
Bug#1038153: marked as done (bullseye-pu: package spip/3.2.11-3+deb11u8)



Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1038153,
regarding bullseye-pu: package spip/3.2.11-3+deb11u8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1038153: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038153
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spip@packages.debian.org
Control: affects -1 + src:spip

Hi,

SPIP has been updated upstream to fix some security issues (link to the
French-only announcement follows), and we agreed with the security team
that they don’t warrant a DSA this time.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html

The main backported fix is the one that limits recursion depth in the
protege_champ() function.

The security screen fix (avoiding unserialize use) should already be
fixed in the main code, and the htaccess change is only provided as an
example (in /usr/share/doc/spip).

As usual, I’ve already deployed the proposed package on a server
providing over 30 SPIP websites.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

Regards,

David
diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog	2023-02-28 22:51:50.000000000 +0100
+++ spip-3.2.11/debian/changelog	2023-06-11 15:47:39.000000000 +0200
@@ -1,3 +1,13 @@
+spip (3.2.11-3+deb11u8) bullseye; urgency=medium
+
+  * Backport security fixes from 4.1.10
+    - Limit recursion depth in protege_champ() function
+    - Avoid unserialize use in security screen
+    - Properly block hidden files in provided htaccess
+    - Update security screen to 1.5.3
+
+ -- David Prévot <taffit@debian.org>  Sun, 11 Jun 2023 15:47:39 +0200
+
 spip (3.2.11-3+deb11u7) bullseye-security; urgency=medium
 
   * Backport security fixes from v3.2.18
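Review bot: the changelog entry names the four backported fixes but omits two things the request body states that would make it self-explanatory for users: a pointer to the upstream announcement (https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html) and a note that "Properly block hidden files in provided htaccess" only changes the example file shipped under /usr/share/doc/spip, not a live configuration. Consider adding both.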
diff -Nru spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch
--- spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch	2023-06-11 15:47:34.000000000 +0200
@@ -0,0 +1,37 @@
+From: Cerdic <cedric@yterium.com>
+Date: Tue, 7 Mar 2023 14:56:30 +0100
+Subject: security: limiter la profondeur de recursion de `protege_champ`
+
+(cherry picked from commit b362e987b41fac344150f97cc563bf4d8c8181fa)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/9b73dbd66e50baf312ba1c7df21efebba4ae08f1
+---
+ ecrire/balise/formulaire_.php | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/balise/formulaire_.php b/ecrire/balise/formulaire_.php
+index 34926cf..2b3639b 100644
+--- a/ecrire/balise/formulaire_.php
++++ b/ecrire/balise/formulaire_.php
+@@ -33,9 +33,19 @@ include_spip('inc/texte');
+  * @return string|array
+  *     Saisie protégée
+  **/
+-function protege_champ($texte) {
++function protege_champ($texte, $max_prof = 128) {
+ 	if (is_array($texte)) {
+-		$texte = array_map('protege_champ', $texte);
++		// si on dépasse la prof max on tronque
++		if ($max_prof > 0) {
++			return array_map(
++				function($v) use ($max_prof) {
++					return protege_champ($v, $max_prof-1);
++				},
++				$texte
++			);
++		}
++		// si on dépasse la prof max on tronque
++		return [];
+ 	} else {
+ 		if (is_null($texte)) {
+ 			return $texte;
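Review bot: the comment `// si on dépasse la prof max on tronque` appears twice in the inner hunk, and the first copy sits above `if ($max_prof > 0)`, which is the recursion path, not the truncation; only the second copy (above `return [];`) describes what follows, so drop the first or reword it to say the depth is still within the limit. The logic itself is sound: the closure passes `$max_prof-1` to each nested call, so arrays nested deeper than the default 128 levels end in an empty array instead of unbounded recursion, but the truncated input is discarded silently, so a one-line comment on the return value would help callers that need to notice that case.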
diff -Nru spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
--- spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch	2023-06-11 15:47:34.000000000 +0200
@@ -0,0 +1,64 @@
+From: Cerdic <cedric@yterium.com>
+Date: Tue, 7 Mar 2023 15:03:08 +0100
+Subject: =?utf-8?q?security=3A_Ameliorer_c76770a_en_=C3=A9vitant_un_=60unse?=
+ =?utf-8?q?rialize=60_dans_l=27=C3=A9cran_de_s=C3=A9curit=C3=A9?=
+
+(cherry picked from commit 9b1c3cf455b624163546f1521148897a5c96d5d6)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/9f55790164f7869d2e315a49b3fdc4af0c5b8fdd
+---
+ config/ecran_securite.php | 36 ++++++++++++++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 57fc42f..4112e2e 100644
+--- a/config/ecran_securite.php
++++ b/config/ecran_securite.php
+@@ -557,17 +557,41 @@ if (
+ ) {
+ 	foreach ($_REQUEST as $k => $v) {
+ 		if (is_string($v)
+-		  and strpos($v, ':') !== false
+-		  and strpos($v, '"') !==false
+-		  and preg_match(',[bidsaO]:,', $v)
+-		  and @unserialize($v)) {
+-			$_REQUEST[$k] = htmlentities($v);
++		  and strpbrk($v, "&\"'<>") !== false
++		  and preg_match(',^[abis]:\d+[:;],', $v)
++		  and __ecran_test_if_serialized($v)
++		) {
++			$_REQUEST[$k] = htmlspecialchars($v, ENT_QUOTES);
+ 			if (isset($_POST[$k])) $_POST[$k] = $_REQUEST[$k];
+ 			if (isset($_GET[$k])) $_GET[$k] = $_REQUEST[$k];
+ 		}
+ 	}
+ }
+-
++/**
++ * Version simplifiée de https://developer.wordpress.org/reference/functions/is_serialized/
++ */
++function __ecran_test_if_serialized($data) {
++	$data = trim($data);
++	if ('N;' === $data) {return true;}
++	if (strlen($data) < 4) {return false;}
++	if (':' !== $data[1]) {return false;}
++	$semicolon = strpos($data, ';');
++	$brace = strpos($data, '}');
++	// Either ; or } must exist.
++	if (false === $semicolon && false === $brace) {return false;}
++	// But neither must be in the first X characters.
++	if (false !== $semicolon && $semicolon < 3) {return false;}
++	if (false !== $brace && $brace < 4) {return false;}
++	$token = $data[0];
++	if (in_array($token, array('s', 'S'))) {
++		if (false === strpos($data, '"')) {return false;}
++	} elseif (in_array($token, array('a', 'O', 'C', 'o', 'E'))) {
++		return (bool)preg_match("/^{$token}:[0-9]+:/s", $data);
++	} elseif (in_array($token, array('b', 'i', 'd'))) {
++		return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data);
++	}
++	return false;
++}
+ 
+ /*
+  * S'il y a une raison de mourir, mourons
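Review bot: the new pre-filter `preg_match(',^[abis]:\d+[:;],', $v)` only admits tokens a, b, i and s, whereas the removed check used `[bidsaO]:` and the new helper `__ecran_test_if_serialized` also handles `O`, `C`, `o`, `E` and `d`; those branches, and the `'N;'` case, are therefore unreachable from this call site. If narrowing the screen to arrays, booleans, integers and strings is intentional, say so in a comment next to the regex; otherwise align the character class with the helper. The switch from `htmlentities` to `htmlspecialchars($v, ENT_QUOTES)` is fine and now also escapes single quotes, which matches the `strpbrk($v, "&\"'<>")` trigger.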
diff -Nru spip-3.2.11/debian/patches/0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch spip-3.2.11/debian/patches/0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
--- spip-3.2.11/debian/patches/0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch	2023-06-11 15:47:34.000000000 +0200
@@ -0,0 +1,59 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Wed, 7 Jun 2023 09:40:00 +0200
+Subject: =?utf-8?q?security=3A_Effectivement_bloquer_les_fichiers_cach?=
+ =?utf-8?q?=C3=A9s_dans_le_htaccess?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+L’histoire est quelque peu ubuesque, et remonte à il y a 16 ans via 26a1f4906d23
+qui a déplacé des règles trop bas. Ça ne bloquait plus les .svn depuis,
+à cause du fait que plus haut, si c’est un fichier, on exécute la règle
+`[S=100]` qui saute les prochaines `RewriteRule`.
+
+- #5109 a semblé corriger en utilisant `RedirectMatch`, qui n’est pas affecté
+  par le Skip (sans se rendre compte du problème initial)
+- #5432 a remis une `RewriteRule`, et du coup, de nouveau paf.
+
+Ce n’est pas toujours très visible car les serveurs eux-mêmes bloquent
+déjà souvent ces répertoires cachés.
+
+Donc, on remonte bien plus haut les règles de blocage des fichiers cachés
+et on leur fait un titre dédié.
+
+Refs: #5109 #5432 spip-team/securite#4844
+(cherry picked from commit d50cb7bbc7a71ff23a77dfe02215c16991437336)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/36ec7947e96e44af095c3cf87f25cf27a963fe40
+---
+ htaccess.txt | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/htaccess.txt b/htaccess.txt
+index ec4e51d..e7a699c 100644
+--- a/htaccess.txt
++++ b/htaccess.txt
+@@ -58,6 +58,13 @@ RewriteCond %{QUERY_STRING} action=ical
+ RewriteRule spip.php	spip.php?page=ical_prive [QSA,L]
+ 
+ ###
++
++# bloquer les acces aux fichiers caches (.svn, .git, etc)
++RewriteCond %{REQUEST_URI} !^/.well-known/
++RewriteRule "(^|/)\." - [R=404,NC,L]
++# bloquer les informations Composer
++RedirectMatch 404 ^/composer\.(json|lock|phar)$
++
+ # Si le fichier ou repertoire demande existe
+ # ignorer toutes les regles qui suivent
+ <IfModule mod_headers.c>
+@@ -123,9 +130,6 @@ RewriteRule ^[^\.]+(\.html)?$		spip.php [QSA,E=url_propre:$0,L]
+ ###
+ # Divers
+ 
+-# bloquer les acces aux fichiers caches (.svn, .git, etc)
+-RewriteRule /\\..*(/.*|$) - [F]
+-
+ ###
+ # Fichiers "standards" (si absents de la racine)
+ #
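Review bot: in the `@@ -58` inner hunk the exemption `RewriteCond %{REQUEST_URI} !^/.well-known/` leaves the dot unescaped, so it is a regex wildcard and also exempts paths such as `/xwell-known/`; write it as `!^/\.well-known/`, as the next rule already does with `composer\.(json|lock|phar)`. The commit message could also state the visible behaviour change: the removed rule answered 403 via `[F]`, while the new one answers `[R=404,NC,L]`, so dot-files now look like non-existent paths. Moving the rules above the `[S=100]` skip is what makes them apply to existing dot-files at all, which is the actual fix described in the message.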
diff -Nru spip-3.2.11/debian/patches/0055-build-Up-cran-de-s-cu-en-1.5.3.patch spip-3.2.11/debian/patches/0055-build-Up-cran-de-s-cu-en-1.5.3.patch
--- spip-3.2.11/debian/patches/0055-build-Up-cran-de-s-cu-en-1.5.3.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0055-build-Up-cran-de-s-cu-en-1.5.3.patch	2023-06-11 15:47:34.000000000 +0200
@@ -0,0 +1,51 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Wed, 7 Jun 2023 12:12:57 +0200
+Subject: =?utf-8?q?build=3A_Up_=C3=A9cran_de_s=C3=A9cu_en_1=2E5=2E3?=
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/536192d895c051b0859374710fbdd5bf15205e3f
+---
+ config/ecran_securite.php | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 4112e2e..5118d55 100644
+--- a/config/ecran_securite.php
++++ b/config/ecran_securite.php
+@@ -5,7 +5,7 @@
+  * ------------------
+  */
+ 
+-define('_ECRAN_SECURITE', '1.5.0'); // 2023-02-27
++define('_ECRAN_SECURITE', '1.5.3'); // 2023-05-31
+ 
+ /*
+  * Documentation : http://www.spip.net/fr_article4200.html
+@@ -553,7 +553,7 @@ if (
+ }
+ 
+ if (
+-	isset($_REQUEST['formulaire_action_args'])
++	isset($_REQUEST['formulaire_action_args']) || isset($_REQUEST['var_login'])
+ ) {
+ 	foreach ($_REQUEST as $k => $v) {
+ 		if (is_string($v)
+@@ -583,9 +583,8 @@ function __ecran_test_if_serialized($data) {
+ 	if (false !== $semicolon && $semicolon < 3) {return false;}
+ 	if (false !== $brace && $brace < 4) {return false;}
+ 	$token = $data[0];
+-	if (in_array($token, array('s', 'S'))) {
+-		if (false === strpos($data, '"')) {return false;}
+-	} elseif (in_array($token, array('a', 'O', 'C', 'o', 'E'))) {
++    if (in_array($token, array('s', 'S', 'a', 'O', 'C', 'o', 'E'))) {
++		if (in_array($token, array('s', 'S')) and false === strpos($data, '"')) {return false;}
+ 		return (bool)preg_match("/^{$token}:[0-9]+:/s", $data);
+ 	} elseif (in_array($token, array('b', 'i', 'd'))) {
+ 		return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data);
+@@ -593,6 +592,7 @@ function __ecran_test_if_serialized($data) {
+ 	return false;
+ }
+ 
++
+ /*
+  * S'il y a une raison de mourir, mourons
+  */
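Review bot: style: the new line `+    if (in_array($token, array('s', 'S', 'a', 'O', 'C', 'o', 'E'))) {` is indented with four spaces while the rest of the function uses tabs, and the `@@ -593` inner hunk adds a second consecutive blank line before the `/* S'il y a une raison de mourir, mourons */` block; both will resurface as noise in every future update of the screen, so fix them now. On the logic side, folding `s`/`S` into the `preg_match("/^{$token}:[0-9]+:/s", $data)` branch tightens the string check (a quote alone no longer suffices, the length prefix is required too), which is an improvement; the caller's pre-filter is left unchanged by this hunk, though, so the object tokens added to the `in_array` list still cannot be reached from the screen.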
diff -Nru spip-3.2.11/debian/patches/series spip-3.2.11/debian/patches/series
--- spip-3.2.11/debian/patches/series	2023-02-28 22:51:50.000000000 +0100
+++ spip-3.2.11/debian/patches/series	2023-06-11 15:47:34.000000000 +0200
@@ -49,3 +49,7 @@
 0049-Fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch
 0050-fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch
 0051-fix-Correction-des-ordres-_todo-adress-es-SVP.patch
+0052-security-limiter-la-profondeur-de-recursion-de-prote.patch
+0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
+0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
+0055-build-Up-cran-de-s-cu-en-1.5.3.patch



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam

--- End Message ---
