
ikiwiki 1.33.6 / 2.53



I've released ikiwiki backports for testing and stable, both fixing a
malformed UTF-8 DOS, which doesn't yet have a CVE.

For testing, I've uploaded 2.53.3 to tpu. This also includes an
unrelated minor bugfix backport. Please review/unblock.

For stable, I've prepared a 1.33.7, available in the debian-stable
branch of ikiwiki's git repository, or via the attached patch. Please
issue a DSA at your leisure (this is only a crasher DOS AFAIK, and at
least so far I don't know of an easy way to exploit it).

-- 
see shy jo
diff --git a/IkiWiki.pm b/IkiWiki.pm
index efacb20..9787b44 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -231,6 +231,9 @@ sub readfile ($;$) { #{{{
 	open (IN, $file) || error("failed to read $file: $!");
 	binmode(IN) if ($binary);
 	my $ret=<IN>;
+	if (! utf8::valid($ret)) {
+		$ret=encode_utf8($ret);
+	}
 	close IN;
 	return $ret;
 } #}}}
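Review bot: the new branch calls encode_utf8, but the visible context of readfile shows no `use Encode` import; confirm IkiWiki.pm already imports it, otherwise add `use Encode;` with this fix so the fallback path does not die with an undefined subroutine exactly when malformed input arrives. Note also that utf8::valid only fails for strings that carry the UTF-8 flag, so the check is a no-op for handles opened with `binmode(IN)`, which is correct for binary files but worth a comment. Finally, the fallback downgrades the whole string to bytes rather than replacing just the malformed sequences, so any well-formed non-ASCII text in the same file is downgraded too and may be double-encoded on output; a short comment explaining why the crash-avoiding downgrade was preferred over a decode with replacement would help the next reader.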
diff --git a/debian/changelog b/debian/changelog
index 0f68f26..8192872 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ikiwiki (1.33.7) stable-security; urgency=low
+
+  * Avoid crash on malformed utf-8 discovered by intrigeri. 
+
+ -- Joey Hess <joeyh@debian.org>  Wed, 12 Nov 2008 17:42:29 -0500
+
 ikiwiki (1.33.6) stable-security; urgency=low
 
   * Some error messages in recent backported security fixes used gettext,
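Review bot: the line `* Avoid crash on malformed utf-8 discovered by intrigeri. ` ends with a trailing space; drop it. The entry also does not say what triggers the crash (malformed UTF-8 in a file read through readfile), which a stable-security changelog normally spells out so users can judge exposure, and since no CVE has been assigned yet, stating that explicitly would help whoever prepares the DSA.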
