Debian Bug report logs - #683378
CVE-2012-0283

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Tue, 31 Jul 2012 09:39:02 UTC

Severity: important

Tags: security

Fixed in version dokuwiki/0.0.20120125b-1

Done: Tanguy Ortolo <tanguy+debian@ortolo.eu>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#683378; Package dokuwiki. (Tue, 31 Jul 2012 09:39:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Tue, 31 Jul 2012 09:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-0283
Date: Tue, 31 Jul 2012 11:35:02 +0200
Package: dokuwiki
Severity: important
Tags: security

Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0283
http://secunia.com/secunia_research/2012-24/
http://bugs.dokuwiki.org/index.php?do=details&task_id=2561

This doesn't warrant a DSA, but you can fix it through a stable point update.

Cheers,
        Moritz



Reply sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
You have taken responsibility. (Wed, 15 Aug 2012 13:51:04 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Wed, 15 Aug 2012 13:51:04 GMT)


Message #10 received at 683378-close@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: 683378-close@bugs.debian.org
Subject: Bug#683378: fixed in dokuwiki 0.0.20120125b-1
Date: Wed, 15 Aug 2012 13:47:39 +0000
Source: dokuwiki
Source-Version: 0.0.20120125b-1

We believe that the bug you reported is fixed in the latest version of
dokuwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683378@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tanguy Ortolo <tanguy+debian@ortolo.eu> (supplier of updated dokuwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Aug 2012 11:46:36 +0200
Source: dokuwiki
Binary: dokuwiki
Architecture: source all
Version: 0.0.20120125b-1
Distribution: unstable
Urgency: high
Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Changed-By: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Description: 
 dokuwiki   - standards compliant simple to use wiki
Closes: 683378
Changes: 
 dokuwiki (0.0.20120125b-1) unstable; urgency=high
 .
   * New upstream bugfix release: sanitize a POST parameter that could be used
     to inject arbitrary HTML and JavaScript, leading to an XSS vulnerability.
     (CVE-2012-0283) (Closes: #683378)
Checksums-Sha1: 
 b7179002aec5caf85b8a0b22b37092d5406e7ccd 1990 dokuwiki_0.0.20120125b-1.dsc
 662c805de802e5889820eb911e3431f18003328a 2507783 dokuwiki_0.0.20120125b.orig.tar.gz
 648953bda17b019f68834d0ba4add0f5fbefc9f4 89167 dokuwiki_0.0.20120125b-1.debian.tar.gz
 77c20726166be9d369ea24af6dea43afb58b67fb 1773466 dokuwiki_0.0.20120125b-1_all.deb
Checksums-Sha256: 
 475071ff6d75803614d528405d374e888c2ab4bd88a50eced41d761f103c19f8 1990 dokuwiki_0.0.20120125b-1.dsc
 0231fd4fabdb14a05628fad60a6d68017b7664b645662d4dfdb5f2f704ca165a 2507783 dokuwiki_0.0.20120125b.orig.tar.gz
 515f82605c2d941083e9acd7488e25989eb36f0f491cd05a0094d46cdf0b4d04 89167 dokuwiki_0.0.20120125b-1.debian.tar.gz
 3ae712614ef7a7c1e75e71e14bddbdfee7de882c7f1e4f9d1a23c62de3949c33 1773466 dokuwiki_0.0.20120125b-1_all.deb
Files: 
 1f73a70990d2e052c8e04868cd0c5e61 1990 web optional dokuwiki_0.0.20120125b-1.dsc
 6bceed04c3c38b3b251c70dfe2f9fca0 2507783 web optional dokuwiki_0.0.20120125b.orig.tar.gz
 ce1cf3934aa76c351600190e40c72e0a 89167 web optional dokuwiki_0.0.20120125b-1.debian.tar.gz
 a44e37a031d6c2c2d3c09aee17f316d9 1773466 web optional dokuwiki_0.0.20120125b-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#683378; Package dokuwiki. (Thu, 16 Aug 2012 12:03:08 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Thu, 16 Aug 2012 12:03:08 GMT)


Message #15 received at 683378@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 683378@bugs.debian.org
Subject: Re: CVE-2012-0283
Date: Thu, 16 Aug 2012 11:15:02 -0000
Package: dokuwiki

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/683378/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#683378; Package dokuwiki. (Thu, 16 Aug 2012 12:21:07 GMT)


Acknowledgement sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Extra info received and forwarded to list. (Thu, 16 Aug 2012 12:21:07 GMT)


Message #20 received at 683378@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: Jonathan Wiltshire <jmw@debian.org>, 683378@bugs.debian.org
Subject: Re: Bug#683378: CVE-2012-0283
Date: Thu, 16 Aug 2012 14:08:27 +0200
[Message part 1 (text/plain, inline)]
Hello Jonathan.

Jonathan Wiltshire, 2012-08-16 11:15-0000:
>Dear maintainer,
>
>Recently you fixed one or more security problems and as a result you closed
>this bug. These problems were not serious enough for a Debian Security
>Advisory, so they are now on my radar for fixing in the following suites
>through point releases:
>
>squeeze (6.0.6) - use target "stable"
>
>Please prepare a minimal-changes upload targeting each of these suites,
>and submit a debdiff to the Release Team [0] for consideration. They will
>offer additional guidance or instruct you to upload your package.

I do not think this is necessary. The fix is for a flaw in the last 
version of DokuWiki, and it does not apply to the previous one which is 
currently in squeeze. I will have to double-check that, but I think that 
version is not concerned.

Regards

-- 
 ,--.
: /` )   Tanguy Ortolo      <xmpp:tanguy@ortolo.eu>
| `-'    Debian Developer   <irc://irc.oftc.net/Tanguy>
 \_
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#683378; Package dokuwiki. (Fri, 17 Aug 2012 08:45:06 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Fri, 17 Aug 2012 08:45:06 GMT)


Message #25 received at 683378@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Cc: <683378@bugs.debian.org>, <team@security.debian.org>
Subject: Re: Bug#683378: CVE-2012-0283
Date: Fri, 17 Aug 2012 09:37:12 +0100
Hi,

On 2012-08-16 13:08, Tanguy Ortolo wrote:
>
> I do not think this is necessary. The fix is for a flaw in the last
> version of DokuWiki, and it does not apply to the previous one which
> is currently in squeeze. I will have to double-check that, but I
> think that version is not concerned.
>

Thanks. If this is indeed the case please confirm so that the security 
tracker can be updated, it currently thinks squeeze is affected.

Cheers,


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#683378; Package dokuwiki. (Fri, 17 Aug 2012 09:09:03 GMT)


Acknowledgement sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Extra info received and forwarded to list. (Fri, 17 Aug 2012 09:09:03 GMT)


Message #30 received at 683378@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: 683378@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#683378: CVE-2012-0283
Date: Fri, 17 Aug 2012 11:04:51 +0200
[Message part 1 (text/plain, inline)]
Jonathan Wiltshire, 2012-08-17 09:37+0100:
>Thanks. If this is indeed the case please confirm so that the 
>security tracker can be updated, it currently thinks squeeze is 
>affected.

I have just had a look at the code: squeeze is affected. I shall prepare 
an update by hand.

-- 
 ,--.
: /` )   Tanguy Ortolo      <xmpp:tanguy@ortolo.eu>
| `-'    Debian Developer   <irc://irc.oftc.net/Tanguy>
 \_
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#683378; Package dokuwiki. (Sat, 18 Aug 2012 09:42:03 GMT)


Acknowledgement sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Extra info received and forwarded to list. (Sat, 18 Aug 2012 09:42:03 GMT)


Message #35 received at 683378@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: 683378@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#683378: CVE-2012-0283
Date: Sat, 18 Aug 2012 11:38:51 +0200
[Message part 1 (text/plain, inline)]
Tanguy Ortolo, 2012-08-17 11:04+0200:
>I have just had a look at the code: squeeze is affected. I shall 
>prepare an update by hand.

Well, after looking more closely, it appears that in fact, it is not. 
The fix for version 0.0.20120125 in testing does apply to 0.0.20091225 
in stable after some modifications, but:
1. it breaks some functionality;
2. it is useless, because it is meant to cover a use case that did not 
   exist at the time (the code to process the POST argument do=media for 
   the possible attack is only present in 0.0.20120125).

So, sorry for my hesitation with this bug…

-- 
 ,--.
: /` )   Tanguy Ortolo      <xmpp:tanguy@ortolo.eu>
| `-'    Debian Developer   <irc://irc.oftc.net/Tanguy>
 \_
[signature.asc (application/pgp-signature, inline)]
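
The changelog in message #10 describes the fix as sanitizing a POST parameter that could carry HTML and JavaScript into the page, and the message above narrows the affected path to the do=media handler that exists only in 0.0.20120125. As an added example, not DokuWiki's own code and not the patch this bug tracks, the following PHP contrasts a handler that reflects a request parameter into the page raw with one that HTML-encodes it before output. The function names (render_unsafe, render_safe, h, read_param) and the sample input are constructed for this illustration.

```php
<?php
// Added example (not DokuWiki's code): the general pattern behind a reflected
// XSS fix. Function names and the sample input are hypothetical.

declare(strict_types=1);

// Vulnerable shape: a request parameter is interpolated into an attribute
// value and into a text node without any encoding, so input containing
// a double quote or '<' changes the page's markup.
function render_unsafe(string $value): string
{
    return '<input type="hidden" name="q" value="' . $value . '">'
         . '<p>' . $value . '</p>';
}

// Hardened helper: context-appropriate HTML encoding.
// ENT_QUOTES encodes both quote styles, so the attribute cannot be closed early;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
// naming the charset avoids encoding mismatches between input and output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same markup as render_unsafe, but every interpolation goes through h().
function render_safe(string $value): string
{
    return '<input type="hidden" name="q" value="' . h($value) . '">'
         . '<p>' . h($value) . '</p>';
}

// Read a parameter the way a handler would: tolerate absence, reject
// non-string values (PHP turns q[]=x into an array) instead of casting them.
function read_param(array $post, string $name): string
{
    return isset($post[$name]) && is_string($post[$name]) ? $post[$name] : '';
}

// Constructed sample input standing in for $_POST: a value that closes the
// attribute and adds a tag when reflected raw.
$sample = ['q' => '"><b>injected</b>'];
$value  = read_param($sample, 'q');

echo "unsafe: " . render_unsafe($value) . "\n";
echo "safe:   " . render_safe($value) . "\n";

// Self-check: the encoded form contains none of the characters that carry
// markup meaning in these two contexts.
$encoded = h($value);
if (strpos($encoded, '<') !== false || strpos($encoded, '"') !== false) {
    fwrite(STDERR, "encoding failed\n");
    exit(1);
}
```

Run it with the PHP CLI (`php example.php`): the "unsafe" line shows the hidden input closed by the injected quote and a new `<b>` element following it, while the "safe" line shows `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;` in both places, rendered by a browser as literal text. The encoding is applied at the point of output, in the context the value lands in, which is what makes a backport decision like the one in this thread tractable: the fix belongs wherever the reflecting code exists, and is moot where that code does not.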

Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#683378; Package dokuwiki. (Mon, 20 Aug 2012 08:36:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Mon, 20 Aug 2012 08:36:03 GMT)


Message #40 received at 683378@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Cc: 683378@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#683378: CVE-2012-0283
Date: Mon, 20 Aug 2012 10:31:48 +0200
On Sat, Aug 18, 2012 at 11:38:51AM +0200, Tanguy Ortolo wrote:
> Tanguy Ortolo, 2012-08-17 11:04+0200:
>> I have just had a look at the code: squeeze is affected. I shall
>> prepare an update by hand.
>
> Well, after looking more closely, it appears that in fact, it is not.
> The fix for version 0.0.20120125 in testing does apply to 0.0.20091225
> in stable after some modifications, but:
> 1. it breaks some functionality;
> 2. it is useless, because it is meant to cover a use case that did not
> exist at the time (the code to process the POST argument do=media for
> the possible attack is only present in 0.0.20120125).
>
> So, sorry for my hesitation with this bug…

Thanks, I've updated the Debian security tracker.

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Sep 2012 07:39:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:25:30 2019; Machine Name: beach
