tag 391291 patch
thanks
On Thu, Oct 05, 2006, Stefan Fritsch wrote:
> Package: dokuwiki
> Severity: grave
> Tags: security
> Justification: user security hole
>
> DokuWiki can be exploited by malicious people to cause a DoS (Denial of
> Service) or potentially compromise a vulnerable system.
>
> CVE-2006-5098:
> lib/exec/fetch.php in DokuWiki before 2006-03-09e allows remote
> attackers to cause a denial of service (CPU consumption) via large w
> and h parameters, when resizing an image.
>
> CVE-2006-5099:
> lib/exec/fetch.php in DokuWiki before 2006-03-09e, when
> conf[imconvert] is configured to use ImageMagick, allows remote
> attackers to execute arbitrary commands via shell metacharacters in
> the (1) w and (2) h parameters, which are not filtered when invoking
> convert.
Here is the patch to apply:
diff -urNb dokuwiki-2006-03-09d/lib/exe/fetch.php
dokuwiki-2006-03-09e/lib/exe/fetch.php
--- dokuwiki-2006-03-09d/lib/exe/fetch.php 2006-03-09 21:32:34.000000000
+0100
+++ dokuwiki-2006-03-09e/lib/exe/fetch.php 2006-09-26 22:09:40.000000000
+0200
@@ -21,8 +21,8 @@
//get input
$MEDIA = getID('media',false); // no cleaning - maybe external
$CACHE = calc_cache($_REQUEST['cache']);
- $WIDTH = $_REQUEST['w'];
- $HEIGHT = $_REQUEST['h'];
+ $WIDTH = (int) $_REQUEST['w'];
+ $HEIGHT = (int) $_REQUEST['h'];
list($EXT,$MIME) = mimetype($MEDIA);
if($EXT === false){
$EXT = 'unknown';
@@ -198,6 +198,8 @@
$info = getimagesize($file);
if(!$h) $h = round(($w * $info[1]) / $info[0]);
+ // we wont scale up to infinity
+ if($w > 2000 || $h > 2000) return $file;
//cache
$local = getCacheName($file,'.media.'.$w.'x'.$h.'.'.$ext);
diff -urNb dokuwiki-2006-03-09d/VERSION dokuwiki-2006-03-09e/VERSION
--- dokuwiki-2006-03-09d/VERSION 2006-09-13 20:46:59.000000000 +0200
+++ dokuwiki-2006-03-09e/VERSION 2006-09-26 22:08:13.000000000 +0200
@@ -1 +1 @@
-2006-03-09d
+2006-03-09e
Matti, please could you prepare a maintainer upload for that? Or should
I NMU it?
--
adn
Mohammed Adnène Trojette
