urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add CVE references for CVE-2016-9646, CVE-2016-9645 

Thanks to the Debian security team for allocating these.
master
Simon McVittie 2016-12-29 17:31:30 +00:00
parent 078d4208ca
commit cf0166347c
2 changed files with 12 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
debian/changelog vendored
View File

@ -4,14 +4,15 @@ ikiwiki (3.20161220) UNRELEASED; urgency=medium
necessary, avoiding unintended function argument injection
analogous to CVE-2014-1572. In ikiwiki this could be used to
forge commit metadata, but thankfully nothing more serious.
(OVE-20161226-0001)
* Security: try revert operations before approving them. Previously,
automatic rename detection could result in a revert writing outside
the wiki srcdir or altering a file that the reverting user should not be
able to alter, an authorization bypass. The incomplete fix released in
3.20161219 was not effective for git versions prior to 2.8.0rc0.
(CVE-2016-10026 represents the original vulnerability)
(OVE-20161226-0002 represents the incomplete fix released in 3.20161219)
(CVE-2016-9646)
* Security: try revert operations in a temporary working tree before
approving them. Previously, automatic rename detection could result in
a revert writing outside the wiki srcdir or altering a file that the
reverting user should not be able to alter, an authorization bypass.
(CVE-2016-10026 represents the original vulnerability.)
The incomplete fix released in 3.20161219 was not effective for git
versions prior to 2.8.0rc0.
(CVE-2016-9645 represents that incomplete solution.)
* Add CVE references for CVE-2016-10026
* Add automated test for using the CGI with git, including
CVE-2016-10026

5
doc/security.mdwn
View File

@ -566,7 +566,8 @@ This bug was reported on 2016-12-17. A partially fixed version
version was not effective with git versions older than 2.8.0.
([[!cve CVE-2016-10026]] represents the original vulnerability.
OVE-20161226-0002 represents the incomplete fix in 3.20161219.)
[[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability
in 3.20161219 caused by the incomplete fix.)
## Commit metadata forgery via CGI::FormBuilder context-dependent APIs
@ -588,4 +589,4 @@ of them relatively minor:
could potentially forge commit authorship (attribute their edit to
someone else) by crafting multiple values for the rcsinfo field
(OVE-20161226-0001)
([[!cve CVE-2016-9646]]/OVE-20161226-0001)