Version in base suite: 4.4.3+dfsg-1
Base version: spip_4.4.3+dfsg-1
Target version: spip_4.4.3+dfsg-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/spip/spip_4.4.3+dfsg-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/spip/spip_4.4.3+dfsg-1+deb13u1.dsc
 changelog | 7 ++
 control | 2
 gbp.conf | 2
 patches/0001-Fix-created-directories-and-files-default-rights.patch | 2
 patches/0003-Fix-displayed-version-in-the-private-interface.patch | 2
 patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch | 34 ++++++++++
 patches/series | 1
 7 files changed, 46 insertions(+), 4 deletions(-)
diff -Nru spip-4.4.3+dfsg/debian/changelog spip-4.4.3+dfsg/debian/changelog
--- spip-4.4.3+dfsg/debian/changelog 2025-04-10 11:59:24.000000000 +0000
+++ spip-4.4.3+dfsg/debian/changelog 2025-09-09 05:21:38.000000000 +0000
@@ -1,3 +1,10 @@
+spip (4.4.3+dfsg-1+deb13u1) trixie; urgency=medium
+
+ * Track debian/trixie
+ * Backport security fix from 4.4.5: Fix open redirect on ajax login form
+
+ -- David Prévot Tue, 09 Sep 2025 07:21:38 +0200
+
 spip (4.4.3+dfsg-1) unstable; urgency=medium
 
 * Upload to unstable
diff -Nru spip-4.4.3+dfsg/debian/control spip-4.4.3+dfsg/debian/control
--- spip-4.4.3+dfsg/debian/control 2025-03-17 23:01:51.000000000 +0000
+++ spip-4.4.3+dfsg/debian/control 2025-09-09 05:21:38.000000000 +0000
@@ -15,7 +15,7 @@
 uglifyjs
 Homepage: https://www.spip.net/
 Standards-Version: 4.7.0
-Vcs-Git: https://salsa.debian.org/debian/spip.git
+Vcs-Git: https://salsa.debian.org/debian/spip.git -b debian/trixie
 Vcs-Browser: https://salsa.debian.org/debian/spip
 Rules-Requires-Root: no
 
diff -Nru spip-4.4.3+dfsg/debian/gbp.conf spip-4.4.3+dfsg/debian/gbp.conf
--- spip-4.4.3+dfsg/debian/gbp.conf 2025-04-10 11:52:41.000000000 +0000
+++ spip-4.4.3+dfsg/debian/gbp.conf 2025-09-09 05:21:38.000000000 +0000
@@ -1,4 +1,4 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/trixie
 pristine-tar = True
 upstream-vcs-tag = %(version%~%-)s
diff -Nru spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch
--- spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch 2025-03-19 09:51:07.000000000 +0000
+++ spip-4.4.3+dfsg/debian/patches/0001-Fix-created-directories-and-files-default-rights.patch 2025-09-09 05:21:38.000000000 +0000
@@ -13,7 +13,7 @@
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/ecrire/inc_version.php b/ecrire/inc_version.php
-index 3b7d61b..effba72 100644
+index 45469b1..ab41a12 100644
 --- a/ecrire/inc_version.php
 +++ b/ecrire/inc_version.php
 @@ -436,7 +436,7 @@ $liste_des_authentifications = [
diff -Nru spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch
--- spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch 2025-03-19 09:51:07.000000000 +0000
+++ spip-4.4.3+dfsg/debian/patches/0003-Fix-displayed-version-in-the-private-interface.patch 2025-09-09 05:21:38.000000000 +0000
@@ -14,7 +14,7 @@
 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/ecrire/inc_version.php b/ecrire/inc_version.php
-index effba72..c80f544 100644
+index ab41a12..157717f 100644
 --- a/ecrire/inc_version.php
 +++ b/ecrire/inc_version.php
 @@ -461,7 +461,7 @@ $spip_sql_version = 1;
diff -Nru spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch
--- spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch 1970-01-01 00:00:00.000000000 +0000
+++ spip-4.4.3+dfsg/debian/patches/0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch 2025-09-09 05:21:38.000000000 +0000
@@ -0,0 +1,34 @@
+From: b_b
+Date: Mon, 8 Sep 2025 10:04:10 +0200
+Subject: security: fix open redirect sur formulaire de login en ajax
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Dans certains cas, si la page de login est surchargée pour fonctionner en ajax,
+le formulaire de login pouvait permettre de rediriger sur un site externe non prévu.
+
+Refs: spip-security/securite#4865
+
+Origin: upstream, https://git.spip.net/spip/ecrire/-/commit/e434659fdedebc6f9bdaa862e45057f430dcf357
+---
+ ecrire/inc/headers.php | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/inc/headers.php b/ecrire/inc/headers.php
+index 401f031..e581b37 100644
+--- a/ecrire/inc/headers.php
++++ b/ecrire/inc/headers.php
+@@ -144,9 +144,10 @@ function redirige_formulaire($url, $equiv = '', $format = 'message') {
+ $url = strtr($url, "\n\r", ' ');
+ # en theorie on devrait faire ca tout le temps, mais quand la chaine
+ # commence par ? c'est imperatif, sinon l'url finale n'est pas la bonne
+- if ($url[0] == '?') {
+- $url = url_de_base() . $url;
++ if (in_array($url[0], ['?', '/']) && !str_starts_with($url, '//')) {
++ $url = url_de_base() . ltrim($url, '/');
+ }
++
+ $url = str_replace('&', '&', $url);
+ spip_log("redirige formulaire ajax: $url");
+ include_spip('inc/filtres');
diff -Nru spip-4.4.3+dfsg/debian/patches/series spip-4.4.3+dfsg/debian/patches/series
--- spip-4.4.3+dfsg/debian/patches/series 2025-03-19 09:51:07.000000000 +0000
+++ spip-4.4.3+dfsg/debian/patches/series 2025-09-09 05:21:38.000000000 +0000
@@ -3,3 +3,4 @@
 0003-Fix-displayed-version-in-the-private-interface.patch
 0004-Use-getid3-class-from-the-php-getid3-package.patch
 0005-Workaround-Composer-InstalledVersions-feature.patch
+0006-security-fix-open-redirect-sur-formulaire-de-login-e.patch
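Review bot: The new condition in the nested ecrire/inc/headers.php hunk prefixes `?…` and `/…` targets with url_de_base() but deliberately excludes anything starting with `//`, so a protocol-relative target still reaches the redirect unchanged unless a caller has already validated it; redirige_formulaire's body continues outside the hunk, so I cannot see whether a later line covers that case. If protocol-relative targets are never legitimate here, the simplest hardening is to drop the `!str_starts_with($url, '//')` exclusion so they receive the same base-URL prefix, or otherwise to compare the target's host against url_de_base() before redirecting. The first-character test should also use a strict in_array and guard the empty string, since reading `$url[0]` on `''` emits a warning in PHP 8: `if ($url !== '' && in_array($url[0], ['?', '/'], true) && !str_starts_with($url, '//')) {`. The unchanged context line `$url = str_replace('&', '&', $url);` looks like an HTML-decoded rendering of `'&amp;'`, so the quilt patch is worth checking against the upstream commit before it is applied.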