Bug 24453 - ikiwiki new security issue CVE-2019-9187 (and missing fixes for several older CVEs)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-03-01 23:28 CET by David Walser
Modified: 2019-03-15 17:57 CET

See Also:
Source RPM: ikiwiki-3.20171001-2.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 3.20190228


Description David Walser 2019-03-01 23:28:13 CET
A security issue fixed upstream in ikiwiki has been announced on February 28:
https://www.openwall.com/lists/oss-security/2019/02/28/1

The issue is fixed upstream in 3.20190228.

Mageia 6 is also affected by this issue, as well as several others, as I apparently never realized that we had this software packaged.

CVE-2017-0356:
https://www.openwall.com/lists/oss-security/2017/01/12/2

CVE-2016-10026:
https://www.openwall.com/lists/oss-security/2016/12/20/7
https://www.openwall.com/lists/oss-security/2016/12/21/3

CVE-2016-9645, CVE-2016-9646, CVE-2016-10026:
https://www.openwall.com/lists/oss-security/2016/12/29/3

CVE-2016-4561:
https://www.openwall.com/lists/oss-security/2016/05/06/8
https://www.openwall.com/lists/oss-security/2016/05/06/9
David Walser 2019-03-01 23:28:40 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 3.20190228
Version: 6 => Cauldron

Comment 1 David Walser 2019-03-02 04:33:10 CET
ikiwiki-3.20190228-1.mga7 uploaded for Cauldron by Shlomi.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 2 David Walser 2019-03-03 20:44:51 CET
ikiwiki-3.20190228-1.mga6
ikiwiki-w3m-3.20190228-1.mga6

from ikiwiki-3.20190228-1.mga6.src.rpm

uploaded by Shlomi. Advisory to come later.

Assignee: shlomif => qa-bugs
CC: (none) => shlomif

Comment 3 Herman Viaene 2019-03-05 10:26:17 CET
MGA6-32 MATE on IBM Thinkpad R50e
Installing this draws in 93 more packages, but I guess there are more missing.
Following https://ikiwiki.info/setup/ for a test, I get:
$ ikiwiki --setup /etc/ikiwiki/auto.setup
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.

What will the wiki be named? ikiwikitest
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.

What revision control system to use? git
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.

Which user (wiki account, openid, or email) will be admin? tester6


Setting up ikiwikitest ...
Importing /home/tester6/ikiwikitest into git
Initialized empty shared Git repository in /home/tester6/ikiwikitest.git/
Initialized empty Git repository in /home/tester6/ikiwikitest/.git/
[master (root-commit) ae634b6] initial commit
 1 file changed, 1 insertion(+)
 create mode 100644 .gitignore
Counting objects: 3, done.
Writing objects: 100% (3/3), 216 bytes | 216.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To /home/tester6/ikiwikitest.git
 * [new branch]      master -> master
Directory /home/tester6/ikiwikitest is now a clone of git repository /home/tester6/ikiwikitest.git
/etc/ikiwiki/auto.setup: Can't locate YAML/XS.pm in @INC (you may need to install the YAML::XS module) (@INC contains: /home/tester6/.ikiwiki /usr/lib/perl5/site_perl/5.22.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.22.3 /usr/lib/perl5/vendor_perl/5.22.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.22.3 /usr/lib/perl5/5.22.3/i386-linux-thread-multi /usr/lib/perl5/5.22.3 /usr/lib/perl5/site_perl/5.22.3 /usr/lib/perl5/site_perl/5.22.3/i386-linux-thread-multi /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.22.3 /usr/lib/perl5/vendor_perl/5.22.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.22.2 /usr/lib/perl5/vendor_perl/5.22.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.22.0 /usr/lib/perl5/vendor_perl) at (eval 889) line 2.
BEGIN failed--compilation aborted at (eval 889) line 2.

usage: ikiwiki [options] source dest
       ikiwiki --setup my.setup [options]

CC: (none) => herman.viaene

Comment 4 David Walser 2019-03-05 14:58:51 CET
Updated packages from Shlomi to fix the perl errors.

ikiwiki-3.20190228-1.1.mga6
ikiwiki-w3m-3.20190228-1.1.mga6

from ikiwiki-3.20190228-1.1.mga6.src.rpm
Comment 5 Herman Viaene 2019-03-06 10:25:27 CET
Getting better, but still not OK.
First I uninstalled the older version and removed all ikiwiki stuff from my home, then installed the new version, then:

$ ikiwiki --setup /etc/ikiwiki/auto.setup
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.

