Bug#804172: jessie-pu: package spip/3.0.17-2+deb8u1

Thu, 05 Nov 2015 10:13:05 -0800 

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, the two XSS fixes from the latest
upstream version do not deserve a DSA, yet I’d like to fix them via pu
if you agree, debdiff attached. There is no upstream fix available (yet)
for the 2.1 branch (that is still supported), so I won’t follow up with
a pu request for Wheezy for the moment.

Regards

David

diff -Nru spip-3.0.17/debian/changelog spip-3.0.17/debian/changelog
--- spip-3.0.17/debian/changelog	2014-10-25 20:52:48.000000000 -0400
+++ spip-3.0.17/debian/changelog	2015-11-01 15:34:31.000000000 -0400
@@ -1,3 +1,10 @@
+spip (3.0.17-2+deb8u1) jessie; urgency=medium
+
+  * Track Jessie
+  * Backport XSS fixes in private content from 3.0.21
+
+ -- David Prévot <taf...@debian.org>  Sun, 01 Nov 2015 15:34:00 -0400
+
 spip (3.0.17-2) unstable; urgency=medium
 
   [ Frans Spiesschaert ]
diff -Nru spip-3.0.17/debian/gbp.conf spip-3.0.17/debian/gbp.conf
--- spip-3.0.17/debian/gbp.conf	2014-10-25 20:50:16.000000000 -0400
+++ spip-3.0.17/debian/gbp.conf	2015-11-01 15:11:01.000000000 -0400
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch = 3.0
+debian-branch = jessie
 upstream-branch = upstream-3.0
diff -Nru spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch
--- spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch	1969-12-31 20:00:00.000000000 -0400
+++ spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch	2015-11-01 15:31:01.000000000 -0400
@@ -0,0 +1,173 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.mo...@yterium.com>
+Date: Sat, 10 Oct 2015 10:44:19 +0000
+Subject: Fix XSS in private content
+
+Bug: https://core.spip.net/issues/3371
+Origin: Upstream, http://zone.spip.org/trac/spip-zone/changeset/92236,
+ https://core.spip.net/projects/spip/repository/revisions/22427,
+ https://core.spip.net/projects/spip/repository/revisions/22450,
+ https://core.spip.net/projects/spip/repository/revisions/22429
+---
+ ecrire/inc/texte.php                               |  7 ++++
+ ecrire/inc/texte_mini.php                          | 43 ++++++++++++++++++++--
+ plugins-dist/revisions/inc/revisions.php           |  3 ++
+ .../prive/squelettes/contenu/revision.html         |  6 +--
+ prive/squelettes/ajax.html                         |  2 +-
+ prive/squelettes/head/dist.html                    |  2 +-
+ prive/squelettes/structure.html                    |  4 +-
+ 7 files changed, 57 insertions(+), 10 deletions(-)
+
+diff --git a/ecrire/inc/texte.php b/ecrire/inc/texte.php
+index af706b3..c0cec0b 100644
+--- a/ecrire/inc/texte.php
++++ b/ecrire/inc/texte.php
+@@ -156,6 +156,7 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ 	if (is_null($connect)){
+ 		$connect = '';
+ 		$interdire_script = true;
++		$env['espace_prive'] = 1;
+ 	}
+ 
+ 	// Echapper les codes <html> etc
+@@ -183,6 +184,12 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ 	if ($interdire_script)
+ 		$letexte = interdire_scripts($letexte);
+ 
++	// Dans l'espace prive on se mefie de tout contenu dangereux
++	// https://core.spip.net/issues/3371
++	if (isset($env['espace_prive']) AND $env['espace_prive']){
++		$letexte = echapper_html_suspect($letexte);
++	}
++
+ 	return $letexte;
+ }
+ 
+diff --git a/ecrire/inc/texte_mini.php b/ecrire/inc/texte_mini.php
