Debian Bug report logs - #685324
Local File Inclusion Vulnerability in contrib script


Package: php-geshi; Maintainer for php-geshi is Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>; Source for php-geshi is src:geshi.

Reported by: Benny Baumann <BenBE@geshi.org>

Date: Sun, 19 Aug 2012 18:54:04 UTC

Severity: serious

Tags: patch, security, upstream

Found in version geshi/1.0.8.4-1

Fixed in versions geshi/1.0.8.4-2, geshi/1.0.8.4-1+squeeze1

Done: Jan Dittberner <jandd@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#685324; Package php-geshi. (Sun, 19 Aug 2012 18:54:06 GMT)

Acknowledgement sent to Benny Baumann <BenBE@geshi.org>:
New Bug report received and forwarded. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Sun, 19 Aug 2012 18:54:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Benny Baumann <BenBE@geshi.org>
To: team@security.debian.org
Subject: Local File Inclusion Vulnerability in contrib script
Date: Sun, 19 Aug 2012 18:45:34 +0200
Package: php-geshi
Version: 1.0.8.4-1
Severity: serious
Tags: security upstream

GeSHi 1.0.8.11 closes a local file inclusion vulnerability present in one
of the contrib scripts provided in the GeSHi distribution. The bug has been
present for at least 1.0.8.4 (and maybe even longer).

Please upgrade the php-geshi package to latest upstream.

Regards,
upstream.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php-geshi depends on:
ii  php5      5.4.4-4
ii  php5-cli  5.4.4-4

php-geshi recommends no packages.

php-geshi suggests no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#685324; Package php-geshi. (Mon, 20 Aug 2012 03:15:05 GMT)

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 20 Aug 2012 03:15:05 GMT)

Message #10 received at 685324@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: 685324@bugs.debian.org, 685323@bugs.debian.org
Subject: Re: Bug#685324: Local File Inclusion Vulnerability in contrib script
Date: Mon, 20 Aug 2012 04:12:10 +0100
tags 685324 + moreinfo unreproducible
tags 685323 + moreinfo unreproducible
merge 685324 685323
severity 685326 wishlist
merge 685326 584251
thanks

Hi,

Were these reports of security issues supposed to be genuine?

Or was this simply your "idea on how to get them to update GeSHi". [1]

You refer to vulnerabilities in unspecified "contrib" scripts, but it
seems to me that Debian does not even ship them in the php-geshi package.


"Debian who STILL believes the most recent version is 1.0.8.4", actually
identifies the latest version as 1.0.8.10 on the PTS [2], with a link to
the source tarball, and that will surely update within a few hours to
indicate the new 1.0.8.11 release.

Yes, you already filed a wishlist bug asking for someone to package the
new version, so there was no reason to file a new 'serious'-severity
duplicate just now demanding the same.

It seems to me you are in fact wasting the time of whoever would
potentially package your software, of developers busy fixing serious
issues to make the next Debian release happen, and of the security team,
who would be kindly looking after users for the package's 2-3 year term
in stable/oldstable.


Some users really prefer long-term, unchanging versions, because they
deploy lots of software that they don't want to have to review for
what's changed, update it, re-test and check compatibility on a regular
basis.  Debian's stable distribution fulfills that need.

The freeze deadline has already passed, for someone to have
_volunteered_ to update the GeSHi package in time for the Wheezy release
process.  The only exception now might be for a genuine security fix or
serious flaw (which would probably be only a minimal patch for the
specific issue),

It is possible for more frequent updates to be packaged in testing or
backports, for example to support new programming languages, but it
would require continued effort on the part of a volunteer maintainer.
That person would have had to process your bug reports too.

[1] http://blog.benny-baumann.de/?p=1297

[2] http://packages.qa.debian.org/g/geshi.html

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Added tag(s) unreproducible and moreinfo. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Mon, 20 Aug 2012 03:15:07 GMT)

Merged 685323 685324. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Mon, 20 Aug 2012 03:15:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#685324; Package php-geshi. (Mon, 20 Aug 2012 07:36:06 GMT)

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 20 Aug 2012 07:36:06 GMT)

Message #19 received at 685324@bugs.debian.org:

From: Thorsten Glaser <t.glaser@tarent.de>
To: Benny Baumann <BenBE@geshi.org>, 685324@bugs.debian.org
Subject: Re: [Pkg-mediawiki-devel] Bug#685324: Local File Inclusion Vulnerability in contrib script
Date: Mon, 20 Aug 2012 09:24:48 +0200 (CEST)
On Sun, 19 Aug 2012, Benny Baumann wrote:

> Please upgrade the php-geshi package to latest upstream.

With the freeze this is no longer possible. If this is indeed
a security issue, we can either apply a backported fix or have
the package removed from the release, at this point in time.

bye,
//mirabilos
-- 
«MyISAM tables -will- get corrupted eventually. This is a fact of life. »
“mysql is about as much database as ms access” – “MSSQL at least descends
from a database” “it's a rebranded SyBase” “MySQL however was born from a
flatfile and went downhill from there” – “at least jetDB doesn’t claim to
be a database”	(#nosec)    ‣‣‣ Please let MySQL and MariaDB finally die!



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#685324; Package php-geshi. (Tue, 21 Aug 2012 19:24:08 GMT)

Acknowledgement sent to Benny Baumann <BenBE1987@gmx.net>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Tue, 21 Aug 2012 19:24:08 GMT)

Message #24 received at 685324@bugs.debian.org:

From: Benny Baumann <BenBE1987@gmx.net>
To: Steven Chamberlain <steven@pyro.eu.org>
Cc: 685324@bugs.debian.org, 685323@bugs.debian.org
Subject: Re: Re: Bug#685324: Local File Inclusion Vulnerability in contrib script
Date: Tue, 21 Aug 2012 21:20:55 +0200
Dear Steven,

On 20.08.2012 05:12, Steven Chamberlain wrote:
> tags 685324 + moreinfo unreproducible
> tags 685323 + moreinfo unreproducible
> merge 685324 685323
> severity 685326 wishlist
> merge 685326 584251
> thanks
>
> Hi,
>
> Were these reports of security issues supposed to be genuine?
Yes, they were, as they are really two distinct security issues.
> Or was this simply your "idea on how to get them to update GeSHi". [1]
Well, no. But it'd be a bit long for this mail to shed light on all the
background. And since I don't want to bore you to death while you
actually could be doing something useful (like e.g. updating the
package) I refrain from doing so.
> You refer to vulnerabilities in unspecified "contrib" scripts, but it
> seems to me that Debian does not even ship them in the php-geshi package.
Debian ships them. And the Security Team already has been notified about
the details. That's also the reason why these two bugs have been made
public as part of a longer discussion yesterday.
> "Debian who STILL believes the most recent version is 1.0.8.4", actually
> identifies the latest version as 1.0.8.10 on the PTS [2], with a link to
> the source tarball, and that will surely update within a few hours to
> indicate the new 1.0.8.11 release.
Just checked [2]: Still says 1.0.8.10. But that wasn't the point of the
blog post: The point was about the packaging which was (and by the way
still is) way behind; but more on this in a moment.
> Yes, you already filed a wishlist bug asking for someone to package the
> new version, so there was no reason to file a new 'serious'-severity
> duplicate just now demanding the same.
There was a request on the #debian-qa channel when I talked to some
people directly asking for it. If you'd like the log just ask.
> It seems to me you are in fact wasting the time of whoever would
> potentially package your software, of developers busy fixing serious
> issues to make the next Debian release happen, and of the security team,
> who would be kindly looking after users for the package's 2-3 year term
> in stable/oldstable.
Oh, thanks for that compliment, but I have to decline. Given exactly the
2-3 years this package will be in stable/oldstable is the reason why
there should be an update to something reasonably recent before the
package is put into a distribution. Putting in a package which is
~40kLOCs in diffs behind the current version (to compare, the core
component only is about 5kLOC) will be a monster to support. Last time
there was a report to fix something in a stable release, it took about 4
months of MY time to look up a patch that the package maintainers
requested; it would have taken about 2 days using upstream AND testing
it thoroughly.
> Some users really prefer long-term, unchanging versions, because they
> deploy lots of software that they don't want to have to review for
> what's changed, update it, re-test and check compatibility on a regular
> basis.  Debian's stable distribution fulfills that need.
Yeah, no news to me. And BTW: I'm also using Debian on some of my systems.

And if you really want to try: GeSHi 1.0.7.15 (which should be around
etch IIRC) can be replaced by a current 1.0.8.11 and everything just
keeps working. That's about it. With Cygwin half my system breaks every time I
install an update.
> The freeze deadline has already passed, for someone to have
> _volunteered_ to update the GeSHi package in time for the Wheezy release
> process.  The only exception now might be for a genuine security fix or
> serious flaw (which would probably be only a minimal patch for the
> specific issue),
Feel lucky I had the revisions for the bugfix still at hand...

And regarding the packaging: It has been known for at least the time
there was this wishlist ticket that GeSHi was needing an update in
unstable/testing. It's absolutely not my fault that there's only someone
waking up once a security problem is notified. Also: I repeatedly tried
to get someone who was willing to do the packaging for php-geshi to
resolve those long-standing issues. If again the packaging team can't
manage to grant necessary privileges for about 5 months, that's another
problem on your side.
> It is possible for more frequent updates to be packaged in testing or
> backports, for example to support new programming languages, but it
> would require continued effort on the part of a volunteer maintainer.
> That person would have had to process your bug reports too.
Correct. And I already did some work on this part prior and in parallel
to these reports. So don't be as gentle as an elephant shopping for
porcelain.
>
> [1] http://blog.benny-baumann.de/?p=1297
>
> [2] http://packages.qa.debian.org/g/geshi.html
>
> Regards,
Regards,
upstream.

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#685324; Package php-geshi. (Tue, 21 Aug 2012 19:54:09 GMT)

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Tue, 21 Aug 2012 19:54:09 GMT)

Message #29 received at 685324@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: Benny Baumann <BenBE1987@gmx.net>
Cc: 685324@bugs.debian.org, 685323@bugs.debian.org
Subject: Re: Bug#685324: Local File Inclusion Vulnerability in contrib script
Date: Tue, 21 Aug 2012 20:50:12 +0100
unmerge 685324 685323
thanks

Hi Benny,

If I seem annoyed, it's because I was alerted about security issues in a
package deployed on one of my systems, and had to spend time looking
into it urgently.  (And I still don't know what the issues really are.)

All I could find out is that you've been insisting that Debian
distribute a new version of your software, that you had an "idea on how
to get them to update GeSHi", and that nothing from the contrib/
directory in the source is shipped in the php-geshi package anyway.

http://packages.debian.org/squeeze/all/php-geshi/filelist

So I'm still not sure what to make of this.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Disconnected #685324 from all other report(s). Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Tue, 21 Aug 2012 19:57:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#685324; Package php-geshi. (Tue, 21 Aug 2012 22:45:05 GMT)

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Tue, 21 Aug 2012 22:45:05 GMT)

Message #36 received at 685324@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: 685324@bugs.debian.org
Subject: Re: Bug#685324: Local File Inclusion Vulnerability in contrib script
Date: Tue, 21 Aug 2012 23:41:43 +0100
tags 685324 = security upstream patch
thanks

Bug affects an example script in the documentation only.

Untrusted paths are used by file() and opendir().  A patch committed
upstream tries to sanitise the inputs. [1]

But these and other user-supplied data are still echoed out unescaped,
so I think it would allow XSS if someone used the script on a public-facing
webserver.  The code looks like it might have all sorts of other issues.

It seems obsoleted by cssgen2.php, which does not need to accept user
input at all.  That is distributed already in php-geshi 1.0.8.4-1.

So I suggest removing the cssgen.php file altogether.  Thank you.

[1]
http://geshi.svn.sourceforge.net/viewvc/geshi/trunk/geshi-1.0.X/src/contrib/cssgen.php?r1=2507&r2=2506&pathrev=2507

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
[bug685324.patch (text/x-patch, attachment)]
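The two defensive checks this message describes as missing, confining a user-supplied path to a fixed base directory before it reaches file() or opendir(), and escaping user-supplied data before it is echoed into HTML, shown as an added PHP illustration. This is not GeSHi's cssgen.php nor the upstream patch; the base directory, the `dir`/`file` request parameters and the output layout are assumptions made for the example.

```php
<?php
// Added illustration, not the cssgen.php code from GeSHi or its upstream fix.
// Shows the two checks the bug report says the script lacked: a user-supplied
// path is confined to a base directory before file()/opendir() see it, and
// anything user-supplied is escaped before it is echoed into HTML.
// $base and the request parameter names are assumptions for this example.

declare(strict_types=1);

/**
 * Resolve $userPath relative to $base and return the canonical absolute path,
 * or null if it does not exist or escapes $base (via "..", a symlink or an
 * absolute path). The prefix check is made on the realpath()-resolved result,
 * not on the raw string, so "../" and symlink tricks are caught uniformly.
 */
function confine_to_base(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // NUL bytes truncate paths inside the underlying C calls; reject outright.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $baseReal && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Escape any user-supplied string before echoing it into an HTML document. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Example use: list the .php files under a confined directory, then read one.
$base          = __DIR__ . '/geshi';   // assumption: directory the script may serve
$requestedDir  = $_GET['dir']  ?? '.'; // untrusted
$requestedFile = $_GET['file'] ?? '';  // untrusted

$dir = confine_to_base($base, $requestedDir);
if ($dir === null || !is_dir($dir)) {
    http_response_code(400);
    exit('Invalid directory: ' . h($requestedDir));
}

$entries = [];
$dh = opendir($dir);               // only reached with a path inside $base
if ($dh !== false) {
    while (($entry = readdir($dh)) !== false) {
        if (substr($entry, -4) === '.php') {
            $entries[] = $entry;
        }
    }
    closedir($dh);
}

echo '<ul>';
foreach ($entries as $entry) {
    echo '<li>' . h($entry) . '</li>';  // file names are untrusted output too
}
echo '</ul>';

if ($requestedFile !== '') {
    $file = confine_to_base($dir, $requestedFile);
    if ($file === null || !is_file($file)) {
        http_response_code(400);
        exit('Invalid file: ' . h($requestedFile));
    }
    $lines = file($file, FILE_IGNORE_NEW_LINES);  // confined path only
    if ($lines === false) {
        http_response_code(500);
        exit('Could not read file');
    }
    echo '<pre>' . h(implode("\n", $lines)) . '</pre>';
}
```

Note that confining the path does not make a script like this suitable for a public-facing server; as the message says, the generator is better replaced by one that takes no user input at all.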

Added tag(s) patch; removed tag(s) unreproducible and moreinfo. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Tue, 21 Aug 2012 22:45:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#685324; Package php-geshi. (Thu, 23 Aug 2012 09:27:07 GMT)

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Thu, 23 Aug 2012 09:27:07 GMT)

Message #43 received at 685324@bugs.debian.org:

From: Thorsten Glaser <t.glaser@tarent.de>
To: Benny Baumann <BenBE1987@gmx.net>, 685323@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Cc: Steven Chamberlain <steven@pyro.eu.org>, 685324@bugs.debian.org
Subject: Re: [Pkg-mediawiki-devel] Bug#685323: Re: Bug#685324: Local File Inclusion Vulnerability in contrib script
Date: Thu, 23 Aug 2012 11:23:10 +0200 (CEST)
On Tue, 21 Aug 2012, Benny Baumann wrote:

> Given exactly the
> 2-3 years this package will be in stable/oldstable is the reason why
> there should be an update to something reasonably recent before the
> package is put into a distribution.

Sorry, it’s now too late for that. In May, something could have
been done, but not now. No new upstream versions, any more.

(That being said, updating it in sid now would be reasonable,
and wheezy users could just pull that package from sid.)

bye,
//mirabilos, Debian Developer
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#685324; Package php-geshi. (Sat, 25 Aug 2012 13:09:03 GMT)

Acknowledgement sent to Jan Dittberner <jandd@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Sat, 25 Aug 2012 13:09:03 GMT)

Message #48 received at 685324@bugs.debian.org:

From: Jan Dittberner <jandd@debian.org>
To: Steven Chamberlain <steven@pyro.eu.org>, Thorsten Glaser <t.glaser@tarent.de>
Cc: 685324@bugs.debian.org, Benny Baumann <BenBE1987@gmx.net>, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Subject: Re: Bug#685324: Local File Inclusion Vulnerability in contrib script
Date: Sat, 25 Aug 2012 14:31:46 +0200

On Tue, Aug 21, 2012 at 11:41:43PM +0100, Steven Chamberlain wrote:
> Bug affects an example script in the documentation only.
> 
> Untrusted paths are used by file() and opendir().  A patch committed
> upstream tries to sanitise the inputs. [1]
> 
> But these and other user-supplied data are still echoed out unescaped,
> so I think it would allow XSS if someone used the script on a public-facing
> webserver.  The code looks like it might have all sorts of other issues.
> 
> It seems obsoleted by cssgen2.php, which does not need to accept user
> input at all.  That is distributed already in php-geshi 1.0.8.4-1.
> 
> So I suggest removing the cssgen.php file altogether.  Thank you.

Thanks for this suggestion. I will prepare an upload that removes this file
from the examples directory and will ask the release team for a freeze
exception.

On Thu, Aug 23, 2012 at 11:23:10AM +0200, Thorsten Glaser wrote:
> On Tue, 21 Aug 2012, Benny Baumann wrote:
> 
> > Given exactly the
> > 2-3 years this package will be in stable/oldstable is the reason why
> > there should be an update to something reasonably recent before the
> > package is put into a distribution.
> 
> Sorry, it’s now too late for that. In May, something could have
> been done, but not now. No new upstream versions, any more.
> 
> (That being said, updating it in sid now would be reasonable,
> and wheezy users could just pull that package from sid.)

If the change suggested above by Steven is accepted by the release team,
I will upload a new upstream version to unstable after the fixed version
has migrated to testing.


Best regards
Jan Dittberner

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
http://www.dittberner.info/



Reply sent to Jan Dittberner <jandd@debian.org>:
You have taken responsibility. (Sat, 25 Aug 2012 13:21:03 GMT)

Notification sent to Benny Baumann <BenBE@geshi.org>:
Bug acknowledged by developer. (Sat, 25 Aug 2012 13:21:04 GMT)

Message #53 received at 685324-close@bugs.debian.org:

From: Jan Dittberner <jandd@debian.org>
To: 685324-close@bugs.debian.org
Subject: Bug#685324: fixed in geshi 1.0.8.4-2
Date: Sat, 25 Aug 2012 13:17:37 +0000
Source: geshi
Source-Version: 1.0.8.4-2

We believe that the bug you reported is fixed in the latest version of
geshi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685324@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Dittberner <jandd@debian.org> (supplier of updated geshi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 25 Aug 2012 14:55:54 +0200
Source: geshi
Binary: php-geshi
Architecture: source all
Version: 1.0.8.4-2
Distribution: unstable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Jan Dittberner <jandd@debian.org>
Description: 
 php-geshi  - Generic Syntax Highlighter
Closes: 685324
Changes: 
 geshi (1.0.8.4-2) unstable; urgency=low
 .
   * Fix "Local File Inclusion Vulnerability in contrib script" use debian/rules
     to remove contrib/cssgen.php from bundled examples (Closes: #685324)
   * debian/control: add myself to Uploaders





Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#685324; Package php-geshi. (Sun, 26 Aug 2012 11:18:03 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Sun, 26 Aug 2012 11:18:04 GMT)

Message #58 received at 685324@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 685324@bugs.debian.org
Subject: Re: Local File Inclusion Vulnerability in contrib script
Date: Sun, 26 Aug 2012 11:15:02 -0000
Package: php-geshi

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/685324/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#685324; Package php-geshi. (Mon, 27 Aug 2012 18:12:08 GMT)

Acknowledgement sent to Jan Dittberner <jandd@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 27 Aug 2012 18:12:08 GMT)

Message #63 received at 685324@bugs.debian.org:

From: Jan Dittberner <jandd@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: Jonathan Wiltshire <jmw@debian.org>, 685324@bugs.debian.org
Subject: pu: package geshi/1.0.8.4-1+squeeze1
Date: Mon, 27 Aug 2012 20:09:01 +0200
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I have an upload of geshi for Squeeze ready. The upload fixes #685324. The
upload was requested by Jonathan Wiltshire [1]. I attach a debdiff between
the version currently in Squeeze and my prepared update.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685324#58


Best regards
Jan Dittberner

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
http://ddportfolio.debian.net/ - http://people.debian.org/~jandd/
[geshi_1.0.8.4-1+squeeze1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Jan Dittberner <jandd@debian.org>:
You have taken responsibility. (Wed, 29 Aug 2012 12:21:08 GMT)

Notification sent to Benny Baumann <BenBE@geshi.org>:
Bug acknowledged by developer. (Wed, 29 Aug 2012 12:21:09 GMT)

Message #68 received at 685324-close@bugs.debian.org:

From: Jan Dittberner <jandd@debian.org>
To: 685324-close@bugs.debian.org
Subject: Bug#685324: fixed in geshi 1.0.8.4-1+squeeze1
Date: Wed, 29 Aug 2012 12:17:05 +0000
Source: geshi
Source-Version: 1.0.8.4-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
geshi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685324@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Dittberner <jandd@debian.org> (supplier of updated geshi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 27 Aug 2012 16:06:25 +0200
Source: geshi
Binary: php-geshi
Architecture: source all
Version: 1.0.8.4-1+squeeze1
Distribution: stable
Urgency: low
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Jan Dittberner <jandd@debian.org>
Description: 
 php-geshi  - Generic Syntax Highlighter
Closes: 685324
Changes: 
 geshi (1.0.8.4-1+squeeze1) stable; urgency=low
 .
   * Team upload.
   * Fix "Local File Inclusion Vulnerability in contrib script" use debian/rules
     to remove contrib/cssgen.php from bundled examples (Closes: #685324)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 03 Oct 2012 07:26:28 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:43:06 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.