Debian Bug report logs - #378059
hiki: CVE-2006-3379 remote denial of service


Package: hiki; Maintainer for hiki is Taku YASUI <tach@debian.org>; Source for hiki is src:hiki.

Reported by: Alec Berryman <alec@thened.net>

Date: Thu, 13 Jul 2006 00:04:03 UTC

Severity: serious

Tags: patch, security

Found in versions 0.8.3-1, 0.6.5-1

Fixed in versions hiki/0.8.6-1, hiki/0.6.5-2

Done: Taku YASUI <tach@debian.or.jp>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Taku YASUI <tach@debian.or.jp>:
Bug#378059; Package hiki.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Taku YASUI <tach@debian.or.jp>.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: hiki: CVE-2006-3379 remote denial of service
Date: Wed, 12 Jul 2006 19:50:07 -0400
Package: hiki
Version: 0.8.3-1 0.6.5-1
Severity: serious
Tags: security


CVE-2006-3379: "Algorithmic complexity vulnerability in Hiki Wiki 0.6.0
through 0.6.5 and 0.8.0 through 0.8.5 allows remote attackers to cause a
denial of service (CPU consumption) by performing a diff between large,
crafted pages that trigger the worst case."

The Hiki team has issued an advisory [1].  This affects the version in
Sarge.

The fix for this issue, according to ChangeLog [2] r1.417, appears to be
in r1.81 of hiki/command.rb [3], r1.113 of hiki/config.rb [4], r1.18 of
hikiconf.rb [5], and r1.10 of misc/i18n/hikiconf.rb.sample.en [6].
These changes are included in the latest version, 0.8.6.
Unfortunately, the patches don't apply cleanly to 0.6.5; I hope to
follow up with a real diff.

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://hikiwiki.org/en/advisory20060703.html
[2] http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/hiki/hiki/ChangeLog?rev=1.417&view=log
[3] http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/hiki/hiki/hiki/command.rb?rev=1.81&view=log
[4] http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/hiki/hiki/hiki/config.rb?rev=1.113&view=log
[5] http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/hiki/hiki/hikiconf.rb.sample?rev=1.18&view=log
[6] http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/hiki/hiki/misc/i18n/hikiconf.rb.sample.en?rev=1.10&view=log




Information forwarded to debian-bugs-dist@lists.debian.org, Taku YASUI <tach@debian.or.jp>:
Bug#378059; Package hiki.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
Extra info received and forwarded to list. Copy sent to Taku YASUI <tach@debian.or.jp>.

Message #10 received at 378059@bugs.debian.org (full text, mbox):

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <378059@bugs.debian.org>
Subject: proposed patch for CVE-2006-3379 (hiki)
Date: Thu, 13 Jul 2006 00:32:31 -0400
Package: hiki
Followup-For: Bug #378059


Attached is my backport of the patch in 0.8.6 for 0.6.5.  The
recommended timeout is 30 seconds; this is set in a configuration option
in hiki 0.8.x, but that configuration framework doesn't seem to be
present in 0.6.5.  My Ruby isn't great and I didn't see how to access
variables from hikiconf.rb in hiki/command.rb.  This patch wraps the
diff function in a 30 second timeout as r1.81 of command.rb does, but
it is hard coded and not a configuration parameter.


[CVE-2006-3379.diff (text/plain, attachment)]
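The mitigation Alec describes above, a wall-clock bound around the diff so one request cannot pin a CPU on the worst-case input, as an added example that is neither his attached patch nor Hiki's own code. The names `lcs_length`, `diff_with_timeout` and `DIFF_TIMEOUT_SECONDS` are assumptions; the constant mirrors the 30-second value recommended in the bug log.

```ruby
# Added example (not Hiki's code): bound a quadratic diff with Ruby's Timeout,
# the approach the CVE-2006-3379 fix takes around Hiki's page diff.
require 'timeout'

# Hypothetical default, mirroring the 30-second timeout recommended above.
DIFF_TIMEOUT_SECONDS = 30

# Naive O(n*m) longest-common-subsequence length: this is the kind of
# worst-case-quadratic work a pair of large, dissimilar pages forces.
def lcs_length(a, b)
  prev = Array.new(b.size + 1, 0)
  a.each do |x|
    cur = Array.new(b.size + 1, 0)
    b.each_with_index do |y, j|
      cur[j + 1] = x == y ? prev[j] + 1 : [prev[j + 1], cur[j]].max
    end
    prev = cur
  end
  prev[b.size]
end

# Run the diff under a time budget. Returns {status: :ok, lcs: n} when it
# finishes, or {status: :timeout} so the caller can refuse the request
# (and log it) instead of letting the computation run unbounded.
def diff_with_timeout(old_text, new_text, limit = DIFF_TIMEOUT_SECONDS)
  a = old_text.split("\n")
  b = new_text.split("\n")
  result = Timeout.timeout(limit) { lcs_length(a, b) }
  { status: :ok, lcs: result }
rescue Timeout::Error
  { status: :timeout }
end
```

A caller that gets `:timeout` should return an error page rather than retrying, since a retry simply burns the same budget again.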

Tags added: patch. Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org.

Reply sent to Taku YASUI <tach@debian.or.jp>:
You have taken responsibility.

Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.

Message #17 received at 378059-close@bugs.debian.org (full text, mbox):

From: Taku YASUI <tach@debian.or.jp>
To: 378059-close@bugs.debian.org
Subject: Bug#378059: fixed in hiki 0.8.6-1
Date: Thu, 20 Jul 2006 13:47:27 -0700
Source: hiki
Source-Version: 0.8.6-1

We believe that the bug you reported is fixed in the latest version of
hiki, which is due to be installed in the Debian FTP archive:

hiki_0.8.6-1.diff.gz
  to pool/main/h/hiki/hiki_0.8.6-1.diff.gz
hiki_0.8.6-1.dsc
  to pool/main/h/hiki/hiki_0.8.6-1.dsc
hiki_0.8.6-1_all.deb
  to pool/main/h/hiki/hiki_0.8.6-1_all.deb
hiki_0.8.6.orig.tar.gz
  to pool/main/h/hiki/hiki_0.8.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 378059@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Taku YASUI <tach@debian.or.jp> (supplier of updated hiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Fri, 21 Jul 2006 02:49:13 +0900
Source: hiki
Binary: hiki
Architecture: source all
Version: 0.8.6-1
Distribution: unstable
Urgency: high
Maintainer: Taku YASUI <tach@debian.or.jp>
Changed-By: Taku YASUI <tach@debian.or.jp>
Description: 
 hiki       - Wiki Engine written in Ruby
Closes: 378059
Changes: 
 hiki (0.8.6-1) unstable; urgency=high
 .
   * New upstream release
   * Security release for CVE-2006-3379
     (closes: #378059)
   * Change to use cdbs for building
Files: 
 3dbae659cdb40da99b46283a2b9c4c89 561 web optional hiki_0.8.6-1.dsc
 990212929cabf29e72df10a5b76ff27d 244885 web optional hiki_0.8.6.orig.tar.gz
 4fe9ccfd3c8170d649153b09ecaeec0f 5205 web optional hiki_0.8.6-1.diff.gz
 ea43a3a37cfd30bcbdcf951cffa12877 228682 web optional hiki_0.8.6-1_all.deb





Reply sent to Taku YASUI <tach@debian.or.jp>:
You have taken responsibility.

Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.

Message #22 received at 378059-close@bugs.debian.org (full text, mbox):

From: Taku YASUI <tach@debian.or.jp>
To: 378059-close@bugs.debian.org
Subject: Bug#378059: fixed in hiki 0.6.5-2
Date: Wed, 30 Aug 2006 23:02:12 -0700
Source: hiki
Source-Version: 0.6.5-2

We believe that the bug you reported is fixed in the latest version of
hiki, which is due to be installed in the Debian FTP archive:

hiki_0.6.5-2.diff.gz
  to pool/main/h/hiki/hiki_0.6.5-2.diff.gz
hiki_0.6.5-2.dsc
  to pool/main/h/hiki/hiki_0.6.5-2.dsc
hiki_0.6.5-2_all.deb
  to pool/main/h/hiki/hiki_0.6.5-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 378059@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Taku YASUI <tach@debian.or.jp> (supplier of updated hiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Fri, 21 Jul 2006 02:54:07 +0900
Source: hiki
Binary: hiki
Architecture: source all
Version: 0.6.5-2
Distribution: stable-security
Urgency: high
Maintainer: Taku YASUI <tach@debian.or.jp>
Changed-By: Taku YASUI <tach@debian.or.jp>
Description: 
 hiki       - Wiki Engine written in Ruby
Closes: 378059
Changes: 
 hiki (0.6.5-2) stable-security; urgency=high
 .
   * Security fix: CVE-2006-3379
     (closes: #378059)
Files: 
 fa72e16d4c5eb8108ccd603b3396bd76 561 web optional hiki_0.6.5-2.dsc
 46c81d7c9e5f52115df2fd91b6cc0bf4 1573 web optional hiki_0.6.5-2.diff.gz
 b1e689405cc70854ad77f5be95a86606 108780 web optional hiki_0.6.5-2_all.deb
 11c97fe604d70fc42f6c198ec64018e9 143468 web optional hiki_0.6.5.orig.tar.gz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 02:06:44 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 07:59:33 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.