Adam D. Barratt, 2011-06-23 14:08 UTC+0100: > Please prepare packages for both stable and oldstable and send the > debdiffs to debian-release for approval. Here they are. Since I am using quilt as the patch system, these are “squared” diffs (a diff that adds a patch file); for convenience I also attach the base upstream patch. The packages and all related files are available at <http://tanguy.ortolo.eu/deb/dokuwiki/>. Please tell me if I can proceed with uploading. Regards, -- Tanguy
diff -Nru dokuwiki-0.0.20091225c/debian/changelog dokuwiki-0.0.20091225c/debian/changelog
--- dokuwiki-0.0.20091225c/debian/changelog 2011-03-16 21:03:49.000000000 +0100
+++ dokuwiki-0.0.20091225c/debian/changelog 2011-06-26 13:18:22.000000000 +0200
@@ -1,3 +1,11 @@
+dokuwiki (0.0.20091225c-10+squeeze2) stable; urgency=low
+
+ * debian/patches/rss_security.diff: Backport an upstream security fix for
+ an XSS vulnerability in the RSS embedding mechanism.
+ * debian/control: Updated Standards-Version (no change required).
+
+ -- Tanguy Ortolo <tanguy+debian@ortolo.eu> Sun, 26 Jun 2011 13:18:16 +0200
+
 dokuwiki (0.0.20091225c-10+squeeze1) stable; urgency=low
 * debian/README.Debian: Correct a spelling error.
diff -Nru dokuwiki-0.0.20091225c/debian/control dokuwiki-0.0.20091225c/debian/control
--- dokuwiki-0.0.20091225c/debian/control 2011-03-16 21:02:43.000000000 +0100
+++ dokuwiki-0.0.20091225c/debian/control 2011-06-26 13:00:25.000000000 +0200
@@ -6,7 +6,7 @@
 Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~), po-debconf
-Standards-Version: 3.9.1
+Standards-Version: 3.9.2
 Homepage: http://www.dokuwiki.org/
 Vcs-Git: git://git.debian.org/collab-maint/dokuwiki.git/
 Vcs-Browser: http://git.debian.org/?p=collab-maint/dokuwiki.git
diff -Nru dokuwiki-0.0.20091225c/debian/patches/rss_security.diff dokuwiki-0.0.20091225c/debian/patches/rss_security.diff
--- dokuwiki-0.0.20091225c/debian/patches/rss_security.diff 1970-01-01 01:00:00.000000000 +0100
+++ dokuwiki-0.0.20091225c/debian/patches/rss_security.diff 2011-06-26 12:54:50.000000000 +0200
@@ -0,0 +1,38 @@
+Author: Andreas Gohr <andi@splitbrain.org>
+Author: Tanguy Ortolo <tanguy+debian@ortolo.eu>
+Origin: upstream, https://github.com/splitbrain/dokuwiki/commit/8dd5c1d6612a6c7f217da041703183200405fa90
+Last-Update: 2011-06-26
+Description: Fix a cross-site scripting vulnerability in the RSS embedding mechanism
+ .
+ This fixes a problem where JavaScript could be introduced through
+ specially crafted RSS feeds.
+ .
+ This also fixes a problem where JavaScript links could be introduced by
+ specifying it as an RSS URL: the resulting error message displays a
+ link to the broken feed URL. This patch makes sure there's no working
+ link for unknown protocols.
+
+Index: dokuwiki/inc/parser/xhtml.php
+===================================================================
+--- dokuwiki.orig/inc/parser/xhtml.php 2011-06-26 12:34:33.102960953 +0200
++++ dokuwiki/inc/parser/xhtml.php 2011-06-26 12:47:55.915963024 +0200
+@@ -580,6 +580,19 @@
+
+ $name = $this->_getLinkTitle($name, $url, $isImage);
+
++ // url might be an attack vector, only allow registered protocols
++ if(is_null($this->schemes)) $this->schemes = getSchemes();
++ list($scheme) = explode('://',$url);
++ $scheme = strtolower($scheme);
++ if(!in_array($scheme,$this->schemes)) $url = '';
++
++ // is there still an URL?
++ if(!$url){
++ $this->doc .= $name;
++ return;
++ }
++
++ // set class
+ if ( !$isImage ) {
+ $class='urlextern';
+ } else {
diff -Nru dokuwiki-0.0.20091225c/debian/patches/series dokuwiki-0.0.20091225c/debian/patches/series
--- dokuwiki-0.0.20091225c/debian/patches/series 2011-03-16 21:02:43.000000000 +0100
+++ dokuwiki-0.0.20091225c/debian/patches/series 2011-06-26 13:17:41.000000000 +0200
@@ -1,3 +1,4 @@
+rss_security.diff
 xmlrpc_security.diff
 use_packaged_simplepie.diff
 use_packaged_php-geshi_SA32559.diff
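Review bot: The whitelist at `list($scheme) = explode('://',$url);` keys on the text before the first `://`, so a URL with no `://` at all (a `javascript:` or `data:` URI, or a protocol-relative `//host`) has its entire value treated as the scheme and is rejected; that is what makes the check hold against those vectors, but the comment does not say so, and a later "fix" that splits on `:` instead would quietly reintroduce the hole. I would extend the comment to `// url might be an attack vector, only allow registered protocols; anything without '://' (javascript:, data:, //host) ends up as the whole 'scheme' and is dropped`. Since both sides are strings, `if(!in_array($scheme,$this->schemes,true)) $url = '';` also avoids loose-comparison surprises should scheme.conf ever yield a non-string entry. The enclosing method starts and ends outside the hunk, and whether the surviving $url is attribute-escaped before it reaches the href is not visible here.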
diff -Nru dokuwiki-0.0.20080505/debian/changelog dokuwiki-0.0.20080505/debian/changelog
--- dokuwiki-0.0.20080505/debian/changelog 2011-06-26 13:26:03.000000000 +0200
+++ dokuwiki-0.0.20080505/debian/changelog 2011-06-26 13:26:03.000000000 +0200
@@ -1,3 +1,10 @@
+dokuwiki (0.0.20080505-4+lenny3) oldstable; urgency=low
+
+ * debian/patches/rss_security.diff: Backport an upstream security fix for an
+ XSS vulnerability in the RSS embedding mechanism.
+
+ -- Tanguy Ortolo <tanguy+debian@ortolo.eu> Sun, 26 Jun 2011 13:23:05 +0200
+
 dokuwiki (0.0.20080505-4+lenny2) oldstable; urgency=low
 * debian/patches/xmlrpc_security.diff: Backport an upstream security fix
diff -Nru dokuwiki-0.0.20080505/debian/patches/rss_security.diff dokuwiki-0.0.20080505/debian/patches/rss_security.diff
--- dokuwiki-0.0.20080505/debian/patches/rss_security.diff 1970-01-01 01:00:00.000000000 +0100
+++ dokuwiki-0.0.20080505/debian/patches/rss_security.diff 2011-06-26 13:26:03.000000000 +0200
@@ -0,0 +1,38 @@
+Author: Andreas Gohr <andi@splitbrain.org>
+Author: Tanguy Ortolo <tanguy+debian@ortolo.eu>
+Origin: upstream, https://github.com/splitbrain/dokuwiki/commit/8dd5c1d6612a6c7f217da041703183200405fa90
+Last-Update: 2011-06-26
+Description: Fix a cross-site scripting vulnerability in the RSS embedding mechanism
+ .
+ This fixes a problem where JavaScript could be introduced through
+ specially crafted RSS feeds.
+ .
+ This also fixes a problem where JavaScript links could be introduced by
+ specifying it as an RSS URL: the resulting error message displays a
+ link to the broken feed URL. This patch makes sure there's no working
+ link for unknown protocols.
+
+Index: dokuwiki-0.0.20080505/inc/parser/xhtml.php
+===================================================================
+--- dokuwiki-0.0.20080505.orig/inc/parser/xhtml.php 2008-05-05 19:10:08.000000000 +0200
++++ dokuwiki-0.0.20080505/inc/parser/xhtml.php 2011-06-26 13:21:21.743609982 +0200
+@@ -543,6 +543,19 @@
+
+ $name = $this->_getLinkTitle($name, $url, $isImage);
+
++ // url might be an attack vector, only allow registered protocols
++ if(is_null($this->schemes)) $this->schemes = getSchemes();
++ list($scheme) = explode('://',$url);
++ $scheme = strtolower($scheme);
++ if(!in_array($scheme,$this->schemes)) $url = '';
++
++ // is there still an URL?
++ if(!$url){
++ $this->doc .= $name;
++ return;
++ }
++
++ // set class
+ if ( !$isImage ) {
+ $class='urlextern';
+ } else {
diff -Nru dokuwiki-0.0.20080505/debian/patches/series dokuwiki-0.0.20080505/debian/patches/series
--- dokuwiki-0.0.20080505/debian/patches/series 2011-06-26 13:26:03.000000000 +0200
+++ dokuwiki-0.0.20080505/debian/patches/series 2011-06-26 13:26:03.000000000 +0200
@@ -5,3 +5,4 @@
 debianize.diff
 security.diff
 xmlrpc_security.diff
+rss_security.diff
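Review bot: `if(is_null($this->schemes)) $this->schemes = getSchemes();` depends on two things the 0.0.20080505 tree must already provide and this hunk does not add: a `$schemes` property on the renderer class and a `getSchemes()` helper. If the 2008 class does not declare the property, the first call emits an undefined-property notice before the assignment creates it (harmless but noisy in logs); if the helper is missing in oldstable, every external link becomes a fatal error, which would turn the security fix into a denial of service. Please confirm both exist in the lenny source, and if the property is absent add `var $schemes = null;` to the class so the cache is declared rather than created on the fly. The enclosing method starts and ends outside the hunk.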
diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1041268..83359cd 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -646,6 +646,19 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 $name = $this->_getLinkTitle($name, $url, $isImage);
+ // url might be an attack vector, only allow registered protocols
+ if(is_null($this->schemes)) $this->schemes = getSchemes();
+ list($scheme) = explode('://',$url);
+ $scheme = strtolower($scheme);
+ if(!in_array($scheme,$this->schemes)) $url = '';
+
+ // is there still an URL?
+ if(!$url){
+ $this->doc .= $name;
+ return;
+ }
+
+ // set class
 if ( !$isImage ) {
 $class='urlextern';
 } else {
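Review bot: When the scheme is rejected the new code appends `$name` straight to `$this->doc`, so the XSS fix silently relies on `_getLinkTitle()` having already HTML-escaped the title; that function is outside the hunk, and nothing in the hunk records the assumption. I would put a comment on the early return, `// $name is presumed already escaped by _getLinkTitle(); render it as plain text, not a link`, and verify that the escaping holds on the $isImage branch as well, since an image "title" reaching here unescaped would be the same injection through a different door. Note also that the check constrains only the scheme prefix: the remainder of an allowed-scheme URL still has to be attribute-escaped where the href is built later in the method, which lies outside the hunk.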