Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
Hi release team, You recently accepted 2.1.1-3squeeze4 for the next point release, that fixes some security issues, but a new one has just been disclosed (#683667), so here I am again. Upstream confirmed they can't reproduce the last security issue with this version. I didn't bug the security team since this last issue is less important than the previous ones that have been handled via a stable upload. Attached debdiff, thanks in advance for considering it. The package is available on ravel: http://people.debian.org/~taffit/spip/spip_2.1.1-3squeeze5.dsc Cheers David -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diffstat for spip_2.1.1-3squeeze4 spip_2.1.1-3squeeze5
debian/patches/fix_base_disclosure.patch | 155 +++++++++++++++++++++++++++++++
spip-2.1.1/debian/changelog | 6 +
spip-2.1.1/debian/patches/series | 1
3 files changed, 162 insertions(+)
diff -u spip-2.1.1/debian/changelog spip-2.1.1/debian/changelog
--- spip-2.1.1/debian/changelog
+++ spip-2.1.1/debian/changelog
@@ -1,3 +1,9 @@
+spip (2.1.1-3squeeze5) stable; urgency=low
+
+ * Fix base name disclosure. Closes: #683667
+
+ -- David Prévot <taf...@debian.org> Thu, 02 Aug 2012 14:27:29 -0400
+
 spip (2.1.1-3squeeze4) stable; urgency=low
 * Updated security screen to 1.1.3. Prevent cross site scripting on referer
diff -u spip-2.1.1/debian/patches/series spip-2.1.1/debian/patches/series
--- spip-2.1.1/debian/patches/series
+++ spip-2.1.1/debian/patches/series
@@ -16,0 +17 @@
+fix_base_disclosure.patch
only in patch2:
unchanged:
--- spip-2.1.1.orig/debian/patches/fix_base_disclosure.patch
+++ spip-2.1.1/debian/patches/fix_base_disclosure.patch
@@ -0,0 +1,155 @@
+From: b b
+Subject: Fix base name disclosure from form text field
+
+* ecrire/base/connect_sql.php, ecrire/req/mysql.php,
+ ecrire/req/sqlite_generique.php: escape text in traiter_query
+ (thanks to Philippe Brehmer).
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/19753
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683667
+--- a/ecrire/base/connect_sql.php
++++ b/ecrire/base/connect_sql.php
+@@ -335,6 +335,75 @@
+ return '';
+ }
++/**
++ * Echapper les textes entre ' ' ou " " d'une requete SQL
++ * avant son pre-traitement
++ * On renvoi la query sans textes et les textes separes, dans
++ * leur ordre d'apparition dans la query
++ *
++ * @param string $query
++ * @return array
++ */
++function query_echappe_textes($query){
++ static $codeEchappements = array("''"=>"\x1@##@\x1", "\'"=>"\x2@##@\x2", "\\\""=>"\x3@##@\x3");
++ $query = str_replace(array_keys($codeEchappements), array_values($codeEchappements), $query);
++ if (preg_match_all("/((['])[^']*(\\2))|(([\"])[^\"]*(\\5))/S",$query,$textes)){
++ $textes = reset($textes); // indice 0 du match
++ switch(count($textes)){
++ case 0:$replace=array();break;
++ case 1:$replace=array('%1$s');break;
++ case 2:$replace=array('%1$s','%2$s');break;
++ case 3:$replace=array('%1$s','%2$s','%3$s');break;
++ case 4:$replace=array('%1$s','%2$s','%3$s','%4$s');break;
++ case 5:$replace=array('%1$s','%2$s','%3$s','%4$s','%5$s');break;
++ default:
++ $replace = range(1,count($textes));
++ $replace = '%'.implode('$s,%',$replace).'$s';
++ $replace = explode(',',$replace);
++ break;
++ }
++ $query = str_replace($textes,$replace,$query);
++ }
++ else
++ $textes = array();
++
++ return array($query, $textes);
++}
++
++/**
++ * Reinjecter les textes d'une requete SQL a leur place initiale,
++ * apres traitement de la requete
++ *
++ * @param string $query
++ * @param array $textes
++ * @return string
++ */
++function query_reinjecte_textes($query, $textes){
++ static $codeEchappements = array("''"=>"\x1@##@\x1", "\'"=>"\x2@##@\x2", "\\\""=>"\x3@##@\x3");
++ # debug de la substitution
++ #if (($c1=substr_count($query,"%"))!=($c2=count($textes))){
++ # spip_log("$c1 ::". $query,"tradquery"._LOG_ERREUR);
++ # spip_log("$c2 ::". var_export($textes,1),"tradquery"._LOG_ERREUR);
++ # spip_log("ini ::". $qi,"tradquery"._LOG_ERREUR);
++ #}
++ switch (count($textes)){
++ case 0:break;
++ case 1:$query=sprintf($query,$textes[0]);break;
++ case 2:$query=sprintf($query,$textes[0],$textes[1]);break;
++ case 3:$query=sprintf($query,$textes[0],$textes[1],$textes[2]);break;
++ case 4:$query=sprintf($query,$textes[0],$textes[1],$textes[2],$textes[3]);break;
++ case 5:$query=sprintf($query,$textes[0],$textes[1],$textes[2],$textes[3],$textes[4]);break;
++ default:
++ array_unshift($textes,$query);
++ $query = call_user_func_array('sprintf',$textes);
++ break;
++ }
++
++ $query = str_replace(array_values($codeEchappements), array_keys($codeEchappements), $query);
++
++ return $query;
++}
++
+ // Pour compatibilite. Ne plus utiliser.
+ // http://doc.spip.org/@spip_query
+ function spip_query($query, $serveur='') {
+--- a/ecrire/req/mysql.php
++++ b/ecrire/req/mysql.php
+@@ -286,8 +286,14 @@
+ } else {
+ $suite = strstr($query, $regs[0]);
+ $query = substr($query, 0, -strlen($suite));
+- if (preg_match('/^(.*?)([(]\s*SELECT\b.*)$/si', $suite, $r)) {
+- $suite = $r[1] . traite_query($r[2], $db, $prefixe);
++ // propager le prefixe en cas de requete imbriquee
++ // il faut alors echapper les chaine avant de le faire, pour ne pas risquer de
++ // modifier une requete qui est en fait juste du texte dans un champ
++ if (stripos($suite,"SELECT")!==false) {
++ list($suite,$textes) = query_echappe_textes($suite);
++ if (preg_match('/^(.*?)([(]\s*SELECT\b.*)$/si', $suite, $r))
++ $suite = $r[1] . traite_query($r[2], $db, $prefixe);
++ $suite = query_reinjecte_textes($suite, $textes);
+ }
+ }
+ $r = preg_replace(_SQL_PREFIXE_TABLE, '\1'.$pref, $query) . $suite;
+--- a/ecrire/req/sqlite_generique.php
++++ b/ecrire/req/sqlite_generique.php
+@@ -1611,7 +1611,6 @@
+
+ // Pour les corrections a effectuer sur les requetes :
+ var $textes = array(); // array(code=>'texte') trouvé
+- var $codeEchappements = "%@##@%";
+
+
+ // constructeur
+@@ -1681,16 +1680,13 @@
+ // enleve les textes, transforme la requete pour quelle soit
+ // bien interpretee par sqlite, puis remet les textes
+ // la fonction affecte $this->query
+-// http://doc.spip.org/@traduire_requete
++ // http://doc.spip.org/@traduire_requete
+ function traduire_requete(){
+ //
+ // 1) Protection des textes en les remplacant par des codes
+ //
+- // enlever les echappements ''
+- $this->query = str_replace("''", $this->codeEchappements, $this->query);
+- // enlever les 'textes'
+- $this->textes = array(); // vider
+- $this->query = preg_replace_callback("/('[^']*')/", array(&$this, '_remplacerTexteParCode'), $this->query);
++ // enlever les 'textes' et initialiser avec
++ list($this->query, $textes) = query_echappe_textes($this->query);
+
+ //
+ // 2) Corrections de la requete
+@@ -1791,12 +1787,12 @@
+ //
+ // 3) Remise en place des textes d'origine
+ //
+- // remettre les 'textes'
+- foreach ($this->textes as $cle=>$val){
+- $this->query = str_replace($cle, $val, $this->query);
+- }
+- // remettre les echappements ''
+- $this->query = str_replace($this->codeEchappements,"''",$this->query);
++ // Correction Antiquotes et echappements
++ // ` => rien
++ if (strpos($this->query,'`')!==false)
++ $this->query = str_replace('`','', $this->query);
++
++ $this->query = query_reinjecte_textes($this->query, $textes);
+ }
+
+
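Review bot: In the ecrire/base/connect_sql.php part, a `%` that sits outside the quoted texts (a MOD expression, for instance) survives query_echappe_textes untouched and then reaches `sprintf($query, ...)` in query_reinjecte_textes as a format directive, so as far as I can tell the rebuilt query is no longer the original one (older PHP mangles it silently, PHP 8 would throw a ValueError); the commented-out `substr_count($query,"%")` debug block suggests this mismatch has already been observed. Double stray percent signs before the placeholders go in: after the sentinel substitution in query_echappe_textes add `$query = str_replace('%', '%%', $query);`, undo it on the extracted texts at the top of query_reinjecte_textes with `$textes = str_replace('%%', '%', $textes);`, and change `case 0:break;` to `case 0:$query=sprintf($query);break;` so the zero-text path, which the recursive traite_query call in ecrire/req/mysql.php takes, also collapses `%%` back to `%`. A quoted text whose content already contains one of the `\x1@##@\x1` sentinel sequences is rewritten to a quote escape on the way back; that cannot break out of the literal, but it does alter stored data, so a check that the query contains none of the sentinels before substituting (or a less collision-prone sentinel) is worth considering. The `$codeEchappements` table is duplicated verbatim in both functions and the commented-out debug block references an undefined `$qi`; one shared definition plus deleting the dead block would keep the two sides from drifting.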
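Review bot: In the ecrire/req/sqlite_generique.php part, `var $textes = array();` is kept while traduire_requete now writes the extracted texts to a local (`list($this->query, $textes) = query_echappe_textes($this->query);`) and reads that same local in the reinjection hunk, so `$this->textes` is never assigned anymore and any other method that still reads it would see an empty array. Either drop the property alongside `$codeEchappements`, or keep it populated with `list($this->query, $this->textes) = query_echappe_textes($this->query);` and `$this->query = query_reinjecte_textes($this->query, $this->textes);`. The `_remplacerTexteParCode` callback that the removed preg_replace_callback line used is presumably dead now as well. Both helpers are defined in ecrire/base/connect_sql.php; whether that file is always loaded before traduire_requete runs in the sqlite driver is not visible in this patch and is worth confirming, since an unloaded helper would fail on every query. traduire_requete starts and ends outside these hunks.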