I've released ikiwiki backports for testing and stable, both fixing a malformed UTF-8 DOS, which doesn't yet have a CVE.

For testing, I've uploaded 2.53.3 to tpu. This also includes an unrelated minor bugfix backport. Please review/unblock.

For stable, I've prepared a 1.33.7, available in the debian-stable branch of ikiwiki's git repository, or via the attached patch. Please issue a DSA at your leisure (this is only a crasher DOS AFAIK, and at least so far I don't know of an easy way to exploit it).

-- see shy jo
diff --git a/IkiWiki.pm b/IkiWiki.pm index efacb20..9787b44 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -231,6 +231,9 @@ sub readfile ($;$) { #{{{ open (IN, $file) || error("failed to read $file: $!"); binmode(IN) if ($binary); my $ret=<IN>; + if (! utf8::valid($ret)) { + $ret=encode_utf8($ret); + } close IN; return $ret; } #}}} diff --git a/debian/changelog b/debian/changelog index 0f68f26..8192872 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +ikiwiki (1.33.7) stable-security; urgency=low + + * Avoid crash on malformed utf-8 discovered by intrigeri. + + -- Joey Hess <joeyh@debian.org> Wed, 12 Nov 2008 17:42:29 -0500 + ikiwiki (1.33.6) stable-security; urgency=low * Some error messages in recent backported security fixes used gettext,
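Review bot: in the IkiWiki.pm hunk, the new `if (! utf8::valid($ret))` test in `readfile` only ever fires when `$ret` carries the UTF8 flag, because `utf8::valid` returns true for any unflagged byte string; the `open (IN, $file)` line shows no explicit layer, so the check must be relying on a `:utf8` layer set up outside the hunk (the `:utf8` layer marks data as UTF-8 without validating it, which is exactly how a malformed file ends up as an invalid flagged string). When `binmode(IN)` has been applied the branch can never be taken, which is fine for binary reads but deserves a comment. The fallback `$ret=encode_utf8($ret);` also silently hands the caller the raw file bytes as a byte string rather than decoded text, so malformed files produce a different kind of value than well-formed ones; either document that, or read the bytes and decode with `Encode::decode('utf-8', $bytes)`, whose default check mode replaces malformed sequences with U+FFFD instead of changing the string's nature. Finally, `encode_utf8` is used unqualified and the hunk adds no `use Encode`, so confirm IkiWiki.pm already imports it.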
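Review bot: the debian/changelog hunk for 1.33.7 says only "Avoid crash on malformed utf-8 discovered by intrigeri.", which tells a stable user neither what triggers the problem nor where it is fixed; for a stable-security upload the entry should state that malformed UTF-8 in a file read via `readfile` in IkiWiki.pm crashed ikiwiki (a denial of service), and note that no CVE has been assigned yet, as the cover mail does, so the entry can be amended when one is.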