Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: dokuw...@packages.debian.org, a...@debian.org
Control: affects -1 + src:dokuwiki
Please unblock package dokuwiki/0.0.20220731.a-2

It fixes an XSS security issue (#1036279) for which upstream has released a hotfix for two upstream releases including the release "Igor" which is the one currently in Debian Sid/Bookworm. (There has been a new major upstream release since the beginning of the freeze. See https://www.dokuwiki.org/changes for details.)

The Debian Security Team considers this issue to be of grave severity.

[ Reason ]
A cross-server-side (XSS) issue has been detected in DokuWiki's RSS feed generator. This is the security update to fix it.

[ Impact ]
DokuWiki installations will be exposed to an XSS security issue in the RSS feed generator in Debian 12 Bookworm, at least at release time.

Given that the Debian Security Team considers the issue grave, it might be that the security team publishes more or less the same package as just uploaded also as a DSA for Bookworm if it's not migrating to testing before the release. (I haven't asked them, though. I just based this on the severity they've given to the issue.)

[ Tests ]
* Ran for 2 days on a DokuWiki instance which I run on Debian Testing.
* Tested viewing, editing and the RSS feed generation on that site.

[ Risks ]
The upstream fix is small-ish, but not straightforward and contains order changes where it's at least not obvious to me why. It does, though, clearly add some additional escaping to the code. (The version bump patch is straightforward, though.)

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
I've included the whole difference between 2022-07-31a and 2022-07-31b in the upload (see the upstream diff at https://github.com/dokuwiki/dokuwiki/compare/release-2022-07-31a...release-2022-07-31b#files_bucket) in two patches (as they were split over two commits upstream), including the version and message version bump.

Reasoning behind the latter is that security scanners potentially won't argue about this being 2022-07-31a and being vulnerable to that XSS issue even though it isn't. So this is de facto an upgrade to the upstream hotfix version 2022-07-31b, which contains nothing but the XSS fix and a version bump.

I've not used the upstream tarball for the hotfix for that release as it dropped about 136 files from the tarball. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036279#14 for the whole list of missing files.

So please unblock dokuwiki/0.0.20220731.a-2
diff -Nru dokuwiki-0.0.20220731.a/debian/changelog dokuwiki-0.0.20220731.a/debian/changelog --- dokuwiki-0.0.20220731.a/debian/changelog 2022-11-14 04:24:11.000000000 +0100 +++ dokuwiki-0.0.20220731.a/debian/changelog 2023-05-21 15:01:45.000000000 +0200 @@ -1,3 +1,12 @@ +dokuwiki (0.0.20220731.a-2) unstable; urgency=high + + * Cherry pick upstream 2022-07-31b hotfix patches for the Igor release: + + ba76f875: fix XSS in RSS syntax + + b7fcf218: hotfix release for Igor + Closes: #1036279 + + -- Axel Beckert <a...@debian.org> Sun, 21 May 2023 15:01:45 +0200 + dokuwiki (0.0.20220731.a-1) unstable; urgency=medium * Salvage package. (Closes: #1008649) diff -Nru dokuwiki-0.0.20220731.a/debian/patches/cherrypick_b7fcf218_hotfix_release_for_igor.patch dokuwiki-0.0.20220731.a/debian/patches/cherrypick_b7fcf218_hotfix_release_for_igor.patch --- dokuwiki-0.0.20220731.a/debian/patches/cherrypick_b7fcf218_hotfix_release_for_igor.patch 1970-01-01 01:00:00.000000000 +0100 +++ dokuwiki-0.0.20220731.a/debian/patches/cherrypick_b7fcf218_hotfix_release_for_igor.patch 2023-05-18 22:59:00.000000000 +0200 
@@ -0,0 +1,30 @@ +From b7fcf218f1b2e858e7d41809d7dd291fc8a898f3 Mon Sep 17 00:00:00 2001 +From: Guy Brand <g...@unistra.fr> +Date: Tue, 16 May 2023 12:49:38 +0200 +Subject: [PATCH] hotfix release a for Igor + +--- + VERSION | 2 +- + doku.php | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/VERSION b/VERSION +index 7658b60750..2800ff9b24 100644 +--- a/VERSION ++++ b/VERSION +@@ -1 +1 @@ +-2022-07-31a "Igor" ++2022-07-31b "Igor" +diff --git a/doku.php b/doku.php +index 50e3726327..f5117ee5eb 100644 +--- a/doku.php ++++ b/doku.php +@@ -11,7 +11,7 @@ + // update message version - always use a string to avoid localized floats! + use dokuwiki\Extension\Event; + +-$updateVersion = "53"; ++$updateVersion = "53.1"; + + // xdebug_start_profiling(); + diff -Nru dokuwiki-0.0.20220731.a/debian/patches/cherrypick_ba76f875_fix_xss_in_rss_syntax.patch dokuwiki-0.0.20220731.a/debian/patches/cherrypick_ba76f875_fix_xss_in_rss_syntax.patch --- dokuwiki-0.0.20220731.a/debian/patches/cherrypick_ba76f875_fix_xss_in_rss_syntax.patch 1970-01-01 01:00:00.000000000 +0100 +++ dokuwiki-0.0.20220731.a/debian/patches/cherrypick_ba76f875_fix_xss_in_rss_syntax.patch 2023-05-18 22:57:33.000000000 +0200 
@@ -0,0 +1,67 @@ +From ba76f875ea314c950c3c595887b68abea6181e02 Mon Sep 17 00:00:00 2001 +From: Andreas Gohr <a...@splitbrain.org> +Date: Mon, 15 May 2023 08:06:00 +0200 +Subject: [PATCH] fix XSS in RSS syntax + +The title was not correctly escaped when written to the doc in xhtml +renderer. + +SimplePie does no content escaping on its own (a comment in the code +seems to suggest that that was assumed). Instead the content is passed +on as-is from the feed. + +This patch also applies some more escaping on the description output +(though it should have been relatively safe thanks to the use of +striptags). + +This was discovered by @ry0tak and reported in +https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/ +--- + inc/parser/xhtml.php | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php +index 4c2cb78b44..2c7ff54ac7 100644 +--- a/inc/parser/xhtml.php ++++ b/inc/parser/xhtml.php +@@ -1345,17 +1345,15 @@ public function rss($url, $params) { + for($x = $start; $x != $end; $x += $mod) { + $item = $feed->get_item($x); + $this->doc .= '<li><div class="li">'; +- // support feeds without links ++ + $lnkurl = $item->get_permalink(); ++ $title = html_entity_decode($item->get_title(), ENT_QUOTES, 'UTF-8'); ++ ++ // support feeds without links + if($lnkurl) { +- // title is escaped by SimplePie, we unescape here because it +- // is escaped again in externallink() FS#1705 +- $this->externallink( +- $item->get_permalink(), +- html_entity_decode($item->get_title(), ENT_QUOTES, 'UTF-8') +- ); ++ $this->externallink($item->get_permalink(), $title); + } else { +- $this->doc .= ' '.$item->get_title(); ++ $this->doc .= ' '.hsc($item->get_title()); + } + if($params['author']) { + $author = $item->get_author(0); +@@ -1369,11 +1367,14 @@ public function rss($url, $params) { + $this->doc .= ' ('.$item->get_local_date($conf['dformat']).')'; + } + if($params['details']) { ++ $desc = 
$item->get_description(); ++ $desc = strip_tags($desc); ++ $desc = html_entity_decode($desc, ENT_QUOTES, 'UTF-8'); + $this->doc .= '<div class="detail">'; + if($conf['htmlok']) { +- $this->doc .= $item->get_description(); ++ $this->doc .= hsc($item->get_description()); + } else { +- $this->doc .= strip_tags($item->get_description()); ++ $this->doc .= hsc($desc); + } + $this->doc .= '</div>'; + } diff -Nru dokuwiki-0.0.20220731.a/debian/patches/series dokuwiki-0.0.20220731.a/debian/patches/series --- dokuwiki-0.0.20220731.a/debian/patches/series 2022-11-14 02:39:41.000000000 +0100 +++ dokuwiki-0.0.20220731.a/debian/patches/series 2023-05-18 22:59:47.000000000 +0200 @@ -5,3 +5,5 @@ use_packaged_jquery.diff #use_packaged_php-random-compat.diff #cherrypick_6b6d27d9.patch +cherrypick_ba76f875_fix_xss_in_rss_syntax.patch +cherrypick_b7fcf218_hotfix_release_for_igor.patch
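Review bot: in the first inc/parser/xhtml.php hunk of cherrypick_ba76f875 the decoded `$title` is only used on the permalink path; the `else` branch still escapes the raw value with `hsc($item->get_title())`, so a feed that ships an entity-encoded title (`Tom &amp; Jerry`) renders as `Tom &amp;amp; Jerry` on that path while it renders correctly through externallink(). Using `hsc($title)` in the `else` branch keeps both paths consistent and still escapes once for the HTML context.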
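Review bot: in the second inc/parser/xhtml.php hunk of cherrypick_ba76f875 the `$conf['htmlok']` branch now emits `hsc($item->get_description())`, so with htmlok enabled the description is no longer rendered as HTML but shown with its tags as escaped text, and entities already present in the feed are double-escaped because the html_entity_decode() step is only applied to `$desc`, which that branch does not use. If the intended outcome is that htmlok no longer applies to feed descriptions, d/changelog should say so since this is a user-visible behaviour change; otherwise the htmlok branch should at least run the same html_entity_decode() as the other branch before hsc().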
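Review bot: the cherrypick_b7fcf218 hunk bumps VERSION from `2022-07-31a "Igor"` to `2022-07-31b "Igor"` and `$updateVersion` from "53" to "53.1" while the Debian package version stays 0.0.20220731.a-2, so the in-app version and the package version no longer agree; this is the deliberate effect described under [ Other info ] (so scanners see 2022-07-31b), but it deserves a line in the d/changelog entry so nobody comparing `dpkg -l` output with the wiki's own version string files a mismatch bug. The cherry-picked commit's Subject also reads "hotfix release a for Igor" although the hunk moves to release b; that is upstream's text and harmless, but worth knowing when grepping the patch directory.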
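The [ Risks ] section above notes that the ordering of the escaping calls in the upstream fix is not obvious. The following is an added example, not DokuWiki's own code and not part of the debdiff: it models the pre-fix and post-fix handling of the RSS item title and description in plain PHP so the effect of decoding entities before escaping can be seen on constructed feed input. `hsc()` here is an assumption modelled on DokuWiki's helper of the same name (htmlspecialchars with ENT_QUOTES and UTF-8); the sample feed strings are constructed for this example and come from no real feed.

```php
<?php
// Added example, not DokuWiki code: models the escaping decisions in the
// ba76f875 hunk and shows why html_entity_decode() precedes hsc().

// Assumption: hsc() behaves like DokuWiki's helper of the same name.
function hsc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Pre-fix behaviour for a feed item without a permalink: the title is
// concatenated into the document as-is. SimplePie does not escape it.
function render_title_before(string $rawTitle): string {
    return '<li><div class="li"> ' . $rawTitle . '</div></li>';
}

// Post-fix behaviour: decode entities the feed may already carry so the
// text is in its canonical form, then escape exactly once for HTML.
function render_title_after(string $rawTitle): string {
    $title = html_entity_decode($rawTitle, ENT_QUOTES, 'UTF-8');
    return '<li><div class="li"> ' . hsc($title) . '</div></li>';
}

// Post-fix description handling on the non-htmlok branch:
// strip tags, decode, then escape.
function render_description_after(string $rawDesc): string {
    $desc = strip_tags($rawDesc);
    $desc = html_entity_decode($desc, ENT_QUOTES, 'UTF-8');
    return '<div class="detail">' . hsc($desc) . '</div>';
}

// Constructed sample feed titles (not from any real feed).
$titles = [
    // Active markup injected through the feed title: pre-fix this executes.
    '<script>alert(document.cookie)</script>',
    // A benign title the feed already entity-encoded: hsc() alone would
    // double-escape it to "Tom &amp;amp; Jerry".
    'Tom &amp; Jerry &lt;3',
    // Entity-encoded markup: decoding first must not reintroduce a tag,
    // and it does not, because hsc() runs after the decode.
    '&lt;img src=x onerror=alert(1)&gt;',
];

foreach ($titles as $raw) {
    echo "raw:      $raw\n";
    echo "before:   " . render_title_before($raw) . "\n";
    echo "after:    " . render_title_after($raw) . "\n";
    echo "hsc only: " . hsc($raw) . "\n\n";
}

// Constructed sample description: tags are dropped, entities normalised,
// and the remaining text escaped once.
$desc = '<b>Release notes</b> &amp; <script>alert(1)</script> details';
echo "description: " . render_description_after($desc) . "\n";
```

On the first title the pre-fix renderer emits the script element verbatim, while the post-fix path produces `&lt;script&gt;...&lt;/script&gt;`. On the second, escaping without decoding yields `Tom &amp;amp; Jerry &amp;lt;3` (displayed literally as `Tom &amp; Jerry &lt;3`), whereas decode-then-escape yields `Tom &amp; Jerry &lt;3`, which displays as intended; this is why the decode step sits before the single hsc() call in the patched branches, and why the htmlok branch, which skips the decode, behaves differently.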