+index f3c2429..901d903 100644
+--- a/ecrire/inc/texte_mini.php
++++ b/ecrire/inc/texte_mini.php
+@@ -385,15 +385,52 @@ function echapper_faux_tags($letexte){
+   $letexte = "";
+   while (count($textMatches)) {
+   	// un texte a echapper
+-  	$letexte .= str_replace(array("<"),array('&lt;'),array_shift($textMatches));
++  	$letexte .= str_replace("<",'&lt;',array_shift($textMatches));
+   	// un tag html qui a servit a faite le split
+  		$letexte .= array_shift($textMatches);
+   }
+   return $letexte;
+ }
+ 
+-// Securite : utiliser SafeHTML s'il est present dans ecrire/safehtml/
+-// http://doc.spip.org/@safehtml
++/**
++ * Si le html contenu dans un texte ne passe pas sans transformation a travers safehtml
++ * on l'echappe
++ * si safehtml ne renvoie pas la meme chose on echappe les < en &lt; pour montrer le contenu brut
++ *
++ * @param string $texte
++ * @return string
++ */
++function echapper_html_suspect($texte){
++	if (strpos($texte,'<')===false OR strpos($texte,'=')===false)
++		return $texte;
++
++	// on teste sur strlen car safehtml supprime le contenu dangereux
++	// mais il peut aussi changer des ' en " sur les attributs html,
++	// donc un test d'egalite est trop strict
++	if (strlen(safehtml($texte))!==strlen($texte)){
++		$texte = str_replace("<","&lt;",$texte);
++	}
++
++	return $texte;
++}
++
++
++/**
++ * Sécurise un texte HTML 
++ *
++ * Échappe le code PHP et JS.
++ * Applique en plus safehtml si un plugin le définit dans inc/safehtml.php
++ *
++ * Permet de protéger les textes issus d'une origine douteuse (forums, syndications...)
++ *
++ * @filtre
++ * @link http://www.spip.net/4310
++ * 
++ * @param string $t
++ *      Texte à sécuriser
++ * @return string
++ *      Texte sécurisé
++**/
+ function safehtml($t) {
+ 	static $safehtml;
+ 
+diff --git a/plugins-dist/revisions/inc/revisions.php b/plugins-dist/revisions/inc/revisions.php
+index 16d6f86..c9ab05e 100644
+--- a/plugins-dist/revisions/inc/revisions.php
++++ b/plugins-dist/revisions/inc/revisions.php
+@@ -605,6 +605,9 @@ function propre_diff($texte) {
+ 	$reg = end($regs);
+ 	if (!$reg[1] AND $reg[2]) $texte.="</$reg[2]>";
+ 
++	// et interdire_scripts !
++	$texte = interdire_scripts($texte);
++
+ 	return $texte;
+ }
+ 
+diff --git a/plugins-dist/revisions/prive/squelettes/contenu/revision.html b/plugins-dist/revisions/prive/squelettes/contenu/revision.html
+index 935e6bf..a59a716 100644
+--- a/plugins-dist/revisions/prive/squelettes/contenu/revision.html
++++ b/plugins-dist/revisions/prive/squelettes/contenu/revision.html
+@@ -40,9 +40,9 @@
+ 		]
+ 	]
+ 	[<div class='id_rubrique'>(#GET{textes}|table_valeur{id_rubrique})</div>]
+-	[<h4 class='surtitre'>(#GET{textes}|table_valeur{surtitre})</h4>]
+-	<h1>[(#INFO_STATUT{#OBJET,#ID_OBJET}|puce_statut{#OBJET}) ][(#GET{textes}|table_valeur{titre}|sinon{<:info_sans_titre:>})]</h1>
+-	[<h2 class='soustitre'>(#GET{textes}|table_valeur{soustitre})</h2>]
++	[<h4 class='surtitre'>(#GET{textes}|table_valeur{surtitre}|interdire_scripts)</h4>]
++	<h1>[(#INFO_STATUT{#OBJET,#ID_OBJET}|puce_statut{#OBJET}) ][(#GET{textes}|table_valeur{titre}|sinon{<:info_sans_titre:>}|interdire_scripts)]</h1>
++	[<h2 class='soustitre'>(#GET{textes}|table_valeur{soustitre}|interdire_scripts)</h2>]
+ 
+ 	<div class="nettoyeur"></div>
