Debian Bug report logs - #889281
dokuwiki: CVE-2017-18123: reflected file download vulnerability

version graph

Package: src:dokuwiki; Maintainer for src:dokuwiki is Debian DokuWiki Team <team+dokuwiki@tracker.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 3 Feb 2018 09:27:02 UTC

Severity: serious

Tags: fixed-upstream, patch, security, upstream

Found in versions dokuwiki/0.0.20160626.a-2, dokuwiki/0.0.20140505.a+dfsg-4, dokuwiki/0.0.20140505.a+dfsg-1

Fixed in version dokuwiki/0.0.20160626.a-2.1

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/splitbrain/dokuwiki/issues/2029

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#889281; Package src:dokuwiki. (Sat, 03 Feb 2018 09:27:05 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Sat, 03 Feb 2018 09:27:05 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dokuwiki: CVE-2017-18123: reflected file download vulnerability
Date: Sat, 03 Feb 2018 10:24:30 +0100
Source: dokuwiki
Version: 0.0.20160626.a-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/splitbrain/dokuwiki/issues/2029
Control: found -1 0.0.20140505.a+dfsg-4 

Hi,

the following vulnerability was published for dokuwiki.

CVE-2017-18123[0]:
| The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e
| does not properly encode user input, which leads to a reflected file
| download vulnerability, and allows remote attackers to run arbitrary
| programs.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-18123
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18123
[1] https://github.com/splitbrain/dokuwiki/issues/2029
[2] https://github.com/splitbrain/dokuwiki/commit/238b8e878ad48f370903465192b57c2072f65d86

Regards,
Salvatore

Marked as found in versions dokuwiki/0.0.20140505.a+dfsg-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 03 Feb 2018 09:27:05 GMT) (full text, mbox, link).

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 12 Feb 2018 17:38:27 GMT) (full text, mbox, link).

Severity set to 'serious' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 06 May 2018 16:21:02 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#889281; Package src:dokuwiki. (Thu, 07 Jun 2018 19:57:02 GMT) (full text, mbox, link).

Acknowledgement sent to anarcat <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Thu, 07 Jun 2018 19:57:02 GMT) (full text, mbox, link).

Message #16 received at 889281@bugs.debian.org (full text, mbox, reply):

From: anarcat <anarcat@orangeseeds.org>
To: 889281@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#889281: dokuwiki: CVE-2017-18123: reflected file download vulnerability
Date: Thu, 7 Jun 2018 15:55:53 -0400
[Message part 1 (text/plain, inline)]
Hi,

I have tested an update of the jessie package and things seem to work
fine after merging the patch from upstream during a smoketest of a clean
jessie VM.

Attached is the debdiff to complete the update.

A.

[dokuwiki_0.0.20140505.a+dfsg-4+deb8u1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Fri, 13 Jul 2018 13:09:06 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 13 Jul 2018 13:09:06 GMT) (full text, mbox, link).

Message #21 received at 889281-close@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@tauware.de>
To: 889281-close@bugs.debian.org
Subject: Bug#889281: fixed in dokuwiki 0.0.20160626.a-2.1
Date: Fri, 13 Jul 2018 13:04:23 +0000
Source: dokuwiki
Source-Version: 0.0.20160626.a-2.1

We believe that the bug you reported is fixed in the latest version of
dokuwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889281@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated dokuwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 07 Jul 2018 11:59:53 -0400
Source: dokuwiki
Binary: dokuwiki
Architecture: source
Version: 0.0.20160626.a-2.1
Distribution: unstable
Urgency: medium
Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description:
 dokuwiki   - standards compliant simple to use wiki
Closes: 866245 889281 894018
Changes:
 dokuwiki (0.0.20160626.a-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2017-18123: fix remote code execution through reflected file
     download. Originally prepared by  Antoine Beaupré <anarcat@debian.org>
     (Closes: #889281)
   * Fix loading of css (Closes: #894018)
   * Fix 'Invalid argument supplied for foreach() .../lib/exe/js.php'
     (Closes: #866245)
Checksums-Sha1:
 560bbfaaed5ab915f8510ab2de5c37630728a204 2179 dokuwiki_0.0.20160626.a-2.1.dsc
 bef662543580069e1f39cea4bd2002f5126c9078 97604 dokuwiki_0.0.20160626.a-2.1.debian.tar.xz
Checksums-Sha256:
 57625259b66bd7dbd6636559b01b8fc15c42f3c99a097b9a3a8be71f6d570c23 2179 dokuwiki_0.0.20160626.a-2.1.dsc
 95c00ab762c7547c871696569ce22554be5c03d795b1785290592e15eb62b325 97604 dokuwiki_0.0.20160626.a-2.1.debian.tar.xz
Files:
 bce750584abedb30f75964de9a5c1cb5 2179 web optional dokuwiki_0.0.20160626.a-2.1.dsc
 eb901084dc1a92bcdf4821654eecda9d 97604 web optional dokuwiki_0.0.20160626.a-2.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEE6n5rckvJ+/LRcetya3IL6cXPbZ4FAltCA5gUHHNpcmV0YXJ0
QHRhdXdhcmUuZGUACgkQa3IL6cXPbZ6cbw//aKQ/I0stte8eAvNtR6ddcJasSiQT
vJilJ9OfYbb+2cjMg8Esail9HJHUh4NLRrxmlTzIqktMMWoMFWfFY4GgQ45OZdLQ
VzVP8y3b3WDxC+4NosuZhputcZOWO1BzCDi4OntWJ2AHtPQwR1DWMZk9BF+pDEet
bntApPEJhZf9t4ivptSOXKiIj6arMPZUGYm8bif85FK/JK1mT1fs2S4uIqCXz8KI
Xl9l5s1FDsBCWNDQwdERC/Pr6xjZeWGKFOiZvUEcOYlrNWzrn/yrKLpvF0WqKBsn
GijAoyvT6qm2NzFU3wnsZ0PAiGC1hmwEklzPQ2ylx65UAnweHoJaCH4o/1BiqbNL
Q+3Hkrc4eC8K/XK4nYGgUmWrgMNzfpZC5sIguVZQLdM4FzVGWKGdCXfbZ2EYMjP+
eFLQO0CSv5q9W15EyaUAwHGmDRCUydXuay2AaPKSirfdR1bciI+UqyWtOuSCHvKw
QFF1qra+X8r6/uQ0+o1YATxrlTN29IycYqWwki0w+qQGc/OiduS3EsjT8zzJO4FN
Jqh/pPBqXmtL/U7uruTlQ15GI+LpaRKVUYu6NJqxfY5XuMSc4aojHW1GJ2YABcW3
rE7KPMgnUF4hvZIrJJ3VB7bJcFwgkJYlS9haXabacdOiOhUKH1Hpk1ObFnzhnFDS
OmcvKwZdIGgmPbI=
=p8ff
-----END PGP SIGNATURE-----

Marked as found in versions dokuwiki/0.0.20140505.a+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 13 Jul 2018 19:00:05 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 15 Aug 2018 07:29:16 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Nov 22 00:05:17 2024; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.