Multiple vulnerabilities in Focal and Jammy

Bug #1978555 reported by Luís Infante da Câmara
Affects / Status / Importance / Assigned to / Milestone
spip (Ubuntu): Fix Released / Medium / Unassigned
Focal: New / Undecided / Unassigned
Jammy: New / Undecided / Unassigned

Bug Description

The version in Focal is vulnerable to CVE-2020-28984, CVE-2022-26846 and CVE-2022-26847.

The version in Jammy is vulnerable to CVE-2022-26846 and CVE-2022-26847.

information type: Private Security → Public Security
description: updated
Luís Infante da Câmara (luis220413) wrote :
Luís Infante da Câmara (luis220413) wrote :
Mathew Hodson (mhodson)
Changed in spip (Ubuntu):
importance: Undecided → Medium
summary: - New upstream maintenance and security releases for Focal and Jammy
+ [SRU] New upstream maintenance and security releases for Focal and Jammy
Luís Infante da Câmara (luis220413) wrote : Re: [SRU] New upstream maintenance and security releases for Focal and Jammy

The version in Kinetic (4.1.2) is not affected by the vulnerabilities listed in this bug.

Changed in spip (Ubuntu):
status: New → Fix Released
Robie Basak (racb) wrote :

For a security update the usual method is to cherry-pick individual required security fixes.

If instead you want to use the SRU process to update to upstream microreleases, then the requirements are documented at https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases. Please provide details such that a reviewer can verify that these requirements are met.

Note that if you use the SRU process, then users electing to receive only security updates will not get the update.

Luís Infante da Câmara (luis220413) wrote :

SPIP does not meet the bulleted criteria in https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases. However, these microreleases are acceptable because all changes can be SRUed.

Approximate translation of the changes in CHANGELOG.TXT (added in the Focal debdiff):

3.2.14 -> 3.2.15
8283532c9 (1) Suppress argument `formulaire_action_sign` from the ACTION url
2ce34e62e (2) Increment spip_version_code to recompile the templates
ac67fc5be (1) Secure the return value of nettoyer_titre_email when it is used from a template
901f58302 (1) Also hide sensitive cookies from $_SERVER['HTTP_COOKIE'] and $_ENV['HTTP_COOKIE']
871777b0f (1) Escape sel_db before reinserting it in a hidden input (but it is quite theoretical, because if we get there it is because we have managed to connect to it, so the name cannot have had special characters)
754677579 (1) Secure HTTP_HOST and REQUEST_URI in url_de_base()
97845aa30 (1) Use \b instead of \s for being more robust in the regex of _PROTEGE_BLOCS
d99890f66 (1) Secure construction of the regex in parametre_url
e9a03a38d (1) Secure the error display when it comes from the url
772a4baed (1) Secure the use of var_mode_xx in the debugger
b28e1f9a3 (1) spip_htmlspecialchars() over all variable displays in the html + filter $adresse_ldap
edb6a01c6 (1) Do not accept a test_dir with .. inside the test for writing directories
3b99287c9 (3) Fix the buggy function by not using the unreliable shortcut keys, but the other (reliable) keys, depending on the requested source (link or not)
SVP/bf0ff95* (1) Escape the URL in the displayed html

3.2.13 -> 3.2.14
medias/e4a3137* (3) Remove typing from PHP views
medias/3014b84* (1,3) Deprecate and secure the insertion of a gallery in the add document forms. This mode is not used in SPIP since 3.0.
mots/844893f* (3) A question mark for id_groupe that allows the display of the groups you want in a public keyword association form
squelettes-dist/93cee41* (3) Report of 8505e7c0ed9118ee31 which was in the dist, and not reported from the neodist template

3.2.12 -> 3.2.13
9ed1818f1 (1) Verify that you have the right to modify the login before accepting a post on this variable
dec69cb7d (3) Tags of each plugin in plugins-dist.json
39fbb0a8e (3) feat(header_silencieux): apply filter |header_silencieux
00222255b (3) Do not store formulaire_action_sign in the plugin configurations
e48c92558 (4) Support .jpeg files when adding a remote document
b2f8e3a59 (1) Also apply rawurlencode() on arrays passed as an argument of parametre_url()
f1b7feae8 (3) Avoid undefined error if get_spip_script() is called after mes_options, before the _SPIP_SCRIPT constant is defined
b6236a92e (3) Restore treatment _TRAITEMENT_TYPO_SANS_NUMERO (multi, supprimer_numero, etc.) on the tag #NOM of the authors
712f5b5df (3) Redirect without loops in a var_mode problem (that sometimes happens on a somewhat wobbly installation)
d793f599e (1 or 3) On some sites, we absolutely want to keep certain caches, so we can inhibit the purge of these directories to avoid any problems.
c4a362f35 (2) Drop misplaced changelog
squelettes-dist/f872fdb* (2) Version 3.2.5
squelettes-dist/ae985dd* (4) feat(header_silencieux): ...


