Control: retitle -1 bookworm-pu: package spip/4.1.9+dfsg-1+deb12u4 Le Sat, Dec 30, 2023 at 12:06:56PM +0100, Salvatore Bonaccorso a écrit : > On Fri, Dec 22, 2023 at 01:28:00PM +0100, David Prévot wrote: […] > > This issue is similar to #1059289 for oldstable. > > > > Another upstream release fixed a security (XSS) issue. The last two > > updates of this kind didn’t warrant a DSA, so I guess this one will not > > warrant one either (security team X-D-CCed in case I’m wrong). And here we are again, another XSS was fixed (in a plugin not provided by the version in oldstable), second debdiff attached, thanks in advance for considering. Regards, taffit
diff --git a/debian/changelog b/debian/changelog
index 333c4146c1..23a523a96a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+spip (4.1.9+dfsg-1+deb12u4) bookworm; urgency=medium
+
+ * Backport security fix from 4.1.15
+ - fix XSS in uploaded files using bigup
+
+ -- David Prévot <taffit@debian.org> Fri, 12 Jan 2024 13:42:36 +0100
+
spip (4.1.9+dfsg-1+deb12u3) bookworm; urgency=medium
* Backport security fix from 4.1.13
diff --git a/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch b/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch
new file mode 100644
index 0000000000..7c72b8539d
--- /dev/null
+++ b/debian/patches/0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch
@@ -0,0 +1,79 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Sun, 7 Jan 2024 22:07:19 +0100
+Subject: =?utf-8?q?fix=3A_=C3=89viter_de_possibles_XSS_avec_le_nom_des_fich?=
+ =?utf-8?q?iers_upload=C3=A9s_=28en_js=29?=
+
+(cherry picked from commit df7543f1dc9d04f068dd12c901b89a98db535961)
+
+Origin: upstream, https://git.spip.net/spip/bigup/commit/ada821c076d67d1147a195178223d0b4a6d8cecc
+---
+ plugins-dist/bigup/javascript/bigup.js | 34 ++++++++++++++++++----------
+ plugins-dist/bigup/javascript/bigup.utils.js | 12 +++++++++-
+ 2 files changed, 33 insertions(+), 13 deletions(-)
+
+diff --git a/plugins-dist/bigup/javascript/bigup.js b/plugins-dist/bigup/javascript/bigup.js
+index bd84fc1..5b9b5be 100644
+--- a/plugins-dist/bigup/javascript/bigup.js
++++ b/plugins-dist/bigup/javascript/bigup.js
+@@ -190,18 +190,28 @@ function Bigup(params, opts, callbacks) {
+ var extension = $.trouver_extension(file.name);
+
+ var template =
+- '\n<div class="fichier">'
+- + '\n\t<div class="description">'
+- + '\n\t\t<div class="vignette_extension ' + extension + '" title="' + file.type + '"><span></span></div>'
+- + '\n\t\t<div class="infos">'
+- + '\n\t\t\t<span class="name"><strong>' + file.name + '</strong></span>'
+- + '\n\t\t\t<span class="size">' + $.taille_en_octets(file.size) + '</span>'
+- + '\n\t\t</div>'
+- + '\n\t\t<div class="actions">'
+- + '\n\t\t\t<span class="bigup-btn btn btn-default cancel" onClick="$.bigup_enlever_fichier(this); return false;">' + _T("bigup:bouton_annuler") + '</span>'
+- + '\n\t\t</div>'
+- + '\n\t</div>'
+- + '\n</div>\n';
++ '\n<div class="fichier">' +
++ '\n\t<div class="description">' +
++ '\n\t\t<div class="vignette_extension ' +
++ $.escapeHtml(extension) +
++ '" title="' +
++ file.type +
++ '"><span></span></div>' +
++ '\n\t\t<div class="infos">' +
++ '\n\t\t\t<span class="name"><strong>' +
++ $.escapeHtml(file.name) +
++ '</strong></span>' +
++ '\n\t\t\t<span class="size">' +
++ $.taille_en_octets(file.size) +
++ '</span>' +
++ '\n\t\t</div>' +
++ '\n\t\t<div class="actions">' +
++ '\n\t\t\t<span class="bigup-btn btn btn-default cancel" onClick="$.bigup_enlever_fichier(this);">' +
++ _T('bigup:bouton_annuler') +
++ '</span>' +
++ '\n\t\t</div>' +
++ '\n\t</div>' +
++ '\n</div>\n';
+
+ return template;
+ }
+diff --git a/plugins-dist/bigup/javascript/bigup.utils.js b/plugins-dist/bigup/javascript/bigup.utils.js
+index 872123b..4a1bad9 100644
+--- a/plugins-dist/bigup/javascript/bigup.utils.js
++++ b/plugins-dist/bigup/javascript/bigup.utils.js
+@@ -171,4 +171,14 @@ $.mime_type_image = function(extension) {
+ break;
+ }
+ return mime;
+-};
+\ No newline at end of file
++};
++
++/** Escape HTML */
++$.escapeHtml = function(unsafe) {
++ return unsafe
++ .replaceAll('&', '&')
++ .replaceAll('<', '<')
++ .replaceAll('>', '>')
++ .replaceAll('"', '"')
++ .replaceAll("'", ''');
++}
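Review bot: `file.type` is still concatenated unescaped into the `title` attribute of the vignette div (the `'" title="' + file.type +` lines in the new bigup.js template), while `extension` and `file.name` right next to it now go through `$.escapeHtml`; a `"` in the MIME type would break out of the attribute, so for consistency that line should read `$.escapeHtml(file.type) +`. The browser fills `type` from the extension rather than from file contents, so this is presumably far less reachable than the file name, but escaping every interpolated value is the simpler invariant to keep. Separately, in this copy of the mail the `$.escapeHtml` replacement strings read as the very characters they replace (`replaceAll('&', '&')`), which would make the helper a no-op; that looks like entity decoding in the archive rendering, and the patch file as shipped should be checked to contain `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#039;`. Also note that `String.prototype.replaceAll` is only available in browsers from roughly 2020 onward and will throw a TypeError on older ones, and the enclosing template-builder function in bigup.js starts before this hunk.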
diff --git a/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch b/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch
new file mode 100644
index 0000000000..33e6a87c7e
--- /dev/null
+++ b/debian/patches/0014-fix-Ajout-d-un-point-virgule-manquant.patch
@@ -0,0 +1,21 @@
+From: Glop <glopglop@riseup.net>
+Date: Thu, 11 Jan 2024 17:16:45 +0100
+Subject: fix: Ajout d'un point-virgule manquant
+
+(cherry picked from commit ac51139245cea6e6dd44dba47b30122b69ff1f1c)
+
+Origin: upstream, https://git.spip.net/spip/bigup/commit/0757f015717cb72b84dba0e9a375ec71caddf1c2
+---
+ plugins-dist/bigup/javascript/bigup.utils.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins-dist/bigup/javascript/bigup.utils.js b/plugins-dist/bigup/javascript/bigup.utils.js
+index 4a1bad9..a255f2f 100644
+--- a/plugins-dist/bigup/javascript/bigup.utils.js
++++ b/plugins-dist/bigup/javascript/bigup.utils.js
+@@ -181,4 +181,4 @@ $.escapeHtml = function(unsafe) {
+ .replaceAll('>', '>')
+ .replaceAll('"', '"')
+ .replaceAll("'", ''');
+-}
++};
diff --git a/debian/patches/series b/debian/patches/series
index c0ceb74e71..38c2a1189b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@
0010-security-Utiliser-auth_desensibiliser_session-aussi-.patch
0011-fix-Inclusion-manquante-dans-5663.patch
0012-fix-les-mod-les-ins-r-s-dans-un-texte-h-ritent-autom.patch
+0013-fix-viter-de-possibles-XSS-avec-le-nom-des-fichiers-.patch
+0014-fix-Ajout-d-un-point-virgule-manquant.patch