Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: freeze-exception

Hi release team,

I made an update of the piwigo package. It doesn't close any BTS bug (because the problem was reported upstream) but it fixes several security vulnerabilities (http://www.exploit-db.com/exploits/14973/). A new upstream release with that fix has been released but I made a smaller patch that only fixes the vulnerabilities.

Is it possible to add a freeze exception for it?

I attached a diff file between the package already in testing and the patch I made.

Thanks in advance,
Nicolas Roudaire

Please unblock package piwigo

(explain the reason for the unblock here)

unblock piwigo/2.1.2-2

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.34-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff --git a/debian/changelog b/debian/changelog index d9f5cbc..8e710f2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +piwigo (2.1.2-2) unstable; urgency=high + + * Upload to fix security : + http://www.exploit-db.com/exploits/14973/ + + -- Nicolas Roudaire <[email protected]> Wed, 15 Sep 2010 23:07:34 +0200 + + piwigo (2.1.2-1) unstable; urgency=low * New upstream release diff --git a/debian/fix_vulnerabilities b/debian/fix_vulnerabilities new file mode 100644 index 0000000..cd70456 --- /dev/null +++ b/debian/fix_vulnerabilities 
@@ -0,0 +1,54 @@ +# Author: Nicolas Roudaire <[email protected]> +# Bug: http://piwigo.org/bugs/view.php?id=1848,1849,1856 +# Description: Fix vulnerabilities (http://www.exploit-db.com/exploits/14973/) + +--- piwigo.orig/admin/profile.php ++++ piwigo/admin/profile.php +@@ -25,8 +25,12 @@ + + $edit_user = build_user( $_GET['user_id'], false ); + +-include_once(PHPWG_ROOT_PATH.'profile.php'); ++if (!empty($_POST)) ++{ ++ check_pwg_token(); ++} + ++include_once(PHPWG_ROOT_PATH.'profile.php'); + + $errors = array(); + if ( !is_adviser() ) +--- piwigo.orig/include/ws_core.inc.php ++++ piwigo/include/ws_core.inc.php +@@ -477,7 +477,7 @@ + + if ( $method==null ) + { +- return new PwgError(WS_ERR_INVALID_METHOD, 'Method name "'.$methodName.'" is not valid'); ++ return new PwgError(WS_ERR_INVALID_METHOD, 'Method name is not valid'); + } + + // parameter check and data coercion ! +--- piwigo.orig/admin/themes/default/template/profile_content.tpl ++++ piwigo/admin/themes/default/template/profile_content.tpl +@@ -103,6 +103,7 @@ + </fieldset> + + <p class="bottomButtons"> ++ <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}"> + <input class="submit" type="submit" name="validate" value="{'Submit'|@translate}"> + <input class="submit" type="reset" name="reset" value="{'Reset'|@translate}"> + </p> +--- piwigo.orig/include/section_init.inc.php ++++ piwigo/include/section_init.inc.php +@@ -61,6 +61,10 @@ + $rewritten = $key; + break; + } ++ ++ // the $_GET keys are not protected in include/common.inc.php, only the values ++ $rewritten = pwg_db_real_escape_string($rewritten); ++ + $page['root_path'] = PHPWG_ROOT_PATH; + } + diff --git a/debian/series b/debian/series new file mode 100644 index 0000000..92db591 --- /dev/null +++ b/debian/series @@ -0,0 +1,3 @@ +sqlite-to-sqlite3 +pgsql-as-keyword +fix_vulnerabilities
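
Review bot: In the debian/changelog hunk, the 2.1.2-2 entry says only "Upload to fix security" plus the exploit-db URL, so someone reading the changelog cannot tell which issues were fixed or which patch carries the fix. Name the patch (fix_vulnerabilities) and the upstream bug ids its header already lists (1848, 1849, 1856). The entry is also followed by two added blank lines before the 2.1.2-1 stanza, where a single blank line is the usual separator.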
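
Review bot: In the admin/profile.php hunk, check_pwg_token() runs only when $_POST is non-empty, and it sits after `$edit_user = build_user( $_GET['user_id'], false );`, so the user_id from the query string is consumed before any token validation. Please confirm that the included profile.php changes state only on POST, since any GET-driven action would not be covered by the token, and add a short comment saying why the check has to come before the include_once.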
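
Review bot: In the admin/themes/default/template/profile_content.tpl hunk, the new hidden field takes its value from {$PWG_TOKEN}, but no hunk in this patch assigns PWG_TOKEN to the template. If existing code does not already assign it for this page, the field will be empty and every submit will fail the check_pwg_token() call added in admin/profile.php. Please point to where it is set, or add the assignment to the patch.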
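
Review bot: In the include/section_init.inc.php hunk, pwg_db_real_escape_string() is applied to $rewritten once, right after the block that sets `$rewritten = $key;`, which makes the fix depend on every later use of $rewritten being a quoted SQL string context. Any later non-SQL use of $rewritten would also see the added backslashes. Validating or casting the individual tokens where they enter queries would be more robust; at minimum, extend the comment to say which query this escape protects.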
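
Review bot: The debian/series hunk creates the file as new and lists sqlite-to-sqlite3 and pgsql-as-keyword ahead of fix_vulnerabilities, yet this diff adds neither of those patches and the changelog does not mention them. Both series and fix_vulnerabilities also sit directly under debian/, while the 3.0 (quilt) source format reads debian/patches/series. Please check that the diff was generated against the right tree, so that the only change under review is the security fix.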

