I've released ikiwiki backports for testing and stable, both fixing a malformed UTF-8 DOS, which doesn't yet have a CVE. For testing, I've uploaded 2.53.3 to tpu. This also includes an unrelated minor bugfix backport. Please review/unblock. For stable, I've prepared a 1.33.7, available in the debian-stable branch of ikiwiki's git repository, or via the attached patch. Please issue a DSA at your leisure (this is only a crasher DOS AFAIK, and at least so far I don't know of an easy way to exploit it). -- see shy jo
diff --git a/IkiWiki.pm b/IkiWiki.pm
index efacb20..9787b44 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -231,6 +231,9 @@ sub readfile ($;$) { #{{{
open (IN, $file) || error("failed to read $file: $!");
binmode(IN) if ($binary);
my $ret=<IN>;
+ if (! utf8::valid($ret)) {
+ $ret=encode_utf8($ret);
+ }
close IN;
return $ret;
} #}}}
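Review bot: `encode_utf8` is called in the new branch but nothing in this hunk imports it; confirm that `use Encode;` (or an explicit `Encode::encode_utf8`) is already in scope in IkiWiki.pm, because otherwise the undefined-sub error is hit only on malformed input, which is exactly the path this fix is meant to harden. Also note that `utf8::valid` only reports a problem when `$ret` carries the UTF-8 flag, i.e. when the handle was opened through a `:utf8` layer; after `binmode(IN)` on the `$binary` path the string is plain bytes and the check is a no-op, which is the intended behaviour but worth a one-line comment. Since the branch silently re-encodes rather than rejecting the input, consider emitting a debug/log message when it fires so that repeated malformed-UTF-8 reads are visible to operators.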
diff --git a/debian/changelog b/debian/changelog
index 0f68f26..8192872 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ikiwiki (1.33.7) stable-security; urgency=low
+
+ * Avoid crash on malformed utf-8 discovered by intrigeri.
+
+ -- Joey Hess <joeyh@debian.org> Wed, 12 Nov 2008 17:42:29 -0500
+
ikiwiki (1.33.6) stable-security; urgency=low
* Some error messages in recent backported security fixes used gettext,
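Review bot: The 1.33.7 entry says what was avoided but not the impact; for a stable-security upload, state that the malformed UTF-8 input caused a denial of service (crash in `readfile`) and leave room for the CVE identifier to be added once assigned, e.g. `* Avoid crash (denial of service) on malformed utf-8 input discovered by intrigeri (CVE-TBD).`. The `urgency=low` matches the preceding 1.33.6 security entry, but a DSA-bound upload normally carries `urgency=high`; check which the security team expects.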