Bug 6480

Summary: dokuwiki update to 2012-01-25b
Product: Mageia Reporter: Rod Emerson <rod.emerson>
Component: RPM PackagesAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact:
Severity: enhancement    
Priority: Normal CC: luigiwalser
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://www.dokuwiki.org/changes
See Also: https://bugs.mageia.org/show_bug.cgi?id=6166
Whiteboard:
Source RPM: dokuwiki-20110525-2.mga2.src.rpm CVE:
Status comment:

Description Rod Emerson 2012-06-16 11:16:29 CEST 
Description of problem: dokuwiki update to release 2012-01-25a "Angua"

Version-Release number of selected component (if applicable): 20110525-2.mga2

How reproducible: This is an update request, I am using dokuwiki as seen below.

Steps to Reproduce:
1. Get current tarball from http://www.splitbrain.org/_media/projects/dokuwiki/dokuwiki-2012-01-25a.tgz

2. Modify SPEC :

--- dokuwiki.spec.orig
+++ dokuwiki.spec
@@ -1,10 +1,10 @@
-%define dir_version  2011-05-25
+%define dir_version  2012-01-25a
 
 %define _localstatedir %_var
 
 Name:       dokuwiki
-Version:    20110525
-Release:    %mkrel 2
+Version:    20120125a
+Release:    %mkrel 1
 Summary:    A wiki with plain text files backend
 License:    GPLv2
 Group:      Networking/WWW
@@ -34,6 +34,7 @@
 install -d -m 755 %{buildroot}%{_var}/www/%{name}
 install -m 644 *.php %{buildroot}%{_var}/www/%{name}
 (cd %{buildroot}%{_var}/www/%{name} && ln -sf ../../..%{_datadir}/%{name}/lib .)
+(cd %{buildroot}%{_var}/www/%{name} && ln -sf ../../..%{_datadir}/%{name}/lib/plugins/config/images data)
 
 cat > %{buildroot}%{_var}/www/%{name}/prepend.php <<'EOF'
 <?php
@@ -118,6 +119,9 @@
 
 
 %changelog
+* Day Mth nn Year 20120125a-1.mga2
++ Revision: 20120125a
+
 * Tue Jun 21 2011 dmorgan <dmorgan> 20110525-2.mga2
 + Revision: 111382
 - Fix requires

3. Build and push to core/updates/
   Enjoy changes seen at http://www.dokuwiki.org/changes
Comment 1 Rod Emerson 2012-06-16 11:42:00 CEST 
This would take care of Bug 6166 - dokuwiki new security issues CVE-2012-2128 and CVE-2012-2129
Rod Emerson 2012-06-16 11:45:15 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=6166

Comment 2 David Walser 2012-06-16 14:18:27 CEST 
(In reply to comment #1)
> This would take care of Bug 6166 - dokuwiki new security issues CVE-2012-2128
> and CVE-2012-2129

No, 20120125a is vulnerable to those CVEs as well.

You might consider joining the packaging team so that there would be a more active maintainer for this software.  Just a thought :o)  See the wiki if you're interested.

CC: (none) => luigiwalser

Comment 3 Rod Emerson 2012-06-17 05:01:55 CEST 
It looks like 20120125 is vulnerable, 20120125a has the fix.
Or am I looking at the wrong thing?

The one fix takes care of both issues.

http://bugs.dokuwiki.org/index.php?do=details&task_id=2487
http://bugs.dokuwiki.org/index.php?do=details&task_id=2488

The fix is :
https://github.com/splitbrain/dokuwiki/commit/ff71173477e54774b5571015d49d944f51cb8a26#diff-0

As seen in the installed 20120125a :

$ rpm -qf /usr/share/dokuwiki/inc/html.php
dokuwiki-20120125a-1.mga2

$ grep -nA6 function\ html_edit_form /usr/share/dokuwiki/inc/html.php
1436:function html_edit_form($param) {
1437-    global $TEXT;
1438-
1439-    if ($param['target'] !== 'section') {
1440-        msg('No editor for edit target ' . hsc($param['target']) . ' found.', -1);
1441-    }
1442-


This is the same as the fc17 fix-CVE-2012-2129.patch.
Comment 4 David Walser 2012-06-17 11:33:24 CEST 
Ahh, nice catch.
Comment 5 David Walser 2012-07-14 04:37:58 CEST 
2012-01-25b fixes another security issue, as noted in Bug 6166.

Summary: dokuwiki update to 2012-01-25a => dokuwiki update to 2012-01-25b

Comment 6 David Walser 2012-08-08 18:42:15 CEST 
Cauldron has been updated to 2012-01-25b, including your fix.

I'm going to close this one and handle the security update for Mageia 2 in Bug 6166.  It will also be upgraded to 2012-01-25b.

Rod, if you could help test the update candidate in updates_testing, that would be great.

Status: NEW => RESOLVED
Version: 2 => Cauldron
Resolution: (none) => FIXED