Your message dated Sat, 22 Jul 2023 13:19:43 +0000 with message-id <E1qNCWN-005rsI-1n@coccia.debian.org> and subject line "Released with 12.1" has caused the Debian Bug report #1040756, regarding bookworm-pu: package spip/4.1.9+dfsg-1+deb12u2, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1040756: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040756
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u2
- From: David Prévot <taffit@debian.org>
- Date: Mon, 10 Jul 2023 07:28:55 +0200
- Message-id: <ZKuXF4yd9jF5IK8G@persil.tilapin.org>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spip@packages.debian.org
Control: affects -1 + src:spip

Another upstream release fixed a security issue. It introduces some factorisation, adding two more clean-ups in sessions. We agreed with the security team that this doesn't warrant a DSA.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html

The 4.1 branch is mostly in maintenance mode, and the patches have been cherry-picked directly from upstream.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit

diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog --- spip-4.1.9+dfsg/debian/changelog 2023-06-11 15:38:54.000000000 +0200 +++ spip-4.1.9+dfsg/debian/changelog 2023-07-08 20:29:04.000000000 +0200 @@ -1,3 +1,11 @@ +spip (4.1.9+dfsg-1+deb12u2) bookworm; urgency=medium + + * Backport security fix from 4.1.11 + - use an auth_desensibiliser_session() function to centralize extended + authentification data filtering. + + -- David Prévot <taffit@debian.org> Sat, 08 Jul 2023 20:29:04 +0200 + spip (4.1.9+dfsg-1+deb12u1) bookworm; urgency=medium [ David Prévot ] diff -Nru spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch --- spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 1970-01-01 01:00:00.000000000 +0100 +++ spip-4.1.9+dfsg/debian/patches/0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 2023-07-08 20:25:35.000000000 +0200
@@ -0,0 +1,69 @@ +From: Cerdic <cedric@yterium.com> +Date: Mon, 3 Jul 2023 10:23:02 +0200 +Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?= + =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?= + =?utf-8?q?ration_d=E2=80=99une_session?= +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur, +- qu'on utilise lors de la preparation d'une session +- et dans informer_login + +Refs: spip-team/securite#4847 +(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb) + +Origin: upstream, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676 +--- + ecrire/inc/auth.php | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php +index 85d5ab1..6185aff 100644 +--- a/ecrire/inc/auth.php ++++ b/ecrire/inc/auth.php +@@ -250,11 +250,7 @@ function auth_init_droits($row) { + $GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row); + + // au cas ou : ne pas memoriser les champs sensibles +- unset($GLOBALS['visiteur_session']['pass']); +- unset($GLOBALS['visiteur_session']['htpass']); +- unset($GLOBALS['visiteur_session']['alea_actuel']); +- unset($GLOBALS['visiteur_session']['alea_futur']); +- unset($GLOBALS['visiteur_session']['ldap_password']); ++ $GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']); + + // creer la session au besoin + if (!isset($_COOKIE['spip_session'])) { +@@ -314,6 +310,22 @@ function auth_init_droits($row) { + return ''; // i.e. pas de pb. 
+ } + ++/** ++ * Enlever les clés sensibles d'une ligne auteur ++ * @param array $auteur ++ * @return array ++ */ ++function auth_desensibiliser_session(array $auteur) { ++ $cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles']; ++ foreach ($cles_sensibles as $cle) { ++ if (isset($auteur[$cle])) { ++ unset($auteur[$cle]); ++ } ++ } ++ ++ return $auteur; ++} ++ + /** + * Retourne l'url de connexion + * +@@ -480,6 +492,7 @@ function auth_informer_login($login, $serveur = '') { + } + + $prefs = @unserialize($row['prefs']); ++ $row = auth_desensibiliser_session($row); + $infos = [ + 'id_auteur' => $row['id_auteur'], + 'login' => $row['login'], diff -Nru spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch --- spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch 1970-01-01 01:00:00.000000000 +0100 +++ spip-4.1.9+dfsg/debian/patches/0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch 2023-07-08 20:25:35.000000000 +0200 
@@ -0,0 +1,69 @@ +From: Matthieu Marcillaud <marcimat@rezo.net> +Date: Mon, 3 Jul 2023 10:55:19 +0200 +Subject: =?utf-8?q?security=3A_Utiliser_=60auth=5Fdesensibiliser=5Fsession?= + =?utf-8?q?=28=29=60_aussi_=C3=A0_la_cr=C3=A9ation_du_fichier_de_session?= + +Refs: spip-team/securite#4847 +(cherry picked from commit 5a73e07745bb6753557f0dc2b5404aa49f3ab900) + +Origin: upstream, https://git.spip.net/spip/spip/commit/f2fb631f0034728fd275ffa619fd6ddb7b841bdf +--- + ecrire/inc/auth.php | 10 ++++------ + ecrire/inc/session.php | 12 ++++-------- + 2 files changed, 8 insertions(+), 14 deletions(-) + +diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php +index 6185aff..d20af70 100644 +--- a/ecrire/inc/auth.php ++++ b/ecrire/inc/auth.php +@@ -247,7 +247,7 @@ function auth_init_droits($row) { + $GLOBALS['connect_login'] = $row['login']; + $GLOBALS['connect_statut'] = $row['statut']; + +- $GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row); ++ $GLOBALS['visiteur_session'] = array_merge((array) $GLOBALS['visiteur_session'], $row); + + // au cas ou : ne pas memoriser les champs sensibles + $GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']); +@@ -312,13 +312,11 @@ function auth_init_droits($row) { + + /** + * Enlever les clés sensibles d'une ligne auteur +- * @param array $auteur +- * @return array + */ +-function auth_desensibiliser_session(array $auteur) { +- $cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles']; ++function auth_desensibiliser_session(array $auteur): array { ++ $cles_sensibles = ['pass', 'htpass', 'low_sec', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles']; + foreach ($cles_sensibles as $cle) { +- if (isset($auteur[$cle])) { ++ if (array_key_exists($cle, $auteur)) { + unset($auteur[$cle]); + } + } +diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php +index 853b501..855838f 100644 +--- a/ecrire/inc/session.php ++++ 
b/ecrire/inc/session.php +@@ -613,16 +613,12 @@ function lister_sessions_auteur($id_auteur, $nb_max = null) { + * @param array $auteur + * @return array + */ +-function preparer_ecriture_session($auteur) { ++function preparer_ecriture_session(array $auteur): array { ++ + $row = $auteur; + +- // ne pas enregistrer ces elements de securite +- // dans le fichier de session +- unset($auteur['pass']); +- unset($auteur['htpass']); +- unset($auteur['low_sec']); +- unset($auteur['alea_actuel']); +- unset($auteur['alea_futur']); ++ // ne pas enregistrer ces elements de securite dans le fichier de session ++ $auteur = auth_desensibiliser_session($auteur); + + $auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]); + diff -Nru spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch --- spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch 1970-01-01 01:00:00.000000000 +0100 +++ spip-4.1.9+dfsg/debian/patches/0011-fix-Inclusion-manquante-dans-5663.patch 2023-07-08 20:25:35.000000000 +0200 
@@ -0,0 +1,23 @@ +From: Matthieu Marcillaud <marcimat@rezo.net> +Date: Mon, 3 Jul 2023 23:10:51 +0200 +Subject: fix: Inclusion manquante dans !5663 + +(cherry picked from commit 13793c345bdc8ea362f71656c3b38103d6aaba2c) + +Origin: upstream, https://git.spip.net/spip/spip/commit/144f520ead7ca38a4644e35af4cac2278de6d3e9 +--- + ecrire/inc/session.php | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php +index 855838f..d9f9314 100644 +--- a/ecrire/inc/session.php ++++ b/ecrire/inc/session.php +@@ -618,6 +618,7 @@ function preparer_ecriture_session(array $auteur): array { + $row = $auteur; + + // ne pas enregistrer ces elements de securite dans le fichier de session ++ include_spip('inc/auth'); + $auteur = auth_desensibiliser_session($auteur); + + $auteur = pipeline('preparer_fichier_session', ['args' => ['row' => $row], 'data' => $auteur]); diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series --- spip-4.1.9+dfsg/debian/patches/series 2023-06-11 15:37:44.000000000 +0200 +++ spip-4.1.9+dfsg/debian/patches/series 2023-07-08 20:25:35.000000000 +0200 @@ -6,3 +6,6 @@ 0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch 0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch 0008-build-Up-cran-de-s-cu-en-1.5.3.patch +0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch +0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch +0011-fix-Inclusion-manquante-dans-5663.patchAttachment: signature.asc
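Review bot: the debian/changelog hunk describes the backport only as "security fix from 4.1.11"; for a stable update the entry should carry the reference the patch headers already have (spip-team/securite#4847) or the upstream release announcement URL so the issue is traceable from the package metadata alone, and "authentification" should read "authentication".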
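Review bot: in the first hunk of patch 0009 (auth_init_droits(), @@ -250,11 +250,7), replacing the five unset() calls with auth_desensibiliser_session() drops the same keys plus backup_cles, but the new function's list still omits low_sec, which preparer_ecriture_session() in inc/session.php was stripping; both call sites should share one list so the in-memory session and the session file are filtered identically (patch 0010 adds low_sec).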
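Review bot: in the second hunk of patch 0009 (the new auth_desensibiliser_session(), @@ -314,6 +310,22), the isset() guard skips a key whose value is null, so a null 'pass' or 'htpass' entry would survive the filter; unset() on a missing key is already a no-op, so drop the guard or use array_key_exists() (as patch 0010 does).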
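Review bot: in the third hunk of patch 0009 (auth_informer_login(), @@ -480,6 +492,7), `$row = auth_desensibiliser_session($row);` is placed after `$prefs = @unserialize($row['prefs']);`, so prefs is unaffected and $infos still selects explicit fields; the call is worthwhile as defence in depth, but confirm that nothing later in the function, outside the visible context, reads a key from $row that is now removed.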
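Review bot: the first hunk of patch 0010 (auth_init_droits(), @@ -247,7 +247,7) only changes `(array)$GLOBALS` to `(array) $GLOBALS`; this is cosmetic and unrelated to the security fix, and a stable-update debdiff is normally trimmed to the functional change to keep it minimal and reviewable.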
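Review bot: the second hunk of patch 0010 (auth_desensibiliser_session(), @@ -312,13 +312,11) correctly adds low_sec and switches to array_key_exists(), closing the null-value gap; replacing the @param/@return docblock lines with the `array $auteur): array` signature is fine, but the docblock could keep a one-line note that the result is what gets written to the session file, since that is why the list must stay complete.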
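Review bot: the third hunk of patch 0010 (preparer_ecriture_session() in inc/session.php, @@ -613,16 +613,12) calls auth_desensibiliser_session(), defined in inc/auth.php, without an include_spip('inc/auth'); on any code path that writes a session file before inc/auth has been loaded this is a fatal undefined-function error, so the include must accompany the call (patch 0011 supplies it). The blank line inserted directly after the new function signature can also go.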
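Review bot: the include_spip('inc/auth') in patch 0011 (@@ -618,6 +618,7) resolves the missing dependency. One point remains in the visible context: `$row = $auteur;` is taken before the sensitive keys are stripped and is passed to the preparer_fichier_session pipeline as args['row'], so plugins hooked there still receive pass, htpass, low_sec and the alea values and could copy them into data; unless plugins need the raw row, pass the filtered one, or document that hook authors must not copy those keys.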
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 1040756-done@bugs.debian.org
- Subject: Released with 12.1
- From: Jonathan Wiltshire <jmw@coccia.debian.org>
- Date: Sat, 22 Jul 2023 13:19:43 +0000
- Message-id: <E1qNCWN-005rsI-1n@coccia.debian.org>
Version: 12.1

The upload requested in this bug has been released as part of 12.1.
--- End Message ---