Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:spip
Hi,

SPIP has been updated upstream to fix some security issues (link to the
French-only announcement follows), and we agreed with the security team
that they don’t warrant a DSA this time.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html

The main backported fix is the one that limits recursion depth in the
protege_champ() function.

The security screen fix (avoiding unserialize use) should already be
fixed in the main code, and the htaccess change is only provided as an
example (in /usr/share/doc/spip).

As usual, I’ve already deployed the proposed package on a server
providing over 30 SPIP websites.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable

Regards,

David
diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog 2023-02-28 22:51:50.0 +0100
+++ spip-3.2.11/debian/changelog 2023-06-11 15:47:39.0 +0200
@@ -1,3 +1,13 @@
+spip (3.2.11-3+deb11u8) bullseye; urgency=medium
+
+ * Backport security fixes from 4.1.10
+- Limit recursion depth in protege_champ() function
+- Avoid unserialize use in security screen
+- Properly block hidden files in provided htaccess
+- Update security screen to 1.5.3
+
+ -- David Prévot Sun, 11 Jun 2023 15:47:39 +0200
+
spip (3.2.11-3+deb11u7) bullseye-security; urgency=medium
* Backport security fixes from v3.2.18
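Review bot: the new changelog entry names "security fixes from 4.1.10" but gives no pointer to what they are, so the tracker entry for 3.2.11-3+deb11u8 cannot be tied back to the upstream announcement linked in the cover letter or to the two upstream commits cited in the patch headers; add the announcement URL (or the commit ids) to the first bullet, e.g. `* Backport security fixes from 4.1.10 (https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html)`, so the sub-bullets are verifiable without the bug report.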
diff -Nru spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch
--- spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch 1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch 2023-06-11 15:47:34.0 +0200
@@ -0,0 +1,37 @@
+From: Cerdic
+Date: Tue, 7 Mar 2023 14:56:30 +0100
+Subject: security: limiter la profondeur de recursion de `protege_champ`
+
+(cherry picked from commit b362e987b41fac344150f97cc563bf4d8c8181fa)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/9b73dbd66e50baf312ba1c7df21efebba4ae08f1
+---
+ ecrire/balise/formulaire_.php | 14 --
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/balise/formulaire_.php b/ecrire/balise/formulaire_.php
+index 34926cf..2b3639b 100644
+--- a/ecrire/balise/formulaire_.php
b/ecrire/balise/formulaire_.php
+@@ -33,9 +33,19 @@ include_spip('inc/texte');
+ * @return string|array
+ * Saisie protégée
+ **/
+-function protege_champ($texte) {
++function protege_champ($texte, $max_prof = 128) {
+ if (is_array($texte)) {
+- $texte = array_map('protege_champ', $texte);
++ // si on dépasse la prof max on tronque
++ if ($max_prof > 0) {
++ return array_map(
++function($v) use ($max_prof) {
++ return protege_champ($v, $max_prof-1);
++},
++$texte
++ );
++ }
++ // si on dépasse la prof max on tronque
++ return [];
+ } else {
+ if (is_null($texte)) {
+ return $texte;
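Review bot: the comment `// si on dépasse la prof max on tronque` ("if we exceed the max depth, truncate") appears twice, and its first copy sits above the `if ($max_prof > 0)` branch that recurses rather than truncates; keep only the copy above `return [];`. Two things worth confirming in the description: nesting deeper than the 128 default is silently replaced by an empty array, so a legitimately deep submission loses fields with no trace (a log call next to `return [];` would make that visible), and the old `array_map('protege_champ', $texte)` would also have passed each element's key as `$max_prof` had it been kept with the new signature, so the closure is required, not just cosmetic. Also the DEP-3 headers are inconsistent: this patch cites two different commits (`cherry picked from commit b362e98…` versus `Origin: backport, …9b73dbd…`) while patch 0053, an equivalent cherry-pick, uses `Origin: upstream`; state which commit each patch was taken from and use one convention.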
diff -Nru spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
--- spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch 1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch 2023-06-11 15:47:34.0 +0200
@@ -0,0 +1,64 @@
+From: Cerdic
+Date: Tue, 7 Mar 2023 15:03:08 +0100
+Subject: =?utf-8?q?security=3A_Ameliorer_c76770a_en_=C3=A9vitant_un_=60unse?=
+ =?utf-8?q?rialize=60_dans_l=27=C3=A9cran_de_s=C3=A9curit=C3=A9?=
+
+(cherry picked from commit 9b1c3cf455b624163546f1521148897a5c96d5d6)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/9f55790164f7869d2e315a49b3fdc4af0c5b8fdd
+---
+ config/ecran_securite.php | 36 ++--
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 57fc42f..4112e2e 100644
+--- a/config/ecran_securite.php
b/config/ecran_securite.php
+@@ -557,17 +557,41 @@ if (
+ ) {
+ foreach ($_REQUEST as $k => $v) {
+ if (is_string($v)
+- and strpos($v, ':') !== false
+- and strpos($v, '"') !==false
+- and preg_match(',[bidsaO]:,', $v)
+- and @unserialize($v)) {
+- $_REQUEST[$k] = htmlentities($v);
++ and strpbrk($v, "&\"'<>") !== false
++ and preg_match(',^[abis]:\d+[:;],', $v)
++ and __ecran_test_if_serialized($v)
++ ) {
++ $_REQUEST[$k] = htmlspecialchars(
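Review bot: the new test narrows what gets escaped, and the patch description should say whether that is intended: `,^[abis]:\d+[:;],` is anchored and omits the `d` and `O` types that the old unanchored `,[bidsaO]:,` matched, so a request value that is a top-level serialized object (`O:…`) or float (`d:…`), or a serialized blob preceded by other text, is no longer rewritten. If the goal is only to stop passing attacker input to `unserialize()` (whose magic methods run before the result is even checked), that narrowing is defensible, but it should be stated. The `strpbrk($v, "&\"'<>")` pre-check is fine: it is exactly the character set `htmlspecialchars()` alters, so skipping values without them changes nothing. `__ecran_test_if_serialized()` is called here but its definition is not in the portion shown; since ecran_securite.php is commonly deployed as a standalone file, the helper must live in this same file (the 30 insertions in the header suggest it does) and should be wrapped in a `function_exists()` guard, as the rest of the screen's helpers are, so including the file twice does not fatal.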