Package: dokuwiki Version: 0.0.20160626.a-2 Severity: normal Tags: patch pending
Dear maintainer, I've prepared an NMU for dokuwiki (versioned as 0.0.20160626.a-2.1) and uploaded it to DELAYED/5. The main motivation for the NMU was to fix the security issue that prevents migration to testing. While testing the patch, I realized that the current state of the dokuwiki package doesn't result in the CSS being rendered correctly, so I included some patches from the BTS in order to have a package that renders correctly on a default installation. Please feel free to tell me if I should delay it longer. I think the best course of action would be to package a newer upstream version, but I leave that to you, the actual maintainer of the package. Thanks for your work in packaging and maintaining dokuwiki. Reinhard
diff -Nru dokuwiki-0.0.20160626.a/debian/add-ons/preload.php dokuwiki-0.0.20160626.a/debian/add-ons/preload.php
--- dokuwiki-0.0.20160626.a/debian/add-ons/preload.php 2016-02-25 09:02:29.000000000 -0500
+++ dokuwiki-0.0.20160626.a/debian/add-ons/preload.php 2018-07-07 11:59:53.000000000 -0400
@@ -138,14 +138,14 @@
 'default' => DOKU_CONF.'users.auth.php',
 ),
 'userstyle' => array(
- 'default' => DOKU_CONF.'userstyle.css', // 'default' was renamed to 'screen' on 2011-02-26, so will be deprecated in the next version
- 'screen' => DOKU_CONF.'userstyle.css',
- 'rtl' => DOKU_CONF.'userrtl.css',
- 'print' => DOKU_CONF.'userprint.css',
- 'feed' => DOKU_CONF.'userfeed.css',
- 'all' => DOKU_CONF.'userall.css',
+ 'default' => array(DOKU_CONF.'userstyle.css'), // 'default' was renamed to 'screen' on 2011-02-26, so will be deprecated in the next version
+ 'screen' => array(DOKU_CONF.'userstyle.css'),
+ 'rtl' => array(DOKU_CONF.'userrtl.css'),
+ 'print' => array(DOKU_CONF.'userprint.css'),
+ 'feed' => array(DOKU_CONF.'userfeed.css'),
+ 'all' => array(DOKU_CONF.'userall.css'),
 ),
 'userscript' => array(
- 'default' => DOKU_CONF.'userscript.js'
+ 'default' => array(DOKU_CONF.'userscript.js')
 ),
 );
diff -Nru dokuwiki-0.0.20160626.a/debian/changelog dokuwiki-0.0.20160626.a/debian/changelog
--- dokuwiki-0.0.20160626.a/debian/changelog 2017-04-14 09:38:06.000000000 -0400
+++ dokuwiki-0.0.20160626.a/debian/changelog 2018-07-07 11:59:53.000000000 -0400
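Review bot: The rewritten `'userscript'` entry still lacks a trailing comma after `array(DOKU_CONF.'userscript.js')`, while every element of the rewritten `'userstyle'` block just above ends with one; `'default' => array(DOKU_CONF.'userscript.js'),` keeps the two blocks consistent and lets future additions diff as one line. Nothing in the hunk records why the values changed from a string to a single-element array; a short comment on the `'userstyle' => array(` line, such as `// one list of files per media type, as iterated by lib/exe/js.php and css.php (#866245)`, would spare the next reader the trip to the changelog — the iteration is inferred from the changelog entry for #866245, so confirm it before committing to that wording. The stale remark that `'default'` "will be deprecated in the next version" has been carried over verbatim and could be dropped or dated in the same edit. The enclosing configuration array starts before the hunk and closes on its last context line.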
@@ -1,3 +1,15 @@
+dokuwiki (0.0.20160626.a-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2017-18123: fix remote code execution through reflected file
+ download. Originally prepared by Antoine Beaupré <anar...@debian.org>
+ (Closes: #889281)
+ * Fix loading of css (Closes: #894018)
+ * Fix 'Invalid argument supplied for foreach() .../lib/exe/js.php'
+ (Closes: #866245)
+
+ -- Reinhard Tartler <siret...@tauware.de> Sat, 07 Jul 2018 11:59:53 -0400
+
 dokuwiki (0.0.20160626.a-2) unstable; urgency=medium
 
 * debian/control: depend on php-seclib (<<2) as the new php-phpseclib
diff -Nru dokuwiki-0.0.20160626.a/debian/patches/filter-special-chars-from-ajax-call-para dokuwiki-0.0.20160626.a/debian/patches/filter-special-chars-from-ajax-call-para
--- dokuwiki-0.0.20160626.a/debian/patches/filter-special-chars-from-ajax-call-para 1969-12-31 19:00:00.000000000 -0500
+++ dokuwiki-0.0.20160626.a/debian/patches/filter-special-chars-from-ajax-call-para 2018-07-07 11:59:53.000000000 -0400
@@ -0,0 +1,22 @@
+From: Andreas Gohr <g...@cosmocode.de>
+Date: Tue, 27 Jun 2017 15:04:23 +0200
+X-Dgit-Generated: 0.0.20160626.a-2.1 ed9c66b49d621314958ae269c1c4c66e28b3f68b
+Subject: filter special chars from ajax call parameter. fixes #2019
+
+
+---
+
+--- dokuwiki-0.0.20160626.a.orig/lib/exe/ajax.php
++++ dokuwiki-0.0.20160626.a/lib/exe/ajax.php
+@@ -15,9 +15,9 @@ header('Content-Type: text/html; charset
+ 
+ //call the requested function
+ if($INPUT->post->has('call')){
+- $call = $INPUT->post->str('call');
++ $call = $INPUT->post->filter('utf8_stripspecials')->str('call');
+ }else if($INPUT->get->has('call')){
+- $call = $INPUT->get->str('call');
++ $call = $INPUT->get->filter('utf8_stripspecials')->str('call');
+ }else{
+ exit;
+ }
diff -Nru dokuwiki-0.0.20160626.a/debian/patches/fix-loading-of-css-closes-894018 dokuwiki-0.0.20160626.a/debian/patches/fix-loading-of-css-closes-894018
--- dokuwiki-0.0.20160626.a/debian/patches/fix-loading-of-css-closes-894018 1969-12-31 19:00:00.000000000 -0500
+++ dokuwiki-0.0.20160626.a/debian/patches/fix-loading-of-css-closes-894018 2018-07-07 11:59:53.000000000 -0400
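Review bot: The filtered `$call` is still accepted on trust once it leaves the if/else chain: `utf8_stripspecials` removes special characters, but nothing states what a valid call name looks like, so a positive check after the chain, e.g. `if(!preg_match('/^[a-zA-Z0-9_]+$/', $call)) exit;`, would make the contract explicit and not depend on what the filter's own definition happens to let through — verify the pattern against the real set of call names first, which is not visible here. The two branches differ only in `post` versus `get`, so the `filter('utf8_stripspecials')` call is duplicated, and neither branch says why it is there; a comment such as `// sanitise the call name, it is reflected into the response (CVE-2017-18123, Closes: #889281)` would record the reason — the reflection path is inferred from the changelog entry, not shown in this hunk. How `$call` is dispatched after the chain lies outside the hunk.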
@@ -0,0 +1,20 @@
+From: Reinhard Tartler <siret...@tauware.de>
+Date: Sun, 8 Jul 2018 07:52:19 -0400
+X-Dgit-Generated: 0.0.20160626.a-2.1 04dae39dc34ab2df6b21cf7d6b557edb2483ba02
+Subject: Fix loading of css (Closes: #894018)
+
+Patch provided by Francesco Potortì <poto...@isti.cnr.it>
+
+---
+
+--- dokuwiki-0.0.20160626.a.orig/lib/exe/css.php
++++ dokuwiki-0.0.20160626.a/lib/exe/css.php
+@@ -166,7 +166,7 @@ function css_parseless($css) {
+ global $conf;
+ 
+ $less = new lessc();
+- $less->importDir[] = DOKU_INC;
++ $less->importDir = array(DOKU_INC);
+ $less->setPreserveComments(!$conf['compress']);
+ 
+ if (defined('DOKU_UNITTEST')){
diff -Nru dokuwiki-0.0.20160626.a/debian/patches/series dokuwiki-0.0.20160626.a/debian/patches/series
--- dokuwiki-0.0.20160626.a/debian/patches/series 2016-02-25 09:02:29.000000000 -0500
+++ dokuwiki-0.0.20160626.a/debian/patches/series 2018-07-07 11:59:53.000000000 -0400
@@ -4,3 +4,5 @@
 debianize.diff
 soften_email_validator.diff
 use_packaged_jquery.diff
+filter-special-chars-from-ajax-call-para
+fix-loading-of-css-closes-894018
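Review bot: `$less->importDir = array(DOKU_INC);` replaces the whole import-directory list rather than appending to it, so any directory the `lessc` constructor pre-populates on the instance created one line earlier is discarded, where the original `[]` append would have kept it; whether the constructor sets one is not visible here, so check the packaged lessc before relying on that. The hunk gives no hint why the append form had to go, and the next maintainer will be tempted to put it back; a one-line comment on the assignment, e.g. `// the packaged lessc expects importDir to be set as an array (Closes: #894018)`, would preserve the reason — that it is a lessc version difference is inferred from the patch subject, not shown in the code. `css_parseless` continues past the end of the hunk.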