Bug#597018: marked as done (unblock: piwigo/2.1.2-2)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sat, 18 Sep 2010 16:57:25 +0100
with message-id <1284825445.12215.366.camel@kaa.jungle.aubergine.my-net-space.net>
and subject line Re: Bug#597018: unblock: piwigo/2.1.2-2
has caused the Debian Bug report #597018,
regarding unblock: piwigo/2.1.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
597018: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597018
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: piwigo/2.1.2-2
• From: Nicolas Roudaire <nikrou77@gmail.com>
• Date: Thu, 16 Sep 2010 00:26:25 +0200
• Message-id: <[🔎] 20100915222625.26945.87455.reportbug@localhost>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception

Hi release team,

I made an update of the piwigo package. It doesn't close any BTS bug (because the problem was reported upstream) but it fixes severals security vulnerabilities (http://www.exploit-db.com/exploits/14973/). A new upstream release with that fix has been release but I made a smaller patch that only fix the vulnerabilities.

Is it possible to add a freeze exception for it ?

I attached a diff file between the package already in testing and the patch I made.

Thanks in advance,
Nicolas Roudaire
Please unblock package piwigo

(explain the reason for the unblock here)

unblock piwigo/2.1.2-2

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.34-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff --git a/debian/changelog b/debian/changelog
index d9f5cbc..8e710f2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+piwigo (2.1.2-2) unstable; urgency=high
+  
+  * Upload to fix security : 
+    http://www.exploit-db.com/exploits/14973/
+  
+ -- Nicolas Roudaire <nikrou77@gmail.com>  Wed, 15 Sep 2010 23:07:34 +0200
+
+  
 piwigo (2.1.2-1) unstable; urgency=low
 
   * New upstream release
diff --git a/debian/fix_vulnerabilities b/debian/fix_vulnerabilities
new file mode 100644
index 0000000..cd70456
--- /dev/null
+++ b/debian/fix_vulnerabilities
@@ -0,0 +1,54 @@
+# Author: Nicolas Roudaire <nikrou77@gmail.com>
+# Bug: http://piwigo.org/bugs/view.php?id=1848,1849,1856
+# Description: Fix vulnerabilities (http://www.exploit-db.com/exploits/14973/)
+
+--- piwigo.orig/admin/profile.php
++++ piwigo/admin/profile.php
+@@ -25,8 +25,12 @@
+ 
+ $edit_user = build_user( $_GET['user_id'], false );
+ 
+-include_once(PHPWG_ROOT_PATH.'profile.php');
++if (!empty($_POST))
++{
++  check_pwg_token();
++}
+ 
++include_once(PHPWG_ROOT_PATH.'profile.php');
+ 
+ $errors = array();
+ if ( !is_adviser() )
+--- piwigo.orig/include/ws_core.inc.php
++++ piwigo/include/ws_core.inc.php
+@@ -477,7 +477,7 @@
+ 
+     if ( $method==null )
+     {
+-      return new PwgError(WS_ERR_INVALID_METHOD, 'Method name "'.$methodName.'" is not valid');
++      return new PwgError(WS_ERR_INVALID_METHOD, 'Method name is not valid');
+     }
+ 
+     // parameter check and data coercion !
+--- piwigo.orig/admin/themes/default/template/profile_content.tpl
++++ piwigo/admin/themes/default/template/profile_content.tpl
+@@ -103,6 +103,7 @@
+   </fieldset>
+ 
+   <p class="bottomButtons">
++    <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
+     <input class="submit" type="submit" name="validate" value="{'Submit'|@translate}">
+     <input class="submit" type="reset" name="reset" value="{'Reset'|@translate}">
+   </p>
+--- piwigo.orig/include/section_init.inc.php
++++ piwigo/include/section_init.inc.php
+@@ -61,6 +61,10 @@
+     $rewritten = $key;
+     break;
+   }
++  
++  // the $_GET keys are not protected in include/common.inc.php, only the values
++  $rewritten = pwg_db_real_escape_string($rewritten);
++  
+   $page['root_path'] = PHPWG_ROOT_PATH;
+ }
+ 
diff --git a/debian/series b/debian/series
new file mode 100644
index 0000000..92db591
--- /dev/null
+++ b/debian/series
@@ -0,0 +1,3 @@
+sqlite-to-sqlite3
+pgsql-as-keyword
+fix_vulnerabilities

--- End Message ---

--- Begin Message ---

• To: 597018-done@bugs.debian.org
• Cc: nikrou77@gmail.com
• Subject: Re: Bug#597018: unblock: piwigo/2.1.2-2
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 18 Sep 2010 16:57:25 +0100
• Message-id: <1284825445.12215.366.camel@kaa.jungle.aubergine.my-net-space.net>
• In-reply-to: <[🔎] 1284660671.21935.22.camel@kaa.jungle.aubergine.my-net-space.net>
• References: <[🔎] ge5qbd52wut80iimqlUYAxe124vaj_firegpg@mail.gmail.com> <[🔎] 1284660671.21935.22.camel@kaa.jungle.aubergine.my-net-space.net>

On Thu, 2010-09-16 at 19:11 +0100, Adam D. Barratt wrote:
> On Thu, 2010-09-16 at 16:41 +0200, nikrou77@gmail.com wrote:
> 
> > You're aboslutly right. I was tired and I didn't see it when I did it
> > very early this morning.
> > I moved the new patch with the other ones 
> > 
> > I attached the new patch.
> 
> Thanks; please go ahead with the upload.

Unblocked.

Regards,

Adam

--- End Message ---