Your message dated Sun, 22 Mar 2015 19:47:37 +0000
with message-id <1427053657.26766.6.ca...@adam-barratt.org.uk>
and subject line Re: Bug#780976: unblock: dokuwiki/0.0.20140505.a+dfsg-4
has caused the Debian Bug report #780976,
regarding unblock: dokuwiki/0.0.20140505.a+dfsg-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
780976: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780976
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package dokuwiki

Version 0.0.20140505.a+dfsg-4 in testing-proposed-updates fixes RC bug
#779547 (CVE-2015-2172, a privilege escalation vulnerability), by adding
a debian/patches/cve-2015-2172_check_permissions_in_rpc.patch,
cherry-picked from the upstream bugfix release 2014-05-05d (upstream
commit https://github.com/splitbrain/dokuwiki/commit/16ca97e1).

Changelog entry:
>dokuwiki (0.0.20140505.a+dfsg-4) testing-proposed-updates; urgency=high
>
>  * debian/patches: security fix, from upstream hotfix release
>     + cve-2015-2172_check_permissions_in_rpc.patch: check permissions in the
>       ACL plugin's RPC API to avoid a privilege escalation. (CVE-2015-2172)
>       (Closes:  #779547)
>
> -- Tanguy Ortolo <tanguy+deb...@ortolo.eu>  Sun, 22 Mar 2015 17:40:22 +0100

unblock dokuwiki/0.0.20140505.a+dfsg-4

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/changelog dokuwiki-0.0.20140505.a+dfsg/debian/changelog
--- dokuwiki-0.0.20140505.a+dfsg/debian/changelog	2014-10-05 21:58:22.000000000 +0200
+++ dokuwiki-0.0.20140505.a+dfsg/debian/changelog	2015-03-22 18:50:07.000000000 +0100
@@ -1,3 +1,12 @@
+dokuwiki (0.0.20140505.a+dfsg-4) testing-proposed-updates; urgency=high
+
+  * debian/patches: security fix, from upstream hotfix release
+     + cve-2015-2172_check_permissions_in_rpc.patch: check permissions in the
+       ACL plugin's RPC API to avoid a privilege escalation. (CVE-2015-2172)
+       (Closes:  #779547)
+
+ -- Tanguy Ortolo <tanguy+deb...@ortolo.eu>  Sun, 22 Mar 2015 17:40:22 +0100
+
 dokuwiki (0.0.20140505.a+dfsg-3) unstable; urgency=medium
 
   * debian/config: only set a default password if the question was skipped
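Review bot: `(Closes:  #779547)` carries a double space after the colon; the changelog parser tolerates it, but the usual form is `(Closes: #779547)`. The distribution (`testing-proposed-updates`) and `urgency=high` are what a t-p-u security upload should carry.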
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch
--- dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch	1970-01-01 01:00:00.000000000 +0100
+++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch	2015-03-22 18:06:36.000000000 +0100
@@ -0,0 +1,58 @@
+Description: Fix CVE-2015-2172 by checking permissions in ACL plugin's RPC API
+ This fixes a security hole in the ACL plugins remote API component. The
+ plugin failed to check for superuser permissions before executing ACL
+ addition or deletion. This means everybody with permissions to call the
+ XMLRPC API also had permissions to set up their own ACL rules and thus
+ circumventing any existing rules.
+Origin: upstream, https://github.com/splitbrain/dokuwiki/commit/16ca97e1690c775fa74d3c3cb1a906685a37b53b
+Bug-Debian: https://bugs.debian.org/779547
+Author: Andreas Gohr <a...@splitbrain.org>
+Last-Update: 2015-03-22
+
+diff --git a/lib/plugins/acl/remote.php b/lib/plugins/acl/remote.php
+index 6d5201c..9433b77 100644
+--- a/lib/plugins/acl/remote.php
++++ b/lib/plugins/acl/remote.php
+@@ -17,12 +17,39 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin {
+         );
+     }
+ 
+-    function addAcl($scope, $user, $level){
++    /**
++     * Add a new entry to ACL config
++     *
++     * @param string $scope
++     * @param string $user
++     * @param int    $level see also inc/auth.php
++     * @throws RemoteAccessDeniedException
++     * @return bool
++     */
++    public function addAcl($scope, $user, $level){
++        if(!auth_isadmin()) {
++            throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114);
++        }
++
++        /** @var admin_plugin_acl $apa */
+         $apa = plugin_load('admin', 'acl');
+         return $apa->_acl_add($scope, $user, $level);
+     }
+ 
+-    function delAcl($scope, $user){
++    /**
++     * Remove an entry from ACL config
++     *
++     * @param string $scope
++     * @param string $user
++     * @throws RemoteAccessDeniedException
++     * @return bool
++     */
++    public function delAcl($scope, $user){
++        if(!auth_isadmin()) {
++            throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114);
++        }
++
++        /** @var admin_plugin_acl $apa */
+         $apa = plugin_load('admin', 'acl');
+         return $apa->_acl_del($scope, $user);
+     }
+
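Review bot: the `auth_isadmin()` guard in `addAcl()` and `delAcl()` is placed before `plugin_load('admin', 'acl')`, so an unprivileged XML-RPC caller never reaches `_acl_add`/`_acl_del`; what the hunk does not show is the `_getMethods()` table above the `@@ -17,12 +17,39 @@` region (only its closing `);` is in context), so confirm these two are the only exported methods that modify ACLs. Minor: the new file ends with an added empty line (a bare `+` as the last hunk line), and since the request says the fix is from the upstream bugfix release 2014-05-05d, the DEP-3 header could also carry `Applied-Upstream: 2014-05-05d`.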
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/series dokuwiki-0.0.20140505.a+dfsg/debian/patches/series
--- dokuwiki-0.0.20140505.a+dfsg/debian/patches/series	2014-08-26 07:27:13.000000000 +0200
+++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/series	2015-03-22 18:48:40.000000000 +0100
@@ -4,3 +4,4 @@
 debianize.diff
 soften_email_validator.diff
 use_packaged_jquery.diff
+cve-2015-2172_check_permissions_in_rpc.patch
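Review bot: the new entry uses a `.patch` suffix while every existing entry in `series` uses `.diff`; quilt does not care, but a consistent suffix keeps the patch directory easy to scan. Appending it last is correct, since the patch only touches `lib/plugins/acl/remote.php` and depends on none of the earlier patches.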

--- End Message ---
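A way for an administrator to verify that an installed copy carries this fix (added example, not part of the bug report or of DokuWiki itself): it scans `lib/plugins/acl/remote.php` for the `auth_isadmin()` guard in `addAcl()`/`delAcl()` ahead of `plugin_load()`, exercised here on constructed before/after PHP samples; the names `check_acl_remote` and `is_patched` are assumptions.

```python
import re

METHODS = ("addAcl", "delAcl")

def _method_body(src, name):
    """Return the brace-delimited body of the first `function <name>(` in src."""
    m = re.search(r"function\s+%s\s*\([^)]*\)\s*\{" % re.escape(name), src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1] if depth == 0 else None

def check_acl_remote(src):
    """Map each RPC method to True (guarded), False (unguarded) or None (absent).
    Guarded means auth_isadmin() is called in the body before plugin_load()."""
    result = {}
    for name in METHODS:
        body = _method_body(src, name)
        if body is None:
            result[name] = None
            continue
        guard = body.find("auth_isadmin()")
        load = body.find("plugin_load(")
        result[name] = guard != -1 and (load == -1 or guard < load)
    return result

def is_patched(src):
    """True only when both methods exist and both carry the guard."""
    return all(v is True for v in check_acl_remote(src).values())

# Constructed PHP samples mirroring the before/after shape of the upstream hunk.
VULNERABLE = """
class remote_plugin_acl extends DokuWiki_Remote_Plugin {
    function addAcl($scope, $user, $level){
        $apa = plugin_load('admin', 'acl');
        return $apa->_acl_add($scope, $user, $level);
    }
    function delAcl($scope, $user){
        $apa = plugin_load('admin', 'acl');
        return $apa->_acl_del($scope, $user);
    }
}
"""
PATCHED = VULNERABLE.replace("$apa = plugin_load", "if(!auth_isadmin()) {"
    " throw new RemoteAccessDeniedException('denied', 114); }\n        $apa = plugin_load")
```

Run it on a real file with `check_acl_remote(open(path).read())`; a `None` entry means the method was not found at all, which is reported separately from an unguarded method.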
--- Begin Message ---
On Sun, 2015-03-22 at 19:04 +0100, Tanguy Ortolo wrote:
> Please unblock package dokuwiki
> 
> Version 0.0.20140505.a+dfsg-4 in testing-proposed-updates fixes RC bug
> #779547 (CVE-2015-2172, a privilege escalation vulnerability), by adding
> a debian/patches/cve-2015-2172_check_permissions_in_rpc.patch,
> cherry-picked from the upstream bugfix release 2014-05-05d (upstream
> commit https://github.com/splitbrain/dokuwiki/commit/16ca97e1).

Approved, but for future reference please note that the expected
workflow is to get an ack _before_ uploading anything to t-p-u.

Regards,

Adam

--- End Message ---
