
Bug#1040758: marked as done (bullseye-pu: package spip/3.2.11-3+deb11u9)



Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1040758,
regarding bullseye-pu: package spip/3.2.11-3+deb11u9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1040758: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040758
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spip@packages.debian.org
Control: affects -1 + src:spip

This issue is similar to #1040756 in bookworm.

Another upstream release fixed a security issue. It introduces some
factorisation, adding two more clean-ups in sessions. We agreed with the
security team that this doesn’t warrant a DSA.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html

The 3.2 branch is not maintained upstream anymore, but the patches have
been cherry-picked directly from the 4.1 branch, except for the first
one that needed some slight editing. Also, I’ve already deployed the
proposed package on a server providing over 30 SPIP websites.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit
diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog	2023-06-11 15:47:39.000000000 +0200
+++ spip-3.2.11/debian/changelog	2023-07-08 20:38:26.000000000 +0200
@@ -1,3 +1,11 @@
+spip (3.2.11-3+deb11u9) bullseye; urgency=medium
+
+  * Backport security fix from 4.1.11
+    - use an auth_desensibiliser_session() function to centralize extended
+      authentification data filtering.
+
+ -- David Prévot <taffit@debian.org>  Sat, 08 Jul 2023 20:38:26 +0200
+
 spip (3.2.11-3+deb11u8) bullseye; urgency=medium
 
   * Backport security fixes from 4.1.10
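Review bot: the changelog line `authentification data filtering` uses the French spelling; in English d/changelog text it should read `authentication data filtering`. The entry also describes a single backported fix from 4.1.11, while the series below adds three patches (0056 from the 4.1 branch, plus the upstream follow-ups 0057 and 0058, the last of which adds an `include_spip('inc/auth');` that 0057 left out); naming the follow-up fix, or the upstream reference `spip-team/securite#4847` carried in the patch headers, would make the entry easier to audit later.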
diff -Nru spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
--- spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	2023-07-08 20:38:18.000000000 +0200
@@ -0,0 +1,69 @@
+From: Cerdic <cedric@yterium.com>
+Date: Mon, 3 Jul 2023 10:23:02 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?=
+ =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?=
+ =?utf-8?q?ration_d=E2=80=99une_session?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur,
+- qu'on utilise lors de la preparation d'une session
+- et dans informer_login
+
+Refs:  spip-team/securite#4847
+(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676
+---
+ ecrire/inc/auth.php | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 12fc4ce..cb61446 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -249,11 +249,7 @@ function auth_init_droits($row) {
+ 	$GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
+ 
+ 	// au cas ou : ne pas memoriser les champs sensibles
+-	unset($GLOBALS['visiteur_session']['pass']);
+-	unset($GLOBALS['visiteur_session']['htpass']);
+-	unset($GLOBALS['visiteur_session']['alea_actuel']);
+-	unset($GLOBALS['visiteur_session']['alea_futur']);
+-	unset($GLOBALS['visiteur_session']['ldap_password']);
++	$GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+ 
+ 	// creer la session au besoin
+ 	if (!isset($_COOKIE['spip_session'])) {
+@@ -310,6 +306,22 @@ function auth_init_droits($row) {
+ 	return ''; // i.e. pas de pb.
+ }
+ 
++/**
++ * Enlever les clés sensibles d'une ligne auteur
++ * @param array $auteur
++ * @return array
++ */
++function auth_desensibiliser_session(array $auteur) {
++	$cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++	foreach ($cles_sensibles as $cle) {
++		if (isset($auteur[$cle])) {
++			unset($auteur[$cle]);
++		}
++	}
++
++	return $auteur;
++}
++
+ /**
+  * Retourne l'url de connexion
+  *
+@@ -490,6 +502,7 @@ function auth_informer_login($login, $serveur = '') {
+ 	}
+ 
+ 	$prefs = unserialize($row['prefs']);
++	$row = auth_desensibiliser_session($row);
+ 	$infos = array(
+ 		'id_auteur' => $row['id_auteur'],
+ 		'login' => $row['login'],
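Review bot: in `auth_desensibiliser_session()` the `if (isset($auteur[$cle]))` guard is false for a key whose value is null, so a sensitive key that is present with a null value survives the filter; `unset()` on a missing key is already a no-op in PHP, so the guard can simply be dropped, or replaced with `array_key_exists($cle, $auteur)` as the follow-up patch 0057 does. Worth a line in the changelog: the centralised list adds `backup_cles`, which the five inline `unset()` calls removed from `auth_init_droits()` never stripped, so this hunk widens what is filtered at that call site. In `auth_informer_login()` the new `$row = auth_desensibiliser_session($row);` sits after `$prefs = unserialize($row['prefs']);`, which is fine because `prefs` is not in the list, but filtering immediately after the row is fetched would leave no window in which a later edit could read a sensitive field.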
diff -Nru spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch
--- spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch	2023-07-08 20:38:18.000000000 +0200
@@ -0,0 +1,69 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Mon, 3 Jul 2023 10:55:19 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_=60auth=5Fdesensibiliser=5Fsession?=
+ =?utf-8?q?=28=29=60_aussi_=C3=A0_la_cr=C3=A9ation_du_fichier_de_session?=
+
+Refs:  spip-team/securite#4847
+(cherry picked from commit 5a73e07745bb6753557f0dc2b5404aa49f3ab900)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/f2fb631f0034728fd275ffa619fd6ddb7b841bdf
+---
+ ecrire/inc/auth.php    | 10 ++++------
+ ecrire/inc/session.php | 12 ++++--------
+ 2 files changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index cb61446..3378c43 100644
+--- a/ecrire/inc/auth.php
++++ b/ecrire/inc/auth.php
+@@ -246,7 +246,7 @@ function auth_init_droits($row) {
+ 	$GLOBALS['connect_login'] = $row['login'];
+ 	$GLOBALS['connect_statut'] = $row['statut'];
+ 
+-	$GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
++	$GLOBALS['visiteur_session'] = array_merge((array) $GLOBALS['visiteur_session'], $row);
+ 
+ 	// au cas ou : ne pas memoriser les champs sensibles
+ 	$GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+@@ -308,13 +308,11 @@ function auth_init_droits($row) {
+ 
+ /**
+  * Enlever les clés sensibles d'une ligne auteur
+- * @param array $auteur
+- * @return array
+  */
+-function auth_desensibiliser_session(array $auteur) {
+-	$cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++function auth_desensibiliser_session(array $auteur): array {
++	$cles_sensibles = ['pass', 'htpass', 'low_sec', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
+ 	foreach ($cles_sensibles as $cle) {
+-		if (isset($auteur[$cle])) {
++		if (array_key_exists($cle, $auteur)) {
+ 			unset($auteur[$cle]);
+ 		}
+ 	}
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index 2e331bf..f572b44 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -597,16 +597,12 @@ function lister_sessions_auteur($id_auteur, $nb_max = null) {
+  * @param array $auteur
+  * @return array
+  */
+-function preparer_ecriture_session($auteur) {
++function preparer_ecriture_session(array $auteur): array {
++
+ 	$row = $auteur;
+ 
+-	// ne pas enregistrer ces elements de securite
+-	// dans le fichier de session
+-	unset($auteur['pass']);
+-	unset($auteur['htpass']);
+-	unset($auteur['low_sec']);
+-	unset($auteur['alea_actuel']);
+-	unset($auteur['alea_futur']);
++	// ne pas enregistrer ces elements de securite dans le fichier de session
++	$auteur = auth_desensibiliser_session($auteur);
+ 
+ 	$auteur = pipeline('preparer_fichier_session', array('args' => array('row' => $row), 'data' => $auteur));
+ 
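Review bot: the `ecrire/inc/session.php` hunk replaces the inline `unset()` calls in `preparer_ecriture_session()` with a call to `auth_desensibiliser_session()`, which lives in `ecrire/inc/auth.php`, but nothing in the hunk loads that file; if `inc/auth` is not already included when a session file is written, session creation fails with an undefined-function fatal error (patch 0058 in this same upload adds the missing `include_spip('inc/auth');`, which confirms the gap). Two further points: tightening the signatures to `preparer_ecriture_session(array $auteur): array` and `auth_desensibiliser_session(array $auteur): array` turns a non-array argument or return value into a `TypeError`, which is a behaviour change for a stable update and deserves a changelog mention; and the `(array)` to `(array) ` whitespace edit plus the blank line inserted after the `preparer_ecriture_session` opening brace are cosmetic noise that makes a security backport harder to review.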
diff -Nru spip-3.2.11/debian/patches/0058-fix-Inclusion-manquante-dans-5663.patch spip-3.2.11/debian/patches/0058-fix-Inclusion-manquante-dans-5663.patch
--- spip-3.2.11/debian/patches/0058-fix-Inclusion-manquante-dans-5663.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-3.2.11/debian/patches/0058-fix-Inclusion-manquante-dans-5663.patch	2023-07-08 20:38:18.000000000 +0200
@@ -0,0 +1,23 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Mon, 3 Jul 2023 23:10:51 +0200
+Subject: fix: Inclusion manquante dans !5663
+
+(cherry picked from commit 13793c345bdc8ea362f71656c3b38103d6aaba2c)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/144f520ead7ca38a4644e35af4cac2278de6d3e9
+---
+ ecrire/inc/session.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ecrire/inc/session.php b/ecrire/inc/session.php
+index f572b44..3288d66 100644
+--- a/ecrire/inc/session.php
++++ b/ecrire/inc/session.php
+@@ -602,6 +602,7 @@ function preparer_ecriture_session(array $auteur): array {
+ 	$row = $auteur;
+ 
+ 	// ne pas enregistrer ces elements de securite dans le fichier de session
++	include_spip('inc/auth');
+ 	$auteur = auth_desensibiliser_session($auteur);
+ 
+ 	$auteur = pipeline('preparer_fichier_session', array('args' => array('row' => $row), 'data' => $auteur));
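Review bot: the added `include_spip('inc/auth');` closes the undefined-function risk left by patch 0057, but it is placed in the function body right before the call, so it executes on every session write; that is acceptable as long as `include_spip()` is idempotent, which is how SPIP's loader is used throughout the code base, yet moving the include to the start of the function would make the dependency visible without reading the body. Since this patch corrects a regression introduced by 0057 within the same upload, the d/changelog entry should say so rather than describing the upload as one backported fix.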
diff -Nru spip-3.2.11/debian/patches/series spip-3.2.11/debian/patches/series
--- spip-3.2.11/debian/patches/series	2023-06-11 15:47:34.000000000 +0200
+++ spip-3.2.11/debian/patches/series	2023-07-08 20:38:18.000000000 +0200
@@ -53,3 +53,6 @@
 0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
 0054-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
 0055-build-Up-cran-de-s-cu-en-1.5.3.patch
+0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
+0057-security-Utiliser-auth_desensibiliser_session-aussi-.patch
+0058-fix-Inclusion-manquante-dans-5663.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam

--- End Message ---