+ 	<div id="wysiwyg" class="revision">
+diff --git a/prive/squelettes/ajax.html b/prive/squelettes/ajax.html
+index dcd9319..b6bc56a 100644
+--- a/prive/squelettes/ajax.html
++++ b/prive/squelettes/ajax.html
+@@ -4,4 +4,4 @@
+ 
+ ]
+ #SET{zajax,#VAL{var_zajax}|_request|replace{\W,''}}
+-<INCLURE{fond=prive/squelettes/#GET{zajax}|concat{'/',#ENV{type-page}},ajax=#GET{zajax},env}>
+\ No newline at end of file
++<INCLURE{fond=prive/squelettes/#GET{zajax}|concat{'/',#ENV{type-page}},ajax=#GET{zajax},espace_prive=1,env}>
+\ No newline at end of file
+diff --git a/prive/squelettes/head/dist.html b/prive/squelettes/head/dist.html
+index d770c45..9dc5b63 100644
+--- a/prive/squelettes/head/dist.html
++++ b/prive/squelettes/head/dist.html
+@@ -8,4 +8,4 @@
+ [(#REM) Si pas de title, celui ci sera mis automatiquement par f_title_auto
+ en capturant le premier <h1> de la page]
+ #SET{paramcss,#REM|parametres_css_prive}
+-#PIPELINE{header_prive,#INCLURE{fond=prive/squelettes/inclure/head,titre,minipres,paramcss=#GET{paramcss}}}
+\ No newline at end of file
++#PIPELINE{header_prive,#INCLURE{fond=prive/squelettes/inclure/head,titre,minipres,paramcss=#GET{paramcss},espace_prive}}
+\ No newline at end of file
+diff --git a/prive/squelettes/structure.html b/prive/squelettes/structure.html
+index b9dd987..7520bd8 100644
+--- a/prive/squelettes/structure.html
++++ b/prive/squelettes/structure.html
+@@ -8,7 +8,7 @@
+ <!--[if IE 9 ]>    <html class="[(#LANG_DIR)][ (#LANG)] no-js ie ie9 lte9" xmlns="http://www.w3.org/1999/xhtml"; xml:lang="#LANG" lang="#LANG" dir="#LANG_DIR"> <![endif]-->
+ <!--[if (gt IE 9)|!(IE)]><!--> <html class="[(#LANG_DIR)][ (#LANG)] no-js" xmlns="http://www.w3.org/1999/xhtml"; xml:lang="#LANG" lang="#LANG" dir="#LANG_DIR"> <!--<![endif]-->
+ <head>
+-<INCLURE{fond=prive/squelettes/head/#ENV{type-page},env}>
++<INCLURE{fond=prive/squelettes/head/#ENV{type-page},env,espace_prive=1}>
+ </head>
+-<INCLURE{fond=prive/squelettes/body,env}>
++<INCLURE{fond=prive/squelettes/body,env,espace_prive=1}>
+ </html>
diff -Nru spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch
--- spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch	1969-12-31 20:00:00.000000000 -0400
+++ spip-3.0.17/debian/patches/0006-Fix-XSS-from-iframe-in-private-content.patch	2015-11-01 15:31:01.000000000 -0400
@@ -0,0 +1,130 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= <cedric.mo...@yterium.com>
+Date: Thu, 29 Oct 2015 16:58:27 +0100
+Subject: Fix XSS from iframe in private content
+
+Bug: https://core.spip.net/issues/1994, https://core.spip.net/issues/1998
+Origin: http://zone.spip.org/trac/spip-zone/changeset/92321,
+ http://zone.spip.org/trac/spip-zone/changeset/92519,
+ http://zone.spip.org/trac/spip-zone/changeset/92520
+---
+ plugins-dist/textwheel/wheels/spip/echappe-js.php  | 39 ++++++++++++++++++
+ plugins-dist/textwheel/wheels/spip/echappe-js.yaml | 48 ++++++++++++++++++++++
+ .../textwheel/wheels/spip/interdire-scripts.yaml   |  3 +-
+ 3 files changed, 89 insertions(+), 1 deletion(-)
+ create mode 100644 plugins-dist/textwheel/wheels/spip/echappe-js.php
+
+diff --git a/plugins-dist/textwheel/wheels/spip/echappe-js.php b/plugins-dist/textwheel/wheels/spip/echappe-js.php
+new file mode 100644
+index 0000000..66b0717
+--- /dev/null
++++ b/plugins-dist/textwheel/wheels/spip/echappe-js.php
