Your message dated Sat, 16 Apr 2016 21:48:54 +0000
with message-id <[email protected]>
and subject line Bug#818708: fixed in didiwiki 0.5-11+deb7u2
has caused the Debian Bug report #818708,
regarding didiwiki regression: fix for CVE-2013-7448 renders many existing pages inaccessible
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
818708: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818708
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: didiwiki
Version: 0.5-11+deb8u1
Severity: important

In its attempt to prevent escape from /var/lib/didiwiki, patch
91_check_page_path.patch goes way too far and renders a large class of
reasonable and previously valid page names inaccessible.

The main culprit is the check for isalnum(page_name[0]): this is painful
for CJK users since Chinese characters aren't alphanumeric. More generally,
it's unlikely to work as intended with UTF8-encoded names; e.g. page names
that start with á (which is alphanumeric in some locales) are rejected.

I guess the intent was to exclude absolute pathnames. That's more
properly coded
    if (page_name[0] == '/')
        return FALSE;
The checks are done after %-escapes are processed, so there is no need to
separately guard against a leading %2F .

(Also, I'd only disallow ".." if it's preceded and followed by either a 
slash or an extremity of the string. No need to forbid ellipsis in
page names...)

--- End Message ---
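Worked example of the checks the report proposes, as an added illustration that is not didiwiki's code or the patch in question. It decodes %-escapes first (the report notes didiwiki's checks run on the decoded name), then rejects a leading '/' and any ".." that forms a whole path component, while letting names that start with a non-ASCII UTF-8 byte or contain an ellipsis through. The helper names (`percent_decode`, `page_path_ok`, `page_request_ok`) and the 256-byte buffer are assumptions for the example; `old_first_char_check` reproduces the `isalnum(page_name[0])` test the report criticises so the two can be compared.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper: decode %XX escapes from src into dst.
   Returns false on a malformed escape, a decoded NUL byte (which would
   silently truncate the C string), or an overlong result. */
bool percent_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            if (hi < 0) return false;          /* also covers a trailing '%' */
            int lo = hexval((unsigned char)src[i + 2]);
            if (lo < 0) return false;
            c = hi * 16 + lo;
            if (c == 0) return false;          /* %00 must not truncate the name */
            i += 2;
        }
        if (o + 1 >= dstlen) return false;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return true;
}

/* The check the report objects to: only an ASCII alphanumeric first byte
   passes, so a UTF-8 name such as "árbol" (first byte 0xC3) or any CJK
   title is rejected in the C locale. */
bool old_first_char_check(const char *page_name)
{
    return isalnum((unsigned char)page_name[0]) != 0;
}

/* True when the ".." starting at s[i] is a whole path component, i.e.
   bounded on both sides by '/' or by the start/end of the string. */
static bool dotdot_component(const char *s, size_t i)
{
    bool start_ok = (i == 0) || (s[i - 1] == '/');
    bool end_ok = (s[i + 2] == '\0') || (s[i + 2] == '/');
    return start_ok && end_ok;
}

/* The check as the report suggests it: refuse absolute paths and ".."
   components only. Rejecting the empty name is an extra choice made here. */
bool page_path_ok(const char *page_name)
{
    if (page_name[0] == '\0' || page_name[0] == '/')
        return false;
    for (size_t i = 0; page_name[i] != '\0'; i++) {
        if (page_name[i] == '.' && page_name[i + 1] == '.' &&
            dotdot_component(page_name, i))
            return false;
    }
    return true;
}

/* Full pipeline on a raw request: decode, then validate the decoded name. */
bool page_request_ok(const char *raw)
{
    char decoded[256];
    if (!percent_decode(raw, decoded, sizeof decoded))
        return false;
    return page_path_ok(decoded);
}

int main(void)
{
    /* Constructed sample names, including the UTF-8 "árbol" from the report's point. */
    const char *samples[] = { "Foo", "\xc3\xa1" "rbol", "wait...", "a..b",
                              "/etc/passwd", "%2Fetc%2Fpasswd", "..%2Fx",
                              "a/../b", "a%00b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s old=%d new=%d\n", samples[i],
               old_first_char_check(samples[i]), page_request_ok(samples[i]));
    return 0;
}
```

Note that this only addresses the two concerns the report raises (absolute paths and parent-directory components); a name containing '/' still maps to a subdirectory of the page store, which is a separate design decision.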
--- Begin Message ---
Source: didiwiki
Source-Version: 0.5-11+deb7u2

We believe that the bug you reported is fixed in the latest version of
didiwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ignace Mouzannar <[email protected]> (supplier of updated didiwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 Apr 2016 10:03:40 -0400
Source: didiwiki
Binary: didiwiki
Architecture: source amd64
Version: 0.5-11+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Ignace Mouzannar <[email protected]>
Changed-By: Ignace Mouzannar <[email protected]>
Description: 
 didiwiki   - simple wiki implementation with built-in webserver
Closes: 818708
Changes: 
 didiwiki (0.5-11+deb7u2) wheezy-security; urgency=high
 .
   * debian/patches:
     - 91_check_page_path.patch: updated patch to correct restrictive behavior,
       rendering pages beginning with non alpha-numeric UTF-8 characters, such
       as "à", inaccessible.
       Thank you Sergio Gelato <[email protected]> for your report and
       help! (Closes: #818708)
Checksums-Sha1: 
 82e482dcf44149d2558cb307eba39fce1407a3ae 1687 didiwiki_0.5-11+deb7u2.dsc
 ce1b0615e4b3de8b64e4daa40105c3f5f8c61d6f 15796 didiwiki_0.5-11+deb7u2.debian.tar.gz
 168e6ce905f6d44233170c452ac5b3a0bca22bc4 31854 didiwiki_0.5-11+deb7u2_amd64.deb
Checksums-Sha256: 
 739d9ac8777509c4d990e139c3bf848ca62009de44c417ba8fdc800bb1f070ce 1687 didiwiki_0.5-11+deb7u2.dsc
 a1450f05b00f8c8e08b326d79ef44e71f6c9d650fb64163e597b9b567b0daff1 15796 didiwiki_0.5-11+deb7u2.debian.tar.gz
 05f3274e0cc6a5bc54e7cdbcbdd4c9fe666ad97e07faaa64f5eb827e35a98c04 31854 didiwiki_0.5-11+deb7u2_amd64.deb
Files: 
 840ea03e25094daab1ee8b8a6260c34b 1687 web optional didiwiki_0.5-11+deb7u2.dsc
 ee139b03433c1f214d87680eb3ff6941 15796 web optional didiwiki_0.5-11+deb7u2.debian.tar.gz
 e12af61366227a9e953e1a03d7930a3d 31854 web optional didiwiki_0.5-11+deb7u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---