
Bug#1107596: marked as done (unblock: sogo/5.12.1-2)



Your message dated Wed, 11 Jun 2025 05:01:51 +0000
with message-id <E1uPDax-00E0as-0W@respighi.debian.org>
and subject line unblock sogo
has caused the Debian Bug report #1107596,
regarding unblock: sogo/5.12.1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107596
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: sogo@packages.debian.org
Control: affects -1 + src:sogo
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package sogo

The main fix for this unblock request is the fix for
#1104813, to use Debian packaged versions of some javascript
libs.

Additionally, I have included some upstream git cherry-picks for the
new OIDC support in SOGo, which debuted in 5.12.0, and after a few
months, SOGo users have found some issues with it.

The final cherry-pick fixes escaping in a regex for the password changing
functionality.

[ Impact ]
If this isn't accepted, the biggest issue is the release team needing to
update SOGo when/if they fix some JS vulnerabilities in angularjs,
lodash, etc., as well as the OIDC support not playing well with some
IDPs.

[ Tests ]
I have tested the packages in one of my own deployments.


[ Risks ]
The main risk is that I might not have been able to test some code path
that uses one of the replaced JS libs, and thus have not found an issue.
I did diff the vendored versions against the debian versions and
concluded they were the exact same code.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock sogo/5.12.1-2
diff -Nru sogo-5.12.1/debian/changelog sogo-5.12.1/debian/changelog
--- sogo-5.12.1/debian/changelog	2025-05-04 23:21:03.000000000 +0200
+++ sogo-5.12.1/debian/changelog	2025-06-06 11:37:50.000000000 +0200
@@ -1,3 +1,11 @@
+sogo (5.12.1-2) unstable; urgency=medium
+
+  * Replace vendoring of lodash, FileSaver and angularjs with packaged versions.
+    (Closes: #1104813)
+  * Cherry-pick post 5.12.1 fixes for OpenID and password management.
+
+ -- Jordi Mallach <jordi@debian.org>  Fri, 06 Jun 2025 11:37:50 +0200
+
 sogo (5.12.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru sogo-5.12.1/debian/control sogo-5.12.1/debian/control
--- sogo-5.12.1/debian/control	2025-03-24 14:34:01.000000000 +0100
+++ sogo-5.12.1/debian/control	2025-06-06 11:37:34.000000000 +0200
@@ -62,7 +62,7 @@
 
 Package: sogo-common
 Architecture: all
-Depends: ${misc:Depends}
+Depends: libjs-angularjs, libjs-filesaver, libjs-lodash, ${misc:Depends}
 Suggests: httpd
 Multi-Arch: foreign
 Description: Scalable groupware server - common files
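Review bot: the new `Depends: libjs-angularjs, libjs-filesaver, libjs-lodash` line is unversioned, while sogo-common (via the new sogo-common.links) replaces its `js/vendor/` copies with symlinks into whatever those packages ship. The request states the vendored and Debian copies were diffed and found identical, so recording that as a versioned dependency (a `>=` constraint on the exact libjs-* versions that were compared) protects SOGo against a later libjs-angularjs or libjs-lodash upload changing the API underneath it.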
diff -Nru sogo-5.12.1/debian/patches/series sogo-5.12.1/debian/patches/series
--- sogo-5.12.1/debian/patches/series	2025-05-04 23:16:30.000000000 +0200
+++ sogo-5.12.1/debian/patches/series	2025-06-06 09:45:21.000000000 +0200
@@ -11,3 +11,5 @@
 python3.patch
 disable_isIpv4_test.patch
 cross.patch
+upstream_openid_fixes.patch
+upstream_password_regex.patch
diff -Nru sogo-5.12.1/debian/patches/upstream_openid_fixes.patch sogo-5.12.1/debian/patches/upstream_openid_fixes.patch
--- sogo-5.12.1/debian/patches/upstream_openid_fixes.patch	1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/upstream_openid_fixes.patch	2025-06-06 09:45:21.000000000 +0200
@@ -0,0 +1,161 @@
+commit c5fb3482e22f1bfc935213e8ed7208becd9bd1f4
+Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date:   Tue May 13 16:03:13 2025 +0200
+
+    fix(openid): make end_session_endpoint optional
+
+diff --git a/Documentation/SOGoInstallationGuide.asciidoc b/Documentation/SOGoInstallationGuide.asciidoc
+index ae9951da9..372f6b4f8 100644
+--- a/Documentation/SOGoInstallationGuide.asciidoc
++++ b/Documentation/SOGoInstallationGuide.asciidoc
+@@ -1612,7 +1612,7 @@ Defaults to `0` when unset.
+ 
+ |S |SOGoOpenIdLogoutEnabled
+ |Allow user to end their openId with the webmail. Meaning that will disconnect them from
+-the others applicaitons as well.
++the others applicaitons as well. The openid server must have a end_session_endpoint.
+ 
+ Defaults to `NO` when unset.
+ |=======================================================================
+diff --git a/SoObjects/SOGo/SOGoOpenIdSession.m b/SoObjects/SOGo/SOGoOpenIdSession.m
+index 024d27e15..0dda9b5c2 100644
+--- a/SoObjects/SOGo/SOGoOpenIdSession.m
++++ b/SoObjects/SOGo/SOGoOpenIdSession.m
+@@ -238,7 +238,9 @@ static BOOL SOGoOpenIDDebugEnabled = YES;
+         self->authorizationEndpoint = [config objectForKey: @"authorization_endpoint"];
+         self->tokenEndpoint         = [config objectForKey: @"token_endpoint"];
+         self->userinfoEndpoint      = [config objectForKey: @"userinfo_endpoint"];
+-        self->endSessionEndpoint    = [config objectForKey: @"end_session_endpoint"];
++
++        if([config objectForKey: @"end_session_endpoint"]) 
++          self->endSessionEndpoint    = [config objectForKey: @"end_session_endpoint"];
+ 
+         //Optionnals?
+         if([config objectForKey: @"introspection_endpoint"])
+@@ -346,7 +348,8 @@ static BOOL SOGoOpenIDDebugEnabled = YES;
+     ASSIGN (authorizationEndpoint, [sessionDict objectForKey: @"authorization_endpoint"]);
+     ASSIGN (tokenEndpoint, [sessionDict objectForKey: @"token_endpoint"]);
+     ASSIGN (userinfoEndpoint, [sessionDict objectForKey: @"userinfo_endpoint"]);
+-    ASSIGN (endSessionEndpoint, [sessionDict objectForKey: @"end_session_endpoint"]);
++    if([sessionDict objectForKey: @"end_session_endpoint"])
++      ASSIGN (endSessionEndpoint, [sessionDict objectForKey: @"end_session_endpoint"]);
+ 
+     //Optionnals?
+     if([sessionDict objectForKey: @"introspection_endpoint"])
+@@ -370,7 +373,8 @@ static BOOL SOGoOpenIDDebugEnabled = YES;
+   [sessionDict setObject: authorizationEndpoint forKey: @"authorization_endpoint"];
+   [sessionDict setObject: tokenEndpoint forKey: @"token_endpoint"];
+   [sessionDict setObject: userinfoEndpoint forKey: @"userinfo_endpoint"];
+-  [sessionDict setObject: endSessionEndpoint forKey: @"end_session_endpoint"];
++  if(endSessionEndpoint)
++    [sessionDict setObject: endSessionEndpoint forKey: @"end_session_endpoint"];
+ 
+   //Optionnals?
+   if(introspectionEndpoint)
+commit 085fc4a9eb7d1e2a0f7b48baa1f09a8ba0d515e1
+Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date:   Tue May 20 09:08:46 2025 +0200
+
+    fix(openid): add state in connection flow
+
+diff --git a/SoObjects/SOGo/SOGoOpenIdSession.m b/SoObjects/SOGo/SOGoOpenIdSession.m
+index 0dda9b5c2..38710f4a1 100644
+--- a/SoObjects/SOGo/SOGoOpenIdSession.m
++++ b/SoObjects/SOGo/SOGoOpenIdSession.m
+@@ -18,6 +18,8 @@
+  * Boston, MA 02111-1307, USA.
+  */
+ 
++#import <Foundation/NSProcessInfo.h>
++
+ #import <NGObjWeb/WOHTTPConnection.h>
+ #import <NGObjWeb/WORequest.h>
+ #import <NGObjWeb/WOResponse.h>
+@@ -435,6 +437,12 @@ static BOOL SOGoOpenIDDebugEnabled = YES;
+          nextCheckAfter: nextCheck];
+ }
+ 
++
++-(NSString *) _random_state
++{
++    return [[[NSProcessInfo processInfo] globallyUniqueString] asSHA1String];;
++}
++
+ - (NSString*) loginUrl: (NSString *) oldLocation
+ {
+   NSString* logUrl;
+@@ -442,6 +450,7 @@ static BOOL SOGoOpenIDDebugEnabled = YES;
+   logUrl = [logUrl stringByAppendingString: @"&response_type=code"];
+   logUrl = [logUrl stringByAppendingFormat: @"&client_id=%@", self->openIdClient];
+   logUrl = [logUrl stringByAppendingFormat: @"&redirect_uri=%@", oldLocation];
++  logUrl = [logUrl stringByAppendingFormat: @"&state=%@", [self _random_state]];
+   if(self->forDomain != nil && [self->forDomain length] > 0)
+     logUrl = [logUrl stringByAppendingFormat: @"&sogo_domain=%@", forDomain];
+   // logurl = [self->logurl stringByAppendingFormat: @"&state=%@", state];
+diff --git a/UI/MainUI/SOGoUserHomePage.m b/UI/MainUI/SOGoUserHomePage.m
+index 9a56ed962..e9c5d9573 100644
+--- a/UI/MainUI/SOGoUserHomePage.m
++++ b/UI/MainUI/SOGoUserHomePage.m
+@@ -447,9 +447,9 @@
+   }
+   else if ([authType isEqualToString: @"openid"])
+   {
+-    SOGoOpenIdSession* session;
+-    session = [SOGoOpenIdSession OpenIdSession: loginDomain];
+-    redirectURL = [session logoutUrl];
++    SOGoOpenIdSession* sessionOidc;
++    sessionOidc = [SOGoOpenIdSession OpenIdSession: loginDomain];
++    redirectURL = [sessionOidc logoutUrl];
+   }
+ #if defined(SAML2_CONFIG)
+   else if ([authType isEqualToString: @"saml2"])
+commit 9954c3607bfda55424f5ac532a1075407235f345
+Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date:   Wed May 21 14:50:41 2025 +0200
+
+    fix(openid): allow expires_in param to be null
+
+diff --git a/SOPE/GDLContentStore/GCSSpecialQueries.m b/SOPE/GDLContentStore/GCSSpecialQueries.m
+index 167b38559..ca7709e03 100644
+--- a/SOPE/GDLContentStore/GCSSpecialQueries.m
++++ b/SOPE/GDLContentStore/GCSSpecialQueries.m
+@@ -218,7 +218,7 @@
+        @" c_old_session VARCHAR(4096) NULL,"
+        @" c_session_started INT4 NOT NULL,"
+        @" c_refresh_token VARCHAR(4096) NULL,"
+-       @" c_access_token_expires_in INT4 NOT NULL,"
++       @" c_access_token_expires_in INT4 NULL,"
+        @" c_refresh_token_expires_in INT4 NULL)");
+ 
+   return [NSString stringWithFormat: sqlFolderFormat, tableName];
+@@ -379,7 +379,7 @@
+        @" c_old_session VARCHAR(4096) NULL,"
+        @" c_session_started INT4 NOT NULL,"
+        @" c_refresh_token VARCHAR(4096) NULL,"
+-       @" c_access_token_expires_in INT4 NOT NULL,"
++       @" c_access_token_expires_in INT4 NULL,"
+        @" c_refresh_token_expires_in INT4 NULL)");
+ 
+   return [NSString stringWithFormat: sqlFolderFormat, tableName];
+@@ -540,7 +540,7 @@
+        @" c_old_session VARCHAR2(4096) NULL,"
+        @" c_session_started INTEGER NOT NULL,"
+        @" c_refresh_token VARCHAR2(4096) NULL,"
+-       @" c_access_token_expires_in INTEGER NOT NULL,"
++       @" c_access_token_expires_in INTEGER NULL,"
+        @" c_refresh_token_expires_in INTEGER NULL)");
+ 
+   return [NSString stringWithFormat: sqlFolderFormat, tableName];
+diff --git a/Scripts/mysql-utf8mb4.sql b/Scripts/mysql-utf8mb4.sql
+index 38dd90ecb..41a8824e5 100644
+--- a/Scripts/mysql-utf8mb4.sql
++++ b/Scripts/mysql-utf8mb4.sql
+@@ -170,7 +170,7 @@ CREATE TABLE sogo_opend_id (
+ 	c_old_session              varchar(4096) DEFAULT '',
+ 	c_session_started           int(11)       NOT NULL,
+ 	c_refresh_token             varchar(4096) DEFAULT '',
+-	c_access_token_expires_in    int(11)       NOT NULL,
++	c_access_token_expires_in    int(11)       DEFAULT '',
+ 	c_refresh_token_expires_in  int(11)       DEFAULT NULL,
+ 	PRIMARY KEY (c_user_session)
+ ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC;
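Review bot: the `+-(NSString *) _random_state` helper in the second commit derives the OAuth `state` value by SHA1-hashing `[[NSProcessInfo processInfo] globallyUniqueString]`, which is a uniqueness identifier (host, process and timestamp based), not a cryptographically secure random value, and hashing it adds no entropy; since `state` is the CSRF defence of the authorization-code flow it should come from a secure random source. More importantly, in the visible lines the value is only appended to the login URL (`+  logUrl = [logUrl stringByAppendingFormat: @"&state=%@", [self _random_state]];`); nothing stores it in the session or compares it with the `state` returned on the redirect URI, and without that check the parameter protects nothing. Smaller points: the helper ends with a stray double semicolon (`asSHA1String];;`), the new `if([config objectForKey: @"end_session_endpoint"])` line in the first commit has trailing whitespace, and the installation-guide line keeps the existing typo `applicaitons` and adds `a end_session_endpoint` (should be `an`). In the third commit, `+	c_access_token_expires_in    int(11)       DEFAULT '',` gives an integer column an empty-string default, which MySQL rejects as an invalid default value in strict mode; it should read `DEFAULT NULL` like the `c_refresh_token_expires_in` line beneath it. The `CREATE TABLE` edits also only affect newly created tables, so deployments whose `sogo_opend_id` table was created under 5.12.1 keep the `NOT NULL` constraint and will still fail when the IdP omits `expires_in`; a debian/NEWS entry or an `ALTER TABLE` migration note would be worth adding.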
diff -Nru sogo-5.12.1/debian/patches/upstream_password_regex.patch sogo-5.12.1/debian/patches/upstream_password_regex.patch
--- sogo-5.12.1/debian/patches/upstream_password_regex.patch	1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/upstream_password_regex.patch	2025-06-06 09:45:21.000000000 +0200
@@ -0,0 +1,19 @@
+commit e36d0d219baed8c7d57af0069fadb8d1bf7df072
+Author: Hivert Quentin <quentin.hivert.fr@gmail.com>
+Date:   Tue May 13 16:51:08 2025 +0200
+
+    fix(password): put correct regex for special char
+
+diff --git a/SoObjects/SOGo/SOGoPasswordPolicy.m b/SoObjects/SOGo/SOGoPasswordPolicy.m
+index 02bb8be07..5db36c4a5 100644
+--- a/SoObjects/SOGo/SOGoPasswordPolicy.m
++++ b/SoObjects/SOGo/SOGoPasswordPolicy.m
+@@ -33,7 +33,7 @@ static const NSString *POLICY_MIN_DIGIT = @"POLICY_MIN_DIGIT";
+ static const NSString *POLICY_MIN_SPECIAL_SYMBOLS = @"POLICY_MIN_SPECIAL_SYMBOLS";
+ static const NSString *POLICY_MIN_LENGTH = @"POLICY_MIN_LENGTH";
+ 
+-static const NSString *SPECIAL_SYMBOL_ALLOWED = @"%$&*(){}!?\\@#.,:;+=\\[\\]\\|<>\\/-_";
++static const NSString *SPECIAL_SYMBOL_ALLOWED = @"%$&*(){}!?\\@#.,:;+=\\[\\]\\|<>\\/\\-_";
+ 
+ @implementation SOGoPasswordPolicy
+ 
diff -Nru sogo-5.12.1/debian/rules sogo-5.12.1/debian/rules
--- sogo-5.12.1/debian/rules	2025-03-21 13:22:07.000000000 +0100
+++ sogo-5.12.1/debian/rules	2025-06-06 11:37:34.000000000 +0200
@@ -45,6 +45,15 @@
 	mkdir -p debian/tmp/usr/share/GNUstep/SOGo
 	mv debian/tmp/usr/lib/*/GNUstep/SOGo/Templates debian/tmp/usr/lib/*/GNUstep/SOGo/WebServerResources debian/tmp/usr/share/GNUstep/SOGo
 
+	# Use packaged 3rd party javascript libraries available in Debian
+	rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/FileSaver.min.js*
+	rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.js
+	rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.min.js*
+	rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-{animate,aria,cookies,messages,sanitize}.js
+	rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-{animate,aria,cookies,messages,sanitize}.min.js*
+	rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.js
+	rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.min.js*
+
 	dh_install
 
 override_dh_installchangelogs:
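Review bot: the two `angular-{animate,aria,cookies,messages,sanitize}` removals depend on brace expansion, which is a bash feature. make runs recipes with `/bin/sh` (dash on Debian) unless the rules file sets `SHELL := /bin/bash`, and nothing in this hunk does, so under sh the braces are passed literally, `rm -f` silently matches nothing, and the vendored angular-animate/aria/cookies/messages/sanitize files stay in debian/tmp, with the outcome then depending on dh_link overwriting them with the symlinks. Either set SHELL to bash, spell the five names out (and drop `-f` on those exact paths so an upstream rename fails the build instead of being ignored), or use a POSIX `for` loop.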
diff -Nru sogo-5.12.1/debian/sogo-common.links sogo-5.12.1/debian/sogo-common.links
--- sogo-5.12.1/debian/sogo-common.links	1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/sogo-common.links	2025-06-06 09:45:21.000000000 +0200
@@ -0,0 +1,15 @@
+usr/share/javascript/angular.js/angular.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.js
+usr/share/javascript/angular.js/angular.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.min.js
+usr/share/javascript/angular.js/angular-animate.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-animate.js
+usr/share/javascript/angular.js/angular-animate.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-animate.min.js
+usr/share/javascript/angular.js/angular-aria.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-aria.js
+usr/share/javascript/angular.js/angular-aria.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-aria.min.js
+usr/share/javascript/angular.js/angular-cookies.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-cookies.js
+usr/share/javascript/angular.js/angular-cookies.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-cookies.min.js
+usr/share/javascript/angular.js/angular-messages.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-messages.js
+usr/share/javascript/angular.js/angular-messages.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-messages.min.js
+usr/share/javascript/angular.js/angular-sanitize.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-sanitize.js
+usr/share/javascript/angular.js/angular-sanitize.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-sanitize.min.js
+usr/share/javascript/filesaver/FileSaver.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/FileSaver.min.js
+usr/share/javascript/lodash/lodash.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.js
+usr/share/javascript/lodash/lodash.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.min.js

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
