Debian Bug report logs -
#391291
CVE-2006-509[89]: DokuWiki 2006-03-09e fixes security issues
Reported by: Stefan Fritsch <sf@sfritsch.de>
Date: Thu, 5 Oct 2006 21:04:05 UTC
Severity: grave
Tags: fixed, patch, security
Fixed in versions 0.0.20060309-5.2, dokuwiki/0.0.20060309e-1, dokuwiki/0.0.20061019~rc3-1
Done: Mohammed Adnène Trojette <adn+deb@diwi.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Matti Pöllä <mpo@iki.fi>:
Bug#391291; Package dokuwiki.
(full text, mbox, link).
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Matti Pöllä <mpo@iki.fi>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: dokuwiki
Severity: grave
Tags: security
Justification: user security hole
DokuWiki can be exploited by malicious people to cause a DoS (Denial of
Service) or potentially compromise a vulnerable system.
CVE-2006-5098:
lib/exec/fetch.php in DokuWiki before 2006-03-09e allows remote
attackers to cause a denial of service (CPU consumption) via large w
and h parameters, when resizing an image.
CVE-2006-5099:
lib/exec/fetch.php in DokuWiki before 2006-03-09e, when
conf[imconvert] is configured to use ImageMagick, allows remote
attackers to execute arbitrary commands via shell metacharacters in
the (1) w and (2) h parameters, which are not filtered when invoking
convert.
Information forwarded to debian-bugs-dist@lists.debian.org, Matti Pöllä <mpo@iki.fi>:
Bug#391291; Package dokuwiki.
(full text, mbox, link).
Acknowledgement sent to Mohammed Adnène Trojette <adn+deb@diwi.org>:
Extra info received and forwarded to list. Copy sent to Matti Pöllä <mpo@iki.fi>.
(full text, mbox, link).
Message #10 received at 391291@bugs.debian.org (full text, mbox, reply):
tag 391291 patch
thanks
On Thu, Oct 05, 2006, Stefan Fritsch wrote:
> Package: dokuwiki
> Severity: grave
> Tags: security
> Justification: user security hole
>
> DokuWiki can be exploited by malicious people to cause a DoS (Denial of
> Service) or potentially compromise a vulnerable system.
>
> CVE-2006-5098:
> lib/exec/fetch.php in DokuWiki before 2006-03-09e allows remote
> attackers to cause a denial of service (CPU consumption) via large w
> and h parameters, when resizing an image.
>
> CVE-2006-5099:
> lib/exec/fetch.php in DokuWiki before 2006-03-09e, when
> conf[imconvert] is configured to use ImageMagick, allows remote
> attackers to execute arbitrary commands via shell metacharacters in
> the (1) w and (2) h parameters, which are not filtered when invoking
> convert.
Here is the patch to apply:
diff -urNb dokuwiki-2006-03-09d/lib/exe/fetch.php dokuwiki-2006-03-09e/lib/exe/fetch.php
--- dokuwiki-2006-03-09d/lib/exe/fetch.php 2006-03-09 21:32:34.000000000 +0100
+++ dokuwiki-2006-03-09e/lib/exe/fetch.php 2006-09-26 22:09:40.000000000 +0200
@@ -21,8 +21,8 @@
//get input
$MEDIA = getID('media',false); // no cleaning - maybe external
$CACHE = calc_cache($_REQUEST['cache']);
- $WIDTH = $_REQUEST['w'];
- $HEIGHT = $_REQUEST['h'];
+ $WIDTH = (int) $_REQUEST['w'];
+ $HEIGHT = (int) $_REQUEST['h'];
list($EXT,$MIME) = mimetype($MEDIA);
if($EXT === false){
$EXT = 'unknown';
@@ -198,6 +198,8 @@
$info = getimagesize($file);
if(!$h) $h = round(($w * $info[1]) / $info[0]);
+ // we wont scale up to infinity
+ if($w > 2000 || $h > 2000) return $file;
//cache
$local = getCacheName($file,'.media.'.$w.'x'.$h.'.'.$ext);
diff -urNb dokuwiki-2006-03-09d/VERSION dokuwiki-2006-03-09e/VERSION
--- dokuwiki-2006-03-09d/VERSION 2006-09-13 20:46:59.000000000 +0200
+++ dokuwiki-2006-03-09e/VERSION 2006-09-26 22:08:13.000000000 +0200
@@ -1 +1 @@
-2006-03-09d
+2006-03-09e
Matti, please could you prepare a maintainer upload for that? Or should
I NMU it?
--
adn
Mohammed Adnène Trojette
Tags added: patch
Request was from Mohammed Adnène Trojette <adn+deb@diwi.org>
to control@bugs.debian.org.
(full text, mbox, link).
Tags added: pending
Request was from Mohammed Adnène Trojette <adn+deb@diwi.org>
to control@bugs.debian.org.