Luís Infante da Câmara (luis220413) wrote :

In Jammy, a fatal bug that only affects servers where ini_set is disabled in PHP is fixed by 3 commits.

Approximate translation of the changes in CHANGELOG.TXT (added in the Jammy debdiff):

4.0.6 -> 4.0.7
3263834e6 (5) Coding standard
24e66e71e (3) Do not break a serialized meta when a user enters an emoji in a configuration form
ea0820f20 (3) Avoid generating too large icons in the list of syndicated articles
a5e7bf2b3 (3) Allow to debug errors on ajax links: the fallback redirects to the URL, but suddenly we can no longer see the problem in the js console. Just raise the flag jQuery.spip.debug to disable fallback automatic redirection
1c2c59065 (3) shell on the option, which is well expires with an s like the http header that we send
1f3a1ad01 (3) Avoid warnings about exec=info in PHP 8
d39740cec (1) Suppress the argument `formulaire_action_sign` in the ACTION url
eb4170130 (2) Increment spip_version_code to recompile the templates
1e16d6a72 (1) Secure the return value of nettoyer_titre_email when it is used from a template
bf099935b (1) Also hide sensitive cookies from $_SERVER['HTTP_COOKIE'] and $_ENV['HTTP_COOKIE']
ae3d98849 (1) Escape sel_db before reinserting it in a hidden input (but it is quite theoretical, because if we get there it is because we have managed to connect to it, so the name cannot have had special characters)
2629de6f0 (1) Secure HTTP_HOST and REQUEST_URI in url_de_base()
52d18a543 (1) Recognize secure cookies *even* if you use a cookie_prefix + allow to extend the list by default through the constant _COOKIE_SECURE_LIST
410a57406 (1) Use \b instead of \s for being more robust in the regex of _PROTEGE_BLOCS
843ed3a52 (1) Secure construction of the regex in parametre_url
91b9a9f5e (1) Secure the error display when it comes from the url
7108815fb (1) Secure the use of var_mode_xx in the debugger
707669e9d (1) spip_htmlspecialchars() over all variable displays in the html + filter $adresse_ldap
9828ab4ba (1) Do not accept a test_dir with .. inside the test for writing directories
Images/0c33dae* (3) Fix a warning in image_aplatir. Test the return value of the function after using it.
MediaBox/29762b9* (3) support for the overlayClose option that had not been implemented when switching to lity
Mots/a04faa9* (3) repair the update from an old SPIP to version 4
SVP/6752c89* (1) Escape the url in the displayed html

4.0.5 -> 4.0.6
12d62612e (3) prevent paginations from spilling over into the small screen
599a27b2e (3) Fix the buggy function by not using the unreliable shortcut keys, but the other (reliable) keys, depending on the requested source (link or not)
688c1ec1b (3) A little JS to avoid double clicks on an action button that launches a long action: when a form.bouton_action_post is submitted, we disable all its buttons and add a processing-submitted-form class on the form, for any useful purpose
0c00bd3f3 (3) this piece of code always returned false strangely in PHP <= 7.4 because the in_array() on ob_get_status() did not work (PHP seems to have fixed this in php 8+). As a result, we can consider that this code is dead, probably a relic of gz output by SPIP at a time, which is no longer done today.
ac226860e (5) ...


Robie Basak (racb) wrote :

> SPIP does not meet the bulleted criteria in https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases. However, these microreleases are acceptable because all changes can be SRUed.

Sorry, I think you misunderstand the policy. If all the changes are acceptable but the bulleted criteria are not met, then you're expected to track and verify every single bug individually. That doesn't seem practical in this case.

I suggest that you proceed by cherry-picking the individual security fixes that are actually necessary and seeking security sponsorship for them.

An exception could be made to the usual requirements, but then a case for that needs to be made please.

Marc Deslauriers (mdeslaur) wrote :

NACK from the security team on the debdiffs in comments #1 and #2 for the reasons stated above. I am unsubscribing ubuntu-security-sponsors for now. Please resubscribe the team once appropriate debdiffs have been attached to this bug. Thanks!

summary: - [SRU] New upstream maintenance and security releases for Focal and Jammy
+ Multiple vulnerabilities in Focal and Jammy
description: updated