author: Simon McVittie <smcv@debian.org> 2016-12-19 13:48:56 +0000
committer: Simon McVittie <smcv@debian.org> 2016-12-28 21:32:12 +0000
commit: a8a7462382ff235086743f06a92a9ab9100083b4 (patch)
tree: 0d69d59b5c84950aa17f8ca08df4bc5ba4f1118c /debian
parent: 469c842fd56ce811d431058714d9c2700a5314f8 (diff)
download: ikiwiki-a8a7462382ff235086743f06a92a9ab9100083b4.tar, ikiwiki-a8a7462382ff235086743f06a92a9ab9100083b4.tar.gz
Try revert operations (on a branch) before approving them
Otherwise, we have a time-of-check/time-of-use vulnerability: rcs_preprevert previously looked at what changed in the commit we are reverting, not at what would result from reverting it now.

In particular, if some files were renamed since the commit we are reverting, a revert of changes that were within the designated subdirectory and allowed by check_canchange() might now affect files that are outside the designated subdirectory or disallowed by check_canchange().

It is not sufficient to disable rename detection, since git older than 2.8.0rc0 (in particular the version in Debian stable) silently accepts and ignores the relevant options.

OVE-20161226-0002
Diffstat (limited to 'debian')
-rw-r--r-- debian/changelog | 7
1 file changed, 7 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index ccf830b27..b057ec7f2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,13 @@ ikiwiki (3.20161220) UNRELEASED; urgency=medium
analogous to CVE-2014-1572. In ikiwiki this could be used to
forge commit metadata, but thankfully nothing more serious.
(OVE-20161226-0001)
+ * Security: try revert operations before approving them. Previously,
+ automatic rename detection could result in a revert writing outside
+ the wiki srcdir or altering a file that the reverting user should not be
+ able to alter, an authorization bypass. The incomplete fix released in
+ 3.20161219 was not effective for git versions prior to 2.8.0rc0.
+ (CVE-2016-10026 represents the original vulnerability)
+ (OVE-20161226-0002 represents the incomplete fix released in 3.20161219)
* Add CVE references for CVE-2016-10026
* Add missing ikiwiki.setup for the manual test for CVE-2016-10026
* git: don't issue a warning if the rcsinfo CGI parameter is undefined
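Review bot: the new entry starting "+ * Security: try revert operations before approving them." says the 3.20161219 fix "was not effective for git versions prior to 2.8.0rc0" but not what that fix did or why it failed, which the commit message does explain: it disabled git's rename detection, and git older than 2.8.0rc0 (including the version in Debian stable) silently accepts and ignores those options. Consider adding that sentence to the changelog so a reader can tell from the entry alone why upgrading git is not a substitute for this change and why the revert is now performed on a branch and checked against check_canchange() before being approved.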