Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: spip@packages.debian.org
Control: affects -1 + src:spip
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

SPIP upstream released a 4.4.5 version fixing an open redirect on an AJAX login form. It is not exploitable by default: the login form must have been explicitly set to work with AJAX. The fix has been reviewed by the security team; it does not warrant a DSA, yet it would be nice to have it fixed via a point release.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Regards,

taffit
diff -Nru spip-4.4.3+dfsg/debian/changelog spip-4.4.3+dfsg/debian/changelog
--- spip-4.4.3+dfsg/debian/changelog 2025-04-10 13:59:24.000000000 +0200
+++ spip-4.4.3+dfsg/debian/changelog 2025-09-09 07:21:38.000000000 +0200
@@ -1,3 +1,10 @@
+spip (4.4.3+dfsg-1+deb13u1) trixie; urgency=medium
+
+ * Track debian/trixie
+ * Backport security fix from 4.4.5: Fix open redirect on ajax login form
+
+ -- David Prévot <taffit@debian.org> Tue, 09 Sep 2025 07:21:38 +0200
+
spip (4.4.3+dfsg-1) unstable; urgency=medium
* Upload to unstable
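Review bot: the "Backport security fix from 4.4.5" line names the upstream version but not the upstream security reference; the new patch header carries both spip-security/securite#4865 and the upstream commit e434659fdedebc6f9bdaa862e45057f430dcf357, and copying at least the issue reference into this changelog entry would let the security tracker and users of the point release locate the fix (no CVE id appears anywhere in this report, so none should be invented here). The deb13u1 revision and the trixie distribution field agree with the Tags: trixie / Usertags: pu header of the request.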
diff -Nru spip-4.4.3+dfsg/debian/control spip-4.4.3+dfsg/debian/control
--- spip-4.4.3+dfsg/debian/control 2025-03-18 00:01:51.000000000 +0100
+++ spip-4.4.3+dfsg/debian/control 2025-09-09 07:21:38.000000000 +0200
@@ -15,7 +15,7 @@
uglifyjs
Homepage: https://www.spip.net/
Standards-Version: 4.7.0
-Vcs-Git: https://salsa.debian.org/debian/spip.git
+Vcs-Git: https://salsa.debian.org/debian/spip.git -b debian/trixie
Vcs-Browser: https://salsa.debian.org/debian/spip
Rules-Requires-Root: no
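Review bot: the `-b debian/trixie` suffix added to Vcs-Git needs to agree with the packaging branch used by gbp, and in this debdiff it does (gbp.conf switches `debian-branch` to debian/trixie in the same upload); nothing else to flag in this hunk.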
diff -Nru spip-4.4.3+dfsg/debian/gbp.conf spip-4.4.3+dfsg/debian/gbp.conf
--- spip-4.4.3+dfsg/debian/gbp.conf 2025-04-10 13:52:41.000000000 +0200
+++ spip-4.4.3+dfsg/debian/gbp.conf 2025-09-09 07:21:38.000000000 +0200
@@ -1,4 +1,4 @@
[DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/trixie
pristine-tar = True
upstream-vcs-tag = %(version%~%-)s
diff -Nru spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch
--- spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch 2025-03-19 10:51:07.000000000 +0100
+++ spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch 2025-09-09 07:21:38.000000000 +0200
@@ -13,7 +13,7 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ecrire/inc_version.php b/ecrire/inc_version.php
-index 3b7d61b..effba72 100644
+index 45469b1..ab41a12 100644
--- a/ecrire/inc_version.php
+++ b/ecrire/inc_version.php
@@ -436,7 +436,7 @@ $liste_des_authentifications = [
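Review bot: only the embedded `index 3b7d61b..effba72` line of the git header changes here, i.e. 0001 was refreshed against the rebuilt tree and its body (one line in ecrire/inc_version.php) is untouched, so this is harmless header churn rather than a functional change; the changelog does not mention the refresh, which is acceptable since no hunk content moved.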
diff -Nru spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch
--- spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch 2025-03-19 10:51:07.000000000 +0100
+++ spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch 2025-09-09 07:21:38.000000000 +0200
@@ -14,7 +14,7 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ecrire/inc_version.php b/ecrire/inc_version.php
-index effba72..c80f544 100644
+index ab41a12..157717f 100644
--- a/ecrire/inc_version.php
+++ b/ecrire/inc_version.php
@@ -461,7 +461,7 @@ $spip_sql_version = 1;
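Review bot: same header-only refresh as in 0001, and the blob ids chain correctly: the pre-image of this patch (`ab41a12` in `+index ab41a12..157717f`) is the post-image that 0001 now produces (`+index 45469b1..ab41a12`), so the two patches still apply in series order on the same file.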
diff -Nru spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch
--- spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch 2025-09-09 07:21:38.000000000 +0200
@@ -0,0 +1,34 @@
+From: b_b <bruno@eliaz.fr>
+Date: Mon, 8 Sep 2025 10:04:10 +0200
+Subject: security: fix open redirect sur formulaire de login en ajax
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Dans certains cas, si la page de login est surchargée pour fonctionner en ajax,
+le formulaire de login pouvait permettre de rediriger sur un site externe non prévu.
+
+Refs: spip-security/securite#4865
+
+Origin: upstream, https://git.spip.net/spip/ecrire/-/commit/e434659fdedebc6f9bdaa862e45057f430dcf357
+---
+ ecrire/inc/headers.php | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/inc/headers.php b/ecrire/inc/headers.php
+index 401f031..e581b37 100644
+--- a/ecrire/inc/headers.php
++++ b/ecrire/inc/headers.php
+@@ -144,9 +144,10 @@ function redirige_formulaire($url, $equiv = '', $format = 'message') {
+ $url = strtr($url, "\n\r", ' ');
+ # en theorie on devrait faire ca tout le temps, mais quand la chaine
+ # commence par ? c'est imperatif, sinon l'url finale n'est pas la bonne
+- if ($url[0] == '?') {
+- $url = url_de_base() . $url;
++ if (in_array($url[0], ['?', '/']) && !str_starts_with($url, '//')) {
++ $url = url_de_base() . ltrim($url, '/');
+ }
++
+ $url = str_replace('&', '&', $url);
+ spip_log("redirige formulaire ajax: $url");
+ include_spip('inc/filtres');
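Review bot: the new guard in redirige_formulaire only decides whether `url_de_base()` is prepended; a value beginning with `//` is deliberately excluded from the prefix but is then passed on unchanged to the redirect, so this hunk alone does not show where a protocol-relative (i.e. external) target is refused, and that should be confirmed against the upstream commit referenced in the DEP-3 Origin line before accepting the backport as complete. Two smaller points: `str_starts_with()` requires PHP >= 8.0, which the package's PHP dependency on trixie should already satisfy but is worth a glance, and `$url[0]` on an empty `$url` raises a PHP 8 "Uninitialized string offset" warning (pre-existing, the old `if ($url[0] == '?')` line had the same behaviour). Finally, the context line `$url = str_replace('&', '&', $url);` as rendered in this archive is a no-op; the first argument is presumably the `&amp;` entity lost in transit, so verify the patch file in the actual upload carries it intact.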
diff -Nru spip-4.4.3+dfsg/debian/patches/series spip-4.4.3+dfsg/debian/patches/series
--- spip-4.4.3+dfsg/debian/patches/series 2025-03-19 10:51:07.000000000 +0100
+++ spip-4.4.3+dfsg/debian/patches/series 2025-09-09 07:21:38.000000000 +0200
@@ -3,3 +3,4 @@
0003-Fix-displayed-version-in-the-private-interface.patch
0004-Use-getid3-class-from-the-php-getid3-package.patch
0005-Workaround-Composer-InstalledVersions-feature.patch
+0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch