Hello,

My package dokuwiki 0.0.20091225c-10+squeeze2 in oldstable is affected by CVE-2014-8763 and CVE-2014-8764 (which are almost the same, and fixed by the same patch).
I have prepared an updated version 0.0.20091225c-10+squeeze3, which I am considering uploading to squeeze-lts. Is that okay?
Here is the debdiff (yes, I will have to set the target distribution to squeeze-lts) and the patch it adds.
Librement,
--
Tanguy Ortolo <xmpp:tanguy@ortolo.eu>
Debian Developer <irc://irc.oftc.net/Tanguy>
diff -Nru dokuwiki-0.0.20091225c/debian/changelog dokuwiki-0.0.20091225c/debian/changelog --- dokuwiki-0.0.20091225c/debian/changelog 2011-06-29 01:50:12.000000000 +0200 +++ dokuwiki-0.0.20091225c/debian/changelog 2014-10-29 14:44:37.000000000 +0100 @@ -1,3 +1,12 @@ +dokuwiki (0.0.20091225c-10+squeeze3) UNRELEASED; urgency=medium + + * debian/patches: + + fix_ldap_auth_bypass_CVE-2014-8763.diff: fix an authentication bypass + flaw when using Active Directory for LDAP authentication. + (CVE-2014-8763, CVE-2014-8764) + + -- Tanguy Ortolo <tanguy+debian@ortolo.eu> Wed, 29 Oct 2014 14:17:00 +0100 + dokuwiki (0.0.20091225c-10+squeeze2) stable; urgency=low * debian/patches/rss_security.diff: Backport an upstream security fix for diff -Nru dokuwiki-0.0.20091225c/debian/patches/fix_ldap_auth_bypass_CVE-2014-8763.diff dokuwiki-0.0.20091225c/debian/patches/fix_ldap_auth_bypass_CVE-2014-8763.diff --- dokuwiki-0.0.20091225c/debian/patches/fix_ldap_auth_bypass_CVE-2014-8763.diff 1970-01-01 01:00:00.000000000 +0100 +++ dokuwiki-0.0.20091225c/debian/patches/fix_ldap_auth_bypass_CVE-2014-8763.diff 2014-10-29 14:44:51.000000000 +0100 
@@ -0,0 +1,27 @@ +From: Andreas Gohr <andi@splitbrain.org> +Subject: Clean user credentials from control chars to prevent auth bypass + + This is to prevent zero byte attacks on external auth systems as described in + http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication + (CVE-2014-8763, CVE-2014-8764) +Origin: backport, https://github.com/splitbrain/dokuwiki/commit/395c2f0ff3e87977ea2573587a11f4ef294433f2 +Bug-Debian: http://bugs.debian.org/766545 +Last-Update: 2014-10-28 +--- + inc/auth.php | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +Index: dokuwiki/inc/auth.php +=================================================================== +--- dokuwiki.orig/inc/auth.php ++++ dokuwiki/inc/auth.php +@@ -75,7 +75,8 @@ if($conf['useacl']){ + } + + // apply cleaning +- $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']); ++ $_REQUEST['u'] = $auth->cleanUser(stripctl($_REQUEST['u'])); ++ $_REQUEST['p'] = stripctl($_REQUEST['p']); + + if(isset($_REQUEST['authtok'])){ + // when an authentication token is given, trust the session diff -Nru dokuwiki-0.0.20091225c/debian/patches/series dokuwiki-0.0.20091225c/debian/patches/series --- dokuwiki-0.0.20091225c/debian/patches/series 2011-06-26 13:23:13.000000000 +0200 +++ dokuwiki-0.0.20091225c/debian/patches/series 2014-10-29 14:25:01.000000000 +0100 @@ -10,3 +10,4 @@ license_jpegmeta.diff cc-by-nd-url.diff fhs.diff +fix_ldap_auth_bypass_CVE-2014-8763.diff
From: Andreas Gohr <andi@splitbrain.org> Subject: Clean user credentials from control chars to prevent auth bypass This is to prevent zero byte attacks on external auth systems as described in http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication (CVE-2014-8763, CVE-2014-8764) Origin: backport, https://github.com/splitbrain/dokuwiki/commit/395c2f0ff3e87977ea2573587a11f4ef294433f2 Bug-Debian: http://bugs.debian.org/766545 Last-Update: 2014-10-28 --- inc/auth.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) Index: dokuwiki/inc/auth.php =================================================================== --- dokuwiki.orig/inc/auth.php +++ dokuwiki/inc/auth.php @@ -75,7 +75,8 @@ if($conf['useacl']){ } // apply cleaning - $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']); + $_REQUEST['u'] = $auth->cleanUser(stripctl($_REQUEST['u'])); + $_REQUEST['p'] = stripctl($_REQUEST['p']); if(isset($_REQUEST['authtok'])){ // when an authentication token is given, trust the session
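Review bot: In the debian/changelog hunk the new entry still targets UNRELEASED and never mentions the bug that the patch header records as Bug-Debian: http://bugs.debian.org/766545. Set the distribution to squeeze-lts before building, and consider referencing #766545 in the entry so that the upload can be traced back to the report.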
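Review bot: The header of fix_ldap_auth_bypass_CVE-2014-8763.diff states "3 insertions(+), 2 deletions(-)" for inc/auth.php, but its only hunk (@@ -75,7 +75,8 @@) adds two lines and removes one, so the diffstat appears to be carried over from the upstream commit. Regenerate or drop it, and say in the header which part of the upstream change was left out of the backport. The same hunk calls stripctl() on $_REQUEST['u'] and $_REQUEST['p'], and nothing in this patch adds that function, so confirm that it is already defined in 0.0.20091225c and loaded before inc/auth.php runs this code, otherwise the login path will fail on an undefined function.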