Your message dated Fri, 30 May 2008 22:32:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#483770: fixed in ikiwiki 2.48
has caused the Debian Bug report #483770,
regarding ikiwiki openid + passwordauth empty password security hole
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
483770: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483770
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: ikiwiki
Version: 1.34
Severity: grave
Tags: security patch
I'm unhappy to report a nasty security hole in ikiwiki. If both openid
and passwordauth plugins are enabled (the default configuration), anyone
can log in as any openid that has previously logged into the wiki and
does not have a password set.
The worst possible impact would be if the wiki admin were configured to
be an openid. Then anyone could log in as the admin and lock pages/ban
users/trash the wiki.
The good news: This does not affect debian stable; the first ikiwiki affected
is 1.34, which is when openid support was added.
Debian testing security team: Could you please get a CVE for this issue?
I'll handle the high-urgency upload to unstable.
Ubuntu security team: Looks like all versions of ikiwiki in all ubuntu
releases except edgy are vulnerable.
Brix: Could you inform the appropriate security people in FreeBSD and
get a fix into there?
Martin: Can you update backports?
The following is a minimal patch against ikiwiki version 1.34 to fix
the issue, should also apply ok to later versions.
diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm
index 1aac17a..0e20055 100644
--- a/IkiWiki/Plugin/passwordauth.pm
+++ b/IkiWiki/Plugin/passwordauth.pm
@@ -63,6 +63,7 @@ sub formbuilder_setup (@) { #{{{
name => "password",
validate => sub {
length $form->field("name") &&
+ length $_[0] &&
shift eq
IkiWiki::userinfo_get($form->field("name"), 'password');
},
);
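Review bot: the added `length $_[0] &&` closes the empty-submitted-password case, but the validator still goes on to compare against whatever `IkiWiki::userinfo_get` returns, so an account that has no stored password at all (an openid-only user) is still run through the `eq` path, and under `use warnings` that comparison against undef emits an uninitialized-value warning. Tighter is to fetch the stored value once and fail closed when it is missing, e.g. `my $stored = IkiWiki::userinfo_get($form->field("name"), 'password');` followed by `defined $stored && length $stored && $_[0] eq $stored`, which also removes the awkward mix of `$_[0]` and `shift` for the same argument.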
--
see shy jo
--- End Message ---
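To make the failure mode in the report concrete, here is a stand-alone Perl model of the passwordauth validator before and after the fix. This is an added example, not ikiwiki's own code: the %userinfo store, the stand-in userinfo_get, and the names validate_before and validate_after are assumptions made for the demonstration. It reproduces the mechanism the report describes (Perl's `eq` stringifies an undef stored password to "", so an empty submitted password matches an openid-only account) and also shows the stricter rule of refusing password login outright when no password is stored, which goes beyond the minimal patch.

```perl
#!/usr/bin/perl
# Added demonstration, not code from ikiwiki: a stand-alone model of the
# passwordauth validator before and after the fix in this report.
# The %userinfo store and the names userinfo_get, validate_before and
# validate_after are assumptions made for this example, not ikiwiki's API.
use strict;
use warnings;

# Constructed user store. 'alice' set a password; the openid user signed in
# through the openid plugin and never set one, so the key is absent entirely.
my %userinfo = (
    'alice'                   => { password => 'hunter2' },
    'http://bob.example.org/' => { openid   => 1 },
);

# Stand-in for IkiWiki::userinfo_get: undef when the user or field is missing.
sub userinfo_get {
    my ($user, $field) = @_;
    return undef unless exists $userinfo{$user};
    return $userinfo{$user}{$field};
}

# The validator as described in the report: only the name is required to be
# non-empty. With 'eq', undef stringifies to "", so an empty submitted
# password matches an account that has no stored password at all.
sub validate_before {
    my ($name, $password) = @_;
    no warnings 'uninitialized';   # under the CGI this warning is only logged
    return (length $name && $password eq userinfo_get($name, 'password')) ? 1 : 0;
}

# After the fix: an empty submitted password is rejected up front. The second
# check (stored password must be defined and non-empty) goes beyond the patch
# and fails closed for openid-only accounts, so 'eq' never sees undef.
sub validate_after {
    my ($name, $password) = @_;
    return 0 unless length $name && length $password;
    my $stored = userinfo_get($name, 'password');
    return 0 unless defined $stored && length $stored;
    return $password eq $stored ? 1 : 0;
}

# Attempts a practitioner would try: the real password, an empty one against
# a password account, and empty or guessed passwords against the openid user.
my @attempts = (
    ['alice',                   'hunter2'],
    ['alice',                   ''],
    ['http://bob.example.org/', ''],
    ['http://bob.example.org/', 'anything'],
);
for my $try (@attempts) {
    my ($name, $pw) = @$try;
    printf "%-26s %-10s before=%d after=%d\n",
        $name, "'$pw'", validate_before($name, $pw), validate_after($name, $pw);
}
```

Running it shows the third attempt (openid account, empty password) accepted by validate_before and rejected by validate_after, while alice's real password is accepted by both; that third row is exactly the admin-takeover path the report warns about when the wiki admin is an openid.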
--- Begin Message ---
Source: ikiwiki
Source-Version: 2.48
We believe that the bug you reported is fixed in the latest version of
ikiwiki, which is due to be installed in the Debian FTP archive:
ikiwiki_2.48.dsc
to pool/main/i/ikiwiki/ikiwiki_2.48.dsc
ikiwiki_2.48.tar.gz
to pool/main/i/ikiwiki/ikiwiki_2.48.tar.gz
ikiwiki_2.48_all.deb
to pool/main/i/ikiwiki/ikiwiki_2.48_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joey Hess <[EMAIL PROTECTED]> (supplier of updated ikiwiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 30 May 2008 17:36:07 -0400
Source: ikiwiki
Binary: ikiwiki
Architecture: source all
Version: 2.48
Distribution: unstable
Urgency: high
Maintainer: Joey Hess <[EMAIL PROTECTED]>
Changed-By: Joey Hess <[EMAIL PROTECTED]>
Description:
ikiwiki - a wiki compiler
Closes: 478530 483770
Changes:
ikiwiki (2.48) unstable; urgency=high
.
* Fix security hole that occurred if openid and passwordauth were both
enabled. passwordauth would allow logging in as a known openid, with an
empty password. Closes: #483770
* Add rel=nofollow to edit links. This may prevent some spiders from
pounding on the cgi following edit links.
* passwordauth: If Authen::Passphrase is installed, use it to store
password hashes, crypted with Eksblowfish.
* `ikiwiki-transition hashpassword /path/to/srcdir` can be used to
hash existing plaintext passwords.
* Passwords will no longer be mailed, but instead a password reset link.
* The password_cost config setting is provided as a "more security" knob.
* teximg: Fix logurl.
* teximg: If the log isn't written, avoid ugly error messages.
* Updated French translation. Closes: #478530
Checksums-Sha1:
3928af5fb39f69bcf329c2370ac59bff88a71d3d 1087 ikiwiki_2.48.dsc
dcca59d164f7cafb9e638a02df04c1f6bd967e42 729477 ikiwiki_2.48.tar.gz
46e63f83022691d673ad3392d0ba8cc59d6af35c 862284 ikiwiki_2.48_all.deb
Checksums-Sha256:
30a257ef53fa8fb5696e9465e7fb3f1973ebdffda5fa501841bd06ae3d83b0e4 1087 ikiwiki_2.48.dsc
5c728a3d175f28e80fde4049c1f93b6805f79f5caaa00cb6a2279f2723bef778 729477 ikiwiki_2.48.tar.gz
c15c1406da66f906007ee9283a82586fc5b4d1590a3316296354bad512771d95 862284 ikiwiki_2.48_all.deb
Files:
778a34149481186800d79c3d8e92b8d2 1087 web optional ikiwiki_2.48.dsc
6b293f6e8a08578533d0268b25dae5b3 729477 web optional ikiwiki_2.48.tar.gz
f5b97d3b7ea1ff3f7be502af3c97c338 862284 web optional ikiwiki_2.48_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIQH3m2tp5zXiKP0wRAvotAKCkhHPSwZf9tXouceTXE5fWmIZdWACgpDzN
zmoLfbN607pX4ikMfMQQcKY=
=8ypr
-----END PGP SIGNATURE-----
--- End Message ---