
Bug 272431 (CVE-2009-1960)

Summary: <www-apps/dokuwiki-20090214b: remote code execution (CVE-2009-1960)
Product: Gentoo Security
Reporter: Philippe Chaintreuil <gentoo_bugs_peep>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: axiator, ramereth, sping
Priority: Highest
Version: unspecified
Hardware: All
OS: Linux
URL: http://bugs.splitbrain.org/index.php?do=details&task_id=1700
Whiteboard: C1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 259624
Attachments: Proposed ebuild (flags: none)

Description Philippe Chaintreuil 2009-06-03 13:48:38 UTC
DokuWiki has released a patched version of their latest release to fix a "local file inclusion" bug.

-------------------------------------------------------------------------------
A security hole was discovered which allows an attacker to include arbitrary files located on the attacked DokuWiki installation. The included file is executed in the PHP context. This can be escalated by introducing malicious code through uploading a file via the media manager or placing PHP code in editable pages.
-------------------------------------------------------------------------------
[ from http://bugs.splitbrain.org/index.php?do=details&task_id=1700 ]

This replaces dokuwiki-2009-02-14, so this bug can replace the 4-month-old Gentoo bug #259624.

This is probably a simple version bump of the latest ebuild, so it shouldn't be hard to fix.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-06-03 14:29:06 UTC
Setting whiteboard. Maintainer, please bump as necessary.
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2009-06-03 16:16:28 UTC
Shouldn't this be assigned to security? Doing so...
Shouldn't this be C1, as this is a remote code execution issue? Changing from C3, also raising Severity from minor to major as such.
Also changing summary to match the other sec bugs' style.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-06 20:53:33 UTC
======================================================
Name: CVE-2009-1960
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1960

inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30,
when register_globals is enabled, allows remote attackers to include
and execute arbitrary local files via the
config_cascade[main][default][] parameter to doku.php.  NOTE: PHP
remote file inclusion is also possible in PHP 5 using ftp:// URLs.
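For detection, the following is an added example (not part of the bug report or of DokuWiki) that scans web server access logs for requests setting the `config_cascade` parameter named in the CVE text. It assumes common/combined log format; the log lines, addresses and parameter values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Client address and request target from a common/combined-format log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)
PARAM = "config_cascade"  # parameter named in the CVE-2009-1960 description

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jun/2009:13:50:01 +0000] '
    '"GET /doku.php?id=start HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Jun/2009:13:51:44 +0000] '
    '"GET /doku.php?config_cascade%5Bmain%5D%5Bdefault%5D%5B%5D=PLACEHOLDER_LOCAL_PATH HTTP/1.1" 200 812',
    '203.0.113.5 - - [03/Jun/2009:13:52:09 +0000] '
    '"GET /doku.php?config_cascade[main][default][]=ftp://host.example/placeholder HTTP/1.0" 200 640',
]


def inspect_line(line):
    """Return a finding dict if the request sets config_cascade, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so %255B-style double
        # encoding of the brackets is still recognised.
        name, value = unquote(name), unquote(value)
        if name == PARAM or name.startswith(PARAM + "["):
            return {
                "ip": m.group("ip"),
                "path": parts.path,
                "param": name,
                "value": value,
                # The CVE note mentions ftp:// URLs; flag any scheme-prefixed value.
                "remote_scheme": bool(SCHEME_RE.match(value)),
            }
    return None


def scan(lines):
    """Collect findings for every log line that sets the parameter."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

With register_globals enabled, POST fields and cookies populate globals as well, and those do not appear in access logs, so an empty result here does not rule out attempts.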
Comment 4 Philippe Chaintreuil 2009-06-22 18:43:59 UTC
Ping.

Any movement on this?  It's been almost three weeks since this has been submitted.
Comment 5 Philippe Chaintreuil 2009-06-24 15:01:54 UTC
Created attachment 195663
Proposed ebuild

I've attached a proposed ebuild for dokuwiki-20090214b.  It ignores the issues brought up in #259624 about "EAPI=2 rework" (security presses more than upgrades), but needed to go a little further than just a rename of the ebuild:

The source tarball is named with the trailing 'b', but it extracts into a directory without it.  In src_unpack(), there was an existing rename of the folder; I just had it now use a variation of MY_PV instead of the previous use of MY_PV.

I don't mess with ebuilds much, so someone should double check my changes.  I have this installed and it seems to work for me.
Comment 6 Philippe Chaintreuil 2009-06-24 15:05:53 UTC
Oh, and before that ebuild gets checked in to the tree, the arch keywords should get fixed.
Comment 7 Sebastian Pipping gentoo-dev 2009-06-29 01:20:18 UTC
I'm waiting for a bump, too.

Anything besides the keywords in the way?
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-29 09:16:14 UTC
Arches, please test and mark stable:
=www-apps/dokuwiki-20090214b
Target keywords : "amd64 ppc sparc x86"
Already stabled : "amd64"
Missing keywords: "ppc sparc x86"

+*dokuwiki-20090214b (29 Jun 2009)
+
+  29 Jun 2009; Alex Legler <a3li@gentoo.org> -dokuwiki-20080505.ebuild,
+  +dokuwiki-20090214b.ebuild:
+  Non-maintainer commit: Version bump for security bug 272431. amd64 stable.
+  Thanks to Philippe Chaintreuil for proposing an updated ebuild. Removing
+  vulnerable version in ~arch.
+
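Review bot: The message text "Removing vulnerable version in ~arch" does not say which ebuild that is, and the only removal listed in the entry header is -dokuwiki-20080505.ebuild. Name the removed version in the message itself so a reader can match it against the affected releases. The entry also references only bug 272431; adding CVE-2009-1960 beside the bug number would make the ChangeLog searchable by CVE.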

Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-29 13:54:38 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-06-30 14:08:57 UTC
sparc stable
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-07-18 17:21:25 UTC
ppc, ping
Comment 12 nixnut (RETIRED) gentoo-dev 2009-07-19 18:42:03 UTC
ppc stable.
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-19 18:47:40 UTC
Request filed.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-18 21:42:00 UTC
GLSA 200908-09