
Re: Wheezy update of ikiwiki?



On Mon, 09 May 2016 at 20:05:17 +0200, Markus Koschany wrote:
> Please proceed with the upload to wheezy-security at your leisure.

I've uploaded a second test version, fixing a regression which I've
also just fixed in unstable: images with upper-case extensions, such as
the IMG1234.JPG frequently seen on cameras' FAT filesystems, were not
accepted. Interdiff attached. Still good to go?

    S
diffstat for ikiwiki-3.20120629.2+deb7u1 ikiwiki-3.20120629.2+deb7u1

 CHANGELOG             |    7 ++++---
 IkiWiki/Plugin/img.pm |    2 +-
 NEWS                  |    2 +-
 debian/NEWS           |    2 +-
 debian/changelog      |    7 ++++---
 t/img.t               |   12 +++++++++---
 6 files changed, 20 insertions(+), 12 deletions(-)

diff -Nru ikiwiki-3.20120629.2+deb7u1/CHANGELOG ikiwiki-3.20120629.2+deb7u1/CHANGELOG
--- ikiwiki-3.20120629.2+deb7u1/CHANGELOG	2016-05-08 16:31:08.000000000 +0100
+++ ikiwiki-3.20120629.2+deb7u1/CHANGELOG	2016-05-09 22:39:24.000000000 +0100
@@ -2,14 +2,15 @@
 
   * HTML-escape error messages, in one case avoiding potential cross-site
     scripting (CVE-2016-4561, OVE-20160505-0012)
-  * Update img plugin to version 3.20160506 to mitigate ImageMagick
+  * Update img plugin to version 3.20160509 to mitigate ImageMagick
     vulnerabilities, including remote code execution (CVE-2016-3714):
     - Never convert SVG images to PNG; simply pass them through to the
       browser. This prevents exploitation of any ImageMagick SVG coder
       vulnerabilities. (joeyh)
     - Do not resize image formats other than JPEG, PNG, GIF unless
       specifically configured to do so. This prevents exploitation
-      of any vulnerabilities in less common coders, such as MVG. (smcv)
+      of any vulnerabilities in less common coders, such as MVG.
+      (schmonz, smcv)
     - Do not resize JPEG, PNG, GIF, PDF images if their extensions do
       not match their "magic numbers", because wiki admins might try to
       restrict attachments by extension, but ImageMagick can base its
@@ -29,7 +30,7 @@
     (chrysn, joeyh, schmonz, smcv)
   * debian/tests: add metadata to run the img test as an autopkgtest
 
- -- Simon McVittie <smcv@debian.org>  Sun, 08 May 2016 16:30:55 +0100
+ -- Simon McVittie <smcv@debian.org>  Mon, 09 May 2016 22:38:35 +0100
 
 ikiwiki (3.20120629.2) wheezy; urgency=medium
 
diff -Nru ikiwiki-3.20120629.2+deb7u1/debian/changelog ikiwiki-3.20120629.2+deb7u1/debian/changelog
--- ikiwiki-3.20120629.2+deb7u1/debian/changelog	2016-05-08 16:31:08.000000000 +0100
+++ ikiwiki-3.20120629.2+deb7u1/debian/changelog	2016-05-09 22:39:24.000000000 +0100
@@ -2,14 +2,15 @@
 
   * HTML-escape error messages, in one case avoiding potential cross-site
     scripting (CVE-2016-4561, OVE-20160505-0012)
-  * Update img plugin to version 3.20160506 to mitigate ImageMagick
+  * Update img plugin to version 3.20160509 to mitigate ImageMagick
     vulnerabilities, including remote code execution (CVE-2016-3714):
     - Never convert SVG images to PNG; simply pass them through to the
       browser. This prevents exploitation of any ImageMagick SVG coder
       vulnerabilities. (joeyh)
     - Do not resize image formats other than JPEG, PNG, GIF unless
       specifically configured to do so. This prevents exploitation
-      of any vulnerabilities in less common coders, such as MVG. (smcv)
+      of any vulnerabilities in less common coders, such as MVG.
+      (schmonz, smcv)
     - Do not resize JPEG, PNG, GIF, PDF images if their extensions do
       not match their "magic numbers", because wiki admins might try to
       restrict attachments by extension, but ImageMagick can base its
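Review bot: this hunk is a verbatim copy of the CHANGELOG hunk above, so the same gap applies: nothing here mentions the upper-case-extension regression that the re-upload actually fixes. Whatever sub-bullet is added needs to land in both debian/changelog and CHANGELOG, since the interdiff shows the two files are kept identical.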
@@ -29,7 +30,7 @@
     (chrysn, joeyh, schmonz, smcv)
   * debian/tests: add metadata to run the img test as an autopkgtest
 
- -- Simon McVittie <smcv@debian.org>  Sun, 08 May 2016 16:30:55 +0100
+ -- Simon McVittie <smcv@debian.org>  Mon, 09 May 2016 22:38:35 +0100
 
 ikiwiki (3.20120629.2) wheezy; urgency=medium
 
diff -Nru ikiwiki-3.20120629.2+deb7u1/debian/NEWS ikiwiki-3.20120629.2+deb7u1/debian/NEWS
--- ikiwiki-3.20120629.2+deb7u1/debian/NEWS	2016-05-08 16:31:08.000000000 +0100
+++ ikiwiki-3.20120629.2+deb7u1/debian/NEWS	2016-05-09 22:39:24.000000000 +0100
@@ -18,7 +18,7 @@
   can be removed with the new img_allowed_formats setup option.
   See <https://ikiwiki.info/ikiwiki/directive/img/> for more details.
 
- -- Simon McVittie <smcv@debian.org>  Sun, 08 May 2016 16:30:55 +0100
+ -- Simon McVittie <smcv@debian.org>  Mon, 09 May 2016 22:38:35 +0100
 
 ikiwiki (3.20110122) unstable; urgency=low
 
diff -Nru ikiwiki-3.20120629.2+deb7u1/IkiWiki/Plugin/img.pm ikiwiki-3.20120629.2+deb7u1/IkiWiki/Plugin/img.pm
--- ikiwiki-3.20120629.2+deb7u1/IkiWiki/Plugin/img.pm	2016-05-08 16:31:08.000000000 +0100
+++ ikiwiki-3.20120629.2+deb7u1/IkiWiki/Plugin/img.pm	2016-05-09 22:39:24.000000000 +0100
@@ -89,7 +89,7 @@
 	my $extension;
 	my $format;
 
-	if ($base =~ m/\.([a-z0-9]+)$/) {
+	if ($base =~ m/\.([a-z0-9]+)$/is) {
 		$extension = $1;
 	}
 	else {
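Review bot: the `/s` modifier on the new `m/\.([a-z0-9]+)$/is` has no effect here (there is no unescaped `.` in the pattern for it to change), so `/i` alone states the intent. Two points the `/i` raises: `$extension = $1;` now preserves the original case, so anything downstream that compares `$extension` against lower-case format names (the `img_allowed_formats` list mentioned in NEWS) must receive a lower-cased value or `JPG` will still be refused at that step; and Perl's `$` also matches before a trailing newline, whereas `\z` matches only at the true end. Suggest `if ($base =~ m/\.([a-z0-9]+)\z/i) { $extension = lc $1; }`.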
diff -Nru ikiwiki-3.20120629.2+deb7u1/NEWS ikiwiki-3.20120629.2+deb7u1/NEWS
--- ikiwiki-3.20120629.2+deb7u1/NEWS	2016-05-08 16:31:08.000000000 +0100
+++ ikiwiki-3.20120629.2+deb7u1/NEWS	2016-05-09 22:39:24.000000000 +0100
@@ -18,7 +18,7 @@
   can be removed with the new img_allowed_formats setup option.
   See <https://ikiwiki.info/ikiwiki/directive/img/> for more details.
 
- -- Simon McVittie <smcv@debian.org>  Sun, 08 May 2016 16:30:55 +0100
+ -- Simon McVittie <smcv@debian.org>  Mon, 09 May 2016 22:38:35 +0100
 
 ikiwiki (3.20110122) unstable; urgency=low
 
diff -Nru ikiwiki-3.20120629.2+deb7u1/t/img.t ikiwiki-3.20120629.2+deb7u1/t/img.t
--- ikiwiki-3.20120629.2+deb7u1/t/img.t	2016-05-08 16:31:08.000000000 +0100
+++ ikiwiki-3.20120629.2+deb7u1/t/img.t	2016-05-09 22:39:24.000000000 +0100
@@ -45,6 +45,7 @@
 ok(! system("cp t/img/redsquare.png t/tmp/in/redsquare.png"));
 ok(! system("cp t/img/redsquare.jpg t/tmp/in/redsquare.jpg"));
 ok(! system("cp t/img/redsquare.jpg t/tmp/in/redsquare.jpeg"));
+ok(! system("cp t/img/redsquare.jpg t/tmp/in/SHOUTY.JPG"));
 # colons in filenames are a corner case for img
 ok(! system("cp t/img/redsquare.png t/tmp/in/hello:world.png"));
 ok(! system("cp t/img/redsquare.png t/tmp/in/a:b:c.png"));
@@ -59,7 +60,7 @@
 
 # using different image sizes for different pages, so the pagenumber selection can be tested easily
 ok(! system("cp t/img/twopages.pdf t/tmp/in/twopages.pdf"));
-ok(! system("cp t/img/twopages.pdf t/tmp/in/really-pdf.jpeg"));
+ok(! system("cp t/img/twopages.pdf t/tmp/in/really-pdf.JPEG"));
 ok(! system("cp t/img/twopages.pdf t/tmp/in/really-pdf.jpg"));
 ok(! system("cp t/img/twopages.pdf t/tmp/in/really-pdf.png"));
 ok(! system("cp t/img/twopages.pdf t/tmp/in/really-pdf.svg"));
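Review bot: renaming `really-pdf.jpeg` to `really-pdf.JPEG` swaps the lower-case four-letter `.jpeg` mismatch case for the upper-case one instead of covering both. Add the `.JPEG` copy alongside the existing `.jpeg` line, as the first hunk does for `SHOUTY.JPG` next to `redsquare.jpg`, so the lower-case spelling remains tested for the magic-number check as well.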
@@ -76,6 +77,7 @@
 [[!img redsquare.png]]
 [[!img redsquare.jpg size=11x]]
 [[!img redsquare.jpeg size=12x]]
+[[!img SHOUTY.JPG size=13x]]
 [[!img redsquare.png size=10x]]
 [[!img redsquare.png size=30x50]] expecting 30x30
 [[!img hello:world.png size=x8]] expecting 8x8
@@ -90,7 +92,7 @@
 [[!img really-svg.png size=666x]]
 [[!img really-svg.bmp size=666x]]
 [[!img really-svg.pdf size=666x]]
-[[!img really-pdf.jpeg size=666x]]
+[[!img really-pdf.JPEG size=666x]]
 [[!img really-pdf.jpg size=666x]]
 [[!img really-pdf.png size=666x]]
 [[!img really-pdf.svg size=666x]]
@@ -134,16 +136,19 @@
 
 is(size("$outpath/11x-redsquare.jpg"), "11x11");
 is(size("$outpath/12x-redsquare.jpeg"), "12x12");
+is(size("$outpath/13x-SHOUTY.JPG"), "13x13");
 like($outhtml, qr{src="(\./)?imgconversions/11x-redsquare\.jpg" width="11" height="11"});
 like($outhtml, qr{src="(\./)?imgconversions/12x-redsquare\.jpeg" width="12" height="12"});
+like($outhtml, qr{src="(\./)?imgconversions/13x-SHOUTY\.JPG" width="13" height="13"});
 
 # We do not misinterpret images
 my $quot = qr/(?:"|&quot;)/;
 like($outhtml, qr/${quot}really-svg\.png${quot} does not seem to be a valid png file/);
 ok(! -e "$outpath/666x-really-svg.png");
 ok(! -e "$outpath/666x-really-svg.bmp");
-like($outhtml, qr/${quot}really-pdf\.jpeg${quot} does not seem to be a valid jpeg file/);
+like($outhtml, qr/${quot}really-pdf\.JPEG${quot} does not seem to be a valid jpeg file/);
 ok(! -e "$outpath/666x-really-pdf.jpeg");
+ok(! -e "$outpath/666x-really-pdf.JPEG");
 like($outhtml, qr/${quot}really-pdf\.jpg${quot} does not seem to be a valid jpeg file/);
 ok(! -e "$outpath/666x-really-pdf.jpg");
 like($outhtml, qr/${quot}really-pdf\.png${quot} does not seem to be a valid png file/);
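Review bot: `ok(! -e "$outpath/666x-really-pdf.jpeg");` is now vacuous, because no `really-pdf.jpeg` input is copied in any more (the earlier hunk renamed it to `.JPEG`), so the file cannot exist whatever the plugin does. Either drop that line or, preferably, keep both inputs so the `.jpeg` assertion and the new `.JPEG` one each check a real conversion attempt.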
@@ -165,6 +170,7 @@
 	ok(! -e "$outpath/10x-redsquare.png");
 	ok(! -e "$outpath/10x-bluesquare.png");
 	ok(! -e "$outpath/12x-twopages.png");
+	ok(! -e "$outpath/13x-SHOUTY.JPG");
 	ok(! -e "$outpath/16x-p1-twopages.png");
 	ok(! -e "$outpath/x8-hello:world.png");
 	ok(! -e "$outpath/x4-a:b:c.png");

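The policy that this interdiff and its changelog describe (case-insensitive extension parsing, SVG passed through untouched, only configured formats resized, and a refusal whenever the extension disagrees with the file's magic number) is small enough to show end to end. The following is an added Python illustration written for this page; it is not ikiwiki's code, the magic-number prefixes come from the public JPEG/PNG/GIF/PDF specifications, the sample inputs are constructed, and the default allowed set and the `img_allowed_formats` name are taken from the changelog and NEWS text above.

```python
import re

# Leading bytes of the formats the policy is willing to resize. Values are from
# the public format specifications, not from ikiwiki (added example).
MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

# Extension spellings folded onto one canonical format name.
EXTENSION_TO_FORMAT = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png",
    "gif": "gif", "pdf": "pdf", "svg": "svg",
}

# Default resizable formats per the changelog; PDF must be enabled explicitly
# (the NEWS hunk names the option img_allowed_formats for that).
DEFAULT_ALLOWED = frozenset({"jpeg", "png", "gif"})


def extension_of(name):
    """Return the lower-cased extension, matched case-insensitively.

    \\Z anchors at the true end of the string, so 'foo.jpg\\n' has no extension;
    the original case is folded with lower() so later comparisons stay simple.
    """
    m = re.search(r"\.([a-z0-9]+)\Z", name, re.IGNORECASE)
    return m.group(1).lower() if m else None


def sniff_format(data):
    """Identify the format from the leading bytes, or None if unrecognised."""
    for fmt, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return fmt
    return None


def decide(name, data, allowed_formats=DEFAULT_ALLOWED):
    """Decide what to do with an attachment: resize, pass through, or reject.

    Rejection reasons mirror the wording the test file on this page expects.
    """
    ext = extension_of(name)
    if ext is None:
        return ("reject", "no extension")
    fmt = EXTENSION_TO_FORMAT.get(ext)
    if fmt == "svg":
        # Never handed to an image converter; served as-is.
        return ("passthrough", "svg")
    if fmt is None or fmt not in allowed_formats:
        return ("reject", f"format {ext!r} is not in the allowed list")
    if sniff_format(data) != fmt:
        # Extension and magic number disagree: the file is something else.
        return ("reject", f"{name!r} does not seem to be a valid {fmt} file")
    return ("resize", fmt)


# Constructed sample inputs (not real files from the ikiwiki test suite).
SAMPLES = {
    "SHOUTY.JPG": b"\xff\xd8\xff\xe0\x00\x10JFIF",        # camera-style name
    "really-pdf.JPEG": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",  # PDF with JPEG name
    "redsquare.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "logo.svg": b"<svg xmlns='http://www.w3.org/2000/svg'/>",
    "shape.mvg": b"push graphic-context\n",               # less common coder
    "twopages.pdf": b"%PDF-1.4\n",
}


def classify_samples(allowed_formats=DEFAULT_ALLOWED):
    """Run decide() over every sample and return name -> decision."""
    return {n: decide(n, d, allowed_formats) for n, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, why) in classify_samples().items():
        print(f"{name:18} {action:12} {why}")
```

With the defaults, `SHOUTY.JPG` and `redsquare.png` are resized, `logo.svg` is passed through, `really-pdf.JPEG` is refused because its bytes are a PDF, and `shape.mvg` and `twopages.pdf` are refused as formats not in the allowed list; passing `DEFAULT_ALLOWED | {"pdf"}` lets the genuine PDF through while the mis-named one stays rejected.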