diff -u dokuwiki-0.0.20050922/debian/changelog dokuwiki-0.0.20050922/debian/changelog
--- dokuwiki-0.0.20050922/debian/changelog
+++ dokuwiki-0.0.20050922/debian/changelog
@@ -1,3 +1,15 @@
+dokuwiki (0.0.20050922-4ubuntu1.1) dapper-security; urgency=low
+
+ * SECURITY UPDATE:
+ - Fix a security issue, that allows an attacker to execute
+ arbitrary code in case conf[imconver] is set.
+ - Fix a remote DOS (denial of service) attack.
+ * Add "10_security_fetch.php.dpatch" to debian/patches, that
+ fixes both issues found in lib/exe/fetch.php.
+ * References: CVE 2006-5099, CVE 2006-5098.
+
+ -- Stefan Potyra Fri, 12 Jan 2007 05:32:49 +0100
+
 dokuwiki (0.0.20050922-4ubuntu1) dapper; urgency=low
 
 * Change depends php5 | php4. (Closes Malone: #3392)
diff -u dokuwiki-0.0.20050922/debian/patches/00list dokuwiki-0.0.20050922/debian/patches/00list
--- dokuwiki-0.0.20050922/debian/patches/00list
+++ dokuwiki-0.0.20050922/debian/patches/00list
@@ -3,0 +4 @@
+10_security_fetch.php.dpatch
only in patch2:
unchanged:
--- dokuwiki-0.0.20050922.orig/debian/patches/10_security_fetch.php.dpatch
+++ dokuwiki-0.0.20050922/debian/patches/10_security_fetch.php.dpatch
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_security_fetch.php.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad dokuwiki-0.0.20050922~/lib/exe/fetch.php dokuwiki-0.0.20050922/lib/exe/fetch.php
+--- dokuwiki-0.0.20050922~/lib/exe/fetch.php 2005-09-22 19:21:14.000000000 +0200
++++ dokuwiki-0.0.20050922/lib/exe/fetch.php 2007-01-08 01:16:51.000000000 +0100
+@@ -20,8 +20,9 @@
+ //get input
+ $MEDIA = getID('media');
+ $CACHE = calc_cache($_REQUEST['cache']);
+- $WIDTH = $_REQUEST['w'];
+- $HEIGHT = $_REQUEST['h'];
++ // force int: CVE 2006-5099
++ $WIDTH = (int)$_REQUEST['w'];
++ $HEIGHT = (int)$_REQUEST['h'];
+ list($EXT,$MIME) = mimetype($MEDIA);
+ if($EXT === false){
+ $EXT = 'unknown';
+@@ -114,6 +115,11 @@
+ $local = getCacheName($file,'.media.'.$w.'x'.$h.'.'.$ext);
+ $mtime = @filemtime($local); // 0 if not exists
+
++ // check for too big requests, CVE-2006-5098
++ if (!is_mem_available(($info[0] * $info[1] * 4) + ($w * $h * 4))) {
++ return $file;
++ }
++
+ if( $mtime > filemtime($file) ||
+ resize_imageIM($ext,$file,$info[0],$info[1],$local,$w,$h) ||
+ resize_imageGD($ext,$file,$info[0],$info[1],$local,$w,$h) ){
+@@ -258,6 +264,49 @@
+ return false;
+ }
+
++ /**
++ * Checks if the given amount of memory is available
++ *
++ * If the memory_get_usage() function is not available the
++ * function just assumes $used bytes of already allocated memory
++ *
++ * @param int $mem Size of memory you want to allocate in bytes
++ * @param int $used already allocated memory (see above)
++ * @author Filip Oscadal
++ * @author Andreas Gohr
++ */
++ function is_mem_available($mem,$bytes=1048576){
++ $limit = trim(ini_get('memory_limit'));
++ if(empty($limit)) return true; // no limit set!
++
++ // parse limit to bytes
++ $unit = strtolower(substr($limit,-1));
++ switch($unit){
++ case 'g':
++ $limit = substr($limit,0,-1);
++ $limit *= 1024*1024*1024;
++ break;
++ case 'm':
++ $limit = substr($limit,0,-1);
++ $limit *= 1024*1024;
++ break;
++ case 'k':
++ $limit = substr($limit,0,-1);
++ $limit *= 1024;
++ break;
++ }
++
++ // get used memory if possible
++ if(function_exists('memory_get_usage')){
++ $used = memory_get_usage();
++ }
++
++ if($used+$mem > $limit){
++ return false;
++ }
++
++ return true;
++ }
+
+ //Setup VIM: ex: et ts=2 enc=utf-8 :
+ ?>
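Review bot: In the added is_mem_available() the second parameter is declared as `$bytes=1048576` but never read, so when memory_get_usage() is missing `$used` is undefined and the CVE-2006-5098 guard counts current usage as zero instead of the 1 MiB fallback the docblock describes. The `if(function_exists('memory_get_usage'))` block needs the fallback branch `}else{ $used = $bytes; }`, and the docblock's `@param int $used` should name `$bytes`. The limit parser also treats a memory_limit of `-1` (PHP's "no limit" value) as a literal byte count, so `$used+$mem > $limit` is always true and every resize is skipped; an early `if($limit == -1) return true;` after the empty() check would cover that. Separately, the `(int)` casts in the first hunk still admit negative `w`/`h`, which would shrink the `$w * $h * 4` estimate if those values reach the second hunk's call unchanged (the code in between is outside the hunks), so clamping them to non-negative values at the cast would remove the doubt.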