Your message dated Sat, 10 Feb 2024 13:11:20 +0000
with message-id <E1rYn8a-002yZY-5w@coccia.debian.org>
and subject line Released with 12.5
has caused the Debian Bug report #1059291,
regarding bookworm-pu: package spip/4.1.9+dfsg-1+deb12u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1059291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059291
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u3
- From: David Prévot <taffit@debian.org>
- Date: Fri, 22 Dec 2023 13:28:00 +0100
- Message-id: <ZYWA0LIOltTX34dr@persil.tilapin.org>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spip@packages.debian.org, team@security.debian.org
Control: affects -1 + src:spip

Hi,

This issue is similar to #1059289 for oldstable. Another upstream release fixed a security (XSS) issue. The last two updates of this kind didn’t warrant a DSA, so I guess this one will not warrant one either (security team X-D-CCed in case I’m wrong).

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-7-SPIP-4-1-13.html

The 4.1 branch is mostly in maintenance mode, and the patch has been cherry-picked directly from upstream.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit

diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog --- spip-4.1.9+dfsg/debian/changelog 2023-07-08 20:29:04.000000000 +0200 +++ spip-4.1.9+dfsg/debian/changelog 2023-12-21 19:24:13.000000000 +0100 @@ -1,3 +1,10 @@ +spip (4.1.9+dfsg-1+deb12u3) bookworm; urgency=medium + + * Backport security fix from 4.1.13 + - fix XSS when calling some templates + + -- David Prévot <taffit@debian.org> Thu, 21 Dec 2023 19:24:13 +0100 + spip (4.1.9+dfsg-1+deb12u2) bookworm; urgency=medium * Backport security fix from 4.1.11 diff -Nru spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch --- spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch 1970-01-01 01:00:00.000000000 +0100 +++ spip-4.1.9+dfsg/debian/patches/0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch 2023-12-21 13:56:02.000000000 +0100 
@@ -0,0 +1,68 @@ +From: Cerdic <cedric@yterium.com> +Date: Thu, 9 Nov 2023 16:46:19 +0100 +Subject: =?utf-8?q?fix=3A_les_mod=C3=A8les_ins=C3=A9r=C3=A9s_dans_un_texte_?= + =?utf-8?q?h=C3=A9ritent_automatiquement_du_contexte=2C_a_l=27insu_des_reda?= + =?utf-8?q?cteurs=2E_Securiser_ce_qui_proviendrait_de_variables_envoy=C3=A9?= + =?utf-8?q?es_par_l=27utilisateur?= + +(cherry picked from commit d993a9797d839218a3fee84f80be60409b2c05f1) + +Origin: upstream, https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb +--- + ecrire/public/assembler.php | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/ecrire/public/assembler.php b/ecrire/public/assembler.php +index a7e9a11..b44c2cb 100644 +--- a/ecrire/public/assembler.php ++++ b/ecrire/public/assembler.php +@@ -643,6 +643,20 @@ function inclure_modele($type, $id, $params, $lien, string $connect = '', $env = + $fond = 'modeles/' . $fond; + // Creer le contexte + $contexte = $env; ++ // securiser le contexte des modèles : tout ce qui arrive de _request() doit être sanitizé ++ foreach ($contexte as $k => &$v) { ++ if (!is_null(_request($k)) && (!is_scalar($v) || (_request($k) === $v))) { ++ include_spip('inc/texte_mini'); ++ if (is_scalar($v)) { ++ $v = spip_securise_valeur_env_modele($v); ++ } else { ++ array_walk_recursive($v, function (&$value, $index) { ++ $value = spip_securise_valeur_env_modele($value); ++ }); ++ } ++ } ++ } ++ + $contexte['dir_racine'] = _DIR_RACINE; # eviter de mixer un cache racine et un cache ecrire (meme si pour l'instant les modeles ne sont pas caches, le resultat etant different il faut que le contexte en tienne compte + + // Le numero du modele est mis dans l'environnement +@@ -703,6 +717,28 @@ function inclure_modele($type, $id, $params, $lien, string $connect = '', $env = + : $retour; + } + ++/** ++ * Sanitizer une valeur venant de _request() et passée à un modèle : ++ * on laisse passer les null, bool et numeriques (id et 
pagination), ++ * les @+nombre (pagination indirecte) ++ * ou sinon le \w + espace et tirets uniquement, pour les tris/sens tri etc ++ * mais rien de compliqué suceptible d'être interprété ++ * ++ * @param $valeur ++ * @return array|float|int|mixed|string|string[]|null ++ */ ++function spip_securise_valeur_env_modele($valeur) { ++ if (is_numeric($valeur) || is_bool($valeur) || is_null($valeur)) { ++ return $valeur; ++ } ++ $valeur = (string)$valeur; ++ if (strpos($valeur, '@') === 0 && is_numeric(substr($valeur, 1))) { ++ return $valeur; ++ } ++ // on laisse passer que les \w, les espaces et les -, le reste est supprimé ++ return preg_replace(",[^\w\s-],", "", $valeur); ++} ++ + // Un inclure_page qui marche aussi pour l'espace prive + // fonction interne a spip, ne pas appeler directement + // pour recuperer $page complet, utiliser: diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series --- spip-4.1.9+dfsg/debian/patches/series 2023-07-08 20:25:35.000000000 +0200 +++ spip-4.1.9+dfsg/debian/patches/series 2023-12-21 13:56:02.000000000 +0100 @@ -9,3 +9,4 @@ 0009-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch 0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch 0011-fix-Inclusion-manquante-dans-5663.patch +0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patchAttachment: signature.asc
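Review bot: the patch header names two different upstream commits, which makes the provenance ambiguous: the "(cherry picked from commit d993a9797d839218a3fee84f80be60409b2c05f1)" line and the "Origin: upstream, https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb" line do not agree. If one is the original commit on the development branch and the other is the 4.1 backport that was actually applied, say so explicitly in the header (for example by listing both under Origin with a word on which is which), so that whoever audits this debdiff later does not have to reconcile the two hashes by hand.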
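Review bot: the new loop in inclure_modele() iterates by reference with foreach ($contexte as $k => &$v) and never releases the reference; add unset($v); right after the closing brace of the foreach, otherwise $v stays bound to the last element of $contexte and any later assignment to a variable named $v in this function silently overwrites that context entry. Two smaller points in the same hunk: _request($k) is evaluated twice per key (once in the is_null() test and once in the === comparison), so fetch it once into a local; and include_spip('inc/texte_mini') is executed inside the loop for every matching key even though spip_securise_valeur_env_modele() is defined in this very file by the following hunk, so the include is either unnecessary or should be hoisted above the loop. Finally, the guard only sanitizes scalar values that are byte-identical to the request parameter (_request($k) === $v); a value derived from the request but transformed before it reached $env passes through untouched, which is worth stating in the comment so that nobody treats this as a general filter on the template context.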
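Review bot: preg_replace(",[^\w\s-],", "", $valeur) in spip_securise_valeur_env_modele() runs without the u modifier, so \w matches ASCII letters only and every byte of a multibyte character is stripped; on a French site that means accented letters in a sort key or similar parameter are silently removed rather than preserved. If that is the intended behaviour it should be stated in the docblock; otherwise ",[^\w\s-],u" keeps Unicode letters while still removing everything a template could interpret (note that with u, invalid UTF-8 input makes preg_replace() return null, so the caller must be prepared for a null result). The @return annotation (array|float|int|mixed|string|string[]|null) is also wider than what the function can return: the early returns hand back the numeric, bool or null input unchanged and the remaining paths return a string, so int|float|bool|string|null describes it accurately. Lastly, the (string)$valeur cast will throw for an object without __toString(); the callers in the previous hunk only pass scalars and array leaves today, but an is_scalar() guard would make that contract explicit.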
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 1059291-done@bugs.debian.org
- Subject: Released with 12.5
- From: Jonathan Wiltshire <jmw@coccia.debian.org>
- Date: Sat, 10 Feb 2024 13:11:20 +0000
- Message-id: <E1rYn8a-002yZY-5w@coccia.debian.org>
Version: 12.5

The upload requested in this bug has been released as part of 12.5.
--- End Message ---