Summary: | <www-apps/dokuwiki-20090214b: remote code execution (CVE-2009-1960) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Philippe Chaintreuil <gentoo_bugs_peep> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | major | CC: | axiator, ramereth, sping | ||||
Priority: | Highest | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | http://bugs.splitbrain.org/index.php?do=details&task_id=1700 | ||||||
Whiteboard: | C1 [glsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Bug Depends on: | |||||||
Bug Blocks: | 259624 | ||||||
Attachments: |
|
Description
Philippe Chaintreuil
2009-06-03 13:48:38 UTC
Setting whiteboard. Maintainer, please bump as necessary. Shouldn't this be assigned to security? Doing so... Shouldn't this be C1, as this is a remote code execution issue? Changing from C3, also raising Severity from minor to major as such. Also changing summary to match the other sec bugs' style. ====================================================== Name: CVE-2009-1960 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1960 inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs. Ping. Any movement on this? It's been almost three weeks since this has been submitted. Created attachment 195663 [details]
Proposed ebuild
I've attached a proposed ebuild for dokuwiki-20090214b. It ignores the issues brought up in #259624 about "EAPI=2 rework" (security presses more than upgrades), but needed to go a little further than just a rename of the ebuild:
The source tarball is named with the trailing 'b', but it extracts into a directory without it. In src_unpack(), there was an existing rename of the folder, I just had it not use a variation of MY_PV instead of the previous use of MY_PV.
I don't mess with ebuilds much, so someone should double check my changes. I have this installed and it seems to work for me.
Oh, and before that ebuild gets checked in to the tree, the arch keywords should get fixed. I'm waiting for a bump, too. Anything besides the keywords in the way? Arches, please test and mark stable: =www-apps/dokuwiki-20090214b Target keywords : "amd64 ppc sparc x86" Already stabled : "amd64" Missing keywords: "ppc sparc x86" +*dokuwiki-20090214b (29 Jun 2009) + + 29 Jun 2009; Alex Legler <a3li@gentoo.org> -dokuwiki-20080505.ebuild, + +dokuwiki-20090214b.ebuild: + Non-maintainer commit: Version bump for security bug 272431. amd64 stable. + Thanks to Philippe Chaintreuil for proposing an updated ebuild. Removing + vulnerable version in ~arch. + x86 stable sparc stable ppc, ping ppc stable. Request filed. GLSA 200908-09 |