
Bug#1040756: marked as done (bookworm-pu: package spip/4.1.9+dfsg-1+deb12u2)



Your message dated Sat, 22 Jul 2023 13:19:43 +0000
with message-id <E1qNCWN-005rsI-1n@coccia.debian.org>
and subject line Released with 12.1
has caused the Debian Bug report #1040756,
regarding bookworm-pu: package spip/4.1.9+dfsg-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1040756: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040756
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spip@packages.debian.org
Control: affects -1 + src:spip

Another upstream release fixed a security issue. It introduces some
factorisation, adding two more clean-ups in sessions. We agreed with the
security team that this doesn't warrant a DSA.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html

The 4.1 branch is mostly in maintenance mode, and the patches have been
cherry-picked directly from upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit
diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog
--- spip-4.1.9+dfsg/debian/changelog	2023-06-11 15:38:54.000000000 +0200
+++ spip-4.1.9+dfsg/debian/changelog	2023-07-08 20:29:04.000000000 +0200
@@ -1,3 +1,11 @@
+spip (4.1.9+dfsg-1+deb12u2) bookworm; urgency=medium
+
+  * Backport security fix from 4.1.11
+    - use an auth_desensibiliser_session() function to centralize extended
+      authentification data filtering.
+
+ -- David Prévot <taffit@debian.org>  Sat, 08 Jul 2023 20:29:04 +0200
+
 spip (4.1.9+dfsg-1+deb12u1) bookworm; urgency=medium
 
   [ David Prévot ]
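Review bot: "authentification" in the changelog line `authentification data filtering` is the French spelling; the English word is "authentication". The entry could also cite the upstream reference that both security patch headers carry (Refs: spip-team/securite#4847) so the changelog points at the issue being fixed, and it understates the change slightly: the centralized list in patch 0009 also strips 'backup_cles', which the inline unset() calls it replaces did not.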
diff -Nru spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
--- spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,69 @@
+From: Cerdic <cedric@yterium.com>
+Date: Mon, 3 Jul 2023 10:23:02 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?=
+ =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?=
+ =?utf-8?q?ration_d=E2=80=99une_session?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur,
+- qu'on utilise lors de la preparation d'une session
+- et dans informer_login
+
+Refs:  spip-team/securite#4847
+(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676
+---
+ ecrire/inc/auth.php | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 85d5ab1..6185aff 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -250,11 +250,7 @@ function auth_init_droits($row) {
+ 	$GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
+ 
+ 	// au cas ou : ne pas memoriser les champs sensibles
+-	unset($GLOBALS['visiteur_session']['pass']);
+-	unset($GLOBALS['visiteur_session']['htpass']);
+-	unset($GLOBALS['visiteur_session']['alea_actuel']);
+-	unset($GLOBALS['visiteur_session']['alea_futur']);
+-	unset($GLOBALS['visiteur_session']['ldap_password']);
++	$GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+ 
+ 	// creer la session au besoin
+ 	if (!isset($_COOKIE['spip_session'])) {
+@@ -314,6 +310,22 @@ function auth_init_droits($row) {
+ 	return ''; // i.e. pas de pb.
+ }
+ 
++/**
++ * Enlever les clés sensibles d'une ligne auteur
++ * @param array $auteur
++ * @return array
++ */
++function auth_desensibiliser_session(array $auteur) {
++	$cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++	foreach ($cles_sensibles as $cle) {
++		if (isset($auteur[$cle])) {
++			unset($auteur[$cle]);
++		}
++	}
++
++	return $auteur;
++}
++
+ /**
+  * Retourne l'url de connexion
+  *
+@@ -480,6 +492,7 @@ function auth_informer_login($login, $serveur = '') {
+ 	}
+ 
+ 	$prefs = @unserialize($row['prefs']);
++	$row = auth_desensibiliser_session($row);
+ 	$infos = [
+ 		'id_auteur' => $row['id_auteur'],
+ 		'login' => $row['login'],
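Review bot: `if (isset($auteur[$cle]))` in the new auth_desensibiliser_session() skips a key whose value is null, because isset() returns false for null values; such a key then survives into $GLOBALS['visiteur_session'] and into the infos returned by auth_informer_login(). array_key_exists($cle, $auteur), or simply an unconditional unset($auteur[$cle]), removes the key whatever its value (patch 0010 in this debdiff makes that switch). Two smaller points: the list adds 'backup_cles', which the five inline unset() calls in auth_init_droits() did not strip, so this is a small behaviour change worth mentioning in d/changelog; and the docblock says only "Enlever les clés sensibles", which would read better if it stated that the returned copy is the sanitized one and the argument is left untouched.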
diff -Nru spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch
--- spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch	2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,69 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Mon, 3 Jul 2023 10:55:19 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_=60auth=5Fdesensibiliser=5Fsession?=
+ =?utf-8?q?=28=29=60_aussi_=C3=A0_la_cr=C3=A9ation_du_fichier_de_session?=
+
+Refs:  spip-team/securite#4847
+(cherry picked from commit 5a73e07745bb6753557f0dc2b5404aa49f3ab900)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/f2fb631f0034728fd275ffa619fd6ddb7b841bdf
+---
+ ecrire/inc/auth.php    | 10 ++++------
+ ecrire/inc/session.php | 12 ++++--------
+ 2 files changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 6185aff..d20af70 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -247,7 +247,7 @@ function auth_init_droits($row) {
+ 	$GLOBALS['connect_login'] = $row['login'];
+ 	$GLOBALS['connect_statut'] = $row['statut'];
+ 
+-	$GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
++	$GLOBALS['visiteur_session'] = array_merge((array) $GLOBALS['visiteur_session'], $row);
+ 
+ 	// au cas ou : ne pas memoriser les champs sensibles
+ 	$GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+@@ -312,13 +312,11 @@ function auth_init_droits($row) {
+ 
+ /**
+  * Enlever les clés sensibles d'une ligne auteur
+- * @param array $auteur
+- * @return array
+  */
+-function auth_desensibiliser_session(array $auteur) {
+-	$cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++function auth_desensibiliser_session(array $auteur): array {
++	$cles_sensibles = ['pass', 'htpass', 'low_sec', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
+ 	foreach ($cles_sensibles as $cle) {
+-		if (isset($auteur[$cle])) {
++		if (array_key_exists($cle, $auteur)) {
+ 			unset($auteur[$cle]);
+ 		}
+ 	}
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index 853b501..855838f 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -613,16 +613,12 @@ function lister_sessions_auteur($id_auteur, $nb_max = null) {
+  * @param array $auteur
+  * @return array
+  */
+-function preparer_ecriture_session($auteur) {
++function preparer_ecriture_session(array $auteur): array {
++
+ 	$row = $auteur;
+ 
+-	// ne pas enregistrer ces elements de securite
+-	// dans le fichier de session
+-	unset($auteur['pass']);
+-	unset($auteur['htpass']);
+-	unset($auteur['low_sec']);
+-	unset($auteur['alea_actuel']);
+-	unset($auteur['alea_futur']);
++	// ne pas enregistrer ces elements de securite dans le fichier de session
++	$auteur = auth_desensibiliser_session($auteur);
+ 
+ 	$auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]);
+ 
diff -Nru spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch
--- spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch	2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,23 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Mon, 3 Jul 2023 23:10:51 +0200
+Subject: fix: Inclusion manquante dans !5663
+
+(cherry picked from commit 13793c345bdc8ea362f71656c3b38103d6aaba2c)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/144f520ead7ca38a4644e35af4cac2278de6d3e9
+---
+ ecrire/inc/session.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index 855838f..d9f9314 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -618,6 +618,7 @@ function preparer_ecriture_session(array $auteur): array {
+ 	$row = $auteur;
+ 
+ 	// ne pas enregistrer ces elements de securite dans le fichier de session
++	include_spip('inc/auth');
+ 	$auteur = auth_desensibiliser_session($auteur);
+ 
+ 	$auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]);
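Review bot: the added `include_spip('inc/auth');` lands between the comment "ne pas enregistrer ces elements de securite dans le fichier de session" and the auth_desensibiliser_session() call that comment describes; placing the include above the comment keeps the comment attached to the call it explains. Since this is the change that makes patch 0010 safe to apply, 0010's DEP-3 header could note that 0011 is required, or the two could be carried as one patch.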
diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series
--- spip-4.1.9+dfsg/debian/patches/series	2023-06-11 15:37:44.000000000 +0200
+++ spip-4.1.9+dfsg/debian/patches/series	2023-07-08 20:25:35.000000000 +0200
@@ -6,3 +6,6 @@
 0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
 0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
 0008-build-Up-cran-de-s-cu-en-1.5.3.patch
+0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
+0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch
+0011-fix-Inclusion-manquante-dans-5663.patch



--- End Message ---
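The key-stripping pattern in the debdiff above, as an added example written for this page rather than taken from the bug report or from SPIP: the key names are the ones visible in the patches, the author row is constructed, and the session field allow-list is an assumption for the example. It contrasts the isset() check that the first patch used, the array_key_exists() check the second patch switched to, and an allow-list that keeps only the fields a session needs.

```php
<?php
// Added example, not SPIP's own code: strip sensitive fields from an author
// row before it is copied into a session. Key names come from the debdiff;
// the author row below is constructed for the demonstration.

declare(strict_types=1);

/** Keys that must never reach the session file or the in-memory session. */
const SENSITIVE_KEYS = ['pass', 'htpass', 'low_sec', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];

/**
 * Deny-list variant with isset(): a key whose value is null is NOT removed,
 * because isset() reports false for null values.
 */
function strip_with_isset(array $auteur): array {
    foreach (SENSITIVE_KEYS as $cle) {
        if (isset($auteur[$cle])) {
            unset($auteur[$cle]);
        }
    }
    return $auteur;
}

/**
 * Deny-list variant with array_key_exists(): the key is removed whatever its
 * value. An unconditional unset($auteur[$cle]) would be equivalent.
 */
function strip_with_key_exists(array $auteur): array {
    foreach (SENSITIVE_KEYS as $cle) {
        if (array_key_exists($cle, $auteur)) {
            unset($auteur[$cle]);
        }
    }
    return $auteur;
}

/**
 * Allow-list variant: keep only the fields the session actually needs, so a
 * sensitive column added to the table later is dropped by default.
 * The field list is an assumption for this example, not SPIP's.
 */
function keep_session_fields(array $auteur, array $allowed = ['id_auteur', 'login', 'nom', 'statut', 'email', 'prefs']): array {
    return array_intersect_key($auteur, array_flip($allowed));
}

/** Names of sensitive keys still present in a sanitized row. */
function leaked_keys(array $session): array {
    return array_values(array_intersect(array_keys($session), SENSITIVE_KEYS));
}

// Constructed author row; note that 'low_sec' is present but null.
$row = [
    'id_auteur'   => 7,
    'login'       => 'alice',
    'nom'         => 'Alice',
    'statut'      => '0minirezo',
    'email'       => 'alice@example.invalid',
    'pass'        => 'constructed-password-hash',
    'htpass'      => 'constructed-htpass',
    'low_sec'     => null,
    'alea_actuel' => 'constructed-alea',
    'alea_futur'  => 'constructed-alea-next',
    'prefs'       => 'a:0:{}',
];

$variants = [
    'isset'            => strip_with_isset($row),
    'array_key_exists' => strip_with_key_exists($row),
    'allow-list'       => keep_session_fields($row),
];

foreach ($variants as $label => $session) {
    $leaked = leaked_keys($session);
    printf("%-17s leaked: %s\n", $label, $leaked ? implode(',', $leaked) : '(none)');
}
```

Run with `php example.php`: the isset() variant reports the null-valued low_sec as leaked, while the other two report none. The allow-list is the shape to prefer when the row comes straight from the database, because it fails safe when a new secret-bearing column appears; a deny-list has to be kept in sync by hand, which is exactly the kind of drift the three patches above are repairing.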
--- Begin Message ---
Version: 12.1

The upload requested in this bug has been released as part of 12.1.

--- End Message ---