(full text, mbox, link).
Tags added: fixed
Request was from Mohammed Adnène Trojette <adn+deb@diwi.org>
to control@bugs.debian.org.
(full text, mbox, link).
Bug marked as fixed in version 0.0.20060309-5.2, send any further explanations to Stefan Fritsch <sf@sfritsch.de>
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Message sent on to Stefan Fritsch <sf@sfritsch.de>:
Bug#391291.
(full text, mbox, link).
Message #21 received at 391291-submitter@bugs.debian.org (full text, mbox, reply):
# Hi folks,
#
# All of these bugs have been fixed in NMU, but not acknowledged by the
# maintainers. With version tracking in the Debian BTS, it is important to
# know which version of a package fixes each bug so that they can be tracked
# for release status in the BTS, so I'm closing these bugs with the relevant
# version number information now.
close 386081 0.99.10-1.1
close 386185 6.5.0.cvs.20060524-1.1
close 386201 2.0.14-0.1
close 386202 2.0.14-0.1
close 386222 0.13.alfa.8-3.1
close 386223 0.13-13.2
close 386229 0.35-6.1
close 386267 2.0.5-1.1
close 386305 0.0.26-5.1
close 386319 1.2.0-3.2
close 386491 1.1-2.1
close 386620 0.3.8-5.1
close 386707 20060907.1
close 386719 2.0.5-1.1
close 386829 0.65.1
close 386833 0.15-1.2
close 386902 2.2.3-1.2
close 387063 2.6.4-2.1
close 387094 2.2.3-1.3
close 387133 2:1.0.0-9
close 387220 0.65.1
close 387433 1.3-1.2
close 387972 0.0.20060309-5.1
close 387974 0.0.20060309-5.1
close 387983 2:0.92-3.1
close 388026 2.8.5-1.2
close 388082 0.0.20060309-5.1
close 388314 1:0.3.7-3.1
close 388535 1.4.3.dfsg-1.2
close 388605 1.0.2-0.1
close 388609 0.3.7-4.2
close 388661 0.15-16.1
close 389171 1.23-1.1
close 389233 1.99.beta2.1
close 389246 2.7.7-12.1
close 389304 3.2.3-1.1
close 389350 2.0.4-2.1
close 389352 3.3.0-5.4
close 389375 2.4.0-4.2
close 389377 1.0.4-1.2
close 389387 2.6.2-24.1
close 389391 0.3.8-1.2
close 389458 0.35-6.1
close 389560 2:0.92-3.1
close 389609 1.2.4par-0.2
close 389639 1.1.1-0.2
close 389640 0.3.7-4.2
close 389696 0.6-2.1
close 389760 1.1.0+1.1.1-a021-1.1
close 389769 3.0.8-0.2
close 389965 4.4rc.2-3.1
close 389968 4.51.5-1.1
close 390008 0.9.6-1.1
close 390276 2.13~beta3-0.1
close 390304 0.2.0-1
close 390384 0.12-5.1
close 390390 2.8.8-1.1
close 390403 0.0.20040112.dfsg-0.2
close 390467 1.0.0-1.1
close 390560 6.5.1-0.2
close 390657 1.0+dfsg0-0.1
close 390666 0.4.5+dfsg0-0.1
close 390671 3.13-7.1
close 390969 0.2-2.2
close 391025 1.1.2-1.1
close 391157 2.2.0-3.1
close 391181 2.0.10.1.1
close 391190 0.09-1.1
close 391199 0.84-6.1
close 391201 1.0.1-2.1
close 391206 2003.00.00-2.1
close 391208 0.7-9.1
close 391237 5.6.3-2.1
close 391257 0.20.1-1.1
close 391266 1.5.12.1-19.1
close 391291 0.0.20060309-5.2
close 391391 0.12-2.2
close 391465 2.0-8.1
close 391566 1:1.6.1-7.1
close 391601 3:20020927-3.1
close 391695 0.4.6-0.1
close 391696 1:3.9.20060704-2.1
close 391697 2.0-6.1
close 391749 1.0-1.1
close 391750 2.0.2-2.2
close 391752 1.1.1-6.1
close 391754 4.4rc.2-3.1
close 391755 1.1.4-3.1
close 391760 4.996-5.0-rc7-1.1
close 391767 2.0.48-4-2.2
close 391782 0.4-1.1
close 391791 1.2.6-1.1
close 391808 3.5-1.2
close 391848 0.2.7.1-1.1
close 392053 0.5.0-1.4
close 392154 3.06.dfsg.1-0.1
close 392164 0.31-5.1
close 392166 1.2
close 392318 1.5.1.dfsg-2.1
close 392422 0.2.0-1
close 392730 0.4.6-0.2
