Message-ID: <20161229202940.ma4dsc7qrj57nghk@perpetual.pseudorandom.co.uk>
Date: Thu, 29 Dec 2016 20:29:40 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: ikiwiki: CVE-2016-9645 (incomplete fix for CVE-2016-10026),
 CVE-2016-9646 (commit metadata forgery)

ikiwiki is a static site generator with some dynamic features,
used for wikis, blogs and other websites.

Version 3.20161229 fixes two minor vulnerabilities in earlier
ikiwiki versions:

----

CVE-2016-9645: authorization bypass

Reference: https://ikiwiki.info/security/#cve-2016-9645
Vulnerable versions: >= 3.20161219 but < 3.20161229
Fixed versions: >= 3.20161229

intrigeri discovered that on sites with the git and recentchanges
plugins and the CGI interface enabled, the revert links on the
RecentChanges page could revert changes on a page the logged-in user
cannot legitimately edit, if the change being reverted was made before
the page was renamed from a location that the logged-in user *could*
legitimately edit. CVE-2016-10026 was assigned to this vulnerability,
and it was intended to be fixed in 3.20161219.

The changes that were intended to address this in 3.20161219 were not
sufficient when ikiwiki is used with git versions before 2.8.0rc0.
CVE-2016-9645 was assigned to this incomplete fix. In version
3.20161229, the incomplete fix has been reverted and replaced with a
different solution that should work for all git versions.

----

CVE-2016-9646: commit metadata forgery

Reference: https://ikiwiki.info/security/#cve-2016-9646
Vulnerable versions: < 3.20161229
Fixed versions: >= 3.20161229

CGI::FormBuilder->field has a context-dependent API, similar to
the CGI->param API that led to Bugzilla's CVE-2014-1572. Parts of
ikiwiki incorrectly called this method in list context when a scalar
result was expected, which could lead to two relatively minor attacks:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

----

Thanks to the Debian security team for allocating CVE IDs for these.

Regards,
    smcv
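
Added example, not part of the original message and not ikiwiki's own code: a minimal Perl illustration of the list-context pitfall described under CVE-2016-9646, showing the unsafe call beside the scalar-forced one. The `field` function here is a hypothetical stand-in that mimics a context-dependent accessor, and the submitted form values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample submission: the client sent three values for "subject".
# The extra values are shaped like a key/value pair.
my %submitted = (
    subject => ['hello', 'author', 'someone-else'],
    body    => ['comment text'],
);

# Hypothetical stand-in for a context-dependent accessor such as
# CGI::FormBuilder->field: all values in list context, the first in scalar.
sub field {
    my ($name) = @_;
    my @values = @{ $submitted{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Unsafe pattern: the right-hand side of each "=>" in a hash constructor is
# evaluated in list context, so extra values spill into the next key/value
# slots and a later duplicate key overrides the server-chosen one.
sub build_unsafe {
    return (
        author  => 'session-user',    # meant to be fixed by the server
        subject => field('subject'),
        body    => field('body'),
    );
}

# Hardened pattern: force scalar context so exactly one value is taken.
sub build_safe {
    return (
        author  => 'session-user',
        subject => scalar(field('subject')),
        body    => scalar(field('body')),
    );
}

for my $case ([unsafe => +{ build_unsafe() }], [safe => +{ build_safe() }]) {
    my ($label, $rec) = @$case;
    printf "%-6s author=%s subject=%s\n",
        $label, $rec->{author}, $rec->{subject};
}
```

When auditing for this class of bug, look for accessor calls that appear directly inside hash constructors or function argument lists without `scalar` or an intermediate scalar assignment.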