiers caches (.svn, .git, etc) ++RewriteCond %{REQUEST_URI} !^/.well-known/ ++RewriteRule "(^|/)\." 
- [R=404,NC,L] ++# bloquer les informations Composer ++RedirectMatch 404 ^/composer\.(json|lock|phar)$ ++ + # Si le fichier ou repertoire demande existe + # ignorer toutes les regles qui suivent + <IfModule mod_headers.c> +@@ -56,6 +62,8 @@ RewriteRule "." - [skip=100] + # + ### + ++################ GESTIONS DES URLS SPIP ####################### ++### + + ### + # Compatibilite avec les URLS "html" (pour transition sympa) +@@ -100,12 +108,6 @@ RewriteRule ^[^\.]+(\.html)?$ spip.php [QSA,E=url_propre:$0,L] + ### + # Divers + +-# bloquer les acces aux fichiers caches (.svn, .git, etc) +-RewriteCond %{REQUEST_URI} !^/.well-known/ +-RewriteRule "(^|/)\." - [R=404,NC,L] +-# bloquer les informations Composer +-RedirectMatch 404 ^/composer\.(json|lock|phar)$ +- + ### + # Fichiers "standards" (si absents de la racine) + # diff -Nru spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch --- spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch 1970-01-01 01:00:00.000000000 +0100 +++ spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch 2023-06-11 15:37:44.000000000 +0200 
@@ -0,0 +1,51 @@ +From: Matthieu Marcillaud <marcimat@rezo.net> +Date: Wed, 7 Jun 2023 12:12:57 +0200 +Subject: =?utf-8?q?build=3A_Up_=C3=A9cran_de_s=C3=A9cu_en_1=2E5=2E3?= + +Origin: upstream, https://git.spip.net/spip/spip/commit/536192d895c051b0859374710fbdd5bf15205e3f +--- + config/ecran_securite.php | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/config/ecran_securite.php b/config/ecran_securite.php +index 7a4e153..53581fc 100644 +--- a/config/ecran_securite.php ++++ b/config/ecran_securite.php +@@ -5,7 +5,7 @@ + * ------------------ + */ + +-define('_ECRAN_SECURITE', '1.5.0'); // 2023-02-27 ++define('_ECRAN_SECURITE', '1.5.3'); // 2023-05-31 + + /* + * Documentation : https://www.spip.net/fr_article4200.html +@@ -650,7 +650,7 @@ if ( + } + + if ( +- isset($_REQUEST['formulaire_action_args']) ++ isset($_REQUEST['formulaire_action_args']) || isset($_REQUEST['var_login']) + ) { + foreach ($_REQUEST as $k => $v) { + if (is_string($v) +@@ -680,9 +680,8 @@ function __ecran_test_if_serialized($data) { + if (false !== $semicolon && $semicolon < 3) {return false;} + if (false !== $brace && $brace < 4) {return false;} + $token = $data[0]; +- if (in_array($token, array('s', 'S'))) { +- if (false === strpos($data, '"')) {return false;} +- } elseif (in_array($token, array('a', 'O', 'C', 'o', 'E'))) { ++ if (in_array($token, array('s', 'S', 'a', 'O', 'C', 'o', 'E'))) { ++ if (in_array($token, array('s', 'S')) and false === strpos($data, '"')) {return false;} + return (bool)preg_match("/^{$token}:[0-9]+:/s", $data); + } elseif (in_array($token, array('b', 'i', 'd'))) { + return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data); +@@ -690,6 +689,7 @@ function __ecran_test_if_serialized($data) { + return false; + } + ++ + /* + * S'il y a une raison de mourir, mourons + */ diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series --- spip-4.1.9+dfsg/debian/patches/series 2023-02-28 21:19:02.000000000 +0100 +++ 
spip-4.1.9+dfsg/debian/patches/series 2023-06-11 15:37:44.000000000 +0200 @@ -2,3 +2,7 @@ 0002-No-next-upstream-version-display-in-private-area.patch 0003-Fix-displayed-version-in-the-private-interface.patch 0004-Use-getid3-class-from-the-php-getid3-package.patch +0005-security-limiter-la-profondeur-de-recursion-de-prote.patch +0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch +0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch +0008-build-Up-cran-de-s-cu-en-1.5.3.patch
Attachment: signature.asc
Description: PGP signature
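Review bot: in debian/mutualisation/exec/mutualisation.php, hunk `@@ -590,7 +586,7 @@`, the new default in `function lire_config_distante($cfg = '', $meta = '')` has the wrong type: the body indexes `$meta[$cfg[0]]`, so `$meta` is an array, and `''` only silences the PHP 8.1 "optional parameter declared before required parameter" deprecation by accident (it turns the lookup into a string-offset access that `??` then hides). Use `$meta = []` so the default behaves like an empty config.

Review bot: in the same file, hunk `@@ -611,8 +607,8 @@`, `$r = unserialize($meta[$cfg[0]] ?? '');` still calls `unserialize()` with class instantiation enabled, while patch 0006 in this very upload exists to avoid `unserialize` on data the security screen does not trust; unless the values in `$meta` are known to hold only scalars and arrays, pass `['allowed_classes' => false]` as the second argument. Dropping the `@` is fine, but a `$meta` value that is not valid serialized data will now emit an E_NOTICE ("Error at offset ...") where it used to fail silently; the `?? ''` on the following line already keeps the offset access on a `false` result quiet.

Review bot: in debian/mutualisation/paquet.xml, the hunk `@@ -1,24 +1,24 @@` replaces all 24 lines although the only textual change is `version="1.4.10"` to `version="1.4.11"`, which points to a line-ending or trailing-whitespace change across the whole file. If that is unintended, keep the original line endings so the debdiff shows just the version bump; if it is intended, say so in the changelog entry.

Review bot: in 0005-security-limiter-la-profondeur-de-recursion-de-prote.patch, the `is_array` branch of `protege_champ()` now carries `// si on dépasse la prof max on tronque` twice, and the first copy sits above `if ($max_prof > 0) {`, which is the branch that recurses rather than truncates; keep only the copy above `return [];`. The hunk also changes the signature to `protege_champ($texte, $max_prof = 128)` without touching the docblock that ends just above it (`* @return string|array|null` / `**/`), so `$max_prof`, and the fact that arrays nested deeper than the limit are replaced by `[]` (the data is dropped, not escaped), go undocumented; add a `@param int $max_prof` line.

Review bot: in 0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch, the pre-filter `preg_match(',^[abis]:\d+[:;],', $v)` only forwards values whose first token is `a`, `b`, `i` or `s` to `__ecran_test_if_serialized()`, so the helper's `'N;'`, `'O'`, `'C'`, `'o'`, `'E'`, `'S'` and `'d'` branches are unreachable from this call site, and `O:` and `d:` values, which the replaced `preg_match(',[bidsaO]:,', $v)` did cover, are no longer examined at all (the new test is also anchored with `^`, where the old one matched anywhere in the string). Either trim the helper to the four tokens the pre-filter admits, or widen the pre-filter if dropping object payloads from the check was not intended; the commit message does not say which. Separately, in the helper as written here the `s`/`S` branch never returns `true`: a string without `"` returns `false` from the inner `if`, and one with `"` skips the `elseif` chain and falls through to the final `return false;`, so serialized strings (`s:N:"..."`) are never escaped by this version of the screen. Patch 0008 in the same series repairs this, so the two must ship together.

Review bot: in 0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch, the relocated `RewriteCond %{REQUEST_URI} !^/.well-known/` leaves the dot unescaped, so the exemption matches any character in that position (`/xwell-known/...` also skips the hidden-file rule); write `!^/\.well-known/`. Moving the two blocking rules above `RewriteRule "." - [skip=100]` is the right fix for the behaviour the commit message describes, since `skip` only skips the following `RewriteRule` directives and never affected `RedirectMatch`. On Debian this file is shipped only as an example under /usr/share/doc/spip, as the request says, so deployed sites pick the change up only if the admin copies it over again.

Review bot: in 0008-build-Up-cran-de-s-cu-en-1.5.3.patch, the hunk `@@ -680,9 +680,8 @@` is a functional fix, not part of a version bump: merging the `s`/`S` case into the branch that runs `preg_match("/^{$token}:[0-9]+:/s", $data)` is what makes `__ecran_test_if_serialized()` return `true` for serialized strings at all, so the changelog line "Update security screen to 1.5.3" undersells it and patches 0006 and 0008 must not be separated. The hunk `@@ -690,6 +689,7 @@` only adds an empty line before the `/* S'il y a une raison de mourir ... */` comment and can be dropped from the backport.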
--- End Message ---
--- Begin Message ---
- To: 1038154-done@bugs.debian.org
- Subject: Released with 12.1
- From: Jonathan Wiltshire <jmw@coccia.debian.org>
- Date: Sat, 22 Jul 2023 13:19:41 +0000
- Message-id: <E1qNCWL-005roP-6s@coccia.debian.org>
Version: 12.1

The upload requested in this bug has been released as part of 12.1.
--- End Message ---