X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/28409cd358d5ff17e2c340298988e8baf86fd5f5..c142dba356b757facd6684a99623c58430b7221e:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index 4f825deba..823f5ef88 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -561,5 +561,37 @@ result in `policy.mdwn` being altered. This affects sites with the `git` VCS and the `recentchanges` plugin, which are both used in most ikiwiki installations. -This bug was reported on 2016-12-17. The fixed version 3.20161219 -was released on 2016-12-19. ([[!cve CVE-2016-10026]]) +This bug was reported on 2016-12-17. A partially fixed version +3.20161219 was released on 2016-12-19, but the solution used in that +version was not effective with git versions older than 2.8.0. +A more complete fix was released on 2016-12-29 in version 3.20161229. +A backport to Debian 8 'jessie' is in progress. + +([[!cve CVE-2016-10026]] represents the original vulnerability. +[[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability +in 3.20161219 caused by the incomplete fix.) + +## Commit metadata forgery via CGI::FormBuilder context-dependent APIs + +When CGI::FormBuilder->field("foo") is called in list context (and +in particular in the arguments to a subroutine that takes named +arguments), it can return zero or more values for foo from the CGI +request, rather than the expected single value. This breaks the usual +Perl parsing convention for named arguments, similar to CVE-2014-1572 +in Bugzilla (which was caused by a similar API design issue in CGI.pm). + +In ikiwiki, this appears to have been exploitable in two places, both +of them relatively minor: + +* in the comments plugin, an attacker who was able to post a comment + could give it a user-specified author and author-URL even if the wiki + configuration did not allow for that, by crafting multiple values + for other fields +* in the editpage plugin, an attacker who was able to edit a page + could potentially forge commit authorship (attribute their edit to + someone else) by crafting multiple values for the rcsinfo field + +This was fixed in ikiwiki 3.20161229. A backport to Debian 8 +'jessie' is in progress. + +([[!cve CVE-2016-9646]]/OVE-20161226-0001)