On Wednesday 29 August 2007 10:33, Matt Brown wrote: > On 29/08/2007, Thijs Kinkhorst <[EMAIL PROTECTED]> wrote: > > Is there any progress on this security issue? > > The fix is in the upstream released 1.3.13p1 package. > > I'm currently Debian computer less after my move to Ireland (I should > have updated my VAC on -private sorry). > > I have a new computer ordered and should be able to provide a new > package within 2 weeks, however please feel free to NMU before then.
No worries - I'll be NMU'ing this today. The patch I'm using is attached. thanks for informing us. Thijs
diff -u phpwiki-1.3.12p3/debian/patches/00list phpwiki-1.3.12p3/debian/patches/00list
--- phpwiki-1.3.12p3/debian/patches/00list
+++ phpwiki-1.3.12p3/debian/patches/00list
@@ -12,0 +13,2 @@
+14-CVE-2007-3193
+15-CVE-2007-2024
diff -u phpwiki-1.3.12p3/debian/changelog phpwiki-1.3.12p3/debian/changelog
--- phpwiki-1.3.12p3/debian/changelog
+++ phpwiki-1.3.12p3/debian/changelog
@@ -1,3 +1,20 @@
+phpwiki (1.3.12p3-6.1) unstable; urgency=high
+
+ * NMU by the testing security team, with maintainer approval.
+ * CVE-2007-3193: lib/WikiUser/LDAP.php in PhpWiki before 1.3.13p1, when the
+ configuration lacks a nonzero PASSWORD_LENGTH_MINIMUM, might allow remote
+ attackers to bypass authentication via an empty password, which causes
+ ldap_bind to return true when used with certain LDAP implementations.
+ (Closes: #429201)
+ * CVE-2007-2024, CVE-2007-2025: Unrestricted file upload vulnerability in
+ the UpLoad feature (lib/plugin/UpLoad.php) in PhpWiki 1.3.11p1 allows
+ remote attackers to upload arbitrary PHP files with a double extension, as
+ demonstrated by .php.3, which is interpreted by Apache as being a valid
+ PHP file.
+ (Closes: #441390)
+
+ -- Thijs Kinkhorst <[EMAIL PROTECTED]> Sun, 09 Sep 2007 14:10:57 +0200
+
phpwiki (1.3.12p3-6) unstable; urgency=medium
* Updated Dutch translation. Thanks to Thijs Kinkhorst. (Closes: #413963)
only in patch2:
unchanged:
--- phpwiki-1.3.12p3.orig/debian/patches/14-CVE-2007-3193
+++ phpwiki-1.3.12p3/debian/patches/14-CVE-2007-3193
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## Address CVE-2007-3193 by [EMAIL PROTECTED]
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2007-3193
+
[EMAIL PROTECTED]@
+diff -ur phpwiki-1.3.12p3.orig/lib/WikiUser/LDAP.php phpwiki-1.3.12p3/lib/WikiUser/LDAP.php
+--- phpwiki-1.3.12p3.orig/lib/WikiUser/LDAP.php 2006-06-18 13:19:28.000000000 +0200
++++ phpwiki-1.3.12p3/lib/WikiUser/LDAP.php 2007-09-09 13:44:32.000000000 +0200
+@@ -61,6 +61,11 @@
+ if (!$this->_checkPassLength($submitted_password)) {
+ return WIKIAUTH_FORBIDDEN;
+ }
++ if (strlen($submitted_password) == 0) {
++ trigger_error(_("Empty password not allowed for LDAP"), E_USER_WARNING);
++ $this->_free();
++ return WIKIAUTH_FORBIDDEN;
++ }
+ if (strstr($userid,'*')) {
+ trigger_error(fmt("Invalid username '%s' for LDAP Auth", $userid),
+ E_USER_WARNING);
only in patch2:
unchanged:
--- phpwiki-1.3.12p3.orig/debian/patches/15-CVE-2007-2024
+++ phpwiki-1.3.12p3/debian/patches/15-CVE-2007-2024
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## Address CVE-2007-2024 by [EMAIL PROTECTED]
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2007-2024
+
+diff -ur phpwiki-1.3.12p3.orig/lib/plugin/UpLoad.php phpwiki-1.3.12p3/lib/plugin/UpLoad.php
+--- phpwiki-1.3.12p3.orig/lib/plugin/UpLoad.php 2006-06-18 13:19:23.000000000 +0200
++++ phpwiki-1.3.12p3/lib/plugin/UpLoad.php 2007-09-09 13:37:48.000000000 +0200
+@@ -136,7 +136,7 @@
+ $userfile_name = trim(basename($userfile_name));
+ $userfile_tmpname = $userfile->getTmpName();
+ $err_header = HTML::h2(fmt("ERROR uploading '%s': ", $userfile_name));
+- if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")\$/",
++ if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")(\.|\$)/i",
+ $userfile_name))
+ {
+ $message->pushContent($err_header);
pgpmuoXcKxljw.pgp
Description: PGP signature

