Bug 97648 - www-apps/tikiwiki is affected by XML_RPC PHP flaw (CAN-2005-1921)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Reported: 2005-07-01 13:24 UTC by Thierry Carrez (RETIRED)
Modified: 2005-07-06 14:09 UTC
Attachments
tikiwiki.patch (tikiwiki.patch,1.07 KB, patch)
2005-07-04 13:46 UTC, Thierry Carrez (RETIRED)
Updated patch for security hole (tikiwiki.patch,1.07 KB, patch)
2005-07-05 16:12 UTC, Stuart Herbert (RETIRED)

Description Thierry Carrez (RETIRED) gentoo-dev 2005-07-01 13:24:29 UTC
According to GulfTech advisory TikiWiki is also affected.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 12:55:06 UTC
This one is not easy...
It includes some old version of phpxmlrpc code (apparently the first version),
so the fix must be backported by some PHP-aware folk (note that maybe copying
the xmlrpc.inc and xmlrpcs.inc over is sufficient?).
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 13:46:13 UTC
Created attachment 62621
tikiwiki.patch

Backported patch from PEAR
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 13:50:09 UTC
web-apps: please bump with patch... and test a little (I didn't)
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2005-07-05 16:12:08 UTC
tikiwiki-1.8.5-r1 is patched and in the tree.

I've also attached the patch that I used, in case anyone is patching copies of
this app by hand.

Best regards,
Stu
Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2005-07-05 16:12:46 UTC
Created attachment 62725
Updated patch for security hole
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-07-06 01:13:17 UTC
Ready for GLSA
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-06 14:09:58 UTC
Thx everyone. 
 
GLSA 200507-06