Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 522146 (CVE-2014-8761) - <www-apps/dokuwiki-{20140505b,20140929a}: Multiple vulnerabilities (CVE-2014-{8761,8762,8763,8764})
Summary: <www-apps/dokuwiki-{20140505b,20140929a}: Multiple vulnerabilities (CVE-2014-...
Status: RESOLVED FIXED
Alias: CVE-2014-8761
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Low trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C4 [noglsa]
Keywords:
: 524608 524968 (view as bug list)
Depends on:
Blocks:
 
Reported: 2014-09-04 10:48 UTC by Neil
Modified: 2015-04-23 15:58 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Neil 2014-09-04 10:48:51 UTC
Being told there is a security hotfix available...

"Security Hotfix 2014-05-05a for Issue 765 available. upgrade now! [44.1] (what's this?)"

Issue 765 is described at https://github.com/splitbrain/dokuwiki/issues/765



Reproducible: Always
Comment 1 Michael Kefeder 2014-09-11 16:16:04 UTC
Just ran into this one aswell. quickfix: rename of ebuild is enough to get it to work.
Comment 2 Neil 2014-10-01 14:45:37 UTC
More recent updates for Dokuwiki, I'm informed there is now a security update to 2014-05-05b and a new release to 2014-09-29.
Comment 3 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-10-05 16:43:24 UTC
My apologies for not taking care of this bump earlier, but I've been busy with other stuff.

16:41 < irker171> gentoo-x86: jmbsvicetto www-apps/dokuwiki: Add 20140505b and 20140929 releases. Update to EAPI 5. Fixes bug 522146.
Comment 4 Thomas Beutin 2014-10-06 13:03:06 UTC
*** Bug 524608 has been marked as a duplicate of this bug. ***
Comment 5 Neil 2014-10-06 13:18:57 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #3)
> My apologies for not taking care of this bump earlier, but I've been busy
> with other stuff.
> 

Not a problem, we all have busy lives.  Thanks for updating, installs and updates fine here.
Comment 6 Thomas Beutin 2014-10-08 12:44:45 UTC
Hotfix release available: 2014-09-29a "Hrun" available, but not mentioned on the changelogs page yet. Maybe it's this:
https://github.com/splitbrain/dokuwiki/issues/885
Comment 7 Jeroen Roovers gentoo-dev 2014-10-10 21:36:04 UTC
*** Bug 524968 has been marked as a duplicate of this bug. ***
Comment 8 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-10-11 05:02:28 UTC
(In reply to Thomas Beutin from comment #6)
> Hotfix release available: 2014-09-29a "Hrun" available, but not mentioned on
> the changelogs page yet. Maybe it's this:
> https://github.com/splitbrain/dokuwiki/issues/885

Going through https://github.com/splitbrain/dokuwiki/issues/885 , this doesn't seem a security or feature bump, but a compatibility patch for a very old libpcre version. From a quick glance at libpcre ChangeLog, that version seems to have been removed from the tree on 05 Feb 2008, so over 6.5 years ago.
Comment 9 Philippe Chaintreuil 2014-10-11 11:19:19 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #8)
> Going through https://github.com/splitbrain/dokuwiki/issues/885 , this
> doesn't seem a security or feature bump, but a compatibility patch for a
> very old libpcre version. From a quick glance at libpcre ChangeLog, that
> version seems to have been removed from the tree on 05 Feb 2008, so over 6.5
> years ago.

This bug was originally a request to bump to 20140505a for security reasons.  It looks like Jer decided yesterday to evolve it into a request for the 20140929a version bump (see closed duplicate bug #524968), which is just this "hotfix" for 20140929 which is already in the tree.

I agree with your assessment that it's a compatibility fix for an ancient and unlikely present libpcre.  The main reason I'd say for still doing the version bump is that dokuwiki has a nag/warning on every page when you're not up-to-date.
Comment 10 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-10-11 14:05:15 UTC
(In reply to Philippe Chaintreuil from comment #9)
> 
> I agree with your assessment that it's a compatibility fix for an ancient
> and unlikely present libpcre.  The main reason I'd say for still doing the
> version bump is that dokuwiki has a nag/warning on every page when you're
> not up-to-date.

Yes, I'm going to do the bump. I already did a diff between versions yesterday and noticed the code path won't even change (they added a check for libpcre version and if it's >= 6.7, they use the same code, if not, they use the compatibility code.
I'll add it to my overlay / tree in a few minutes.
Comment 11 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-10-13 16:02:25 UTC
15:55 < irker043> gentoo-x86: jmbsvicetto www-apps/dokuwiki: Add 20140929a release. Drop old. Fixes bug 522146.

Done.

@security:

as seen on https://github.com/splitbrain/dokuwiki/issues/765 , there is a security issue affecting dokuwiki versions prior to 20140505b and 2140929. If you want to track this, an email requesting a CVE has already been sent to the oss-security ml and I suggest marking stable the 20140505b and 20140929a releases. The latter has a small compatibility patch and was released a few days after 20140929.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2014-10-15 02:29:43 UTC
Making this a security bug

Maintainers, please advise when ebuilds have had enough testing, and are ready for stabilization.
Comment 13 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-10-15 10:13:25 UTC
Both 20140505b and 20140929a should be ready for being marked stable.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-10-22 22:25:15 UTC
CVE-2014-8764 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8764):
  DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP
  authentication, allows remote attackers to bypass authentication via a user
  name and password starting with a null (\0) character, which triggers an
  anonymous bind.

CVE-2014-8763 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8763):
  DokuWiki before 2014-05-05b, when using Active Directory for LDAP
  authentication, allows remote attackers to bypass authentication via a
  password starting with a null (\0) character and a valid user name, which
  triggers an unauthenticated bind.

CVE-2014-8762 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8762):
  The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote
  attackers to access arbitrary images via a crafted namespace in the ns
  parameter.

CVE-2014-8761 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8761):
  inc/template.php in DokuWiki before 2014-05-05a only checks for access to
  the root namespace, which allows remote attackers to access arbitrary images
  via a media file details ajax call.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-10-22 22:25:49 UTC
CVE-2014-8764 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8764):
  DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP
  authentication, allows remote attackers to bypass authentication via a user
  name and password starting with a null (\0) character, which triggers an
  anonymous bind.

CVE-2014-8763 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8763):
  DokuWiki before 2014-05-05b, when using Active Directory for LDAP
  authentication, allows remote attackers to bypass authentication via a
  password starting with a null (\0) character and a valid user name, which
  triggers an unauthenticated bind.

CVE-2014-8762 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8762):
  The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote
  attackers to access arbitrary images via a crafted namespace in the ns
  parameter.

CVE-2014-8761 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8761):
  inc/template.php in DokuWiki before 2014-05-05a only checks for access to
  the root namespace, which allows remote attackers to access arbitrary images
  via a media file details ajax call.
Comment 16 Sean Amoss gentoo-dev Security 2014-10-22 22:33:47 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #13)
> Both 20140505b and 20140929a should be ready for being marked stable.

Thanks, Jorge. 

Arches, please test and mark stable.

Target KEYWORDS: "amd64 ~ppc ~sparc x86"
Comment 17 Agostino Sarubbo gentoo-dev 2014-10-27 14:23:14 UTC
amd64 stable
Comment 18 Agostino Sarubbo gentoo-dev 2014-10-27 14:23:29 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-22 21:12:30 UTC
Arches, Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).
Comment 20 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2015-04-23 02:10:49 UTC
Vulnerable versions have been dropped.
Comment 21 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-23 15:58:56 UTC
Maintainer(s), Thank you for you for cleanup.