+@@ -0,0 +1,39 @@
++<?php
++
++/**
++ * Fonctions utiles pour la wheel echappe-js
++ *
++ * @SPIP\Textwheel\Wheel\SPIP\Fonctions
++**/
++
++if (!defined('_ECRIRE_INC_VERSION')) return;
++
++function echappe_anti_xss($match){
++	static $safehtml;
++
++	if (!is_array($match) OR !strlen($match[0])) {
++		return "";
++	}
++	$texte = &$match[0];
++
++	// on echappe les urls data: javascript: et tout ce qui ressemble
++	if (strpos($texte,":")!==false
++		AND preg_match(",(data|script)\s*:,iS",$texte)){
++		$texte = nl2br(htmlspecialchars($texte));
++	}
++	// on echappe si on a possiblement un attribut onxxx et que ca passe pas dans safehtml
++	elseif(stripos($texte,"on")!==false
++	  AND preg_match(",\bon\w+\s*=,i",$texte)){
++		if (!isset($safehtml))
++			$safehtml = charger_fonction('safehtml', 'inc', true);
++		if (!$safehtml OR strlen($safehtml($texte))!==strlen($texte)){
++			$texte = nl2br(htmlspecialchars($texte));
++		}
++	}
++
++	if (strpos($texte,"<")===false){
++		$texte = "<code class=\"echappe-js\">$texte</code>";
++	}
++
++	return $texte;
++}
+diff --git a/plugins-dist/textwheel/wheels/spip/echappe-js.yaml b/plugins-dist/textwheel/wheels/spip/echappe-js.yaml
+index 9684738..84c65f2 100644
+--- a/plugins-dist/textwheel/wheels/spip/echappe-js.yaml
++++ b/plugins-dist/textwheel/wheels/spip/echappe-js.yaml
+@@ -18,3 +18,51 @@
+     -
+       type: all
+       replace: "<code class=\"echappe-js\">$0</code>"
++
++-
++  if_str: "<iframe"
++  match: "{<iframe.*?($|</iframe.)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<embed"
++  match: "{<embed.*?($|</embed.)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<object"
++  match: "{<object.*?($|</object.)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<img"
++  match: "{<img.*?($|>)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<image"
++  match: "{<image.*?($|>)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<body"
++  match: "{<body.*?($|>)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<bgsound"
++  match: "{<bgsound.*?($|>)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
++
++-
++  if_str: "<meta"
++  match: "{<meta.*?($|>)}isS"
++  is_callback: Y
++  replace: echappe_anti_xss
+diff --git a/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml b/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml
+index 790f34d..d809847d 100644
+--- a/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml
++++ b/plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml
+@@ -19,7 +19,8 @@ securite-script-php:
+   replace: "&lt;$1"
+ 
+ securite-js:
+-  if_str: "<script"
++  if_str: "<"
++  if_match: "/<(?:script|iframe|embed|object|img|image|body|bgsound|meta)/iS"
+   type: all
+   replace: "echappe_js"
+   is_callback: Y
diff -Nru spip-3.0.17/debian/patches/series spip-3.0.17/debian/patches/series
--- spip-3.0.17/debian/patches/series	2014-08-26 12:06:06.000000000 -0400
+++ spip-3.0.17/debian/patches/series	2015-11-01 15:31:01.000000000 -0400
@@ -2,3 +2,5 @@
 0002-Use-php-html-safe.patch
 0003-No-next-upstream-version-display-in-private-area.patch
 0004-Fix-displayed-version-in-the-private-interface.patch
+0005-Fix-XSS-in-private-content.patch
+0006-Fix-XSS-from-iframe-in-private-content.patch

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to