[Pkg-sogo-maintainers] Bug#1107596: unblock: sogo/5.12.1-2
Jordi Mallach
jordi at debian.org
Tue Jun 10 13:51:19 BST 2025
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: sogo at packages.debian.org
Control: affects -1 + src:sogo
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package sogo
The main fix for this unblock request is the fix for
#1104813, to use Debian packaged versions of some javascript
libs.
Additionally, I have included some upstream git cherry-picks for the
new OIDC support in SOGo, which debuted in 5.12.0; after a few
months, SOGo users have found some issues with it.
The final cherry-pick fixes escaping in a regex for the password changing
functionality.
[ Impact ]
If this isn't accepted, the biggest issue is the release team needing to
update SOGo when/if they fix some JS vulnerabilities in angularjs,
lodash, etc., as well as the OIDC support not playing well with some
IDPs.
[ Tests ]
I have tested the packages in one of my own deployments.
[ Risks ]
The main risk is that I might not have been able to test some code path
that uses one of the replaced JS libs, and thus have not found an issue.
I did diff the vendored versions against the debian versions and
concluded they were the exact same code.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock sogo/5.12.1-2
diff -Nru sogo-5.12.1/debian/changelog sogo-5.12.1/debian/changelog
--- sogo-5.12.1/debian/changelog 2025-05-04 23:21:03.000000000 +0200
+++ sogo-5.12.1/debian/changelog 2025-06-06 11:37:50.000000000 +0200
@@ -1,3 +1,11 @@
+sogo (5.12.1-2) unstable; urgency=medium
+
+ * Replace vendoring of lodash, FileSaver and angularjs with packaged versions.
+ (Closes: #1104813)
+ * Cherry-pick post 5.12.1 fixes for OpenID and password management.
+
+ -- Jordi Mallach <jordi at debian.org> Fri, 06 Jun 2025 11:37:50 +0200
+
sogo (5.12.1-1) unstable; urgency=medium
* New upstream release.
diff -Nru sogo-5.12.1/debian/control sogo-5.12.1/debian/control
--- sogo-5.12.1/debian/control 2025-03-24 14:34:01.000000000 +0100
+++ sogo-5.12.1/debian/control 2025-06-06 11:37:34.000000000 +0200
@@ -62,7 +62,7 @@
Package: sogo-common
Architecture: all
-Depends: ${misc:Depends}
+Depends: libjs-angularjs, libjs-filesaver, libjs-lodash, ${misc:Depends}
Suggests: httpd
Multi-Arch: foreign
Description: Scalable groupware server - common files
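Review bot: the new `Depends: libjs-angularjs, libjs-filesaver, libjs-lodash` line carries no version constraints, so a later upload of any of these packages could replace the scripts SOGo was tested against. Since the request states the vendored copies were diffed against the Debian versions and found identical, record that comparison in the dependency with at least a lower bound, e.g. `libjs-angularjs (>= <version compared>)`, and likewise for the other two.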
diff -Nru sogo-5.12.1/debian/patches/series sogo-5.12.1/debian/patches/series
--- sogo-5.12.1/debian/patches/series 2025-05-04 23:16:30.000000000 +0200
+++ sogo-5.12.1/debian/patches/series 2025-06-06 09:45:21.000000000 +0200
@@ -11,3 +11,5 @@
python3.patch
disable_isIpv4_test.patch
cross.patch
+upstream_openid_fixes.patch
+upstream_password_regex.patch
diff -Nru sogo-5.12.1/debian/patches/upstream_openid_fixes.patch sogo-5.12.1/debian/patches/upstream_openid_fixes.patch
--- sogo-5.12.1/debian/patches/upstream_openid_fixes.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/upstream_openid_fixes.patch 2025-06-06 09:45:21.000000000 +0200
@@ -0,0 +1,161 @@
+commit c5fb3482e22f1bfc935213e8ed7208becd9bd1f4
+Author: Hivert Quentin <quentin.hivert.fr at gmail.com>
+Date: Tue May 13 16:03:13 2025 +0200
+
+ fix(openid): make end_session_endpoint optional
+
+diff --git a/Documentation/SOGoInstallationGuide.asciidoc b/Documentation/SOGoInstallationGuide.asciidoc
+index ae9951da9..372f6b4f8 100644
+--- a/Documentation/SOGoInstallationGuide.asciidoc
++++ b/Documentation/SOGoInstallationGuide.asciidoc
+@@ -1612,7 +1612,7 @@ Defaults to `0` when unset.
+
+ |S |SOGoOpenIdLogoutEnabled
+ |Allow user to end their openId with the webmail. Meaning that will disconnect them from
+-the others applicaitons as well.
++the others applicaitons as well. The openid server must have a end_session_endpoint.
+
+ Defaults to `NO` when unset.
+ |=======================================================================
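Review bot: the rewritten line in the `SOGoOpenIdLogoutEnabled` row keeps the pre-existing typo `applicaitons` and adds `a end_session_endpoint`; since the line is being changed anyway, make it read `the other applications as well. The OpenID server must have an end_session_endpoint.`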
+diff --git a/SoObjects/SOGo/SOGoOpenIdSession.m b/SoObjects/SOGo/SOGoOpenIdSession.m
+index 024d27e15..0dda9b5c2 100644
+--- a/SoObjects/SOGo/SOGoOpenIdSession.m
++++ b/SoObjects/SOGo/SOGoOpenIdSession.m
+@@ -238,7 +238,9 @@ static BOOL SOGoOpenIDDebugEnabled = YES;
+ self->authorizationEndpoint = [config objectForKey: @"authorization_endpoint"];
+ self->tokenEndpoint = [config objectForKey: @"token_endpoint"];
+ self->userinfoEndpoint = [config objectForKey: @"userinfo_endpoint"];
+- self->endSessionEndpoint = [config objectForKey: @"end_session_endpoint"];
++
++ if([config objectForKey: @"end_session_endpoint"])
++ self->endSessionEndpoint = [config objectForKey: @"end_session_endpoint"];
+
+ //Optionnals?
+ if([config objectForKey: @"introspection_endpoint"])
+@@ -346,7 +348,8 @@ static BOOL SOGoOpenIDDebugEnabled = YES;
+ ASSIGN (authorizationEndpoint, [sessionDict objectForKey: @"authorization_endpoint"]);
+ ASSIGN (tokenEndpoint, [sessionDict objectForKey: @"token_endpoint"]);
+ ASSIGN (userinfoEndpoint, [sessionDict objectForKey: @"userinfo_endpoint"]);
+- ASSIGN (endSessionEndpoint, [sessionDict objectForKey: @"end_session_endpoint"]);
++ if([sessionDict objectForKey: @"end_session_endpoint"])
++ ASSIGN (endSessionEndpoint, [sessionDict objectForKey: @"end_session_endpoint"]);
+
+ //Optionnals?
+ if([sessionDict objectForKey: @"introspection_endpoint"])
+@@ -370,7 +373,8 @@ static BOOL SOGoOpenIDDebugEnabled = YES;
+ [sessionDict setObject: authorizationEndpoint forKey: @"authorization_endpoint"];
+ [sessionDict setObject: tokenEndpoint forKey: @"token_endpoint"];
+ [sessionDict setObject: userinfoEndpoint forKey: @"userinfo_endpoint"];
+- [sessionDict setObject: endSessionEndpoint forKey: @"end_session_endpoint"];
++ if(endSessionEndpoint)
++ [sessionDict setObject: endSessionEndpoint forKey: @"end_session_endpoint"];
+
+ //Optionnals?
+ if(introspectionEndpoint)
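Review bot: the three hunks above only guard the assignments of `endSessionEndpoint`; nothing in this patch shows what `logoutUrl` returns when `SOGoOpenIdLogoutEnabled` is `YES` and the discovery document omits `end_session_endpoint`, which is exactly the configuration the documentation change now warns about. Worth confirming that the logout path falls back to a local logout or logs a configuration error in that case, rather than redirecting to an empty or malformed URL.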
+commit 085fc4a9eb7d1e2a0f7b48baa1f09a8ba0d515e1
+Author: Hivert Quentin <quentin.hivert.fr at gmail.com>
+Date: Tue May 20 09:08:46 2025 +0200
+
+ fix(openid): add state in connection flow
+
+diff --git a/SoObjects/SOGo/SOGoOpenIdSession.m b/SoObjects/SOGo/SOGoOpenIdSession.m
+index 0dda9b5c2..38710f4a1 100644
+--- a/SoObjects/SOGo/SOGoOpenIdSession.m
++++ b/SoObjects/SOGo/SOGoOpenIdSession.m
+@@ -18,6 +18,8 @@
+ * Boston, MA 02111-1307, USA.
+ */
+
++#import <Foundation/NSProcessInfo.h>
++
+ #import <NGObjWeb/WOHTTPConnection.h>
+ #import <NGObjWeb/WORequest.h>
+ #import <NGObjWeb/WOResponse.h>
+@@ -435,6 +437,12 @@ static BOOL SOGoOpenIDDebugEnabled = YES;
+ nextCheckAfter: nextCheck];
+ }
+
++
++-(NSString *) _random_state
++{
++ return [[[NSProcessInfo processInfo] globallyUniqueString] asSHA1String];;
++}
++
+ - (NSString*) loginUrl: (NSString *) oldLocation
+ {
+ NSString* logUrl;
+@@ -442,6 +450,7 @@ static BOOL SOGoOpenIDDebugEnabled = YES;
+ logUrl = [logUrl stringByAppendingString: @"&response_type=code"];
+ logUrl = [logUrl stringByAppendingFormat: @"&client_id=%@", self->openIdClient];
+ logUrl = [logUrl stringByAppendingFormat: @"&redirect_uri=%@", oldLocation];
++ logUrl = [logUrl stringByAppendingFormat: @"&state=%@", [self _random_state]];
+ if(self->forDomain != nil && [self->forDomain length] > 0)
+ logUrl = [logUrl stringByAppendingFormat: @"&sogo_domain=%@", forDomain];
+ // logurl = [self->logurl stringByAppendingFormat: @"&state=%@", state];
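Review bot: the `state` value added with `&state=%@` is generated by `_random_state` but never stored or compared: the only other reference is the still commented-out `// logurl = ... &state=%@` line, and no hunk in this patch reads `state` back when the IdP redirects to `redirect_uri`. OAuth 2.0 `state` only prevents login CSRF if the server persists the value it sent (the `sogo_opend_id` session table touched in the next commit would be the natural place) and rejects callbacks whose `state` does not match. Separately, `globallyUniqueString` guarantees uniqueness, not unpredictability, and hashing it with SHA-1 adds no entropy; a random-bytes source is the safer choice. Style nits: the doubled `;;` in `_random_state`, and the method name would be `_randomState` in Objective-C convention.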
+diff --git a/UI/MainUI/SOGoUserHomePage.m b/UI/MainUI/SOGoUserHomePage.m
+index 9a56ed962..e9c5d9573 100644
+--- a/UI/MainUI/SOGoUserHomePage.m
++++ b/UI/MainUI/SOGoUserHomePage.m
+@@ -447,9 +447,9 @@
+ }
+ else if ([authType isEqualToString: @"openid"])
+ {
+- SOGoOpenIdSession* session;
+- session = [SOGoOpenIdSession OpenIdSession: loginDomain];
+- redirectURL = [session logoutUrl];
++ SOGoOpenIdSession* sessionOidc;
++ sessionOidc = [SOGoOpenIdSession OpenIdSession: loginDomain];
++ redirectURL = [sessionOidc logoutUrl];
+ }
+ #if defined(SAML2_CONFIG)
+ else if ([authType isEqualToString: @"saml2"])
+commit 9954c3607bfda55424f5ac532a1075407235f345
+Author: Hivert Quentin <quentin.hivert.fr at gmail.com>
+Date: Wed May 21 14:50:41 2025 +0200
+
+ fix(openid): allow expires_in param to be null
+
+diff --git a/SOPE/GDLContentStore/GCSSpecialQueries.m b/SOPE/GDLContentStore/GCSSpecialQueries.m
+index 167b38559..ca7709e03 100644
+--- a/SOPE/GDLContentStore/GCSSpecialQueries.m
++++ b/SOPE/GDLContentStore/GCSSpecialQueries.m
+@@ -218,7 +218,7 @@
+ @" c_old_session VARCHAR(4096) NULL,"
+ @" c_session_started INT4 NOT NULL,"
+ @" c_refresh_token VARCHAR(4096) NULL,"
+- @" c_access_token_expires_in INT4 NOT NULL,"
++ @" c_access_token_expires_in INT4 NULL,"
+ @" c_refresh_token_expires_in INT4 NULL)");
+
+ return [NSString stringWithFormat: sqlFolderFormat, tableName];
+@@ -379,7 +379,7 @@
+ @" c_old_session VARCHAR(4096) NULL,"
+ @" c_session_started INT4 NOT NULL,"
+ @" c_refresh_token VARCHAR(4096) NULL,"
+- @" c_access_token_expires_in INT4 NOT NULL,"
++ @" c_access_token_expires_in INT4 NULL,"
+ @" c_refresh_token_expires_in INT4 NULL)");
+
+ return [NSString stringWithFormat: sqlFolderFormat, tableName];
+@@ -540,7 +540,7 @@
+ @" c_old_session VARCHAR2(4096) NULL,"
+ @" c_session_started INTEGER NOT NULL,"
+ @" c_refresh_token VARCHAR2(4096) NULL,"
+- @" c_access_token_expires_in INTEGER NOT NULL,"
++ @" c_access_token_expires_in INTEGER NULL,"
+ @" c_refresh_token_expires_in INTEGER NULL)");
+
+ return [NSString stringWithFormat: sqlFolderFormat, tableName];
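Review bot: relaxing `c_access_token_expires_in` to `NULL` in these three `CREATE TABLE` strings only affects tables created from now on; a deployment that already ran 5.12.1-1 still has the column as `NOT NULL`, so an IdP that omits `expires_in` will keep failing the insert after the upgrade. Either ship an `ALTER TABLE ... MODIFY` step for existing installs (or at least document it in NEWS or README.Debian), or have the code substitute a default when the parameter is absent.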
+diff --git a/Scripts/mysql-utf8mb4.sql b/Scripts/mysql-utf8mb4.sql
+index 38dd90ecb..41a8824e5 100644
+--- a/Scripts/mysql-utf8mb4.sql
++++ b/Scripts/mysql-utf8mb4.sql
+@@ -170,7 +170,7 @@ CREATE TABLE sogo_opend_id (
+ c_old_session varchar(4096) DEFAULT '',
+ c_session_started int(11) NOT NULL,
+ c_refresh_token varchar(4096) DEFAULT '',
+- c_access_token_expires_in int(11) NOT NULL,
++ c_access_token_expires_in int(11) DEFAULT '',
+ c_refresh_token_expires_in int(11) DEFAULT NULL,
+ PRIMARY KEY (c_user_session)
+ ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC;
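Review bot: `c_access_token_expires_in int(11) DEFAULT ''` is wrong for an integer column: under MySQL strict mode (the default since 5.7) the `CREATE TABLE` fails with an invalid default value, and in non-strict mode `''` is coerced to 0 rather than NULL, which is not what the GCSSpecialQueries change above intends. Use `DEFAULT NULL`, as the very next line `c_refresh_token_expires_in int(11) DEFAULT NULL` already does.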
diff -Nru sogo-5.12.1/debian/patches/upstream_password_regex.patch sogo-5.12.1/debian/patches/upstream_password_regex.patch
--- sogo-5.12.1/debian/patches/upstream_password_regex.patch 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/patches/upstream_password_regex.patch 2025-06-06 09:45:21.000000000 +0200
@@ -0,0 +1,19 @@
+commit e36d0d219baed8c7d57af0069fadb8d1bf7df072
+Author: Hivert Quentin <quentin.hivert.fr at gmail.com>
+Date: Tue May 13 16:51:08 2025 +0200
+
+ fix(password): put correct regex for special char
+
+diff --git a/SoObjects/SOGo/SOGoPasswordPolicy.m b/SoObjects/SOGo/SOGoPasswordPolicy.m
+index 02bb8be07..5db36c4a5 100644
+--- a/SoObjects/SOGo/SOGoPasswordPolicy.m
++++ b/SoObjects/SOGo/SOGoPasswordPolicy.m
+@@ -33,7 +33,7 @@ static const NSString *POLICY_MIN_DIGIT = @"POLICY_MIN_DIGIT";
+ static const NSString *POLICY_MIN_SPECIAL_SYMBOLS = @"POLICY_MIN_SPECIAL_SYMBOLS";
+ static const NSString *POLICY_MIN_LENGTH = @"POLICY_MIN_LENGTH";
+
+-static const NSString *SPECIAL_SYMBOL_ALLOWED = @"%$&*(){}!?\\@#.,:;+=\\[\\]\\|<>\\/-_";
++static const NSString *SPECIAL_SYMBOL_ALLOWED = @"%$&*(){}!?\\@#.,:;+=\\[\\]\\|<>\\/\\-_";
+
+ @implementation SOGoPasswordPolicy
+
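Review bot: the fix is correct, and the reason deserves a line in the changelog: inside a character class the unescaped `/-_` at the end of the old `SPECIAL_SYMBOL_ALLOWED` was a range from `/` (0x2F) to `_` (0x5F), which covers the digits, the uppercase letters and `:;<=>?@[\]^`, so those characters were counted towards `POLICY_MIN_SPECIAL_SYMBOLS` and a password could satisfy the special-symbol minimum without containing one. With `\\-` the hyphen is literal. Note that the allowed set still omits `^`, backtick, `~`, `'` and `"`, which upstream should confirm is an intentional policy choice.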
diff -Nru sogo-5.12.1/debian/rules sogo-5.12.1/debian/rules
--- sogo-5.12.1/debian/rules 2025-03-21 13:22:07.000000000 +0100
+++ sogo-5.12.1/debian/rules 2025-06-06 11:37:34.000000000 +0200
@@ -45,6 +45,15 @@
mkdir -p debian/tmp/usr/share/GNUstep/SOGo
mv debian/tmp/usr/lib/*/GNUstep/SOGo/Templates debian/tmp/usr/lib/*/GNUstep/SOGo/WebServerResources debian/tmp/usr/share/GNUstep/SOGo
+ # Use packaged 3rd party javascript libraries available in Debian
+ rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/FileSaver.min.js*
+ rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.js
+ rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.min.js*
+ rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-{animate,aria,cookies,messages,sanitize}.js
+ rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-{animate,aria,cookies,messages,sanitize}.min.js*
+ rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.js
+ rm -f debian/tmp/usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.min.js*
+
dh_install
override_dh_installchangelogs:
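Review bot: the two `rm -f .../angular-{animate,aria,cookies,messages,sanitize}.js` and `.min.js*` lines rely on brace expansion, which is a bashism; debian/rules recipes run under `/bin/sh` unless the file sets `SHELL := /bin/bash`, and with `-f` a non-match is silent, so the vendored angular-* modules would survive in debian/tmp and collide with the symlinks from sogo-common.links. Spell the five filenames out or use a shell loop, and add a post-removal check that fails the build if any regular file with these names remains under `js/vendor/`.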
diff -Nru sogo-5.12.1/debian/sogo-common.links sogo-5.12.1/debian/sogo-common.links
--- sogo-5.12.1/debian/sogo-common.links 1970-01-01 01:00:00.000000000 +0100
+++ sogo-5.12.1/debian/sogo-common.links 2025-06-06 09:45:21.000000000 +0200
@@ -0,0 +1,15 @@
+usr/share/javascript/angular.js/angular.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.js
+usr/share/javascript/angular.js/angular.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular.min.js
+usr/share/javascript/angular.js/angular-animate.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-animate.js
+usr/share/javascript/angular.js/angular-animate.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-animate.min.js
+usr/share/javascript/angular.js/angular-aria.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-aria.js
+usr/share/javascript/angular.js/angular-aria.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-aria.min.js
+usr/share/javascript/angular.js/angular-cookies.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-cookies.js
+usr/share/javascript/angular.js/angular-cookies.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-cookies.min.js
+usr/share/javascript/angular.js/angular-messages.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-messages.js
+usr/share/javascript/angular.js/angular-messages.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-messages.min.js
+usr/share/javascript/angular.js/angular-sanitize.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-sanitize.js
+usr/share/javascript/angular.js/angular-sanitize.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/angular-sanitize.min.js
+usr/share/javascript/filesaver/FileSaver.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/FileSaver.min.js
+usr/share/javascript/lodash/lodash.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.js
+usr/share/javascript/lodash/lodash.min.js usr/share/GNUstep/SOGo/WebServerResources/js/vendor/lodash.min.js
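Review bot: every target path here must exist exactly as written in libjs-angularjs, libjs-filesaver and libjs-lodash, and dh_link does not verify that; a dangling link would surface only as a 404 for `angular.min.js` in the browser, i.e. a blank webmail, with nothing in the build log. An autopkgtest (or a simple post-install check) that resolves each link listed in sogo-common.links would catch a path change in those packages. Also, the `.map` files that the `rm -f ...min.js*` globs in debian/rules delete are not recreated here, so expect harmless source-map 404s in browser devtools.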