close 392855 1.4.29-1
close 393012 0.4-1.1
close 393044 5.4.2-1.1
close 393051 1.9~b3-1
close 393388 0.4.5+dfsg0-0.1
close 393726 1.71.0.dfsg.1-1.1
thanks
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
Reply sent to Mohammed Adnène Trojette <adn+deb@diwi.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #26 received at 391291-close@bugs.debian.org (full text, mbox, reply):
Source: dokuwiki
Source-Version: 0.0.20060309e-1
We believe that the bug you reported is fixed in the latest version of
dokuwiki, which is due to be installed in the Debian FTP archive:
dokuwiki_0.0.20060309e-1.diff.gz
to pool/main/d/dokuwiki/dokuwiki_0.0.20060309e-1.diff.gz
dokuwiki_0.0.20060309e-1.dsc
to pool/main/d/dokuwiki/dokuwiki_0.0.20060309e-1.dsc
dokuwiki_0.0.20060309e-1_all.deb
to pool/main/d/dokuwiki/dokuwiki_0.0.20060309e-1_all.deb
dokuwiki_0.0.20060309e.orig.tar.gz
to pool/main/d/dokuwiki/dokuwiki_0.0.20060309e.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 391291@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mohammed Adnène Trojette <adn+deb@diwi.org> (supplier of updated dokuwiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 5 Nov 2006 20:27:16 +0100
Source: dokuwiki
Binary: dokuwiki
Architecture: source all
Version: 0.0.20060309e-1
Distribution: unstable
Urgency: high
Maintainer: Mohammed Adnène Trojette <adn+deb@diwi.org>
Changed-By: Mohammed Adnène Trojette <adn+deb@diwi.org>
Description:
dokuwiki - a standards compliant simple to use wiki
Closes: 326810 340028 374094 374750 378250 384007 387972 387974 388082 389207 389442 391291 394083 394210 397030
Changes:
dokuwiki (0.0.20060309e-1) unstable; urgency=low
.
* New maintainer.
* Switch to quilt for patch management.
* Reorder Build-Depends and Build-Depends-Indep.
* New upstream version:
+ remove new_upstream_2006-03-09e.
* Ack Non Maintainer Uploads. (Closes: #389442)
* Use dh_install instead of copying:
+ makes .htaccess a conffile. (Closes: #394083)
* Add bin/ directory to installation. (Closes: #378250)
+ add php{4,5}-cli to Recommends.
* Debconf Translations updates:
+ German, thanks to Erik Schanze. (Closes: #397030)
* New debconf Translations:
+ Portuguese, thanks to Rui Branco. (Closes: #394210)
.
dokuwiki (0.0.20060309-5.2) unstable; urgency=high
.
* Non-maintainer upload.
* Refresh new_upstream_2006-03-09d into new_upstream_2006-03-09e.
(Closes: #391291)
* Correct templates:
+ patch from Thomas Huriaux.
* Debconf Translations updates:
+ Czech, thanks to Miroslav Kure.
+ Swedish, thanks to Daniel Nylander.
+ French, thanks to Steve Petruzzello.
.
dokuwiki (0.0.20060309-5.1) unstable; urgency=high
.
* Non-maintainer upload.
* Add a new_upstream_2006-03-09d dpatch (Closes: #388082):
+ integrate fixspellcheckersecurityflaw.dpatch.
* Stop removing conffiles in postinst/postrm (Closes: #387974):
+ unlink lines commented out.
* Stop relaunching webservers in postinst/postrm (Closes: #387972):
+ restart_webservers() not launched.
* Debconf Translations:
+ French, thanks to Steve. (Closes: #374750, #384007)
+ Czech, thanks to Miroslav Kure. (Closes: #389207)
* Run debconf-updatepo and fix templates:
+ patch from Simon Paillard. (Closes: #374094)
* Add a localhost entry in dokuwiki.conf. (Closes: #326810)
* Depend on apache2 instead of apache2-mpm-prefork.
