Le 09/02/2022 à 03:04, David Prévot a écrit :

   [x] attach debdiff against the package in (old)stable

For real now…
diff --git a/debian/changelog b/debian/changelog
index 5e67ca4afb..1b1f5f6fa7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,18 @@
+spip (3.2.11-3+deb11u2) bullseye; urgency=medium
+
+  * Document CVE fixed previously
+  * Backport security fixes (XSS) from 3.2.13
+
+ -- David Prévot <taf...@debian.org>  Sat, 05 Feb 2022 09:07:38 -0400
+
 spip (3.2.11-3+deb11u1) bullseye-security; urgency=high
 
   * Set up branch debian/bullseye
   * Backport security fixes from 3.2.12
-    - SQL injections, remote code execution, XSS
+    - SQL injections
+    - remote code execution [CVE-2021-44123]
+    - XSS [CVE-2021-44118] [CVE-2021-44120]
+    - CSRF [CVE-2021-44122]
   * Don’t ship vcs-control-file
 
  -- David Prévot <taf...@debian.org>  Wed, 15 Dec 2021 17:11:29 -0400
diff --git a/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch b/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
index f60bc7beae..7f5f0a6922 100644
--- a/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
+++ b/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
@@ -8,6 +8,7 @@ Subject: Utiliser valider_url_distante() en plus de tester_url_absolue()
 (cherry picked from commit 9b8d1487ef067b5bdb2ce7365cc65d0e7ec0fa44)
 
 Origin: upstream, https://git.spip.net/spip/medias/commit/1a4b7024cf728ec531658967b374c5ec6f36ee42
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44118
 ---
  plugins-dist/medias/action/copier_local.php | 14 ++++++++++----
  1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch b/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
index 3200a5c557..1af6bfe4d9 100644
--- a/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
+++ b/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
@@ -11,6 +11,7 @@ Subject: Fix/refactoring query_echappe_textes() qui ne detectait parfois pas
 On modifie aussi l'usage dans req/mysql en privilegiant de garder la requete initiale intacte si il n'y a rien a faire dessus
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/fca83dc95ee279552382eeb5015d5dc3efed9de3
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
 ---
  ecrire/base/connect_sql.php | 47 ++++++++++++++++++++++++++++++++-------------
  ecrire/req/mysql.php        | 10 +++++-----
diff --git a/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch b/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
index e5b01c4190..fd40418ead 100644
--- a/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
+++ b/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
@@ -2,6 +2,7 @@ From: Cerdic <ced...@yterium.com>
 Date: Fri, 17 Sep 2021 17:39:04 +0200
 Subject: Simplifier la regexp, c'est pas plus mal (cfreal)
 
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
 ---
  ecrire/base/connect_sql.php | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch b/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
index f3271c3680..8664c37e94 100644
--- a/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
+++ b/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
@@ -7,6 +7,7 @@ Subject: Complement de 413ca3cc58 : _mysql_traite_query() s'appelle
  query_reinjecte_textes()
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/a4fdb3b8ec11f067a6d09512c6f31dbda7fd57c6
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
 ---
  ecrire/req/mysql.php | 19 +++++++++++++++----
  1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch b/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
index 90dca280de..99516e3a09 100644
--- a/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
+++ b/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
@@ -12,6 +12,7 @@ Subject: =?utf-8?q?Balise_=23FORMULAIRE_=3A_nettoyer_du_code_mort_qui_ne_se?=
  =?utf-8?q?issue=29?=
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/fea5b5b4507cc9c0b9e91bbfbf34fe40b0bea805
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122
 ---
  ecrire/balise/formulaire_.php | 13 +++++++++++++
  ecrire/public/aiguiller.php   | 23 ++++++++++++++++++++++-
diff --git a/debian/patches/0011-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch b/debian/patches/0011-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch
index 055ee350f7..86a7130b43 100644
--- a/debian/patches/0011-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch
+++ b/debian/patches/0011-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch
@@ -8,6 +8,7 @@ Subject: Nom,
  lequel ne contient en general pas de < ce qui passe tres vite dans safehtml
 
 Origin: backport, https://git.spip.net/spip/spip/commit/361cc26080d1377bc55d2cb80736e5cfaf5fd242
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
 ---
  ecrire/public/interfaces.php | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/patches/0012-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch b/debian/patches/0012-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch
index 8ebc3ca857..1851a1c054 100644
--- a/debian/patches/0012-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch
+++ b/debian/patches/0012-Lors-de-l-upload-de-documents-gerer-le-cas-des-fichi.patch
@@ -6,6 +6,7 @@ Subject: Lors de l'upload de documents,
  sinon on ne garde que la derniere
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/28c2cd60bee60892c6660b81d98cc166aa442866
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44123
 ---
  ecrire/inc/documents.php | 13 +++++++++++++
  1 file changed, 13 insertions(+)
diff --git a/debian/patches/0013-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch b/debian/patches/0013-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch
index 1f15081dfe..52920a46e3 100644
--- a/debian/patches/0013-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch
+++ b/debian/patches/0013-Oups-erreur-dans-1b8e4f404-il-faut-utiliser-empty-ca.patch
@@ -6,6 +6,7 @@ Subject: Oups,
  formulaire anonyme)
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/2992190368197a0f966e85d6c5751b999be83cb4ZZ
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122
 ---
  ecrire/public/aiguiller.php | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
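Review bot: The `Origin:` URL kept as context in this header ends in `...be83cb4ZZ`, which is 40 hexadecimal characters followed by `ZZ`, so it is not a valid commit id and the link probably does not resolve. Because this hunk already edits the header to add `Bug-Debian:`, the stray suffix should be dropped in the same upload: `Origin: upstream, https://git.spip.net/spip/spip/commit/2992190368197a0f966e85d6c5751b999be83cb4`. A working origin link lets a reviewer of the stable update compare the shipped patch with the upstream commit it claims to be.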
diff --git a/debian/patches/0014-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch b/debian/patches/0014-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch
index 9efbc4a543..5a756440e5 100644
--- a/debian/patches/0014-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch
+++ b/debian/patches/0014-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch
@@ -4,6 +4,7 @@ Subject: Il faut incrementer spip_version_code car tous les formulaires
  doivent etre recalcules
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/aefb90d6a186f81c2596dc39a010a5827921b6c1
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122
 ---
  ecrire/inc_version.php | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/patches/0015-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch b/debian/patches/0015-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch
index 2ad0ab37db..36d3ab2243 100644
--- a/debian/patches/0015-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch
+++ b/debian/patches/0015-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch
@@ -5,6 +5,7 @@ Subject: Le plugin mots et son formulaire editer_mot() contient encore du
  c'etait casse gueule de changer ca sur cette branche
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/685a2c0bdcde2ef1804b4ac794243b54c4a22585
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122
 ---
  ecrire/balise/formulaire_.php | 5 +----
  1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/debian/patches/0016-Ameliorer-valider_url_distante-on-utilise-filter_var.patch b/debian/patches/0016-Ameliorer-valider_url_distante-on-utilise-filter_var.patch
index f99c095188..7f522b386d 100644
--- a/debian/patches/0016-Ameliorer-valider_url_distante-on-utilise-filter_var.patch
+++ b/debian/patches/0016-Ameliorer-valider_url_distante-on-utilise-filter_var.patch
@@ -7,6 +7,7 @@ Subject: Ameliorer valider_url_distante() : on utilise filter_var plutot que
 (cherry picked from commit a4a09d103500bb7f598833d746540e4b417dfd72)
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/19c3592b93343c222589ffd3aeace97213e25745
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44118
 ---
  ecrire/inc/distant.php | 23 +++++++++++++++--------
  1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/debian/patches/0017-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch b/debian/patches/0017-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch
new file mode 100644
index 0000000000..c4f3760a77
--- /dev/null
+++ b/debian/patches/0017-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch
@@ -0,0 +1,64 @@
+From: Cerdic <ced...@yterium.com>
+Date: Wed, 2 Feb 2022 09:51:56 +0100
+Subject: Verifier qu'on a bien le droit de modifier le login avant d'accepter
+ un post sur cette variable
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/9ed1818f14be283b0b6e8469bfbc54ba2d10763b
+---
+ prive/formulaires/editer_auteur.php | 42 ++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/prive/formulaires/editer_auteur.php b/prive/formulaires/editer_auteur.php
+index bd4efd2..3b7ac39 100644
+--- a/prive/formulaires/editer_auteur.php
++++ b/prive/formulaires/editer_auteur.php
+@@ -236,19 +236,37 @@ function formulaires_editer_auteur_verifier_dist(
+ 	}
+ 
+ 	$erreurs['message_erreur'] = '';
++	if (_request('login')) {
++		// on n'est jamais cense poster le name login
++		$erreurs['login'] = _T('info_non_modifiable');
++	}
++	elseif (
++		($login = _request('new_login')) and
++		$login !== sql_getfetsel('login', 'spip_auteurs', 'id_auteur=' . intval($id_auteur))
++	) {
++		// on verifie la meme chose que dans auteurs_edit_config()
++		if (
++			! auth_autoriser_modifier_login($auth_methode)
++			or !autoriser('modifier', 'auteur', intval($id_auteur), null, ['email' => true])
++		) {
++			$erreurs['login'] = _T('info_non_modifiable');
++		}
++	}
+ 
+-	if ($err = auth_verifier_login($auth_methode, _request('new_login'), $id_auteur)) {
+-		$erreurs['new_login'] = $err;
+-		$erreurs['message_erreur'] .= $err;
+-	} else {
+-		// pass trop court ou confirmation non identique
+-		if ($p = _request('new_pass')) {
+-			if ($p != _request('new_pass2')) {
+-				$erreurs['new_pass'] = _T('info_passes_identiques');
+-				$erreurs['message_erreur'] .= _T('info_passes_identiques');
+-			} elseif ($err = auth_verifier_pass($auth_methode, _request('new_login'), $p, $id_auteur)) {
+-				$erreurs['new_pass'] = $err;
+-				$erreurs['message_erreur'] .= $err;
++	if (empty($erreurs['login'])){
++		if ($err = auth_verifier_login($auth_methode, _request('new_login'), $id_auteur)){
++			$erreurs['new_login'] = $err;
++			$erreurs['message_erreur'] .= $err;
++		} else {
++			// pass trop court ou confirmation non identique
++			if ($p = _request('new_pass')){
++				if ($p!=_request('new_pass2')){
++					$erreurs['new_pass'] = _T('info_passes_identiques');
++					$erreurs['message_erreur'] .= _T('info_passes_identiques');
++				} elseif ($err = auth_verifier_pass($auth_methode, _request('new_login'), $p, $id_auteur)) {
++					$erreurs['new_pass'] = $err;
++					$erreurs['message_erreur'] .= $err;
++				}
+ 			}
+ 		}
+ 	}
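Review bot: Both new guards test truthiness, so in `if (_request('login'))` and `($login = _request('new_login')) and` a posted value that PHP treats as falsy skips the branch and never reaches the `auth_autoriser_modifier_login()` / `autoriser()` check, while `auth_verifier_login()` still receives `new_login` below. Whether a later step treats such a value as a login change is not visible, because formulaires_editer_auteur_verifier_dist() starts and ends outside the hunk, so this should be confirmed against upstream. A presence test would remove the doubt: `if (_request('login') !== null) {` and `($login = _request('new_login')) !== null and $login !== '' and`. The refusal is also stored under `$erreurs['login']` without appending to `$erreurs['message_erreur']`, unlike the `new_login` and `new_pass` errors, so it is worth checking that the form reports it.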
diff --git a/debian/patches/0018-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch b/debian/patches/0018-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch
new file mode 100644
index 0000000000..313343ff02
--- /dev/null
+++ b/debian/patches/0018-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch
@@ -0,0 +1,23 @@
+From: Cerdic <ced...@yterium.com>
+Date: Wed, 29 Dec 2021 10:50:27 +0100
+Subject: appliquer rawurlencode() aussi sur les tableaux qu'on passe en
+ argument de parametre_url() #4819
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/b2f8e3a59ccbf958197e22609938871884438b5f
+---
+ ecrire/inc/utils.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ecrire/inc/utils.php b/ecrire/inc/utils.php
+index afc4fbc..d927655 100644
+--- a/ecrire/inc/utils.php
++++ b/ecrire/inc/utils.php
+@@ -603,7 +603,7 @@ function parametre_url($url, $c, $v = null, $sep = '&amp;') {
+ 			} else {
+ 				$id = (substr($k, -2) == '[]') ? $k : ($k . "[]");
+ 				foreach ($v as $w) {
+-					$url[] = $id . '=' . (is_array($w) ? 'Array' : $w);
++					$url[] = $id . '=' . (is_array($w) ? 'Array' : rawurlencode($w));
+ 				}
+ 			}
+ 		}
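Review bot: Only the value is encoded on the changed line; the key `$id` (built from `$k`) is still concatenated as-is, and a nested array is still emitted as the literal text `Array`. Whether `$k` is already encoded earlier in parametre_url() is outside this hunk, but if it can carry request-derived text the same encoding applies to it. `rawurlencode()` expects a string, so an explicit cast keeps non-string scalars predictable: `$url[] = $id . '=' . (is_array($w) ? 'Array' : rawurlencode((string) $w));`. A short comment such as `// encode each array element so it cannot add separators or markup to the rebuilt URL` would record why the call is there.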
diff --git a/debian/patches/series b/debian/patches/series
index dfeded50c9..eaefc246e6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,5 @@
 0014-Il-faut-incrementer-spip_version_code-car-tous-les-f.patch
 0015-Le-plugin-mots-et-son-formulaire-editer_mot-contient.patch
 0016-Ameliorer-valider_url_distante-on-utilise-filter_var.patch
+0017-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch
+0018-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch
