
Bug 522146 (CVE-2014-8761)

Summary: <www-apps/dokuwiki-{20140505b,20140929a}: Multiple vulnerabilities (CVE-2014-{8761,8762,8763,8764})
Product: Gentoo Security
Reporter: Neil <nshephard>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: gentoo_bugs_peep, jmbsvicetto, tb, web-apps
Priority: Low
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: C4 [noglsa]
Package list:
Runtime testing required: ---

Description Neil 2014-09-04 10:48:51 UTC
Being told there is a security hotfix available...

"Security Hotfix 2014-05-05a for Issue 765 available. upgrade now! [44.1] (what's this?)"

Issue 765 is described at https://github.com/splitbrain/dokuwiki/issues/765



Reproducible: Always
Comment 1 Michael Kefeder 2014-09-11 16:16:04 UTC
Just ran into this one as well. Quickfix: rename of ebuild is enough to get it to work.
Comment 2 Neil 2014-10-01 14:45:37 UTC
More recent updates for Dokuwiki, I'm informed there is now a security update to 2014-05-05b and a new release to 2014-09-29.
Comment 3 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-10-05 16:43:24 UTC
My apologies for not taking care of this bump earlier, but I've been busy with other stuff.

16:41 < irker171> gentoo-x86: jmbsvicetto www-apps/dokuwiki: Add 20140505b and 20140929 releases. Update to EAPI 5. Fixes bug 522146.
Comment 4 Thomas Beutin 2014-10-06 13:03:06 UTC
*** Bug 524608 has been marked as a duplicate of this bug. ***
Comment 5 Neil 2014-10-06 13:18:57 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #3)
> My apologies for not taking care of this bump earlier, but I've been busy
> with other stuff.
> 

Not a problem, we all have busy lives.  Thanks for updating, installs and updates fine here.
Comment 6 Thomas Beutin 2014-10-08 12:44:45 UTC
Hotfix release available: 2014-09-29a "Hrun" available, but not mentioned on the changelogs page yet. Maybe it's this:
https://github.com/splitbrain/dokuwiki/issues/885
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-10 21:36:04 UTC
*** Bug 524968 has been marked as a duplicate of this bug. ***
Comment 8 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-10-11 05:02:28 UTC
(In reply to Thomas Beutin from comment #6)
> Hotfix release available: 2014-09-29a "Hrun" available, but not mentioned on
> the changelogs page yet. Maybe it's this:
> https://github.com/splitbrain/dokuwiki/issues/885

Going through https://github.com/splitbrain/dokuwiki/issues/885 , this doesn't seem a security or feature bump, but a compatibility patch for a very old libpcre version. From a quick glance at libpcre ChangeLog, that version seems to have been removed from the tree on 05 Feb 2008, so over 6.5 years ago.
Comment 9 Philippe Chaintreuil 2014-10-11 11:19:19 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #8)
> Going through https://github.com/splitbrain/dokuwiki/issues/885 , this
> doesn't seem a security or feature bump, but a compatibility patch for a
> very old libpcre version. From a quick glance at libpcre ChangeLog, that
> version seems to have been removed from the tree on 05 Feb 2008, so over 6.5
> years ago.

This bug was originally a request to bump to 20140505a for security reasons.  It looks like Jer decided yesterday to evolve it into a request for the 20140929a version bump (see closed duplicate bug #524968), which is just this "hotfix" for 20140929 which is already in the tree.

I agree with your assessment that it's a compatibility fix for an ancient and unlikely present libpcre.  The main reason I'd say for still doing the version bump is that dokuwiki has a nag/warning on every page when you're not up-to-date.
Comment 10 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-10-11 14:05:15 UTC
(In reply to Philippe Chaintreuil from comment #9)
> 
> I agree with your assessment that it's a compatibility fix for an ancient
> and unlikely present libpcre.  The main reason I'd say for still doing the
> version bump is that dokuwiki has a nag/warning on every page when you're
> not up-to-date.

Yes, I'm going to do the bump. I already did a diff between versions yesterday and noticed the code path won't even change (they added a check for libpcre version and if it's >= 6.7, they use the same code, if not, they use the compatibility code).
I'll add it to my overlay / tree in a few minutes.
Comment 11 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-10-13 16:02:25 UTC
15:55 < irker043> gentoo-x86: jmbsvicetto www-apps/dokuwiki: Add 20140929a release. Drop old. Fixes bug 522146.

Done.

@security:

As seen on https://github.com/splitbrain/dokuwiki/issues/765 , there is a security issue affecting dokuwiki versions prior to 20140505b and 2140929. If you want to track this, an email requesting a CVE has already been sent to the oss-security ml and I suggest marking stable the 20140505b and 20140929a releases. The latter has a small compatibility patch and was released a few days after 20140929.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 02:29:43 UTC
Making this a security bug

Maintainers, please advise when ebuilds have had enough testing, and are ready for stabilization.
Comment 13 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-10-15 10:13:25 UTC
Both 20140505b and 20140929a should be ready for being marked stable.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-10-22 22:25:15 UTC
CVE-2014-8764 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8764):
  DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP
  authentication, allows remote attackers to bypass authentication via a user
  name and password starting with a null (\0) character, which triggers an
  anonymous bind.

CVE-2014-8763 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8763):
  DokuWiki before 2014-05-05b, when using Active Directory for LDAP
  authentication, allows remote attackers to bypass authentication via a
  password starting with a null (\0) character and a valid user name, which
  triggers an unauthenticated bind.

CVE-2014-8762 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8762):
  The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote
  attackers to access arbitrary images via a crafted namespace in the ns
  parameter.

CVE-2014-8761 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8761):
  inc/template.php in DokuWiki before 2014-05-05a only checks for access to
  the root namespace, which allows remote attackers to access arbitrary images
  via a media file details ajax call.
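
Added example (not part of this bug thread and not DokuWiki's code): a small model of the two LDAP issues described in CVE-2014-8764 and CVE-2014-8763, with a guard that refuses such credentials before any bind. It assumes the bind layer handles credentials as C strings that end at the first NUL; all function names here are hypothetical.

```python
# Added illustration, not DokuWiki code. Assumption: the bind layer treats
# credentials as C strings, so everything from the first NUL on is dropped.
from enum import Enum


class BindType(Enum):
    ANONYMOUS = "anonymous"              # empty name, empty password
    UNAUTHENTICATED = "unauthenticated"  # name set, empty password
    AUTHENTICATED = "authenticated"      # name set, password set
    OTHER = "other"                      # empty name with a password


def c_string(value: bytes) -> bytes:
    """What a C-string consumer keeps: the bytes before the first NUL."""
    return value.split(b"\x00", 1)[0]


def effective_bind(user: bytes, password: bytes) -> BindType:
    """Classify the simple bind that results after truncation, using the
    RFC 4513 section 5.1 categories."""
    name, secret = c_string(user), c_string(password)
    if not name and not secret:
        return BindType.ANONYMOUS
    if name and not secret:
        return BindType.UNAUTHENTICATED
    if name:
        return BindType.AUTHENTICATED
    return BindType.OTHER


def credentials_acceptable(user: str, password: str) -> bool:
    """Guard to run before any bind: refuse empty values and values that
    contain a NUL, so an application-side "non-empty" check and the bind
    layer cannot disagree about what was submitted."""
    return all(value and "\x00" not in value for value in (user, password))


def login_allowed(user: str, password: str, bind_succeeded: bool) -> bool:
    """A successful bind counts as a login only when the credentials passed
    the guard and the bind was a name/password (authenticated) bind."""
    kind = effective_bind(user.encode(), password.encode())
    return (credentials_acceptable(user, password)
            and kind is BindType.AUTHENTICATED
            and bind_succeeded)
```

The point of `login_allowed` is that a directory server may answer an anonymous or unauthenticated bind with success, so bind success alone is not evidence that a password was verified.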
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2014-10-22 22:33:47 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #13)
> Both 20140505b and 20140929a should be ready for being marked stable.

Thanks, Jorge. 

Arches, please test and mark stable.

Target KEYWORDS: "amd64 ~ppc ~sparc x86"
Comment 17 Agostino Sarubbo gentoo-dev 2014-10-27 14:23:14 UTC
amd64 stable
Comment 18 Agostino Sarubbo gentoo-dev 2014-10-27 14:23:29 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 21:12:30 UTC
Arches, Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).
Comment 20 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2015-04-23 02:10:49 UTC
Vulnerable versions have been dropped.
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-04-23 15:58:56 UTC
Maintainer(s), Thank you for cleanup.