Bug 628482 (CVE-2017-12979, CVE-2017-12980)

Summary:	<www-apps/dokuwiki-{20160626e, 20170219e}: Multiple XSS Vulnerabilities (CVE-2017-{12979,12980})
Product:	Gentoo Security	Reporter:	Aleksandr Wagner (Kivak) <alwag>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	jmbsvicetto, web-apps
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	~4 [noglsa cve]
Package list:		Runtime testing required:	---

Description Aleksandr Wagner (Kivak) 2017-08-21 08:32:19 UTC

CVE-2017-12979 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12979):

DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. An attacker can create or edit a wiki with this element to trigger JavaScript execution. 

References:

https://github.com/splitbrain/dokuwiki/issues/2080

Fix:

https://github.com/phy25/dokuwiki/commit/56bd9509ab2037512829392fda6427af7f390724

CVE-2017-12980 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12980):

DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. The JavaScript can be in an author field, as demonstrated by the dc:creator element. 

References:

https://github.com/splitbrain/dokuwiki/issues/2081

Fix:

https://github.com/phy25/dokuwiki/commit/163c2842d17452fffabffccaba3e18b7fbd5fc0b

Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure

2017-08-24 10:05:12 UTC

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c31676125999f57f4e98a7b2c63346f6fe14261f

www-apps/dokuwiki: Add releases 20160626e and 20170219e - security bump to address CVE-2017-{12583,12979,12980}. Fixes bug 627154 and bug 628482.