[Spip-maintainers] Bug#742456: Log sanitizing and SQL injection
David Prévot
david at tilapin.org
Sun Mar 23 22:26:59 UTC 2014
Hi security team,
On 23/03/2014 18:02, David Prévot wrote:
> Package: spip
> Version: 2.1.17-1+deb7u3
> Severity: important
> Tags: security upstream
> Control: fixed -1 3.1~21281-1
> Control: fixed -1 3.0.16-1
> Control: found -1 2.1.1-3squeeze8
>
> Hi,
>
> The latest upstream update [1] fixes two security issues:
> - an SQL injection, already blocked by the security screen;
> - a lack of sanitizing visible in log files.
>
> I’ve already prepared the Wheezy [2] and Squeeze updates, and am opening
> this bug report in order to follow up with the security team and the
> release team to get these a priori minor issues fixed in the next
> (old)stable update.
Please find attached the two proposed debdiffs for these issues. I don’t
believe they deserve a proper DSA (but they are ready to upload if you
think so), and am not sure they even deserve an (old)stable update;
please let me know if you think I should submit these updates to the
release team.
Thanks in advance.
Regards
David
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index d09ada5..e00ae22 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+spip (2.1.17-1+deb7u4) wheezy-security; urgency=medium
+
+ * Update displayed version
+ * Fix missing escape
+ * Fix missing escape in SQL
+ * Update security screen to 1.1.9 (Closes: #742456)
+
+ -- David Prévot <taffit at debian.org> Thu, 13 Mar 2014 16:50:23 -0300
+
spip (2.1.17-1+deb7u3) wheezy; urgency=medium
* Document fixed #729172
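Review bot: the three fix entries in the new deb7u4 stanza say what was done but not where or with what impact, which matters for a security upload; consider expanding them along the lines of `* Fix missing escape in log output (ecrire/inc/log.php)` and `* Fix missing escape in SQL query (ecrire/public/quete.php)`, and cite the upstream revisions 21251 and 21247 that the patch headers below already name, so each entry can be matched to the upstream fix.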
diff --git a/debian/patches/fix_displayed_version.patch b/debian/patches/fix_displayed_version.patch
index fdc1186..80ff1d0 100644
--- a/debian/patches/fix_displayed_version.patch
+++ b/debian/patches/fix_displayed_version.patch
@@ -2,7 +2,7 @@ Description: Fix displayed version in the private interface
Make it obvious it's a Debian (patched) version
Forwarded: not-needed
Author: David Prévot <taffit at debian.org>
-Last-Update: 2013-11-02
+Last-Update: 2014-01-24
--- a/ecrire/inc_version.php
+++ b/ecrire/inc_version.php
@@ -423,7 +423,7 @@
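Review bot: `Last-Update` is moved to 2014-01-24, but the version string this patch now carries is 2.1.17-1+deb7u4, whose changelog entry is dated 13 Mar 2014; the DEP-3 header should carry the date of this refresh so the two stay in step.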
@@ -10,7 +10,7 @@ Last-Update: 2013-11-02
// 1.xxyy : xx00 versions stables publiees, xxyy versions de dev
// (ce qui marche pour yy ne marchera pas forcement sur une version plus ancienne)
-$spip_version_affichee = "$spip_version_branche";
-+$spip_version_affichee = "2.1.17-1+deb7u2 (Debian)";
++$spip_version_affichee = "2.1.17-1+deb7u4 (Debian)";
// ** Securite **
$visiteur_session = $auteur_session = $connect_statut = $connect_toutes_rubriques = $hash_recherche = $hash_recherche_strict = $ldap_present ='';
diff --git a/debian/patches/fix_missing_escape.patch b/debian/patches/fix_missing_escape.patch
new file mode 100644
index 0000000..7d08c36
--- /dev/null
+++ b/debian/patches/fix_missing_escape.patch
@@ -0,0 +1,19 @@
+From: Cédric Morin <cedric.morin at yterium.com>
+Subject: Fix missing escape
+
+ * ecrire/inc/log.php: Always escape < in logs, unless the _LOG_BRUT
+ constant is defined to true at the end of debug.
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/21251
+Bug-Debian: http://bugs.debian.org/742456
+--- a/ecrire/inc/log.php
++++ b/ecrire/inc/log.php
+@@ -56,7 +56,7 @@
+
+ $f = @fopen($logfile, "ab");
+ if ($f) {
+- fputs($f, ($logname!==NULL) ? $m : str_replace('<','<',$m));
++ fputs($f, (defined('_LOG_BRUT') AND _LOG_BRUT) ? $m : str_replace('<','<',$m));
+ fclose($f);
+ }
+
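Review bot: as rendered, both the removed and the added line call `str_replace('<','<',$m)`, which replaces `<` with itself and escapes nothing; the intended replacement is the HTML entity `&lt;`, which the list archive appears to have decoded, so check that the patch file in the source package really contains `str_replace('<','&lt;',$m)` before upload. Separately, the DEP-3 description `defined to true at the end of debug` is unclear (`for debugging purposes` is probably what is meant) and the header has no `Last-Update:` field.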
diff --git a/debian/patches/fix_missing_escape_in_SQL.patch b/debian/patches/fix_missing_escape_in_SQL.patch
new file mode 100644
index 0000000..8024698
--- /dev/null
+++ b/debian/patches/fix_missing_escape_in_SQL.patch
@@ -0,0 +1,18 @@
+From: Cédric Morin <cedric.morin at yterium.com>
+Subject: Fix missing escape in SQL
+
+ * ecrire/inc/quete.php: Fix missing escape in a SQL request.
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/21247
+Bug-Debian: http://bugs.debian.org/742456
+--- a/ecrire/public/quete.php
++++ b/ecrire/public/quete.php
+@@ -248,7 +248,7 @@
+ $exposer[$m][$type][$principal] = true;
+ if ($type == 'id_mot'){
+ if (!$parent) {
+- $parent = sql_getfetsel('id_groupe','spip_mots',"id_mot=" . $principal, '','','','',$connect);
++ $parent = sql_getfetsel('id_groupe','spip_mots',"id_mot=" . intval($principal), '','','','',$connect);
+ }
+ if ($parent)
+ $exposer[$m]['id_groupe'][$parent] = true;
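Review bot: the DEP-3 description names `ecrire/inc/quete.php`, but the diff below it touches `ecrire/public/quete.php`; fix the path in the header. The change itself, building the condition as `"id_mot=" . intval($principal)`, is the right minimal fix for an integer column, since the value can no longer reach the query as raw text.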
diff --git a/debian/patches/series b/debian/patches/series
index 79be5e2..7de80f0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,5 @@ fix_privilege_escalation_2.1.21.patch
fix_CSRF_on_logout.patch
fix_XSS_on_author_page.patch
fix_XSS_on_signature.patch
+fix_missing_escape.patch
+fix_missing_escape_in_SQL.patch
diff --git a/debian/security/ecran_securite.php b/debian/security/ecran_securite.php
index 7e6ec1c..36b0044 100644
--- a/debian/security/ecran_securite.php
+++ b/debian/security/ecran_securite.php
@@ -5,7 +5,7 @@
* ------------------
*/
-define('_ECRAN_SECURITE', '1.1.8'); // 2013-08-29
+define('_ECRAN_SECURITE', '1.1.9'); // 2014-03-13
/*
* Documentation : http://www.spip.net/fr_article4200.html
@@ -254,13 +254,12 @@ if (isset($_REQUEST['connect'])
AND
// cas qui permettent de sortir d'un commentaire PHP
(strpos($_REQUEST['connect'], "?")!==false
+ OR strpos($_REQUEST['connect'], "<")!==false
OR strpos($_REQUEST['connect'], ">")!==false
OR strpos($_REQUEST['connect'], "\n")!==false
OR strpos($_REQUEST['connect'], "\r")!==false)
) {
- $_REQUEST['connect'] = str_replace(array("?", ">", "\r", "\n"), "", $_REQUEST['connect']);
- if (isset($_GET['connect'])) $_GET['connect'] = $_REQUEST['connect'];
- if (isset($_POST['connect'])) $_POST['connect'] = $_REQUEST['connect'];
+ $ecran_securite_raison = "malformed connect argument";
}
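Review bot: the screen switches from repairing the `connect` argument in place (the removed `str_replace` over `$_REQUEST`, `$_GET` and `$_POST`) to refusing the request via `$ecran_securite_raison = "malformed connect argument"`, and `<` is added to the detected characters, which the old `str_replace` list did not strip at all. Refusing is the safer behaviour, but the refusal depends on `$ecran_securite_raison` being acted upon further down the file, outside this hunk; confirm that code path in the 1.1.9 screen, and update the comment `// cas qui permettent de sortir d'un commentaire PHP` to say the argument is now rejected rather than cleaned.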
/*
@@ -317,4 +316,4 @@ if (
}
-?>
+?>
\ No newline at end of file
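Review bot: the only change in this hunk is dropping the newline after the closing `?>` (hence `\ No newline at end of file`); PHP swallows a single newline directly after `?>`, so this is cosmetic, and for a file that is only ever included the more robust fix is to remove the closing `?>` altogether so no trailing output can leak.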
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 0427965..25a8296 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+spip (2.1.1-3squeeze9) squeeze-security; urgency=medium
+
+ * Fix missing escape
+ * Fix missing escape in SQL
+ * Update security screen to 1.1.9 (Closes: #742456)
+
+ -- David Prévot <taffit at debian.org> Thu, 13 Mar 2014 16:58:14 -0300
+
spip (2.1.1-3squeeze8) squeeze; urgency=medium
* Document fixed #729172
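Review bot: as with the wheezy stanza, the 2.1.1-3squeeze9 entries name neither the affected files nor the nature of the issues; `* Fix missing escape in log output (ecrire/inc/log.php)` and `* Fix missing escape in SQL query (ecrire/public/quete.php)`, with the upstream revisions 21251 and 21247 from the patch headers, would make the security content of the upload clear.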
diff --git a/debian/patches/fix_missing_escape.patch b/debian/patches/fix_missing_escape.patch
new file mode 100644
index 0000000..7d08c36
--- /dev/null
+++ b/debian/patches/fix_missing_escape.patch
@@ -0,0 +1,19 @@
+From: Cédric Morin <cedric.morin at yterium.com>
+Subject: Fix missing escape
+
+ * ecrire/inc/log.php: Always escape < in logs, unless the _LOG_BRUT
+ constant is defined to true at the end of debug.
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/21251
+Bug-Debian: http://bugs.debian.org/742456
+--- a/ecrire/inc/log.php
++++ b/ecrire/inc/log.php
+@@ -56,7 +56,7 @@
+
+ $f = @fopen($logfile, "ab");
+ if ($f) {
+- fputs($f, ($logname!==NULL) ? $m : str_replace('<','<',$m));
++ fputs($f, (defined('_LOG_BRUT') AND _LOG_BRUT) ? $m : str_replace('<','<',$m));
+ fclose($f);
+ }
+
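Review bot: this is the same patch as in the wheezy debdiff (identical blob id 7d08c36), so the same concern applies: the visible `str_replace('<','<',$m)` is a no-op as rendered and should read `str_replace('<','&lt;',$m)` in the file actually shipped; verify the source package copy.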
diff --git a/debian/patches/fix_missing_escape_in_SQL.patch b/debian/patches/fix_missing_escape_in_SQL.patch
new file mode 100644
index 0000000..8024698
--- /dev/null
+++ b/debian/patches/fix_missing_escape_in_SQL.patch
@@ -0,0 +1,18 @@
+From: Cédric Morin <cedric.morin at yterium.com>
+Subject: Fix missing escape in SQL
+
+ * ecrire/inc/quete.php: Fix missing escape in a SQL request.
+
+Origin: upstream, http://core.spip.org/projects/spip/repository/revisions/21247
+Bug-Debian: http://bugs.debian.org/742456
+--- a/ecrire/public/quete.php
++++ b/ecrire/public/quete.php
+@@ -248,7 +248,7 @@
+ $exposer[$m][$type][$principal] = true;
+ if ($type == 'id_mot'){
+ if (!$parent) {
+- $parent = sql_getfetsel('id_groupe','spip_mots',"id_mot=" . $principal, '','','','',$connect);
++ $parent = sql_getfetsel('id_groupe','spip_mots',"id_mot=" . intval($principal), '','','','',$connect);
+ }
+ if ($parent)
+ $exposer[$m]['id_groupe'][$parent] = true;
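Review bot: identical to the wheezy patch (blob id 8024698), so the header path `ecrire/inc/quete.php` again disagrees with the file the diff modifies, `ecrire/public/quete.php`; correct it in both debdiffs in the same way.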
diff --git a/debian/patches/series b/debian/patches/series
index 7646257..1ec8a6c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,5 @@ fix_privilege_escalation_2.1.21.patch
fix_CSRF_on_logout.patch
fix_XSS_on_author_page.patch
fix_XSS_on_signature.patch
+fix_missing_escape.patch
+fix_missing_escape_in_SQL.patch
diff --git a/debian/security/ecran_securite.php b/debian/security/ecran_securite.php
index 7e6ec1c..36b0044 100644
--- a/debian/security/ecran_securite.php
+++ b/debian/security/ecran_securite.php
@@ -5,7 +5,7 @@
* ------------------
*/
-define('_ECRAN_SECURITE', '1.1.8'); // 2013-08-29
+define('_ECRAN_SECURITE', '1.1.9'); // 2014-03-13
/*
* Documentation : http://www.spip.net/fr_article4200.html
@@ -254,13 +254,12 @@ if (isset($_REQUEST['connect'])
AND
// cas qui permettent de sortir d'un commentaire PHP
(strpos($_REQUEST['connect'], "?")!==false
+ OR strpos($_REQUEST['connect'], "<")!==false
OR strpos($_REQUEST['connect'], ">")!==false
OR strpos($_REQUEST['connect'], "\n")!==false
OR strpos($_REQUEST['connect'], "\r")!==false)
) {
- $_REQUEST['connect'] = str_replace(array("?", ">", "\r", "\n"), "", $_REQUEST['connect']);
- if (isset($_GET['connect'])) $_GET['connect'] = $_REQUEST['connect'];
- if (isset($_POST['connect'])) $_POST['connect'] = $_REQUEST['connect'];
+ $ecran_securite_raison = "malformed connect argument";
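Review bot: the security screen change is byte-identical to the wheezy one (blob ids 7e6ec1c..36b0044), so the same check applies: the new `$ecran_securite_raison = "malformed connect argument"` only refuses the request if it is handled further down the file, outside this hunk, and the French comment above the condition still describes cleaning rather than rejection.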
}
/*
@@ -317,4 +316,4 @@ if (
}
-?>
+?>
\ No newline at end of file