upload dokuwiki

To: Debian LTS <debian-lts@lists.debian.org>
Subject: upload dokuwiki
From: Abhijith PA <abhijith@disroot.org>
Date: Wed, 4 Jul 2018 13:11:31 +0530
Message-id: <[🔎] 71f5220c-b243-e0f3-d797-741b6fc834dd@disroot.org>

Hello.

I've prepared LTS security update for dokuwiki. Please review and
upload. Debdiff is attached. Patch is forward ported from wheezy. I've
tested by installing in clean jessie machine, created sample wiki pages.

https://mentors.debian.net/debian/pool/main/d/dokuwiki/dokuwiki_0.0.20140505.a+dfsg-4+deb8u1.dsc

--abhijith.

diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/changelog dokuwiki-0.0.20140505.a+dfsg/debian/changelog
--- dokuwiki-0.0.20140505.a+dfsg/debian/changelog	2015-03-22 18:50:07.000000000 +0100
+++ dokuwiki-0.0.20140505.a+dfsg/debian/changelog	2018-07-03 06:34:26.000000000 +0200
@@ -1,3 +1,11 @@
+dokuwiki (0.0.20140505.a+dfsg-4+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS team.
+  * CVE-2017-18123: An XHR/AJAX call did not properly encode user input,
+    resulting in a reflected file download vulnerability. (Closes: #889281)
+
+ -- Abhijith PA <abhijith@disroot.org>  Tue, 03 Jul 2018 10:04:26 +0530
+
 dokuwiki (0.0.20140505.a+dfsg-4) testing-proposed-updates; urgency=high
 
   * debian/patches: security fix, from upstream hotfix release
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123.patch dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123.patch
--- dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123.patch	1970-01-01 01:00:00.000000000 +0100
+++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123.patch	2018-07-03 06:34:26.000000000 +0200
@@ -0,0 +1,23 @@
+Description: CVE-2017-18123
+ The call parameter of /lib/exe/ajax.php in DokuWiki does not properly encode 
+ user input, which leads to a reflected file download vulnerability, and allows 
+ remote attackers to run arbitrary programs. This patch forward ported from Wheezy.
+
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/splitbrain/dokuwiki/commit/238b8e878ad48f370903465192b57c2072f65d86
+Bug: https://github.com/splitbrain/dokuwiki/issues/2029
+Bug-Debian: https://bugs.debian.org/889281
+Last-Update: 2018-07-02
+
+--- dokuwiki-0.0.20140505.a+dfsg.orig/lib/exe/ajax.php
++++ dokuwiki-0.0.20140505.a+dfsg/lib/exe/ajax.php
+@@ -28,7 +28,7 @@ if(function_exists($callfn)){
+ }else{
+     $evt = new Doku_Event('AJAX_CALL_UNKNOWN', $call);
+     if ($evt->advise_before()) {
+-        print "AJAX call '".htmlspecialchars($call)."' unknown!\n";
++        print "AJAX call '".urlencode($call)."' unknown!\n";
+         exit;
+     }
+     $evt->advise_after();
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/series dokuwiki-0.0.20140505.a+dfsg/debian/patches/series
--- dokuwiki-0.0.20140505.a+dfsg/debian/patches/series	2015-03-22 18:48:40.000000000 +0100
+++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/series	2018-07-03 06:34:26.000000000 +0200
@@ -5,3 +5,4 @@
 soften_email_validator.diff
 use_packaged_jquery.diff
 cve-2015-2172_check_permissions_in_rpc.patch
+CVE-2017-18123.patch

Reply to:

Follow-Ups:
- Re: upload dokuwiki
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

Prev by Date: kf5-messagelib / CVE-2017-17689
Next by Date: Re: mercurial new test packages
Previous by thread: Re: kf5-messagelib / CVE-2017-17689
Next by thread: Re: upload dokuwiki
Index(es):
- Date
- Thread