Bug#597018: unblock: piwigo/2.1.2-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception
Hi release team,
I made an update of the piwigo package. It doesn't close any BTS bug (because the problem was reported upstream) but it fixes severals security vulnerabilities (http://www.exploit-db.com/exploits/14973/). A new upstream release with that fix has been release but I made a smaller patch that only fix the vulnerabilities.
Is it possible to add a freeze exception for it ?
I attached a diff file between the package already in testing and the patch I made.
Thanks in advance,
Nicolas Roudaire
Please unblock package piwigo
(explain the reason for the unblock here)
unblock piwigo/2.1.2-2
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.34-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff --git a/debian/changelog b/debian/changelog
index d9f5cbc..8e710f2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+piwigo (2.1.2-2) unstable; urgency=high
+
+ * Upload to fix security :
+ http://www.exploit-db.com/exploits/14973/
+
+ -- Nicolas Roudaire <nikrou77@gmail.com> Wed, 15 Sep 2010 23:07:34 +0200
+
+
piwigo (2.1.2-1) unstable; urgency=low
* New upstream release
diff --git a/debian/fix_vulnerabilities b/debian/fix_vulnerabilities
new file mode 100644
index 0000000..cd70456
--- /dev/null
+++ b/debian/fix_vulnerabilities
@@ -0,0 +1,54 @@
+# Author: Nicolas Roudaire <nikrou77@gmail.com>
+# Bug: http://piwigo.org/bugs/view.php?id=1848,1849,1856
+# Description: Fix vulnerabilities (http://www.exploit-db.com/exploits/14973/)
+
+--- piwigo.orig/admin/profile.php
++++ piwigo/admin/profile.php
+@@ -25,8 +25,12 @@
+
+ $edit_user = build_user( $_GET['user_id'], false );
+
+-include_once(PHPWG_ROOT_PATH.'profile.php');
++if (!empty($_POST))
++{
++ check_pwg_token();
++}
+
++include_once(PHPWG_ROOT_PATH.'profile.php');
+
+ $errors = array();
+ if ( !is_adviser() )
+--- piwigo.orig/include/ws_core.inc.php
++++ piwigo/include/ws_core.inc.php
+@@ -477,7 +477,7 @@
+
+ if ( $method==null )
+ {
+- return new PwgError(WS_ERR_INVALID_METHOD, 'Method name "'.$methodName.'" is not valid');
++ return new PwgError(WS_ERR_INVALID_METHOD, 'Method name is not valid');
+ }
+
+ // parameter check and data coercion !
+--- piwigo.orig/admin/themes/default/template/profile_content.tpl
++++ piwigo/admin/themes/default/template/profile_content.tpl
+@@ -103,6 +103,7 @@
+ </fieldset>
+
+ <p class="bottomButtons">
++ <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
+ <input class="submit" type="submit" name="validate" value="{'Submit'|@translate}">
+ <input class="submit" type="reset" name="reset" value="{'Reset'|@translate}">
+ </p>
+--- piwigo.orig/include/section_init.inc.php
++++ piwigo/include/section_init.inc.php
+@@ -61,6 +61,10 @@
+ $rewritten = $key;
+ break;
+ }
++
++ // the $_GET keys are not protected in include/common.inc.php, only the values
++ $rewritten = pwg_db_real_escape_string($rewritten);
++
+ $page['root_path'] = PHPWG_ROOT_PATH;
+ }
+
diff --git a/debian/series b/debian/series
new file mode 100644
index 0000000..92db591
--- /dev/null
+++ b/debian/series
@@ -0,0 +1,3 @@
+sqlite-to-sqlite3
+pgsql-as-keyword
+fix_vulnerabilities
Reply to: