[security] twiki allows remote attackers to execute arbitrary Perl code (CVE-2008-5305)

Bug #709401 reported by Brian Thomason
Affects          Status        Importance  Assigned to     Milestone
twiki (Ubuntu)   Invalid       Undecided   Unassigned
Hardy            Fix Released  Undecided   Brian Thomason
Karmic           Fix Released  Undecided   Brian Thomason

Bug Description

Binary package hint: twiki

Eval injection vulnerability in TWiki before 4.2.4 allows remote attackers to execute arbitrary Perl code via the %SEARCH{}% variable.

Changed in twiki (Ubuntu):
assignee: nobody → Brian Thomason (brian-thomason)
summary: - [security] twiki llows remote attackers to execute arbitrary Perl code
+ [security] twiki allows remote attackers to execute arbitrary Perl code (CVE-2008-5305)
Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi Brian,

Thanks for helping to improve Ubuntu by providing these debdiffs. I've reviewed them and uploaded the packages to the ppa:ubuntu-security-proposed/ppa to build. Once they're built, please test and provide feedback here.

One minor nit that I had with the patches was that even with dpatch style patches, we prefer that the header contain relevant DEP-3 tags as outlined at http://dep.debian.net/deps/dep/.

[Marking this bug report public as the issue is not embargoed.]

visibility: private → public
Changed in twiki (Ubuntu):
status: New → In Progress
Revision history for this message
Steve Beattie (sbeattie) wrote :

Sorry, the link for the ppa is https://launchpad.net/~ubuntu-security-proposed/+archive/ppa (I'd hoped launchpad would expand the ppa:blah/blah shortcut).

Revision history for this message
Kees Cook (kees) wrote :

Pocket copied twiki to proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

Changed in twiki (Ubuntu Karmic):
status: New → In Progress
Changed in twiki (Ubuntu):
status: In Progress → Invalid
Changed in twiki (Ubuntu Hardy):
status: New → In Progress
assignee: nobody → Brian Thomason (brian-thomason)
Changed in twiki (Ubuntu Karmic):
assignee: nobody → Brian Thomason (brian-thomason)
Changed in twiki (Ubuntu):
assignee: Brian Thomason (brian-thomason) → nobody
tags: added: verification-needed
Changed in twiki (Ubuntu Karmic):
status: In Progress → Fix Committed
Changed in twiki (Ubuntu Hardy):
status: In Progress → Fix Committed
Revision history for this message
Pedro Villavicencio (pedro) wrote :

I've verified the proposed package following the test case available at the twiki website: http://www.twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305 and can confirm that the proposed package indeed fixes the bug for both releases (Hardy, Karmic). Marking this as verification-done. Thanks all.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package twiki - 1:4.1.2-3.1ubuntu1.1

---------------
twiki (1:4.1.2-3.1ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: Fix bug which allows remote attackers to execute arbitrary
    Perl code. (LP: #709401)
    - debian/patches/002_CVE-2008-5305.dpatch: patch derived from upstream
      hotfix
    - CVE-2008-5305
 -- Brian Thomason <email address hidden> Fri, 28 Jan 2011 13:26:20 -0500

Changed in twiki (Ubuntu Hardy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package twiki - 1:4.1.2-5ubuntu1.1

---------------
twiki (1:4.1.2-5ubuntu1.1) karmic-security; urgency=low

  * SECURITY UPDATE: Fix bug which allows remote attackers to execute arbitrary
    Perl code. (LP: #709401)
    - debian/patches/006_CVE-2008-5305.dpatch: patch derived from upstream
      hotfix
    - CVE-2008-5305
 -- Brian Thomason <email address hidden> Fri, 28 Jan 2011 13:44:28 -0500

Changed in twiki (Ubuntu Karmic):
status: Fix Committed → Fix Released
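As an added practitioner check (not code from this bug report, the twiki package or dpkg), the following Python decides whether an installed twiki version on Hardy or Karmic still predates the fixed versions named in the two changelog entries above. It re-implements the Debian version ordering that `dpkg --compare-versions` applies so the check also runs on a host without dpkg; the release-to-version map is taken from the changelogs, and the sample versions in the comments are constructed.

```python
# Added example, not code from this bug report or the twiki package: check whether an
# installed twiki package on Hardy or Karmic predates the fixed versions named in the
# changelogs. It follows the ordering `dpkg --compare-versions` applies: epoch, then
# upstream, then revision; '~' sorts before anything (even end of string), letters
# before other symbols, and digit runs compare numerically.
import re
from itertools import zip_longest

FIXED_VERSIONS = {"hardy": "1:4.1.2-3.1ubuntu1.1", "karmic": "1:4.1.2-5ubuntu1.1"}

def _order(c: str) -> int:
    # dpkg's weight for one character of a non-digit run; "" stands for end of string
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # Walk both fragments in lockstep as alternating (non-digit run, digit run) pairs.
    pairs_a = re.findall(r"(\D*)(\d*)", a)
    pairs_b = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(version: str):
    # "epoch:upstream-revision": epoch up to the first ':' (default 0),
    # revision after the last '-' (default ""), upstream in between.
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a: str, b: str) -> int:
    # Negative if a < b, zero if equal, positive if a > b.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_vulnerable(release: str, installed: str) -> bool:
    # True when the installed twiki version is older than this update's fixed version,
    # e.g. a constructed "1:4.1.2-3.1ubuntu1" on hardy or a "~ppa1" test build.
    return compare_versions(installed, FIXED_VERSIONS[release]) < 0
```

Note that a bare upstream version such as "4.2.4-1" without the Ubuntu epoch compares lower than "1:4.1.2-3.1ubuntu1.1", which is why the epoch must be part of any such comparison.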