
Bug#1036524: marked as done (unblock: dokuwiki/0.0.20220731.a-2)



Your message dated Wed, 24 May 2023 18:47:07 +0200
with message-id <78caef53-3783-00c3-04c2-c0f04c27cb01@debian.org>
and subject line Re: Bug#1036524: unblock: dokuwiki/0.0.20220731.a-2
has caused the Debian Bug report #1036524,
regarding unblock: dokuwiki/0.0.20220731.a-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036524
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: dokuwiki@packages.debian.org, abe@debian.org
Control: affects -1 + src:dokuwiki

Please unblock package dokuwiki/0.0.20220731.a-2

It fixes an XSS security issue (#1036279) for which upstream has
released a hotfix for two upstream releases, including the release
"Igor", which is the one currently in Debian Sid/Bookworm. (There has
been a new major upstream release since the beginning of the
freeze. See https://www.dokuwiki.org/changes for details.)

The Debian Security Team considers this issue to be of grave severity.

[ Reason ]

A cross-site scripting (XSS) issue has been detected in DokuWiki's RSS
feed generator. This is the security update to fix it.

[ Impact ]

DokuWiki installations will be exposed to an XSS security issue in the
RSS feed generator in Debian 12 Bookworm, at least at release time.

Given that the Debian Security Team considers the issue grave, it
might be that the security team publishes more or less the same
package as just uploaded also as a DSA for Bookworm if it's not
migrating to testing before the release. (I haven't asked them, though.
I just based this on the severity they've given to the issue.)

[ Tests ]

* Ran for 2 days on a DokuWiki instance which I run on Debian Testing.
* Tested viewing, editing and the RSS feed generation on that site.

[ Risks ]

The upstream fix is small-ish, but not straightforward, and contains
order changes where it is at least not obvious to me why. It does,
though, clearly add some additional escaping to the code. (The version
bump patch, though, is straightforward.)

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

I've included the whole difference between 2022-07-31a and 2022-07-31b
in the upload (see the upstream diff at
https://github.com/dokuwiki/dokuwiki/compare/release-2022-07-31a...release-2022-07-31b#files_bucket)
in two patches (as they were split over two commits upstream),
including the version and message version bump. The reasoning behind the
latter is that security scanners potentially won't complain about
this being 2022-07-31a and being vulnerable to that XSS issue even
though it isn't. So this is de facto an upgrade to the upstream hotfix
version 2022-07-31b — which contains nothing but the XSS fix and a
version bump.

I've not used the upstream tarball for the hotfix for that release as
it dropped about 136 files from the tarball. See
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036279#14 for the
whole list of missing files.

So please

unblock dokuwiki/0.0.20220731.a-2
diff -Nru dokuwiki-0.0.20220731.a/debian/changelog dokuwiki-0.0.20220731.a/debian/changelog
--- dokuwiki-0.0.20220731.a/debian/changelog	2022-11-14 04:24:11.000000000 +0100
+++ dokuwiki-0.0.20220731.a/debian/changelog	2023-05-21 15:01:45.000000000 +0200
@@ -1,3 +1,12 @@
+dokuwiki (0.0.20220731.a-2) unstable; urgency=high
+
+  * Cherry pick upstream 2022-07-31b hotfix patches for the Igor release:
+    + ba76f875: fix XSS in RSS syntax
+    + b7fcf218: hotfix release for Igor
+    Closes: #1036279
+
+ -- Axel Beckert <abe@debian.org>  Sun, 21 May 2023 15:01:45 +0200
+
 dokuwiki (0.0.20220731.a-1) unstable; urgency=medium
 
   * Salvage package. (Closes: #1008649)
diff -Nru dokuwiki-0.0.20220731.a/debian/patches/cherrypick_b7fcf218_hotfix_release_for_igor.patch dokuwiki-0.0.20220731.a/debian/patches/cherrypick_b7fcf218_hotfix_release_for_igor.patch
--- dokuwiki-0.0.20220731.a/debian/patches/cherrypick_b7fcf218_hotfix_release_for_igor.patch	1970-01-01 01:00:00.000000000 +0100
+++ dokuwiki-0.0.20220731.a/debian/patches/cherrypick_b7fcf218_hotfix_release_for_igor.patch	2023-05-18 22:59:00.000000000 +0200
@@ -0,0 +1,30 @@
+From b7fcf218f1b2e858e7d41809d7dd291fc8a898f3 Mon Sep 17 00:00:00 2001
+From: Guy Brand <gb@unistra.fr>
+Date: Tue, 16 May 2023 12:49:38 +0200
+Subject: [PATCH] hotfix release a for Igor
+
+---
+ VERSION  | 2 +-
+ doku.php | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/VERSION b/VERSION
+index 7658b60750..2800ff9b24 100644
+--- a/VERSION
++++ b/VERSION
+@@ -1 +1 @@
+-2022-07-31a "Igor"
++2022-07-31b "Igor"
+diff --git a/doku.php b/doku.php
+index 50e3726327..f5117ee5eb 100644
+--- a/doku.php
++++ b/doku.php
+@@ -11,7 +11,7 @@
+ // update message version - always use a string to avoid localized floats!
+ use dokuwiki\Extension\Event;
+ 
+-$updateVersion = "53";
++$updateVersion = "53.1";
+ 
+ //  xdebug_start_profiling();
+ 
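Review bot: the shipped VERSION file now reports `2022-07-31b "Igor"` while the Debian package version stays 0.0.20220731.a-2; the unblock request explains that this mismatch is deliberate (so version-based scanners see the hotfix version), but nothing in the package itself records it. Suggest a line in the d/changelog entry such as "reported upstream VERSION is now 2022-07-31b; package version unchanged" so an administrator comparing the two is not left guessing. The cherry-picked commit's Subject reads `hotfix release a for Igor` although the hunk bumps a to b; that is upstream's wording and has no effect on the change.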
diff -Nru dokuwiki-0.0.20220731.a/debian/patches/cherrypick_ba76f875_fix_xss_in_rss_syntax.patch dokuwiki-0.0.20220731.a/debian/patches/cherrypick_ba76f875_fix_xss_in_rss_syntax.patch
--- dokuwiki-0.0.20220731.a/debian/patches/cherrypick_ba76f875_fix_xss_in_rss_syntax.patch	1970-01-01 01:00:00.000000000 +0100
+++ dokuwiki-0.0.20220731.a/debian/patches/cherrypick_ba76f875_fix_xss_in_rss_syntax.patch	2023-05-18 22:57:33.000000000 +0200
@@ -0,0 +1,67 @@
+From ba76f875ea314c950c3c595887b68abea6181e02 Mon Sep 17 00:00:00 2001
+From: Andreas Gohr <andi@splitbrain.org>
+Date: Mon, 15 May 2023 08:06:00 +0200
+Subject: [PATCH] fix XSS in RSS syntax
+
+The title was not correctly escaped when written to the doc in xhtml
+renderer.
+
+SimplePie does no content escaping on its own (a comment in the code
+seems to suggest that that was assumed). Instead the content is passed
+on as-is from the feed.
+
+This patch also applies some more escaping on the description output
+(though it should have been relatively safe thanks to the use of
+striptags).
+
+This was discovered by @ry0tak and reported in
+https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/
+---
+ inc/parser/xhtml.php | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
+index 4c2cb78b44..2c7ff54ac7 100644
+--- a/inc/parser/xhtml.php
++++ b/inc/parser/xhtml.php
+@@ -1345,17 +1345,15 @@ public function rss($url, $params) {
+             for($x = $start; $x != $end; $x += $mod) {
+                 $item = $feed->get_item($x);
+                 $this->doc .= '<li><div class="li">';
+-                // support feeds without links
++
+                 $lnkurl = $item->get_permalink();
++                $title = html_entity_decode($item->get_title(), ENT_QUOTES, 'UTF-8');
++
++                // support feeds without links
+                 if($lnkurl) {
+-                    // title is escaped by SimplePie, we unescape here because it
+-                    // is escaped again in externallink() FS#1705
+-                    $this->externallink(
+-                        $item->get_permalink(),
+-                        html_entity_decode($item->get_title(), ENT_QUOTES, 'UTF-8')
+-                    );
++                    $this->externallink($item->get_permalink(), $title);
+                 } else {
+-                    $this->doc .= ' '.$item->get_title();
++                    $this->doc .= ' '.hsc($item->get_title());
+                 }
+                 if($params['author']) {
+                     $author = $item->get_author(0);
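Review bot: the two title paths are no longer symmetric. With a permalink the title is html_entity_decode()d into `$title` and left for externallink() to escape; without one the raw `$item->get_title()` goes straight to hsc(), so `$title` is computed but unused in that branch and any entity the feed delivers already encoded (for example `&amp;`) comes out double-encoded as `&amp;amp;`. Suggest `$this->doc .= ' '.hsc($title);` so both branches decode once and escape once. Dropping the FS#1705 comment also removes the only explanation of why the decode precedes externallink(); keep a one-line note that externallink() escapes the title itself.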
+@@ -1369,11 +1367,14 @@ public function rss($url, $params) {
+                     $this->doc .= ' ('.$item->get_local_date($conf['dformat']).')';
+                 }
+                 if($params['details']) {
++                    $desc = $item->get_description();
++                    $desc = strip_tags($desc);
++                    $desc = html_entity_decode($desc, ENT_QUOTES, 'UTF-8');
+                     $this->doc .= '<div class="detail">';
+                     if($conf['htmlok']) {
+-                        $this->doc .= $item->get_description();
++                        $this->doc .= hsc($item->get_description());
+                     } else {
+-                        $this->doc .= strip_tags($item->get_description());
++                        $this->doc .= hsc($desc);
+                     }
+                     $this->doc .= '</div>';
+                 }
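Review bot: with `$conf['htmlok']` set the description is now passed through hsc() unchanged, so that branch no longer emits any feed-supplied markup and differs from the else branch only by skipping strip_tags()/html_entity_decode(). That is the safer behaviour, but it silently changes what the htmlok option means for the rss syntax and deserves a sentence in the commit message or the syntax documentation. Also `$desc` is built (strip_tags, then decode) before the `if`, so the htmlok branch does that work and discards it; move the three `$desc` lines into the else branch. The ordering in the else branch is right: strip_tags() first, decode second, hsc() last, so an encoded `&lt;script&gt;` that survives strip_tags() is decoded and then re-escaped rather than emitted live.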
diff -Nru dokuwiki-0.0.20220731.a/debian/patches/series dokuwiki-0.0.20220731.a/debian/patches/series
--- dokuwiki-0.0.20220731.a/debian/patches/series	2022-11-14 02:39:41.000000000 +0100
+++ dokuwiki-0.0.20220731.a/debian/patches/series	2023-05-18 22:59:47.000000000 +0200
@@ -5,3 +5,5 @@
 use_packaged_jquery.diff
 #use_packaged_php-random-compat.diff
 #cherrypick_6b6d27d9.patch
+cherrypick_ba76f875_fix_xss_in_rss_syntax.patch
+cherrypick_b7fcf218_hotfix_release_for_igor.patch

--- End Message ---
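The escaping change in the cherry-picked ba76f875 patch above, shown as an added example that is not DokuWiki's code and not part of the unblock request. It assumes a stand-in hsc() (htmlspecialchars with ENT_QUOTES and UTF-8, which is what DokuWiki's helper of that name is taken to do), a constructed FeedItem class in place of the SimplePie item object, and hostile feed content made up for the demonstration. It reproduces the pre-fix no-permalink title path, the post-fix path as committed, the decode-then-escape variant the permalink branch uses, and the post-fix description path, so the effect of escaping last, and the double-encoding of already-encoded entities when hsc() is applied to an undecoded title, can be seen on real strings (requires PHP 8 for constructor property promotion):

```php
<?php
declare(strict_types=1);

// Added example (not DokuWiki code): contrasts pre-fix and post-fix handling
// of an external feed item in the rss syntax renderer.
// Assumptions: hsc() stands in for DokuWiki's helper of the same name
// (htmlspecialchars with ENT_QUOTES/UTF-8); FeedItem stands in for the
// SimplePie item, which the upstream commit says returns content as-is.

function hsc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

final class FeedItem
{
    public function __construct(private string $title, private string $description) {}
    public function get_title(): string { return $this->title; }
    public function get_description(): string { return $this->description; }
}

// Pre-fix path for an item without a permalink: raw title concatenated into the page.
function renderTitleBefore(FeedItem $item): string
{
    return '<li><div class="li"> ' . $item->get_title() . '</div></li>';
}

// Post-fix path as committed: the raw title is escaped with hsc().
function renderTitleAfter(FeedItem $item): string
{
    return '<li><div class="li"> ' . hsc($item->get_title()) . '</div></li>';
}

// Variant that decodes first, as the permalink branch does, then escapes once.
function renderTitleDecodeThenEscape(FeedItem $item): string
{
    $title = html_entity_decode($item->get_title(), ENT_QUOTES, 'UTF-8');
    return '<li><div class="li"> ' . hsc($title) . '</div></li>';
}

// Post-fix description path for the non-htmlok branch: strip, decode, escape last.
function renderDescriptionAfter(FeedItem $item): string
{
    $desc = strip_tags($item->get_description());
    $desc = html_entity_decode($desc, ENT_QUOTES, 'UTF-8');
    return '<div class="detail">' . hsc($desc) . '</div>';
}

// Does a live <script tag survive into the rendered fragment?
function hasLiveScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed feed content, as a hostile feed might deliver it.
$hostile = new FeedItem(
    '<script>alert(document.domain)</script>',
    'Hello &lt;script&gt;alert(1)&lt;/script&gt; <b>world</b>'
);
$entities = new FeedItem('Tom &amp; Jerry', '');

foreach ([
    'before (no permalink)'  => renderTitleBefore($hostile),
    'after (as committed)'   => renderTitleAfter($hostile),
    'after (decode+escape)'  => renderTitleDecodeThenEscape($hostile),
    'description (after)'    => renderDescriptionAfter($hostile),
    'entities, as committed' => renderTitleAfter($entities),
    'entities, decode first' => renderTitleDecodeThenEscape($entities),
] as $label => $html) {
    printf("%-24s %s\n", $label . ':', $html);
}

assert(hasLiveScriptTag(renderTitleBefore($hostile)));
assert(!hasLiveScriptTag(renderTitleAfter($hostile)));
assert(!hasLiveScriptTag(renderDescriptionAfter($hostile)));
assert(renderTitleAfter($entities) === '<li><div class="li"> Tom &amp;amp; Jerry</div></li>');
assert(renderTitleDecodeThenEscape($entities) === '<li><div class="li"> Tom &amp; Jerry</div></li>');
```

The pre-fix line emits the script element verbatim, which is the XSS; both post-fix paths turn it into inert `&lt;script&gt;` text. The description path shows why hsc() has to come after html_entity_decode(): the encoded `&lt;script&gt;` passes strip_tags() untouched, is decoded to a real tag, and is only safe because it is escaped again at the end. The last two assertions show the cost of escaping an undecoded title: `&amp;` becomes `&amp;amp;`, whereas decoding first yields the expected `&amp;`.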
--- Begin Message ---
Hi,

On 22-05-2023 00:54, Axel Beckert wrote:
> unblock dokuwiki/0.0.20220731.a-2

unblocked and aged.

Paul



--- End Message ---
