On Wednesday 29 August 2007 10:33, Matt Brown wrote:
> On 29/08/2007, Thijs Kinkhorst <[EMAIL PROTECTED]> wrote:
> > Is there any progress on this security issue?
> > The fix is in the upstream released 1.3.13p1 package.
>
> I'm currently Debian computer less after my move to Ireland (I should
> have updated my VAC on -private sorry).
>
> I have a new computer ordered and should be able to provide a new
> package within 2 weeks, however please feel free to NMU before then.

No worries - I'll be NMU'ing this today. The patch I'm using is attached.

thanks for informing us.
Thijs
diff -u phpwiki-1.3.12p3/debian/patches/00list phpwiki-1.3.12p3/debian/patches/00list
--- phpwiki-1.3.12p3/debian/patches/00list
+++ phpwiki-1.3.12p3/debian/patches/00list
@@ -12,0 +13,2 @@
+14-CVE-2007-3193
+15-CVE-2007-2024
diff -u phpwiki-1.3.12p3/debian/changelog phpwiki-1.3.12p3/debian/changelog
--- phpwiki-1.3.12p3/debian/changelog
+++ phpwiki-1.3.12p3/debian/changelog
@@ -1,3 +1,20 @@
+phpwiki (1.3.12p3-6.1) unstable; urgency=high
+
+  * NMU by the testing security team, with maintainer approval.
+  * CVE-2007-3193: lib/WikiUser/LDAP.php in PhpWiki before 1.3.13p1, when the
+    configuration lacks a nonzero PASSWORD_LENGTH_MINIMUM, might allow remote
+    attackers to bypass authentication via an empty password, which causes
+    ldap_bind to return true when used with certain LDAP implementations.
+    (Closes: #429201)
+  * CVE-2007-2024, CVE-2007-2025: Unrestricted file upload vulnerability in
+    the UpLoad feature (lib/plugin/UpLoad.php) in PhpWiki 1.3.11p1 allows
+    remote attackers to upload arbitrary PHP files with a double extension, as
+    demonstrated by .php.3, which is interpreted by Apache as being a valid
+    PHP file.
+    (Closes: #441390)
+
+ -- Thijs Kinkhorst <[EMAIL PROTECTED]>  Sun, 09 Sep 2007 14:10:57 +0200
+
 phpwiki (1.3.12p3-6) unstable; urgency=medium
 
   * Updated Dutch translation. Thanks to Thijs Kinkhorst. (Closes: #413963)
only in patch2:
unchanged:
--- phpwiki-1.3.12p3.orig/debian/patches/14-CVE-2007-3193
+++ phpwiki-1.3.12p3/debian/patches/14-CVE-2007-3193
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## Address CVE-2007-3193 by [EMAIL PROTECTED]
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2007-3193
+
[EMAIL PROTECTED]@
+diff -ur phpwiki-1.3.12p3.orig/lib/WikiUser/LDAP.php phpwiki-1.3.12p3/lib/WikiUser/LDAP.php
+--- phpwiki-1.3.12p3.orig/lib/WikiUser/LDAP.php	2006-06-18 13:19:28.000000000 +0200
++++ phpwiki-1.3.12p3/lib/WikiUser/LDAP.php	2007-09-09 13:44:32.000000000 +0200
+@@ -61,6 +61,11 @@
+         if (!$this->_checkPassLength($submitted_password)) {
+             return WIKIAUTH_FORBIDDEN;
+         }
++        if (strlen($submitted_password) == 0) {
++            trigger_error(_("Empty password not allowed for LDAP"), E_USER_WARNING);
++            $this->_free();
++            return WIKIAUTH_FORBIDDEN;
++        }
+         if (strstr($userid,'*')) {
+             trigger_error(fmt("Invalid username '%s' for LDAP Auth", $userid), 
+                           E_USER_WARNING);
only in patch2:
unchanged:
--- phpwiki-1.3.12p3.orig/debian/patches/15-CVE-2007-2024
+++ phpwiki-1.3.12p3/debian/patches/15-CVE-2007-2024
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## Address CVE-2007-2024 by [EMAIL PROTECTED]
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2007-2024
+
+diff -ur phpwiki-1.3.12p3.orig/lib/plugin/UpLoad.php phpwiki-1.3.12p3/lib/plugin/UpLoad.php
+--- phpwiki-1.3.12p3.orig/lib/plugin/UpLoad.php	2006-06-18 13:19:23.000000000 +0200
++++ phpwiki-1.3.12p3/lib/plugin/UpLoad.php	2007-09-09 13:37:48.000000000 +0200
+@@ -136,7 +136,7 @@
+             $userfile_name = trim(basename($userfile_name));
+             $userfile_tmpname = $userfile->getTmpName();
+ 	    $err_header = HTML::h2(fmt("ERROR uploading '%s': ", $userfile_name));
+-            if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")\$/",
++            if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")(\.|\$)/i",
+                            $userfile_name))
+             {
+             	$message->pushContent($err_header);

Attachment: pgpmuoXcKxljw.pgp
Description: PGP signature

Reply via email to