Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Taku YASUI <tach@debian.or.jp>: Bug#430691; Package hiki.
Acknowledgement sent to "Hideki Yamane (Debian-JP)" <henrich@debian.or.jp>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Taku YASUI <tach@debian.or.jp>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: hiki: [security] vulnerability that arbitrary files would be deleted
Date: Wed, 27 Jun 2007 01:23:03 +0900
Package: hiki
Severity: critical
Tags: security
Justification: causes serious data loss
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear hiki maintainer,
Kazuhiro Nishiyama found a vulnerability in hiki that lets a remote attacker
delete arbitrary files with the Hiki user's privileges, probably those of the
www-data user.
Hiki 0.8.0 - 0.8.6 are affected, which means that the stable, testing and unstable
packages in Debian are affected. Please update the hiki package.
For more detail, see http://hikiwiki.org/en/advisory20070624.html
- --
Regards,
Hideki Yamane
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGgT1nIu0hy8THJksRAt0fAKCytE2I88MtbMlCoPV6nsvjo4HViwCeJv1T
/K3M8IjjDMc8fYGfz1hOQXU=
=hNrX
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Taku YASUI <tach@debian.or.jp>: Bug#430691; Package hiki.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Taku YASUI <tach@debian.or.jp>.
To: "Hideki Yamane (Debian-JP)" <henrich@debian.or.jp>,
430691@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#430691: hiki: [security] vulnerability that arbitrary files would be deleted
Date: Tue, 26 Jun 2007 18:36:34 +0100
> Hiki 0.8.0 - 0.8.6 are affected, which means that the stable, testing and unstable
> packages in Debian are affected. Please update the hiki package.
>
> For more detail, see http://hikiwiki.org/en/advisory20070624.html
Joey if you could allocate an ID I'll upload a fixed package.
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#430691; Package hiki.
Acknowledgement sent to Taku YASUI <tach@debian.or.jp>:
Extra info received and forwarded to list.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thank you for reporting.
I'll upload a new upstream version to sid soon,
and I attach the patch that fixes this problem.
Thanks,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGgct3FwU5DuZsm7ARAqWUAKCOhuTs7ZQv4puIBmA7YFJ2C5L/MACdHnBN
+ZWJBQO8Ulo6RHHvITDu5SY=
=GKfb
-----END PGP SIGNATURE-----
Source: hiki
Source-Version: 0.8.7-1
We believe that the bug you reported is fixed in the latest version of
hiki, which is due to be installed in the Debian FTP archive:
hiki_0.8.7-1.diff.gz
to pool/main/h/hiki/hiki_0.8.7-1.diff.gz
hiki_0.8.7-1.dsc
to pool/main/h/hiki/hiki_0.8.7-1.dsc
hiki_0.8.7-1_all.deb
to pool/main/h/hiki/hiki_0.8.7-1_all.deb
hiki_0.8.7.orig.tar.gz
to pool/main/h/hiki/hiki_0.8.7.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 430691@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Taku YASUI <tach@debian.or.jp> (supplier of updated hiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 27 Jun 2007 11:43:21 +0900
Source: hiki
Binary: hiki
Architecture: source all
Version: 0.8.7-1
Distribution: unstable
Urgency: high
Maintainer: Taku YASUI <tach@debian.or.jp>
Changed-By: Taku YASUI <tach@debian.or.jp>
Description:
hiki - Wiki Engine written in Ruby
Closes: 430691
Changes:
hiki (0.8.7-1) unstable; urgency=high
.
* New upstream release
* [SECURITY] fix unsafe session management
See http://hikiwiki.org/en/advisory20070624.html for more information
(closes: #430691)
Files:
da0bcdbff4659124ade4d9363066d18a 561 web optional hiki_0.8.7-1.dsc
b6bab0bcd092864516c26551849d5744 249661 web optional hiki_0.8.7.orig.tar.gz
e9d2a78dff2bb11ce37444af2ebcb9f3 6095 web optional hiki_0.8.7-1.diff.gz
7bf638546e260cf146cbb192328b8d1a 234090 web optional hiki_0.8.7-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGgdfFFwU5DuZsm7ARAvxOAKCUJ9aQ88umEV9Zq0u4YCEXkj+GZgCfVR21
1v06G5bjlPvYTEqPKYDYmjo=
=tGpy
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Taku YASUI <tach@debian.or.jp>: Bug#430691; Package hiki.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Taku YASUI <tach@debian.or.jp>.
Subject: Re: Bug#430691: hiki: [security] vulnerability that arbitrary files would be deleted
Date: Wed, 27 Jun 2007 09:20:17 +0200
Steve Kemp wrote:
> > Hiki 0.8.0 - 0.8.6 are affected, which means that the stable, testing and unstable
> > packages in Debian are affected. Please update the hiki package.
> >
> > For more detail, see http://hikiwiki.org/en/advisory20070624.html
>
> Joey if you could allocate an ID I'll upload a fixed package.
Please use CVE-2007-2836.
Regards,
Joey
--
Given enough thrust pigs will fly, but it's not necessarily a good idea.
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, Taku YASUI <tach@debian.or.jp>: Bug#430691; Package hiki.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Taku YASUI <tach@debian.or.jp>.
On Wed Jun 27, 2007 at 11:29:12 +0900, Taku YASUI wrote:
> I'll upload a new upstream version to sid soon,
> and I attach the patch that fixes this problem.
Great, thanks.
If you could tell us which version in Sid would fix the problem
I can include that in the advisory.
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Taku YASUI <tach@debian.or.jp>: Bug#430691; Package hiki.
Acknowledgement sent to "Taku YASUI" <tach@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to Taku YASUI <tach@debian.or.jp>.
Thank you, Steve,
2007/6/27, Steve Kemp <skx@debian.org>:
> If you could tell us which version in Sid would fix the problem
> I can include that in the advisory.
It has been fixed in 0.8.7-1.
You can see it at bugs.debian.org:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430691#msg22
Thanks,
Taku YASUI
Information forwarded to debian-bugs-dist@lists.debian.org, Taku YASUI <tach@debian.or.jp>: Bug#430691; Package hiki.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Taku YASUI <tach@debian.or.jp>.
* Taku YASUI:
> Thank you for reporting.
>
> I'll upload a new upstream version to sid soon,
> and I attach the patch that fixes this problem.
>
> Thanks,
> --- hiki/session.rb.orig 2007-06-23 22:09:37.468750000 +0900
> +++ hiki/session.rb 2007-06-23 22:08:53.578125000 +0900
> @@ -12,7 +12,7 @@
> @conf = conf
> @max_age = max_age
> if session_id
> - if /[0-9a-f]{16}/ =~ session_id
> + if /\A[0-9a-f]{16}\z/ =~ session_id
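Review bot: the anchoring change is the right fix. The pre-patch `/[0-9a-f]{16}/` only requires that 16 lowercase hex digits appear somewhere inside `session_id`, so any characters before or after them are silently accepted and travel on to wherever the id is used; `/\A[0-9a-f]{16}\z/` instead requires the whole string to be exactly those 16 digits. On the `\Z` question raised below: `\z` is the stricter anchor and the one to keep, since `\Z` also matches just before a string-final newline and would let `"0123456789abcdef\n"` through. The hunk does not show the `else` branch of this `if`; it is worth confirming that a rejected id leads to a fresh session rather than falling through with the untrusted value.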
Shouldn't this be \Z, in case there's an embedded line break in the
string?
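The anchoring question above, worked through as an added Ruby example (this is not hiki's own code; the sample session ids and the `valid_session_id?` and `classify` helpers are constructed here for illustration). It compares the pre-patch pattern, the patched `\A...\z` pattern and the `\A...\Z` variant on the same inputs, so the difference between the two end anchors is visible on a trailing newline:

```ruby
# Added example, not part of hiki: three candidate anchorings of the
# session-id check and how each behaves on well-formed and malformed ids.
UNANCHORED = /[0-9a-f]{16}/        # pre-patch: 16 hex digits anywhere in the string
STRICT     = /\A[0-9a-f]{16}\z/    # patched: the whole string is exactly 16 hex digits
Z_UPPER    = /\A[0-9a-f]{16}\Z/    # variant asked about in the thread: \Z tolerates a final "\n"

# Returns true when the id matches the given pattern (default: the patched one).
def valid_session_id?(session_id, pattern = STRICT)
  !!(pattern =~ session_id)
end

# Constructed sample ids, labelled by what they exercise.
SAMPLES = {
  "0123456789abcdef"    => "well-formed id",
  "0123456789abcdef\n"  => "trailing newline",
  "../0123456789abcdef" => "leading path component",
  "0123456789abcdef/x"  => "trailing suffix",
  "0123456789abcdef0"   => "one hex digit too long",
  "0123456789ABCDEF"    => "upper-case hex",
  "0123456789abcde"     => "too short",
}

# Returns the sample ids that the given pattern would accept.
def classify(pattern)
  SAMPLES.keys.select { |id| valid_session_id?(id, pattern) }
end

if __FILE__ == $PROGRAM_NAME
  { "unanchored" => UNANCHORED, "\\A...\\z" => STRICT, "\\A...\\Z" => Z_UPPER }.each do |name, pat|
    puts "#{name}: accepts #{classify(pat).map { |id| SAMPLES[id] }.join(', ')}"
  end
end
```

Only the `\A...\z` form accepts exactly one of the seven samples; the `\Z` form additionally accepts the id with a trailing newline, and the unanchored form accepts everything that merely contains a 16-digit run.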
Tags added: lenny
Request was from kurt@roeckx.be (Kurt Roeckx)
to control@bugs.debian.org.
(Wed, 18 Jul 2007 19:33:05 GMT)
Bug marked as fixed in version 0.8.6-1etch1.
Request was from Touko Korpela <tkorpela@phnet.fi>
to control@bugs.debian.org.
(Fri, 20 Jul 2007 22:45:03 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 27 Dec 2007 07:32:54 GMT)