Multiple vulnerabilities in Bionic and Impish

Bug #1971185 reported by Luís Infante da Câmara
This bug affects 1 person
Affects        Status        Importance  Assigned to       Milestone
spip (Ubuntu)  Fix Released  Undecided   Unassigned
Bionic         Fix Released  Undecided   Eduardo Barretto
Impish         Fix Released  Undecided   Eduardo Barretto

Bug Description

(The vulnerabilities in Focal and Jammy, along with other bugs, are being fixed through the Stable Release Update process in bug #1978555)

The version in Bionic is vulnerable to CVE-2020-28984, CVE-2022-26846 and CVE-2022-26847.

The version in Impish is vulnerable to CVE-2021-44118, CVE-2021-44120, CVE-2021-44122, CVE-2021-44123, CVE-2022-26846 and CVE-2022-26847.

Please backport the versions in Debian buster and bullseye.

information type: Private Security → Public Security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Revision history for this message
Luís Infante da Câmara (luis220413) wrote: Re: Multiple vulnerabilities in Bionic, Focal, Impish and Jammy

SPIP 3.1 is no longer maintained upstream and Debian has not released fixes for CVE-2022-28959, CVE-2022-28960 and CVE-2022-28961 in Stretch. Therefore, I am not patching these CVEs in Bionic.

Changed in spip (Ubuntu):
status: New → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "spip_bionic.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Changed in spip (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Luís, 4.5MB feels pretty unlikely for a security fix; the diffstat on that debdiff is all over the place:

$ diffstat spip_focal.debdiff
 /tmp/9oDFeUYni8/spip-3.2.15/plugins-dist/medias/lib/mejs/mediaelement-flash-audio-ogg.swf |binary
 /tmp/9oDFeUYni8/spip-3.2.15/plugins-dist/medias/lib/mejs/mediaelement-flash-audio.swf |binary
 /tmp/9oDFeUYni8/spip-3.2.15/plugins-dist/medias/lib/mejs/mediaelement-flash-video-hls.swf |binary
 /tmp/9oDFeUYni8/spip-3.2.15/plugins-dist/medias/lib/mejs/mediaelement-flash-video-mdash.swf |binary
 /tmp/9oDFeUYni8/spip-3.2.15/plugins-dist/medias/lib/mejs/mediaelement-flash-video.swf |binary
 spip-3.2.15/.gitignore | 129
 spip-3.2.15/CHANGELOG.TXT | 318 +
 spip-3.2.15/config/ecran_securite.php | 23
...

Normally security fixes add patches to the debian/patches/ directory, modify the debian/patches/series file, and modify debian/changelog. It's very rare to modify files outside of this hierarchy (except for 'native packages', but those don't typically have version numbers this complex).

Could you double-check that you've prepared the patches that you thought you prepared?

Thanks
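
As an added illustration of the sanity check Seth describes (this is example code, not the debdiff attached to this bug and not part of the SPIP package): a small POSIX shell script that lists the files a debdiff touches and flags anything outside debian/, since a security update is expected to change only debian/patches/, debian/patches/series and debian/changelog. The sample debdiff embedded below is constructed for the example, and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Constructed sample debdiff for the example: two legitimate debian/ changes,
# one upstream source file, and one binary blob (the kind of thing the
# diffstat in the comment above shows).
SAMPLE_DEBDIFF='diff -Nru spip-3.1.4/debian/changelog spip-3.1.4/debian/changelog
--- spip-3.1.4/debian/changelog 2022-01-01 00:00:00.000000000 +0000
+++ spip-3.1.4/debian/changelog 2022-06-14 16:41:55.000000000 +0200
@@ -1,3 +1,9 @@
+spip (3.1.4-4~deb9u5build0.18.04.1) bionic-security; urgency=medium
diff -Nru spip-3.1.4/debian/patches/series spip-3.1.4/debian/patches/series
--- spip-3.1.4/debian/patches/series 2022-01-01 00:00:00.000000000 +0000
+++ spip-3.1.4/debian/patches/series 2022-06-14 16:41:55.000000000 +0200
@@ -1 +1,2 @@
+0051-D-pr-cier-et-s-curiser-l-insertion-d-une-galerie-dan.patch
diff -Nru spip-3.1.4/config/ecran_securite.php spip-3.1.4/config/ecran_securite.php
--- spip-3.1.4/config/ecran_securite.php 2022-01-01 00:00:00.000000000 +0000
+++ spip-3.1.4/config/ecran_securite.php 2022-06-14 16:41:55.000000000 +0200
@@ -1 +1 @@
-// old
+// new
Binary files spip-3.1.4/plugins-dist/medias/lib/mejs/mediaelement-flash-audio.swf and spip-3.1.4/plugins-dist/medias/lib/mejs/mediaelement-flash-audio.swf differ
'

# List every file a unified diff touches: the "+++ path<TAB>date" header of
# each text hunk and the "Binary files X and Y differ" marker for binaries.
# Deleted files ("+++ /dev/null") are skipped and the leading directory
# component (e.g. "spip-3.1.4/") is stripped so paths are package-relative.
debdiff_files() {
    {
        grep '^+++ ' "$1" | awk '{print $2}'
        grep '^Binary files ' "$1" | awk '{print $3}'
    } | grep -v '^/dev/null$' | sed 's#^[^/]*/##' | sort -u
}

# Files changed outside debian/; a security debdiff should normally list none.
# "|| true" keeps an empty result from being reported as a failure.
debdiff_non_debian_files() {
    debdiff_files "$1" | grep -v '^debian/' || true
}

# Print a verdict; returns 1 when the debdiff reaches outside debian/.
check_debdiff() {
    n=$(debdiff_non_debian_files "$1" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "OK: every change is under debian/"
        return 0
    fi
    echo "WARNING: $n file(s) changed outside debian/ (unexpected for a security fix):"
    debdiff_non_debian_files "$1" | sed 's/^/  /'
    return 1
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_DEBDIFF" > "$tmp"
check_debdiff "$tmp" || :
rm -f "$tmp"
```

Run it as `sh check_debdiff.sh` on the sample, or call `check_debdiff some.debdiff` on a real attachment; a non-zero exit means the diff touches upstream files and deserves the second look asked for above. Hunk content lines that themselves begin with `++ ` would be mis-read as headers, which is acceptable for a quick triage check but not for anything stricter.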

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

My patches (except for Bionic) are an upgrade to new upstream security and maintenance releases, because I also want users of this package in Ubuntu to get non-security bug fixes.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Except for a few exceptions, such as ffmpeg, we generally don't accept new upstream maintenance releases into the security sponsoring process.

If you really want to introduce new upstream microreleases, you can perhaps try getting them sponsored as Stable Release Updates:

https://wiki.ubuntu.com/StableReleaseUpdates

Changed in spip (Ubuntu):
status: Fix Committed → In Progress
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Please publish the patched package for Bionic.

description: updated
description: updated
description: updated
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

I have just uploaded a package for Focal to my PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates), with the upstream version number set to 3.2.15.1 to circumvent the Launchpad prohibition on uploading original tarballs with the same version number even after deletion.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Same for Impish.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Same for Jammy, but the modified upstream version is 4.0.7.1.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Hi Luís,

I will be taking a deeper look at the debdiffs, but I'm already seeing that you are trying to upgrade versions for focal, impish and jammy. Those we won't be sponsoring as they should be requested through the SRU process on a new bug ticket.

In the meantime, what I can do for impish is similar to what you are trying for bionic, in this case, sync to the debian version 3.2.11-3+deb11u3. That will fix 6 CVEs for impish.

description: updated
summary: - Multiple vulnerabilities in Bionic, Focal, Impish and Jammy
+ Multiple vulnerabilities in Bionic and Impish
description: updated
description: updated
description: updated
description: updated
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Please do so for Impish and also publish a patched package for Bionic.

For Focal and Jammy, I have opened bug #1978555.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Eduardo Barretto, what CVEs will be fixed in Impish? This report only lists 5.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

For impish we have: CVE-2021-44118, CVE-2021-44120, CVE-2021-44122, CVE-2021-44123, CVE-2022-26846 and CVE-2022-26847.

Changed in spip (Ubuntu Bionic):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in spip (Ubuntu Impish):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in spip (Ubuntu Bionic):
status: New → In Progress
Changed in spip (Ubuntu Impish):
status: New → In Progress
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package spip - 3.1.4-4~deb9u5build0.18.04.1

---------------
spip (3.1.4-4~deb9u5build0.18.04.1) bionic-security; urgency=medium

  * fake sync from Debian to fix CVE-2020-28984, CVE-2022-26846 and
    CVE-2022-26847 (LP: #1971185).

spip (3.1.4-4~deb9u5) stretch-security; urgency=medium

  * Non-maintainer upload.
  * Switch back to a sane version number.
  * Add missing dependency on php-xml.
  * Recommend php-gd.
  * Fix security issues, backported from buster:
  * XSS:
    - 0049-Verifier-qu-on-a-bien-le-droit-de-modifier-le-login-.patch
    - 0050-appliquer-rawurlencode-aussi-sur-les-tableaux-qu-on-.patch
  * CVE-2022-26846, CVE-2022-26847:
    - 0022-Utilisation-des-fonctions-de-sanitization-sur-galeri.patch
      + prerequisite.
    - 0051-D-pr-cier-et-s-curiser-l-insertion-d-une-galerie-dan.patch
      + Don't use nullable types, not available in PHP 7.0 in stretch.

spip (3.1.4-4~deb9u4+deb9u2) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Backport security fixes from 3.2.12
    - SQL injections, remote code execution, XSS
  * Fix Articles and Sections editing screens in admin area, which got broken in
    previous upload.
  * Fix user Preferences screen, which got broken in 3.1.4-4~deb9u4.

spip (3.1.4-4~deb9u4+deb9u1) stretch-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * Fix TEMP-0000000-803658

spip (3.1.4-4~deb9u4) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Fix CVE-2020-28984: did not correctly validate he couleur,
    display, display_navigation, display_outils, imessage, and
    spip_ecran parameters.

 -- Luís Infante da Câmara <email address hidden> Tue, 14 Jun 2022 16:41:55 +0200

Changed in spip (Ubuntu Bionic):
status: In Progress → Fix Released
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Impish SPIP version 3.2.11-3+deb11u3build0.21.10.1 released today

Changed in spip (Ubuntu Impish):
status: In Progress → Fix Released
Changed in spip (Ubuntu):
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
status: In Progress → Fix Released