Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: s...@packages.debian.org Control: affects -1 + src:spip
[ Request similar to #1038153 for Bullseye ] Hi, Congrats to the team for the Bookworm release! SPIP has been updated upstream to fix some security issues (link to the French-only announcement follows), and we agreed with the security team that they don’t warrant a DSA this time. https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html The main backported fix is the one that limits recursion depth in protege_champ() function. The security screen fix (avoiding unserialize use) should already be covered in the main code, and the htaccess change only affects a file shipped as an example (in /usr/share/doc/spip). This version also ships a compatibility fix for PHP 8.1 in the mutualisation plugin shipped in the Debian package, and some metadata changes (d/{changelog,control,gbp.conf}). As an alternative, a 4.1.10+dfsg-1~deb12u1 version could be proposed. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable
diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog
--- spip-4.1.9+dfsg/debian/changelog 2023-02-28 21:25:27.000000000 +0100
+++ spip-4.1.9+dfsg/debian/changelog 2023-06-11 15:38:54.000000000 +0200
@@ -1,3 +1,19 @@
+spip (4.1.9+dfsg-1+deb12u1) bookworm; urgency=medium
+
+ [ David Prévot ]
+ * Add CVE to previous changelog entry
+ * Update documented branch
+ * Backport security fixes from 4.1.10
+ - Limit recursion depth in protege_champ() function
+ - Avoid unserialize use in security screen
+ - Properly block hidden files in provided htaccess
+ - Update security screen to 1.5.3
+
+ [ RealET ]
+ * mutualisation: PHP 8.1 compatibility fixes #2
+
+ -- David Prévot <taf...@debian.org> Sun, 11 Jun 2023 15:38:54 +0200
+
 spip (4.1.9+dfsg-1) unstable; urgency=medium
 
 [ Cerdic ]
@@ -15,7 +31,7 @@
 * build: Version SPIP 4.1.8
 [ Cerdic ]
- * Fix: Sanitizer toutes les valeurs passées aux formulaires
+ * Fix: Sanitizer toutes les valeurs passées aux formulaires [CVE-2023-27372]
 * fix: Sanitizer toutes les valeurs passées aux formulaires preventivement dans l'écran de sécurité
diff -Nru spip-4.1.9+dfsg/debian/control spip-4.1.9+dfsg/debian/control
--- spip-4.1.9+dfsg/debian/control 2023-02-28 19:47:19.000000000 +0100
+++ spip-4.1.9+dfsg/debian/control 2023-06-11 15:37:44.000000000 +0200
@@ -5,7 +5,7 @@
 Build-Depends: cssmin, debhelper-compat (= 13), dh-apache2, minify
 Homepage: https://www.spip.net/
 Standards-Version: 4.6.2
-Vcs-Git: https://salsa.debian.org/debian/spip.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/debian/spip.git -b debian/bookworm-security
 Vcs-Browser: https://salsa.debian.org/debian/spip
 Rules-Requires-Root: no
diff -Nru spip-4.1.9+dfsg/debian/gbp.conf spip-4.1.9+dfsg/debian/gbp.conf
--- spip-4.1.9+dfsg/debian/gbp.conf 2023-02-28 19:47:26.000000000 +0100
+++ spip-4.1.9+dfsg/debian/gbp.conf 2023-06-11 15:37:44.000000000 +0200
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/bookworm
+debian-branch = debian/bookworm-security
 pristine-tar = True
 upstream-branch = upstream-4.1
 upstream-vcs-tag = v%(version%~%-)s
diff -Nru spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php
--- spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php 2022-06-17 19:32:19.000000000 +0200
+++ spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php 2023-06-11 15:37:21.000000000 +0200
@@ -34,10 +34,6 @@
 $url_admin_plugin = 'ecrire/?exec=admin_plugin';
 $url_admin_vider = 'ecrire/?exec=admin_vider';
- if (!file_exists(_DIR_IMG . 'mutualiser-128.png')) {
- @copy(find_in_path('mutualiser-128.png'), _DIR_IMG . 'mutualiser-128.png');
- }
-
 $titre = _L(count($sites) . ' ' . 'sites mutualisés <em>(' . _T('version') . ' ' . $GLOBALS['spip_version_base'] . ')</em>'); //$page .= "<div id='trace'></div>" ;
@@ -151,9 +147,9 @@
 if ($compression == '') {
 $compression = _L('Activer');
 }
+ $configsparticulieres = '';
 if (isset($GLOBALS['mutualisation_afficher_config'])) {
 $configs = explode(",", $GLOBALS['mutualisation_afficher_config']);
- $configsparticulieres = '';
 foreach ($configs as $config) {
 $configsparticulieres .= '<em><small>' . $config . ':</small></em> ' . lire_config_distante($config, $meta) . "<br />\n";
@@ -226,17 +222,17 @@
 . "\n" . '</tr>' . "\n";
- if ($_GET['tri'] AND isset($plnum[intval(count($c))])) {
+ if (!empty($_GET['tri']) AND isset($plnum[intval(count($c))])) {
 $plnum[intval(count($c))] .= $ligne;
 } else {
- if ($_GET['tri']) {
+ if (!empty($_GET['tri'])) {
 $plnum[intval(count($c))] = $ligne;
 } else {
 $plnum[] = $ligne;
 }
 }
 }
- if ($_GET['tri']) {
+ if (!empty($_GET['tri'])) {
 krsort($plnum);
 }
 $page .= implode('', $plnum);
@@ -398,9 +394,9 @@
 $debug_toolbar .= "<div class='toolbar-icon'><i class='icon-time'></i> <span>" . $page_load_time . " s</span></div>\n";
 $debug_toolbar .= "<div class='toolbar-info'>";
 $debug_toolbar .= "<div class='toolbar-info-element'><b>Début du script</b> <span>" . date('H:i:s',
- $timestart) . "</span></div>\n";
+ (int) $timestart) . "</span></div>\n";
 $debug_toolbar .= "<div class='toolbar-info-element'><b>Fin du script</b> <span>" . date('H:i:s',
- $timeend) . "</span></div>\n";
+ (int) $timeend) . "</span></div>\n";
 $debug_toolbar .= "<div class='toolbar-info-element'><b>Temps d'exécution</b> <span>" . $page_load_time . " s</span></div>\n";
 $debug_toolbar .= "</div></div>\n";
@@ -590,7 +586,7 @@
 return false;
 }
-function lire_config_distante($cfg = '', $meta) {
+function lire_config_distante($cfg = '', $meta = '') {
 $def = null;
 $unserialize = true;
 // lire le stockage sous la forme valeur
@@ -611,8 +607,8 @@
 return $r;
 } else {
 $cfg = explode('/', $cfg);
- $r = @unserialize($meta[$cfg[0]]);
- $r = $r[$cfg[1]];
+ $r = unserialize($meta[$cfg[0]] ?? '');
+ $r = $r[$cfg[1]] ?? '';
 return $r;
 }
diff -Nru spip-4.1.9+dfsg/debian/mutualisation/paquet.xml spip-4.1.9+dfsg/debian/mutualisation/paquet.xml
--- spip-4.1.9+dfsg/debian/mutualisation/paquet.xml 2022-06-17 19:32:19.000000000 +0200
+++ spip-4.1.9+dfsg/debian/mutualisation/paquet.xml 2023-06-11 15:37:21.000000000 +0200
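Review bot: `$r = unserialize($meta[$cfg[0]] ?? '');` still deserializes the stored value with object instantiation enabled; since the hunk already rewrites this line, pass the options array so only scalars and arrays can come back: `$r = unserialize($meta[$cfg[0]] ?? '', ['allowed_classes' => false]);`. Dropping the `@` also means a present but non-serialized value now emits a notice where it was previously silenced, which may be intended for PHP 8.1 diagnostics but deserves a comment such as `// unserialize() est bruyant volontairement : une valeur non sérialisée doit remonter dans les logs`. Where `$meta` originates is not visible here (presumably the other site's meta storage, going by the function name), so confirm no caller expects objects from these lookups before restricting classes. lire_config_distante's body begins and ends outside the hunk.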
@@ -1,24 +1,24 @@
-<paquet
- prefix="Mutualisation"
- categorie="maintenance"
- version="1.4.10"
- etat="stable"
- compatibilite="[3.0.0;4.1.*]"
- logo="mutualiser-128.png"
- documentation="https://contrib.spip.net/La-mutualisation-facile-modifications-manuelles"
->
-
- <nom>Mutualisation facile</nom>
- <!-- Créer une ferme à Spip -->
-
- <auteur>Fil</auteur>
- <auteur>Teddy</auteur>
-
- <copyright>2007-2018</copyright>
-
- <licence lien="http://www.gnu.org/licenses/lgpl-3.0.html">LGPL 3</licence>
- <licence lien="http://www.gnu.org/licenses/gpl-3.0.html">GPL 3 (2013)</licence>
- <licence lien="http://www.wtfpl.net/about/">WTFPL 2 (2013)</licence>
-
- <chemin path="" type="aucun" />
-</paquet>
+<paquet
+ prefix="Mutualisation"
+ categorie="maintenance"
+ version="1.4.11"
+ etat="stable"
+ compatibilite="[3.0.0;4.1.*]"
+ logo="mutualiser-128.png"
+ documentation="https://contrib.spip.net/La-mutualisation-facile-modifications-manuelles"
+>
+
+ <nom>Mutualisation facile</nom>
+ <!-- Créer une ferme à Spip -->
+
+ <auteur>Fil</auteur>
+ <auteur>Teddy</auteur>
+
+ <copyright>2007-2018</copyright>
+
+ <licence lien="http://www.gnu.org/licenses/lgpl-3.0.html">LGPL 3</licence>
+ <licence lien="http://www.gnu.org/licenses/gpl-3.0.html">GPL 3 (2013)</licence>
+ <licence lien="http://www.wtfpl.net/about/">WTFPL 2 (2013)</licence>
+
+ <chemin path="" type="aucun" />
+</paquet>
diff -Nru spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch
--- spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch 2023-06-11 15:37:44.000000000 +0200
@@ -0,0 +1,37 @@
+From: Cerdic <ced...@yterium.com>
+Date: Tue, 7 Mar 2023 14:56:30 +0100
+Subject: security: limiter la profondeur de recursion de `protege_champ`
+
+(cherry picked from commit b362e987b41fac344150f97cc563bf4d8c8181fa)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/9b73dbd66e50baf312ba1c7df21efebba4ae08f1
+---
+ ecrire/balise/formulaire_.php | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/balise/formulaire_.php b/ecrire/balise/formulaire_.php
+index 71672cf..22d642b 100644
+--- a/ecrire/balise/formulaire_.php
++++ b/ecrire/balise/formulaire_.php
+@@ -34,9 +34,19 @@ include_spip('inc/texte');
+ * @return string|array|null
+ * Saisie protégée
+ **/
+-function protege_champ($texte) {
++function protege_champ($texte, $max_prof = 128) {
+ if (is_array($texte)) {
+- return array_map('protege_champ', $texte);
++ // si on dépasse la prof max on tronque
++ if ($max_prof > 0) {
++ return array_map(
++ function($v) use ($max_prof) {
++ return protege_champ($v, $max_prof-1);
++ },
++ $texte
++ );
++ }
++ // si on dépasse la prof max on tronque
++ return [];
+ } elseif ($texte === null) {
+ return $texte;
+ } elseif (is_bool($texte)) {
diff -Nru spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
--- spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch 2023-06-11 15:37:44.000000000 +0200
@@ -0,0 +1,64 @@
+From: Cerdic <ced...@yterium.com>
+Date: Tue, 7 Mar 2023 15:03:08 +0100
+Subject: =?utf-8?q?security=3A_Ameliorer_c76770a_en_=C3=A9vitant_un_=60unse?=
+ =?utf-8?q?rialize=60_dans_l=27=C3=A9cran_de_s=C3=A9curit=C3=A9?=
+
+(cherry picked from commit 9b1c3cf455b624163546f1521148897a5c96d5d6)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/9f55790164f7869d2e315a49b3fdc4af0c5b8fdd
+---
+ config/ecran_securite.php | 36 ++++++++++++++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 4ff6917..7a4e153 100644
+--- a/config/ecran_securite.php
++++ b/config/ecran_securite.php
+@@ -654,17 +654,41 @@ if (
+ ) {
+ foreach ($_REQUEST as $k => $v) {
+ if (is_string($v)
+- and strpos($v, ':') !== false
+- and strpos($v, '"') !==false
+- and preg_match(',[bidsaO]:,', $v)
+- and @unserialize($v)) {
+- $_REQUEST[$k] = htmlentities($v);
++ and strpbrk($v, "&\"'<>") !== false
++ and preg_match(',^[abis]:\d+[:;],', $v)
++ and __ecran_test_if_serialized($v)
++ ) {
++ $_REQUEST[$k] = htmlspecialchars($v, ENT_QUOTES);
+ if (isset($_POST[$k])) $_POST[$k] = $_REQUEST[$k];
+ if (isset($_GET[$k])) $_GET[$k] = $_REQUEST[$k];
+ }
+ }
+ }
+-
++/**
++ * Version simplifiée de https://developer.wordpress.org/reference/functions/is_serialized/
++ */
++function __ecran_test_if_serialized($data) {
++ $data = trim($data);
++ if ('N;' === $data) {return true;}
++ if (strlen($data) < 4) {return false;}
++ if (':' !== $data[1]) {return false;}
++ $semicolon = strpos($data, ';');
++ $brace = strpos($data, '}');
++ // Either ; or } must exist.
++ if (false === $semicolon && false === $brace) {return false;}
++ // But neither must be in the first X characters.
++ if (false !== $semicolon && $semicolon < 3) {return false;}
++ if (false !== $brace && $brace < 4) {return false;}
++ $token = $data[0];
++ if (in_array($token, array('s', 'S'))) {
++ if (false === strpos($data, '"')) {return false;}
++ } elseif (in_array($token, array('a', 'O', 'C', 'o', 'E'))) {
++ return (bool)preg_match("/^{$token}:[0-9]+:/s", $data);
++ } elseif (in_array($token, array('b', 'i', 'd'))) {
++ return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data);
++ }
++ return false;
++}
+
+ /*
+ * S'il y a une raison de mourir, mourons
diff -Nru spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
--- spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch 2023-06-11 15:37:44.000000000 +0200
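Review bot: The caller only reaches `__ecran_test_if_serialized` after `preg_match(',^[abis]:\d+[:;],', $v)` succeeds, so the helper's branches for the `S`, `O`, `C`, `o`, `E` and `d` tokens and the `N;` shortcut can never be taken on this call path, and a reader comparing the two conditions will not know whether that narrowing is deliberate. Either the prefilter and the helper should agree on one token set, or a comment above the helper should state it, e.g. `// Seuls les jetons a/b/i/s arrivent ici (cf. le preg_match ci-dessus) ; les autres branches gardent la parité avec is_serialized() de WordPress`. Note that in this version the `s`/`S` branch falls through to `return false` even when a `"` is present; patch 0008 in the same upload reorganises those branches, so the two patches should be read together when documenting the contract. This is a vendored upstream commit, so the clarification belongs upstream rather than as a Debian-only edit.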
@@ -0,0 +1,75 @@
+From: Matthieu Marcillaud <marci...@rezo.net>
+Date: Wed, 7 Jun 2023 09:40:00 +0200
+Subject: =?utf-8?q?security=3A_Effectivement_bloquer_les_fichiers_cach?=
+ =?utf-8?q?=C3=A9s_dans_le_htaccess?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+L’histoire est quelque peu ubuesque, et remonte à il y a 16 ans via 26a1f4906d23
+qui a déplacé des règles trop bas. Ça ne bloquait plus les .svn depuis,
+à cause du fait que plus haut, si c’est un fichier, on exécute la règle
+`[S=100]` qui saute les prochaines `RewriteRule`.
+
+- #5109 a semblé corriger en utilisant `RedirectMatch`, qui n’est pas affecté
+ par le Skip (sans se rendre compte du problème initial)
+- #5432 a remis une `RewriteRule`, et du coup, de nouveau paf.
+
+Ce n’est pas toujours très visible car les serveurs eux-mêmes bloquent
+déjà souvent ces répertoires cachés.
+
+Donc, on remonte bien plus haut les règles de blocage des fichiers cachés
+et on leur fait un titre dédié.
+
+Refs: #5109 #5432 spip-team/securite#4844
+(cherry picked from commit d50cb7bbc7a71ff23a77dfe02215c16991437336)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/36ec7947e96e44af095c3cf87f25cf27a963fe40
+---
+ htaccess.txt | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/htaccess.txt b/htaccess.txt
+index 3154787..667cfc6 100644
+--- a/htaccess.txt
++++ b/htaccess.txt
+@@ -37,9 +37,15 @@ RewriteRule ^(.*) - [E=BASE:%1]
+
+
+
+-
+-################ GESTIONS DES URLS SPIP #######################
++############# GESTIONS DES ACCES FICHIERS #####################
+ ###
++
++# bloquer les acces aux fichiers caches (.svn, .git, etc)
++RewriteCond %{REQUEST_URI} !^/.well-known/
++RewriteRule "(^|/)\." - [R=404,NC,L]
++# bloquer les informations Composer
++RedirectMatch 404 ^/composer\.(json|lock|phar)$
++
+ # Si le fichier ou repertoire demande existe
+ # ignorer toutes les regles qui suivent
+ <IfModule mod_headers.c>
+@@ -56,6 +62,8 @@ RewriteRule "." - [skip=100]
+ #
+ ###
+
++################ GESTIONS DES URLS SPIP #######################
++###
+
+ ###
+ # Compatibilite avec les URLS "html" (pour transition sympa)
+@@ -100,12 +108,6 @@ RewriteRule ^[^\.]+(\.html)?$ spip.php [QSA,E=url_propre:$0,L]
+ ###
+ # Divers
+
+-# bloquer les acces aux fichiers caches (.svn, .git, etc)
+-RewriteCond %{REQUEST_URI} !^/.well-known/
+-RewriteRule "(^|/)\." - [R=404,NC,L]
+-# bloquer les informations Composer
+-RedirectMatch 404 ^/composer\.(json|lock|phar)$
+-
+ ###
+ # Fichiers "standards" (si absents de la racine)
+ #
diff -Nru spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch
--- spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch 1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch 2023-06-11 15:37:44.000000000 +0200
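Review bot: The block is now placed before the `RewriteRule "." - [skip=100]` rule, which the commit message identifies as the whole point, but nothing in the file itself says so, and the same rules have been moved below that skip twice before according to the message (#5109, #5432). Add a comment above the moved block, e.g. `# NB : ces regles doivent rester AVANT le [skip=100] ci-dessous, sinon elles sont sautees pour tout fichier existant`, so the next reorganisation does not silently reintroduce the regression. Separately, `RewriteCond %{REQUEST_URI} !^/.well-known/` leaves the dot unescaped; it works in practice but `!^/\.well-known/` states the intended exception more precisely.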
@@ -0,0 +1,51 @@
+From: Matthieu Marcillaud <marci...@rezo.net>
+Date: Wed, 7 Jun 2023 12:12:57 +0200
+Subject: =?utf-8?q?build=3A_Up_=C3=A9cran_de_s=C3=A9cu_en_1=2E5=2E3?=
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/536192d895c051b0859374710fbdd5bf15205e3f
+---
+ config/ecran_securite.php | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 7a4e153..53581fc 100644
+--- a/config/ecran_securite.php
++++ b/config/ecran_securite.php
+@@ -5,7 +5,7 @@
+ * ------------------
+ */
+
+-define('_ECRAN_SECURITE', '1.5.0'); // 2023-02-27
++define('_ECRAN_SECURITE', '1.5.3'); // 2023-05-31
+
+ /*
+ * Documentation : https://www.spip.net/fr_article4200.html
+@@ -650,7 +650,7 @@ if (
+ }
+
+ if (
+- isset($_REQUEST['formulaire_action_args'])
++ isset($_REQUEST['formulaire_action_args']) || isset($_REQUEST['var_login'])
+ ) {
+ foreach ($_REQUEST as $k => $v) {
+ if (is_string($v)
+@@ -680,9 +680,8 @@ function __ecran_test_if_serialized($data) {
+ if (false !== $semicolon && $semicolon < 3) {return false;}
+ if (false !== $brace && $brace < 4) {return false;}
+ $token = $data[0];
+- if (in_array($token, array('s', 'S'))) {
+- if (false === strpos($data, '"')) {return false;}
+- } elseif (in_array($token, array('a', 'O', 'C', 'o', 'E'))) {
++ if (in_array($token, array('s', 'S', 'a', 'O', 'C', 'o', 'E'))) {
++ if (in_array($token, array('s', 'S')) and false === strpos($data, '"')) {return false;}
+ return (bool)preg_match("/^{$token}:[0-9]+:/s", $data);
+ } elseif (in_array($token, array('b', 'i', 'd'))) {
+ return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data);
+@@ -690,6 +689,7 @@ function __ecran_test_if_serialized($data) {
+ return false;
+ }
+
++
+ /*
+ * S'il y a une raison de mourir, mourons
+ */
diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series
--- spip-4.1.9+dfsg/debian/patches/series 2023-02-28 21:19:02.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/series 2023-06-11 15:37:44.000000000 +0200
@@ -2,3 +2,7 @@
 0002-No-next-upstream-version-display-in-private-area.patch
 0003-Fix-displayed-version-in-the-private-interface.patch
 0004-Use-getid3-class-from-the-php-getid3-package.patch
+0005-security-limiter-la-profondeur-de-recursion-de-prote.patch
+0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
+0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
+0008-build-Up-cran-de-s-cu-en-1.5.3.patch