What will the wiki be named? ikiwiktest
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.

What revision control system to use? git
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.

Which user (wiki account, openid, or email) will be admin? tester6


Setting up ikiwiktest ...
Importing /home/tester6/ikiwiktest into git
Initialized empty shared Git repository in /home/tester6/ikiwiktest.git/
Initialized empty Git repository in /home/tester6/ikiwiktest/.git/
[master (root-commit) c84ae4d] initial commit
 1 file changed, 1 insertion(+)
 create mode 100644 .gitignore
Counting objects: 3, done.
Writing objects: 100% (3/3), 216 bytes | 216.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To /home/tester6/ikiwiktest.git
 * [new branch]      master -> master
Directory /home/tester6/ikiwiktest is now a clone of git repository /home/tester6/ikiwiktest.git
warning: installing LWPx::ParanoidAgent is recommended


Creating wiki admin tester6 ...
Choose a password: 
Confirm password: 


Can't exec "cc": Bestand of map bestaat niet at /usr/lib/perl5/vendor_perl/5.22.3/IkiWiki/Wrapper.pm line 302.
failed to compile /home/tester6/public_html/ikiwiktest/ikiwiki.cgi.c
/etc/ikiwiki/auto.setup: ikiwiki --wrappers --setup /home/tester6/ikiwiktest.setup failed at /usr/lib/perl5/vendor_perl/5.22.3/IkiWiki/Setup/Automator.pm line 189, <STDIN> line 2.

usage: ikiwiki [options] source dest
       ikiwiki --setup my.setup [options]
Comment 6 David Walser 2019-03-08 21:10:58 CET
Debian has issued an advisory for the newest issue on February 28:
https://www.debian.org/security/2019/dsa-4399

Keywords: (none) => feedback

Comment 7 Dave Hodgins 2019-03-14 22:52:25 CET
Testing on Mageia 6 x86_64

Installed the old version. Installed the update, which also pulled in
perl-YAML-LibYAML from core release.

[root@x6v ~]# ikiwiki --setup /etc/ikiwiki/auto.setup
What will the wiki be named? qatestwiki
What revision control system to use? git
Which user (wiki account, openid, or email) will be admin? dave@x6v.hodgins.homeip.net


Setting up qatestwiki ...
Importing /root/2qatestwiki into git
Initialized empty shared Git repository in /root/2qatestwiki.git/
Initialized empty Git repository in /root/2qatestwiki/.git/
[master (root-commit) a220042] initial commit
 1 file changed, 1 insertion(+)
 create mode 100644 .gitignore
Counting objects: 3, done.
Writing objects: 100% (3/3), 216 bytes | 216.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To /root/2qatestwiki.git
 * [new branch]      master -> master
Directory /root/2qatestwiki is now a clone of git repository /root/2qatestwiki.git
warning: installing LWPx::ParanoidAgent is recommended
ikiwiki-update-wikilist: added user root to /etc/ikiwiki/wikilist


Successfully set up qatestwiki:
        url:         http://x6v.hodgins.homeip.net/~root/qatestwiki
        srcdir:      ~/2qatestwiki
        destdir:     ~/public_html/qatestwiki
        repository:  ~/2qatestwiki.git
To modify settings, edit ~/qatestwiki.setup and then run:
        ikiwiki --setup ~/qatestwiki.setup

Viewed several pages starting with ...
# w3m /root/public_html/qatestwiki/index.html

No regressions found. Advisory committed to svn. Validating the update.

Whiteboard: (none) => MGA6-64-OK
Keywords: feedback => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Mageia Robot 2019-03-15 17:57:06 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0113.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

