Version in base suite: 3.2.11-3+deb11u5
Version in overlay suite: 3.2.11-3+deb11u6
Base version: spip_3.2.11-3+deb11u6
Target version: spip_3.2.11-3+deb11u7
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/spip/spip_3.2.11-3+deb11u6.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/spip/spip_3.2.11-3+deb11u7.dsc
changelog | 10 +
patches/0049-Fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch | 28 +++
patches/0050-fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch | 52 ++++++
patches/0051-fix-Correction-des-ordres-_todo-adress-es-SVP.patch | 78 ++++++++++
patches/series | 3
salsa-ci.yml | 8 +
6 files changed, 179 insertions(+)
diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog 2023-01-17 12:07:09.000000000 +0000
+++ spip-3.2.11/debian/changelog 2023-02-28 21:51:50.000000000 +0000
@@ -1,3 +1,13 @@
+spip (3.2.11-3+deb11u7) bullseye-security; urgency=medium
+
+ * Backport security fixes from v3.2.18
+ - Fix remote code execution vulnerability in forms [CVE-2023-27372]
+ - Bump security screen to 1.5.0
+ * Backport regression fix from v3.2.19
+ - Fix plugins dependencies activation
+
+ -- David Prévot Tue, 28 Feb 2023 22:51:50 +0100
+
 spip (3.2.11-3+deb11u6) bullseye-security; urgency=medium
 * Backport security fixes from 3.2.17
diff -Nru spip-3.2.11/debian/patches/0049-Fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch spip-3.2.11/debian/patches/0049-Fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch
--- spip-3.2.11/debian/patches/0049-Fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0049-Fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch 2023-02-28 21:51:50.000000000 +0000
@@ -0,0 +1,28 @@
+From: Cerdic
+Date: Mon, 27 Feb 2023 14:58:17 +0100
+Subject: =?utf-8?q?Fix=3A_Sanitizer_toutes_les_valeurs_pass=C3=A9es_aux_for?=
+ =?utf-8?q?mulaires?=
+
+Refs: spip-team/securite#4839
+(cherry picked from commit bbd88bd24a25e4e4aa9b0d12ff0124df8df9c4f1)
+(cherry picked from commit 0d4a43f8bc14067572337133b75eb8b01de96c80)
+
+Origin: https://git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266
+---
+ ecrire/balise/formulaire_.php | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ecrire/balise/formulaire_.php b/ecrire/balise/formulaire_.php
+index d119765..34926cf 100644
+--- a/ecrire/balise/formulaire_.php
++++ b/ecrire/balise/formulaire_.php
+@@ -37,8 +37,7 @@ function protege_champ($texte) {
+ if (is_array($texte)) {
+ $texte = array_map('protege_champ', $texte);
+ } else {
+- // ne pas corrompre une valeur serialize
+- if ((preg_match(",^[abis]:\d+[:;],", $texte) and @unserialize($texte) != false) or is_null($texte)) {
++ if (is_null($texte)) {
+ return $texte;
+ }
+ if (is_string($texte)
diff -Nru spip-3.2.11/debian/patches/0050-fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch spip-3.2.11/debian/patches/0050-fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch
--- spip-3.2.11/debian/patches/0050-fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0050-fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch 2023-02-28 21:51:50.000000000 +0000
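Review bot: The new `if (is_null($texte))` guard in protege_champ() carries no comment explaining why the serialized-value passthrough was dropped, so a maintainer reading only this function could reintroduce an `@unserialize()` probe on form input. I would put `// Serialized-looking values are escaped like any other string; never unserialize() request data to detect them.` directly above the guard, and write the test as `if ($texte === null) {` to keep strict comparisons throughout. The enclosing function protege_champ() starts before and ends after this hunk, so the rest of the escaping path is not visible here.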
@@ -0,0 +1,52 @@
+From: Cerdic
+Date: Mon, 27 Feb 2023 15:00:09 +0100
+Subject: =?utf-8?q?fix=3A_Sanitizer_toutes_les_valeurs_pass=C3=A9es_aux_for?=
+ =?utf-8?q?mulaires_preventivement_dans_l=27=C3=A9cran_de_s=C3=A9curit?=
+ =?utf-8?q?=C3=A9?=
+
+Refs: spip-team/securite#4839
+(cherry picked from commit 1e5d71bec1bbe889ff1db86e5881569b97409fed)
+(cherry picked from commit 2e4b6c441369bec04c8af137adb2583dae2ec11f)
+(cherry picked from commit c5d253cf056edc30aded829310d39e395c572712)
+
+Origin: https://git.spip.net/spip/spip/commit/d6d9e10e6486b077c0d4daa15a0e33aa952d4611
+---
+ config/ecran_securite.php | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index be5ef4f..57fc42f 100644
+--- a/config/ecran_securite.php
++++ b/config/ecran_securite.php
+@@ -5,7 +5,7 @@
+ * ------------------
+ */
+
+-define('_ECRAN_SECURITE', '1.4.2'); // 2022-07-12
++define('_ECRAN_SECURITE', '1.5.0'); // 2023-02-27
+
+ /*
+ * Documentation : http://www.spip.net/fr_article4200.html
+@@ -552,6 +552,22 @@ if (
+ $ecran_securite_raison = "malformed _oups argument";
+ }
+
++if (
++ isset($_REQUEST['formulaire_action_args'])
++) {
++ foreach ($_REQUEST as $k => $v) {
++ if (is_string($v)
++ and strpos($v, ':') !== false
++ and strpos($v, '"') !==false
++ and preg_match(',[bidsaO]:,', $v)
++ and @unserialize($v)) {
++ $_REQUEST[$k] = htmlentities($v);
++ if (isset($_POST[$k])) $_POST[$k] = $_REQUEST[$k];
++ if (isset($_GET[$k])) $_GET[$k] = $_REQUEST[$k];
++ }
++ }
++}
++
+
+ /*
+ * S'il y a une raison de mourir, mourons
diff -Nru spip-3.2.11/debian/patches/0051-fix-Correction-des-ordres-_todo-adress-es-SVP.patch spip-3.2.11/debian/patches/0051-fix-Correction-des-ordres-_todo-adress-es-SVP.patch
--- spip-3.2.11/debian/patches/0051-fix-Correction-des-ordres-_todo-adress-es-SVP.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/patches/0051-fix-Correction-des-ordres-_todo-adress-es-SVP.patch 2023-02-28 21:51:50.000000000 +0000
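Review bot: In the new block added to config/ecran_securite.php (patch 0050, second hunk), the detection condition still runs `@unserialize($v)` on raw request values, so a value carrying an `O:` token is instantiated as whatever class it names inside the very screen meant to neutralise it. The condition only needs a truthy result, which `unserialize($v, ['allowed_classes' => false])` also yields (an incomplete-class placeholder is truthy) without instantiating application classes, so I would change the last clause to `and @unserialize($v, ['allowed_classes' => false])) {`. A one-line comment above `if (isset($_REQUEST['formulaire_action_args']))`, such as `// Pre-sanitize: HTML-encode any form value that looks serialized before a handler can unserialize it`, would also explain an otherwise unannotated block. The surrounding file-level code before and after this block is outside the hunk.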
@@ -0,0 +1,78 @@
+From: Matthieu Marcillaud
+Date: Tue, 28 Feb 2023 11:16:45 +0100
+Subject: =?utf-8?q?fix=3A_Correction_des_ordres_=28=5Ftodo=29_adress=C3=A9e?=
+ =?utf-8?q?s_=C3=A0_SVP?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+On utilise encoder_contexte_ajax et decoder_contexte_ajax qui fonctionnent bien pour ça.
+
+Refs: #4877
+(cherry picked from commit ee6568ecb8c7a04dc99c9be76e35c4b6a8b4e90a)
+
+Origin: upstream, https://git.spip.net/spip/svp/commit/d463bc549b13bc45651051f83760e8ce274c98d9
+---
+ plugins-dist/svp/formulaires/admin_plugin.php | 10 ++++++----
+ plugins-dist/svp/formulaires/charger_plugin.php | 5 +++--
+ plugins-dist/svp/inc/svp_decider.php | 3 ++-
+ 3 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/plugins-dist/svp/formulaires/admin_plugin.php b/plugins-dist/svp/formulaires/admin_plugin.php
+index a2cc374..defe2b4 100644
+--- a/plugins-dist/svp/formulaires/admin_plugin.php
++++ b/plugins-dist/svp/formulaires/admin_plugin.php
+@@ -144,8 +144,9 @@ function formulaires_admin_plugin_verifier_dist($voir = 'actif', $verrouille = '
+ // verification des dependances
+ include_spip('inc/svp_decider');
+ svp_decider_verifier_actions_demandees($a_actionner, $erreurs);
+- $todo = _request('_todo') ? unserialize(_request('_todo')) : array();
+- $actions = _request('_decideur_actions') ? unserialize(_request('_decideur_actions')) : array();
++ include_spip('inc/filtres');
++ $todo = decoder_contexte_ajax(_request('_todo'), 'svp_todo') ?: [];
++ $actions = _request('_libelles_actions') ?: [];
+ // si c'est une action simple (hors suppression) sans rien a faire de plus que demande, on y go direct
+ if (in_array('stop', $todo) or in_array('kill', $todo)) {
+ if (in_array('stop', $todo)) {
+@@ -201,8 +202,9 @@ function formulaires_admin_plugin_traiter_dist($voir = 'actif', $verrouille = 'n
+ refuser_traiter_formulaire_ajax();
+ // Ajout de la liste des actions à l'actionneur
+ // c'est lui qui va effectuer rellement les actions
+- // lors de l'appel de action/actionner
+- $actions = unserialize(_request('_todo'));
++ // lors de l'appel de action/actionner
++ include_spip('inc/filtres');
++ $actions = decoder_contexte_ajax(_request('_todo'), 'svp_todo');
+ include_spip('inc/svp_actionner');
+ svp_actionner_traiter_actions_demandees($actions, $retour, $redirect);
+ }
+diff --git a/plugins-dist/svp/formulaires/charger_plugin.php b/plugins-dist/svp/formulaires/charger_plugin.php
+index 88d271f..6a5cedc 100644
+--- a/plugins-dist/svp/formulaires/charger_plugin.php
++++ b/plugins-dist/svp/formulaires/charger_plugin.php
+@@ -126,8 +126,9 @@ function formulaires_charger_plugin_traiter_dist() {
+ #refuser_traiter_formulaire_ajax();
+ // Ajout de la liste des actions à l'actionneur
+ // c'est lui qui va effectuer rellement les actions
+- // lors de l'appel de action/actionner
+- $actions = unserialize(_request('_todo'));
++ // lors de l'appel de action/actionner
++ include_spip('inc/filtres');
++ $actions = decoder_contexte_ajax(_request('_todo'), 'svp_todo') ?: [];
+ include_spip('inc/svp_actionner');
+ // si toutes les actions sont des téléchargements (pas d'activation), on reste sur cette page
+ $redirect = null;
+diff --git a/plugins-dist/svp/inc/svp_decider.php b/plugins-dist/svp/inc/svp_decider.php
+index 3ef11f8..644ea40 100644
+--- a/plugins-dist/svp/inc/svp_decider.php
++++ b/plugins-dist/svp/inc/svp_decider.php
+@@ -1275,7 +1275,8 @@ function svp_decider_verifier_actions_demandees($a_actionner, &$erreurs) {
+ foreach ($decideur->todo as $_todo) {
+ $todo[$_todo['i']] = $_todo['todo'];
+ }
+- set_request('_todo', serialize($todo));
++ include_spip('inc/filtres');
++ set_request('_todo', encoder_contexte_ajax($todo, 'svp_todo'));
+
+ return true;
+ }
diff -Nru spip-3.2.11/debian/patches/series spip-3.2.11/debian/patches/series
--- spip-3.2.11/debian/patches/series 2023-01-17 12:03:08.000000000 +0000
+++ spip-3.2.11/debian/patches/series 2023-02-28 21:51:50.000000000 +0000
@@ -46,3 +46,6 @@
 0046-fix-verifier-le-format-de-oups-avant-de-le-passer-ob.patch
 0047-Fix-5021-et-5022.patch
 0048-fix-ne-pas-permettre-de-changer-le-mot-de-passe-d-un.patch
+0049-Fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch
+0050-fix-Sanitizer-toutes-les-valeurs-pass-es-aux-formula.patch
+0051-fix-Correction-des-ordres-_todo-adress-es-SVP.patch
diff -Nru spip-3.2.11/debian/salsa-ci.yml spip-3.2.11/debian/salsa-ci.yml
--- spip-3.2.11/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000
+++ spip-3.2.11/debian/salsa-ci.yml 2023-02-28 21:51:50.000000000 +0000
@@ -0,0 +1,8 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bullseye'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
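Review bot: In formulaires_admin_plugin_traiter_dist (second hunk of admin_plugin.php in patch 0051) the new line `$actions = decoder_contexte_ajax(_request('_todo'), 'svp_todo');` has no fallback, whereas the two sibling call sites in the same patch (the verifier in admin_plugin.php and charger_plugin.php) use `?: []`; if `_todo` is absent or fails to decode, the undecoded result goes straight into svp_actionner_traiter_actions_demandees($actions, ...). For consistency I would write `$actions = decoder_contexte_ajax(_request('_todo'), 'svp_todo') ?: [];` there as well — I cannot see from this diff what decoder_contexte_ajax returns on failure, so this relies on the same assumption the other two call sites already make. Each of these hunks cuts through the middle of its function, so the surrounding control flow is not visible here.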