* Recommends imagemagick | php4-gd | php5-gd to store different sized cached
images. (Closes: #340028)
Files:
e1159e292a345ab14dcfb3f60a1d2158 650 web optional dokuwiki_0.0.20060309e-1.dsc
d6d3aa9e2f32ebbdb04ee07cd84a19e5 835945 web optional dokuwiki_0.0.20060309e.orig.tar.gz
86835d4e6dab762edf948eed13ca0882 24261 web optional dokuwiki_0.0.20060309e-1.diff.gz
743d44b118a7f150dfdb63c014f0517f 875342 web optional dokuwiki_0.0.20060309e-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFTkRCOU3FkQ7XBOoRAiIXAJ4wnO4lAM5dvlpB2ZaMTaiWh7+hZgCg7J0z
YDZP2yZthMO/3qa2Q2yErVs=
=J2Ui
-----END PGP SIGNATURE-----
Reply sent to Mohammed Adnène Trojette <adn+deb@diwi.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #31 received at 391291-close@bugs.debian.org (full text, mbox, reply):
Source: dokuwiki
Source-Version: 0.0.20061019~rc3-1
We believe that the bug you reported is fixed in the latest version of
dokuwiki, which is due to be installed in the Debian FTP archive:
dokuwiki_0.0.20061019~rc3-1.diff.gz
to pool/main/d/dokuwiki/dokuwiki_0.0.20061019~rc3-1.diff.gz
dokuwiki_0.0.20061019~rc3-1.dsc
to pool/main/d/dokuwiki/dokuwiki_0.0.20061019~rc3-1.dsc
dokuwiki_0.0.20061019~rc3-1_all.deb
to pool/main/d/dokuwiki/dokuwiki_0.0.20061019~rc3-1_all.deb
dokuwiki_0.0.20061019~rc3.orig.tar.gz
to pool/main/d/dokuwiki/dokuwiki_0.0.20061019~rc3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 391291@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mohammed Adnène Trojette <adn+deb@diwi.org> (supplier of updated dokuwiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 5 Nov 2006 21:09:41 +0100
Source: dokuwiki
Binary: dokuwiki
Architecture: source all
Version: 0.0.20061019~rc3-1
Distribution: experimental
Urgency: high
Maintainer: Mohammed Adnène Trojette <adn+deb@diwi.org>
Changed-By: Mohammed Adnène Trojette <adn+deb@diwi.org>
Description:
dokuwiki - a standards compliant simple to use wiki
Closes: 326810 340028 341468 374094 374750 378242 378250 384007 387972 387974 388082 389207 389442 391291 394083 394210 397030
Changes:
dokuwiki (0.0.20061019~rc3-1) experimental; urgency=low
.
* New upstream Release Candidate:
+ refresh all the patches.
+ fix .htaccess. (Closes: #341468, #378242)
.
dokuwiki (0.0.20060309e-1) unstable; urgency=low
.
* New maintainer.
* Switch to quilt for patch management.
* Reorder Build-Depends and Build-Depends-Indep.
* New upstream version:
+ remove new_upstream_2006-03-09e.
* Ack Non Maintainer Uploads. (Closes: #389442)
* Use dh_install instead of copying:
+ makes .htaccess a conffile. (Closes: #394083)
* Add bin/ directory to installation. (Closes: #378250)
+ add php{4,5}-cli to Recommends.
* Debconf Translations updates:
+ German, thanks to Erik Schanze. (Closes: #397030)
* New debconf Translations:
+ Portuguese, thanks to Rui Branco. (Closes: #394210)
.
dokuwiki (0.0.20060309-5.2) unstable; urgency=high
.
* Non-maintainer upload.
* Refresh new_upstream_2006-03-09d into new_upstream_2006-03-09e.
(Closes: #391291)
* Correct templates:
+ patch from Thomas Huriaux.
* Debconf Translations updates:
+ Czech, thanks to Miroslav Kure.
+ Swedish, thanks to Daniel Nylander.
+ French, thanks to Steve Petruzzello.
.
dokuwiki (0.0.20060309-5.1) unstable; urgency=high
.
* Non-maintainer upload.
* Add a new_upstream_2006-03-09d dpatch (Closes: #388082):
+ integrate fixspellcheckersecurityflaw.dpatch.
* Stop removing conffiles in postinst/postrm (Closes: #387974):
+ unlink lines commented out.
* Stop relaunching webservers in postinst/postrm (Closes: #387972):
+ restart_webservers() not launched.
* Debconf Translations:
+ French, thanks to Steve. (Closes: #374750, #384007)
+ Czech, thanks to Miroslav Kure. (Closes: #389207)
* Run debconf-updatepo and fix templates:
+ patch from Simon Paillard. (Closes: #374094)
* Add a localhost entry in dokuwiki.conf. (Closes: #326810)
* Depend on apache2 instead of apache2-mpm-prefork.
* Recommends imagemagick | php4-gd | php5-gd to store different sized cached
images. (Closes: #340028)
Files:
3a8c5ff036e722a19be8cb2ff7325557 660 web optional dokuwiki_0.0.20061019~rc3-1.dsc
dc4091c839e21dbaa661d01c851e801a 1031164 web optional dokuwiki_0.0.20061019~rc3.orig.tar.gz
b1c6a9381466f273e66c8b3a2e6388da 24482 web optional dokuwiki_0.0.20061019~rc3-1.diff.gz
5e59fbd097cda6ea7856829f0690106f 1078812 web optional dokuwiki_0.0.20061019~rc3-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFTk2gOU3FkQ7XBOoRAtaqAKC55kCNgkc3KHRaufyxdiciwy/tLwCghRlL
FrioDg4SbR/Vp8AYP2ozBr8=
=YmBV
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 27 Jun 2007 03:47:17 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:08:24 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon