Your message dated Sat, 16 Apr 2016 21:47:46 +0000 with message-id <[email protected]> and subject line Bug#818708: fixed in didiwiki 0.5-11+deb8u2 has caused the Debian Bug report #818708, regarding didiwiki regression: fix for CVE-2013-7448 renders many existing pages inaccessible to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
818708: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818708
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: didiwiki
Version: 0.5-11+deb8u1
Severity: important

In its attempt to prevent escape from /var/lib/didiwiki, patch 91_check_page_path.patch goes way too far and renders a large class of reasonable and previously valid page names inaccessible.

The main culprit is the check for isalnum(page_name[0]): this is painful for CJK users since Chinese characters aren't alphanumeric. More generally, it's unlikely to work as intended with UTF8-encoded names; e.g. page names that start with á (which is alphanumeric in some locales) are rejected.

I guess the intent was to exclude absolute pathnames. That's more properly coded

    if (page_name[0] == '/') return FALSE;

The checks are done after %-escapes are processed, so there is no need to separately guard against a leading %2F.

(Also, I'd only disallow ".." if it's preceded and followed by either a slash or an extremity of the string. No need to forbid ellipsis in page names...)
--- End Message ---
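The check the report describes (reject an absolute path by its leading '/', and reject ".." only when it forms a complete path component, so that UTF-8 names and ellipses stay valid), written out as an added C example. This is not didiwiki's code and not the Debian patch; the function name page_name_is_safe and the sample names are assumptions made here. Like didiwiki per the report, it assumes %-escapes have already been decoded before the name reaches this check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical page-name check (added example, not didiwiki's code).
 * Returns true when the name may be joined onto the wiki's data directory.
 * Assumes the caller has already decoded %-escapes, so "%2F" has already
 * become '/' and "%2E%2E" has already become ".." by the time we look. */
bool page_name_is_safe(const char *page_name)
{
    /* An empty or missing name cannot map to a page file. */
    if (page_name == NULL || page_name[0] == '\0')
        return false;

    /* Absolute pathnames are the real concern; this is the byte test the
     * report suggests instead of isalnum(), which rejects UTF-8 leads. */
    if (page_name[0] == '/')
        return false;

    /* Reject ".." only as a whole path component: it must be preceded by
     * '/' or the start of the string, and followed by '/' or the end.
     * "Wait..." and "a..b" are therefore allowed; "x/../y" is not. */
    const char *p = page_name;
    while ((p = strstr(p, "..")) != NULL) {
        bool at_start = (p == page_name) || (p[-1] == '/');
        bool at_end   = (p[2] == '\0') || (p[2] == '/');
        if (at_start && at_end)
            return false;
        p += 1;  /* keep scanning; "..." must also be inspected at offset 1 */
    }
    return true;
}

/* Constructed sample names for a stand-alone run; not taken from any wiki. */
int main(void)
{
    const char *samples[] = {
        "FrontPage", "中文页面", "álbum", "Wait...", "a..b", "notes/2016",
        "/etc/passwd", "../secret", "docs/../../secret", "notes/..", "",
    };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++)
        printf("%-20s %s\n", samples[i],
               page_name_is_safe(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```

The scan advances by one byte after each match so that a run of three or more dots is examined at every offset, and the component test looks only at the byte before and the byte after the match, which is why multi-byte UTF-8 characters never influence the result.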
--- Begin Message ---
Source: didiwiki
Source-Version: 0.5-11+deb8u2

We believe that the bug you reported is fixed in the latest version of didiwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ignace Mouzannar <[email protected]> (supplier of updated didiwiki package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 Apr 2016 10:02:56 -0400
Source: didiwiki
Binary: didiwiki
Architecture: source
Version: 0.5-11+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Ignace Mouzannar <[email protected]>
Changed-By: Ignace Mouzannar <[email protected]>
Closes: 818708
Description:
 didiwiki - simple wiki implementation with built-in webserver
Changes:
 didiwiki (0.5-11+deb8u2) jessie-security; urgency=high
 .
   * debian/patches:
     - 91_check_page_path.patch: updated patch to correct restrictive behavior, rendering pages beginning with non alpha-numeric UTF-8 characters, such as "à", inaccessible. Thank you Sergio Gelato <[email protected]> for your report and help! (Closes: #818708)
Checksums-Sha1:
 35ecd9c6265cd98f15fc19d7b3b29620fbf405e6 1669 didiwiki_0.5-11+deb8u2.dsc
 182a7e6a5fa12e4b98e042f981fb2d2a447162e1 14008 didiwiki_0.5-11+deb8u2.debian.tar.xz
Checksums-Sha256:
 372e71afaf4b7e8cdfc254eb2b8fdfc472793eb2ff24cfc56ac261e80f417ab0 1669 didiwiki_0.5-11+deb8u2.dsc
 ceb2efd65739a0cb8a58aa8fc8500b4169645a179d4d4d13aa45bf688f122ab7 14008 didiwiki_0.5-11+deb8u2.debian.tar.xz
Files:
 9d0ef2b0bed156e5539c2f20caf61719 1669 web optional didiwiki_0.5-11+deb8u2.dsc
 4d95ea44495002fa16703d7f50420cc1 14008 web optional didiwiki_0.5-11+deb8u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXC7juAAoJEAVMuPMTQ89EZWsP/ROfnpYsDaPZHxpePmqElGAQ
/kBaVL/z9Vgr9+N+5ufir6u6O5tBl8kLra5cbUUB+p5M8Fwsi1UNkuAFat/+9LV3
LA0AVIIEmJVDZPGdfDjBXarTVa2h+dL+RjKnxFveHx6IG4MGVrXM3mffppyHRYFC
TQR8TpWpenTNVdBn/qm3f7uXixi+Lkz+ldCfud6N4+zMEis0TJ5x5PNKT/0ava73
9PQ58cKNQuUU6yGVd4+AY7RKS0B78C9WYpnheY+RLjz0knKtXguDtdxCUl3brWOF
xEulZdGUwDrKVaDcLr6r0tpibe+H7sRbWuI1ZldfteXMqtO3zpPnti+x1xTIetX1
DdS3wtCZYiK88iRLMbgsMV0xurgWRonmoxtOBqzqFnllxH1fKWU3I7LBDuEhg3oD
Pa2VOHniKxX0EuLOjCU2j2m7HCQZfdvfcyzk3+BHa2yklkeiKzGC8camzOuWwdlo
ZXT2FgIc3yCSmeJHXOtqAkHwiQlmeVBgiQhPNHUABu++IHlYz5E7PHNIpFrawWlY
5epH27G+SV/1ZIOOIy6elvqqoeKj8i5eOw+rs+ezfuOALG6uy4lA9LQJqfr6t0oL
GTHFzNc34DM9MAmoh7D3e5fUhwP0kJsPhHnYeQS8FNBhEDZJ6dvf5eIEHvREj34Y
dDA2SLdiwioZ8j1NsR/3
=zigE
-----END PGP SIGNATURE-----
--- End Message ---

