Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package dokuwiki

Version 0.0.20140505.a+dfsg-4 in testing-proposed-updates fixes RC bug #779547 (CVE-2015-2172, a privilege escalation vulnerability), by adding a debian/patches/cve-2015-2172_check_permissions_in_rpc.patch, cherry-picked from the upstream bugfix release 2014-05-05d (upstream commit https://github.com/splitbrain/dokuwiki/commit/16ca97e1).

Changelog entry:

> dokuwiki (0.0.20140505.a+dfsg-4) testing-proposed-updates; urgency=high
>
>   * debian/patches: security fix, from upstream hotfix release
>     + cve-2015-2172_check_permissions_in_rpc.patch: check permissions in the
>       ACL plugin's RPC API to avoid a privilege escalation. (CVE-2015-2172)
>       (Closes: #779547)
>
>  -- Tanguy Ortolo <tanguy+deb...@ortolo.eu>  Sun, 22 Mar 2015 17:40:22 +0100

unblock dokuwiki/0.0.20140505.a+dfsg-4
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/changelog dokuwiki-0.0.20140505.a+dfsg/debian/changelog --- dokuwiki-0.0.20140505.a+dfsg/debian/changelog 2014-10-05 21:58:22.000000000 +0200 +++ dokuwiki-0.0.20140505.a+dfsg/debian/changelog 2015-03-22 18:50:07.000000000 +0100 @@ -1,3 +1,12 @@ +dokuwiki (0.0.20140505.a+dfsg-4) testing-proposed-updates; urgency=high + + * debian/patches: security fix, from upstream hotfix release + + cve-2015-2172_check_permissions_in_rpc.patch: check permissions in the + ACL plugin's RPC API to avoid a privilege escalation. (CVE-2015-2172) + (Closes: #779547) + + -- Tanguy Ortolo <tanguy+deb...@ortolo.eu> Sun, 22 Mar 2015 17:40:22 +0100 + dokuwiki (0.0.20140505.a+dfsg-3) unstable; urgency=medium * debian/config: only set a default password if the question was skipped diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch --- dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch 1970-01-01 01:00:00.000000000 +0100 +++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/cve-2015-2172_check_permissions_in_rpc.patch 2015-03-22 18:06:36.000000000 +0100 
@@ -0,0 +1,58 @@ +Description: Fix CVE-2015-2172 by checking permissions in ACL plugin's RPC API + This fixes a security hole in the ACL plugins remote API component. The + plugin failed to check for superuser permissions before executing ACL + addition or deletion. This means everybody with permissions to call the + XMLRPC API also had permissions to set up their own ACL rules and thus + circumventing any existing rules. +Origin: upstream, https://github.com/splitbrain/dokuwiki/commit/16ca97e1690c775fa74d3c3cb1a906685a37b53b +Bug-Debian: https://bugs.debian.org/779547 +Author: Andreas Gohr <a...@splitbrain.org> +Last-Update: 2015-03-22 + +diff --git a/lib/plugins/acl/remote.php b/lib/plugins/acl/remote.php +index 6d5201c..9433b77 100644 +--- a/lib/plugins/acl/remote.php ++++ b/lib/plugins/acl/remote.php +@@ -17,12 +17,39 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin { + ); + } + +- function addAcl($scope, $user, $level){ ++ /** ++ * Add a new entry to ACL config ++ * ++ * @param string $scope ++ * @param string $user ++ * @param int $level see also inc/auth.php ++ * @throws RemoteAccessDeniedException ++ * @return bool ++ */ ++ public function addAcl($scope, $user, $level){ ++ if(!auth_isadmin()) { ++ throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114); ++ } ++ ++ /** @var admin_plugin_acl $apa */ + $apa = plugin_load('admin', 'acl'); + return $apa->_acl_add($scope, $user, $level); + } + +- function delAcl($scope, $user){ ++ /** ++ * Remove an entry from ACL config ++ * ++ * @param string $scope ++ * @param string $user ++ * @throws RemoteAccessDeniedException ++ * @return bool ++ */ ++ public function delAcl($scope, $user){ ++ if(!auth_isadmin()) { ++ throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114); ++ } ++ ++ /** @var admin_plugin_acl $apa */ + $apa = plugin_load('admin', 'acl'); + return $apa->_acl_del($scope, $user); + } 
+ diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/series dokuwiki-0.0.20140505.a+dfsg/debian/patches/series --- dokuwiki-0.0.20140505.a+dfsg/debian/patches/series 2014-08-26 07:27:13.000000000 +0200 +++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/series 2015-03-22 18:48:40.000000000 +0100 @@ -4,3 +4,4 @@ debianize.diff soften_email_validator.diff use_packaged_jquery.diff +cve-2015-2172_check_permissions_in_rpc.patch
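Review bot: the DEP-3 header of the new debian/patches/cve-2015-2172_check_permissions_in_rpc.patch has two wording slips in its Description field, "the ACL plugins remote API component" and "and thus circumventing any existing rules"; suggest "the ACL plugin's remote API component" and "and thus circumvent any existing rules" so the header reads cleanly in the patch tracker. It would also help to name the upstream hotfix release the fix was cherry-picked from (2014-05-05d, as the unblock request states) in the Origin or Description field, since the commit hash alone does not tell a reader which released tarball already carries the fix.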
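Review bot: in the lib/plugins/acl/remote.php hunk the new `auth_isadmin()` guard and its `throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114)` are duplicated verbatim in both `addAcl()` and `delAcl()`; since every method this remote plugin exposes requires superuser rights, a single private helper (or one check in the class constructor) would keep the two throw sites from drifting apart if the message or error code is ever changed. Please also confirm that error code 114 is not already used by another remote-API exception, as the hunk does not show where these codes are allocated.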