Debian Bug report logs - #430691
hiki: [security] vulnerability that arbitrary files would be deleted


Package: hiki; Maintainer for hiki is Taku YASUI <tach@debian.org>; Source for hiki is src:hiki.

Reported by: "Hideki Yamane \(Debian-JP\)" <henrich@debian.or.jp>

Date: Tue, 26 Jun 2007 17:00:19 UTC

Severity: critical

Tags: etch, lenny, security, sid

Fixed in versions hiki/0.8.7-1, 0.8.6-1etch1

Done: Taku YASUI <tach@debian.or.jp>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Taku YASUI <tach@debian.or.jp>:
Bug#430691; Package hiki. Full text and rfc822 format available.

Acknowledgement sent to "Hideki Yamane \(Debian-JP\)" <henrich@debian.or.jp>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Taku YASUI <tach@debian.or.jp>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Hideki Yamane \(Debian-JP\)" <henrich@debian.or.jp>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: hiki: [security] vulnerability that arbitrary files would be deleted
Date: Wed, 27 Jun 2007 01:23:03 +0900
Package: hiki
Severity: critical
Tags: security
Justification: causes serious data loss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear hiki maintainer,

 Kazuhiro Nishiyama found a vulnerability in hiki by which a remote attacker
 can delete arbitrary files with the Hiki user's privileges, probably those of
 the www-data user.

 Hiki 0.8.0 - 0.8.6 are affected, which means that the stable, testing and unstable
 packages in Debian are affected. Please update the hiki package.

 For more detail, see http://hikiwiki.org/en/advisory20070624.html
 

- -- 
Regards,

 Hideki Yamane

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGgT1nIu0hy8THJksRAt0fAKCytE2I88MtbMlCoPV6nsvjo4HViwCeJv1T
/K3M8IjjDMc8fYGfz1hOQXU=
=hNrX
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Taku YASUI <tach@debian.or.jp>:
Bug#430691; Package hiki. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Taku YASUI <tach@debian.or.jp>. Full text and rfc822 format available.

Message #10 received at 430691@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: "Hideki Yamane (Debian-JP)" <henrich@debian.or.jp>, 430691@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#430691: hiki: [security] vulnerability that arbitrary files would be deleted
Date: Tue, 26 Jun 2007 18:36:34 +0100
>  Hiki 0.8.0 - 0.8.6 is affected, it means that stable, testing and unstable
>  packages in Debian are affected. Please update hiki package.
> 
>  For more detail, see http://hikiwiki.org/en/advisory20070624.html

  Joey if you could allocate an ID I'll upload a fixed package.

Steve
-- 



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#430691; Package hiki. Full text and rfc822 format available.

Acknowledgement sent to Taku YASUI <tach@debian.or.jp>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #15 received at 430691@bugs.debian.org (full text, mbox):

From: Taku YASUI <tach@debian.or.jp>
To: 430691@bugs.debian.org
Cc: team@security.debian.org, henrich@debian.or.jp
Subject: 430691@bugs.debian.org
Date: Wed, 27 Jun 2007 11:29:12 +0900
[Message part 1 (text/plain, inline)]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thank you for reporting.

I'll upload the new upstream version to sid soon.
I also attach the patch that fixes this problem.

Thanks,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGgct3FwU5DuZsm7ARAqWUAKCOhuTs7ZQv4puIBmA7YFJ2C5L/MACdHnBN
+ZWJBQO8Ulo6RHHvITDu5SY=
=GKfb
-----END PGP SIGNATURE-----
[hiki-0_8_6.patch (text/x-patch, inline)]
--- hiki/session.rb.orig	2007-06-23 22:09:37.468750000 +0900
+++ hiki/session.rb	2007-06-23 22:08:53.578125000 +0900
@@ -12,7 +12,7 @@
       @conf = conf
       @max_age = max_age
       if session_id
-        if /[0-9a-f]{16}/ =~ session_id
+        if /\A[0-9a-f]{16}\z/ =~ session_id
           @session_id = session_id
         else
           @session_id = nil
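Review bot: the unanchored regex on the removed line matches any session_id that merely contains a run of sixteen hex digits, so the else branch that sets @session_id to nil never runs for an id that carries extra characters before or after that run; the replacement's \A and \z anchors make the whole string have to be exactly sixteen lowercase hex digits, and \z (rather than \Z or $) also rejects a value with a trailing newline. Since the constructor stores whatever passes this shape check, a small unit test covering an id with a leading or trailing newline and one with path separators around the digits would document the intent of this change.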
[hiki-0_8_6.patch.sig (application/octet-stream, attachment)]
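The patch above changes only the anchors of a regular expression. The following Ruby snippet is an added example (not code from the bug report or from hiki itself) that runs four variants of that check, the original unanchored form, a ^/$ form, a \A/\Z form and the patched \A/\z form, over constructed sample ids to show which malformed values each one still accepts. The constant and method names are my own.

```ruby
# Added example, not part of the Debian bug report or the hiki code base.
# Four ways of validating a 16-hex-digit session id in Ruby; only the last
# one is the check the hiki 0.8.6 patch introduces.

UNANCHORED      = /[0-9a-f]{16}/       # hiki 0.8.0 - 0.8.6 before the patch
LINE_ANCHORED   = /^[0-9a-f]{16}$/     # ^ and $ match at line boundaries in Ruby
STRING_Z_UPPER  = /\A[0-9a-f]{16}\Z/   # \Z also matches before a final newline
STRING_ANCHORED = /\A[0-9a-f]{16}\z/   # the patched check: whole string, nothing else

# True when the regex accepts the given session id (hypothetical helper name).
def accepted?(re, session_id)
  !!(re =~ session_id)
end

# Constructed sample inputs: one well-formed id and several malformed ones.
SAMPLES = {
  "0123456789abcdef"       => "well-formed id",
  "0123456789abcdef\n"     => "trailing newline",
  "evil\n0123456789abcdef" => "id on a second line",
  "0123456789abcdef/../x"  => "path characters after the id",
  "0123456789ABCDEF"       => "uppercase hex",
  "0123456789abcde"        => "only 15 digits",
}

# Returns the sample ids a given regex lets through, in SAMPLES order.
def results_for(re)
  SAMPLES.keys.select { |id| accepted?(re, id) }
end

if __FILE__ == $0
  { "unanchored" => UNANCHORED, "^...$" => LINE_ANCHORED,
    "\\A...\\Z" => STRING_Z_UPPER, "\\A...\\z" => STRING_ANCHORED }.each do |name, re|
    puts "#{name}: accepts #{results_for(re).map { |id| SAMPLES[id] }.join(', ')}"
  end
end
```

Only the \A...\z form rejects every malformed sample: the unanchored original accepts anything that embeds sixteen hex digits, the ^/$ form accepts ids split across lines, and \A...\Z still accepts an id followed by a newline.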

Tags added: sid, etch Request was from Taku YASUI <tach@debian.or.jp> to control@bugs.debian.org. (Wed, 27 Jun 2007 03:00:39 GMT) Full text and rfc822 format available.

Reply sent to Taku YASUI <tach@debian.or.jp>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Hideki Yamane \(Debian-JP\)" <henrich@debian.or.jp>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #22 received at 430691-close@bugs.debian.org (full text, mbox):

From: Taku YASUI <tach@debian.or.jp>
To: 430691-close@bugs.debian.org
Subject: Bug#430691: fixed in hiki 0.8.7-1
Date: Wed, 27 Jun 2007 03:32:02 +0000
Source: hiki
Source-Version: 0.8.7-1

We believe that the bug you reported is fixed in the latest version of
hiki, which is due to be installed in the Debian FTP archive:

hiki_0.8.7-1.diff.gz
  to pool/main/h/hiki/hiki_0.8.7-1.diff.gz
hiki_0.8.7-1.dsc
  to pool/main/h/hiki/hiki_0.8.7-1.dsc
hiki_0.8.7-1_all.deb
  to pool/main/h/hiki/hiki_0.8.7-1_all.deb
hiki_0.8.7.orig.tar.gz
  to pool/main/h/hiki/hiki_0.8.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 430691@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Taku YASUI <tach@debian.or.jp> (supplier of updated hiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 27 Jun 2007 11:43:21 +0900
Source: hiki
Binary: hiki
Architecture: source all
Version: 0.8.7-1
Distribution: unstable
Urgency: high
Maintainer: Taku YASUI <tach@debian.or.jp>
Changed-By: Taku YASUI <tach@debian.or.jp>
Description: 
 hiki       - Wiki Engine written in Ruby
Closes: 430691
Changes: 
 hiki (0.8.7-1) unstable; urgency=high
 .
   * New upstream release
   * [SECURITY] fix unsafe session management
     See http://hikiwiki.org/en/advisory20070624.html for more information
     (closes: #430691)
Files: 
 da0bcdbff4659124ade4d9363066d18a 561 web optional hiki_0.8.7-1.dsc
 b6bab0bcd092864516c26551849d5744 249661 web optional hiki_0.8.7.orig.tar.gz
 e9d2a78dff2bb11ce37444af2ebcb9f3 6095 web optional hiki_0.8.7-1.diff.gz
 7bf638546e260cf146cbb192328b8d1a 234090 web optional hiki_0.8.7-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGgdfFFwU5DuZsm7ARAvxOAKCUJ9aQ88umEV9Zq0u4YCEXkj+GZgCfVR21
1v06G5bjlPvYTEqPKYDYmjo=
=tGpy
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Taku YASUI <tach@debian.or.jp>:
Bug#430691; Package hiki. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Taku YASUI <tach@debian.or.jp>. Full text and rfc822 format available.

Message #27 received at 430691@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Steve Kemp <skx@debian.org>
Cc: "Hideki Yamane (Debian-JP)" <henrich@debian.or.jp>, 430691@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#430691: hiki: [security] vulnerability that arbitrary files would be deleted
Date: Wed, 27 Jun 2007 09:20:17 +0200
Steve Kemp wrote:
> >  Hiki 0.8.0 - 0.8.6 is affected, it means that stable, testing and unstable
> >  packages in Debian are affected. Please update hiki package.
> > 
> >  For more detail, see http://hikiwiki.org/en/advisory20070624.html
> 
>   Joey if you could allocate an ID I'll upload a fixed package.

Please use CVE-2007-2836.

Regards,

	Joey

-- 
Given enough thrust pigs will fly, but it's not necessarily a good idea.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Taku YASUI <tach@debian.or.jp>:
Bug#430691; Package hiki. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Taku YASUI <tach@debian.or.jp>. Full text and rfc822 format available.

Message #32 received at 430691@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Taku YASUI <tach@debian.or.jp>
Cc: 430691@bugs.debian.org, team@security.debian.org, henrich@debian.or.jp
Subject: Re: 430691@bugs.debian.org
Date: Wed, 27 Jun 2007 09:51:48 +0100
On Wed Jun 27, 2007 at 11:29:12 +0900, Taku YASUI wrote:

> I'll upload new upstream version to sid soon.
> And I attach the patch to fix this problem.

  Great, thanks.

  If you could tell us which version in Sid would fix the problem
 I can include that in the advisory.

Steve
-- 



Information forwarded to debian-bugs-dist@lists.debian.org, Taku YASUI <tach@debian.or.jp>:
Bug#430691; Package hiki. Full text and rfc822 format available.

Acknowledgement sent to "Taku YASUI" <tach@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to Taku YASUI <tach@debian.or.jp>. Full text and rfc822 format available.

Message #37 received at 430691@bugs.debian.org (full text, mbox):

From: "Taku YASUI" <tach@debian.or.jp>
To: "Steve Kemp" <skx@debian.org>
Cc: 430691@bugs.debian.org, team@security.debian.org, henrich@debian.or.jp
Subject: Re: 430691@bugs.debian.org
Date: Wed, 27 Jun 2007 18:18:01 +0900
Thank you Steve,

2007/6/27, Steve Kemp <skx@debian.org>:
>   If you could tell us which version in Sid would fix the problem
>  I can include that in the advisory.

It has been fixed in 0.8.7-1.

You can see it at bugs.debian.org:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430691#msg22

Thanks,
Taku YASUI



Information forwarded to debian-bugs-dist@lists.debian.org, Taku YASUI <tach@debian.or.jp>:
Bug#430691; Package hiki. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Taku YASUI <tach@debian.or.jp>. Full text and rfc822 format available.

Message #42 received at 430691@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Taku YASUI <tach@debian.or.jp>
Cc: 430691@bugs.debian.org, team@security.debian.org, henrich@debian.or.jp
Subject: Re: Bug#430691: 430691@bugs.debian.org
Date: Wed, 27 Jun 2007 13:15:17 +0200
* Taku YASUI:

> Thank you for reporting.
>
> I'll upload new upstream version to sid soon.
> And I attach the patch to fix this problem.
>
> Thanks,
> --- hiki/session.rb.orig	2007-06-23 22:09:37.468750000 +0900
> +++ hiki/session.rb	2007-06-23 22:08:53.578125000 +0900
> @@ -12,7 +12,7 @@
>        @conf = conf
>        @max_age = max_age
>        if session_id
> -        if /[0-9a-f]{16}/ =~ session_id
> +        if /\A[0-9a-f]{16}\z/ =~ session_id
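Review bot: \z is the stricter anchor here and the right one. In Ruby \Z also matches just before a string-final newline, so /\A[0-9a-f]{16}\Z/ would accept "0123456789abcdef\n", whereas \z matches only at the absolute end of the string. A line break embedded anywhere else in session_id already fails the patched check, because [0-9a-f]{16} cannot consume "\n" and \A pins the match to the start of the string.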

Shouldn't this be \Z, in case there's an embedded line break in the
string?



Tags added: lenny Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Wed, 18 Jul 2007 19:33:05 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 0.8.6-1etch1. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Fri, 20 Jul 2007 22:45:03 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2007 07:32:54 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:14:32 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.