Bug#780976: unblock: dokuwiki/0.0.20140505.a+dfsg-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Please unblock package dokuwiki
Version 0.0.20140505.a+dfsg-4 in testing-proposed-updates fixes RC bug
#779547 (CVE-2015-2172, a privilege escalation vulnerability), by adding
a debian/patches/cve-2015-2172_check_permissions_in_rpc.patch,
cherry-picked from the upstream bugfix release 2014-05-05d (upstream
commit https://github.com/splitbrain/dokuwiki/commit/16ca97e1).
Changelog entry:
>dokuwiki (0.0.20140505.a+dfsg-4) testing-proposed-updates; urgency=high
>
> * debian/patches: security fix, from upstream hotfix release
> + cve-2015-2172_check_permissions_in_rpc.patch: check permissions in the
> ACL plugin's RPC API to avoid a privilege escalation. (CVE-2015-2172)
> (Closes: #779547)
>
> -- Tanguy Ortolo <tanguy+debian@ortolo.eu> Sun, 22 Mar 2015 17:40:22 +0100
unblock dokuwiki/0.0.20140505.a+dfsg-4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJVDwQTAAoJEOryzVHFAGgZpfQP+wUw73xabOLo81nJ4HYQiNAs
BRPXqP4ZH3u7KFdaOyuuKv4H1tCKP6WjPO6zjaVYie35PcnrsqWkvm78xX9RgBaR
Bt1yKEnM6oqfAKUFxa/qSs1uovcFGwLOWko6wp155tPE6CYGNWAMWcv3YsU1I2MW
PfqGIrUfL1JliA5juDNy1Ydp66zBNV1bS0a/TIi9e4LdcYBRRRhOAIJvQ7NocpfQ
UmkU9Xb0H4KyWwA7QCVOlQmd8zvQUjxrxXbhO+ai0VlMo1HkhkWmI5vvA96IJn3b
nIIGkj5nFD0bbGcwQjOhiPWlTbnLs0gTKOmcRuLy6KCoyJBFGRpNWQBfSdunalES
ytmGl5OTW0qvWCx7PEhRNo1E1x45LWylsuqMIdDT7b2ac94Pl/nqkw49TMOPo5Id
5mZd4xZZZUmp38gBvq1dUEXKKmr7iRh3awchUDYOO5pGKvKEqhl55k69NMXPyuMv
nWaw8+Tfd5YCG4D7VHDTfxbi+JScGxV9+pKD4rjlmtgzqQfK8nvIOBQraDgQ4adE
mhF0ivBExhTglVQMFF4pKNbY+Bl/bgmBx6CvW+nrEIa8b4NjvI1rBf/b7IvzzfSw
wbPR6QG4kN2L7hXZ0+177u7POqouuJpMPPVQ46ndC/E+pGkjbFSlkTpM8eKb2FQJ
jkKKV90kIFvUYSpepbOx
=typ3
-----END PGP SIGNATURE-----
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/changelog dokuwiki-0.0.20140505.a+dfsg/debian/changelog
--- dokuwiki-0.0.20140505.a+dfsg/debian/changelog 2014-10-05 21:58:22.000000000 +0200
+++ dokuwiki-0.0.20140505.a+dfsg/debian/changelog 2015-03-22 18:50:07.000000000 +0100
@@ -1,3 +1,12 @@
+dokuwiki (0.0.20140505.a+dfsg-4) testing-proposed-updates; urgency=high
+
+ * debian/patches: security fix, from upstream hotfix release
+ + cve-2015-2172_check_permissions_in_rpc.patch: check permissions in the
+ ACL plugin's RPC API to avoid a privilege escalation. (CVE-2015-2172)
+ (Closes: #779547)
+
+ -- Tanguy Ortolo <tanguy+debian@ortolo.eu> Sun, 22 Mar 2015 17:40:22 +0100
+
dokuwiki (0.0.20140505.a+dfsg-3) unstable; urgency=medium
* debian/config: only set a default password if the question was skipped
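Review bot: the changelog entry does not name the upstream hotfix release the patch was taken from, while the unblock request above does (2014-05-05d). Adding it to the `+ cve-2015-2172_check_permissions_in_rpc.patch:` line, e.g. "cherry-picked from upstream release 2014-05-05d", makes the provenance visible to anyone reading only the package changelog. Distribution `testing-proposed-updates` and `urgency=high` are consistent with the request.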
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch
--- dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch 1970-01-01 01:00:00.000000000 +0100
+++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch 2015-03-22 18:06:36.000000000 +0100
@@ -0,0 +1,58 @@
+Description: Fix CVE-2015-2172 by checking permissions in ACL plugin's RPC API
+ This fixes a security hole in the ACL plugins remote API component. The
+ plugin failed to check for superuser permissions before executing ACL
+ addition or deletion. This means everybody with permissions to call the
+ XMLRPC API also had permissions to set up their own ACL rules and thus
+ circumventing any existing rules.
+Origin: upstream, https://github.com/splitbrain/dokuwiki/commit/16ca97e1690c775fa74d3c3cb1a906685a37b53b
+Bug-Debian: https://bugs.debian.org/779547
+Author: Andreas Gohr <andi@splitbrain.org>
+Last-Update: 2015-03-22
+
+diff --git a/lib/plugins/acl/remote.php b/lib/plugins/acl/remote.php
+index 6d5201c..9433b77 100644
+--- a/lib/plugins/acl/remote.php
++++ b/lib/plugins/acl/remote.php
+@@ -17,12 +17,39 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin {
+ );
+ }
+
+- function addAcl($scope, $user, $level){
++ /**
++ * Add a new entry to ACL config
++ *
++ * @param string $scope
++ * @param string $user
++ * @param int $level see also inc/auth.php
++ * @throws RemoteAccessDeniedException
++ * @return bool
++ */
++ public function addAcl($scope, $user, $level){
++ if(!auth_isadmin()) {
++ throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114);
++ }
++
++ /** @var admin_plugin_acl $apa */
+ $apa = plugin_load('admin', 'acl');
+ return $apa->_acl_add($scope, $user, $level);
+ }
+
+- function delAcl($scope, $user){
++ /**
++ * Remove an entry from ACL config
++ *
++ * @param string $scope
++ * @param string $user
++ * @throws RemoteAccessDeniedException
++ * @return bool
++ */
++ public function delAcl($scope, $user){
++ if(!auth_isadmin()) {
++ throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114);
++ }
++
++ /** @var admin_plugin_acl $apa */
+ $apa = plugin_load('admin', 'acl');
+ return $apa->_acl_del($scope, $user);
+ }
+
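Review bot: the guard `if(!auth_isadmin())` is placed before `plugin_load('admin', 'acl')` in both `addAcl` and `delAcl`, so a rejected caller never reaches `_acl_add` or `_acl_del` and no ACL state is touched; that is the right ordering for this fix and matches the Description header. Two things to confirm outside the hunk: first, the `@@ -17,12 +17,39 @@` context starts just after the closing `);` of the method table, so check that the table registers no other ACL-modifying method that would still lack the superuser check; second, both methods also change from implicit visibility to `public`, which is harmless for a DokuWiki_Remote_Plugin subclass but is a behavioural detail worth a one-line mention in the DEP-3 Description. The DEP-3 headers (Description, Origin, Bug-Debian, Author, Last-Update) are complete, and the exception code 114 is used consistently in both methods.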
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/series dokuwiki-0.0.20140505.a+dfsg/debian/patches/series
--- dokuwiki-0.0.20140505.a+dfsg/debian/patches/series 2014-08-26 07:27:13.000000000 +0200
+++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/series 2015-03-22 18:48:40.000000000 +0100
@@ -4,3 +4,4 @@
debianize.diff
soften_email_validator.diff
use_packaged_jquery.diff
+cve-2015-2172_check_permissions_in_rpc.patch
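Review bot: the new patch is appended after `use_packaged_jquery.diff`, so it applies last in the series. None of the listed patch names suggest they touch `lib/plugins/acl/remote.php`, so ordering should not affect it, but confirm with `quilt push -a` that it applies without fuzz against the debianized tree rather than only against the upstream commit.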