Document the security fixes in this release

diff --git a/debian/NEWS b/debian/NEWS
index ff856e5f06c91b6c0d0bda3d6ad44439a3838783..6493175dc8cc7124cc810dfb3acd5e99c4ca35b2 100644 (file)
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,27 @@
+ikiwiki (3.20141016.3) UNRELEASED; urgency=medium
+
+  To mitigate CVE-2016-3714 and similar ImageMagick security vulnerabilities,
+  the [[!img]] directive is now restricted to these common web formats by
+  default:
+
+  * JPEG (.jpg, .jpeg)
+  * PNG (.png)
+  * GIF (.gif)
+  * SVG (.svg)
+
+  (In particular, by default resizing PDF files is no longer allowed.)
+
+  Additionally, resized SVG files are displayed in the browser as SVG
+  instead of being converted to PNG.
+
+  If all users who can attach images are fully trusted, this restriction
+  can be removed with the new img_allowed_formats setup option.
+  See <https://ikiwiki.info/ikiwiki/directive/img/>
+  or <file:///usr/share/doc/ikiwiki/html/ikiwiki/directive/img.html> for
+  more details.
+
+ -- Simon McVittie <smcv@debian.org>  Fri, 06 May 2016 07:07:29 +0100
+

 ikiwiki (3.20110122) unstable; urgency=low
 
   If you have custom CSS that uses "#feedlinks" or "#blogform", you will
 ikiwiki (3.20110122) unstable; urgency=low
 
   If you have custom CSS that uses "#feedlinks" or "#blogform", you will

diff --git a/doc/ikiwiki/directive/img.mdwn b/doc/ikiwiki/directive/img.mdwn
index fa3b40f50c21a0393ec7b9530f9303ae23ccd9c9..a940a44b6567ef72c9f8b23a8900a1545be508d0 100644 (file)
--- a/doc/ikiwiki/directive/img.mdwn
+++ b/doc/ikiwiki/directive/img.mdwn
@@ -41,4 +41,27 @@ the page, unless overridden. Useful when including many images on a page.
        \[[!img photo2.jpg]]
        \[[!img photo3.jpg size=200x600]]
 
        \[[!img photo2.jpg]]
        \[[!img photo3.jpg size=200x600]]
 

+## format support
+
+By default, the `img` directive only supports a few common web formats:
+
+* PNG (`.png`)
+* JPEG (`.jpg` or `.jpeg`)
+* GIF (`.gif`)
+* SVG (`.svg`)
+
+These additional formats can be enabled with the `img_allowed_formats`
+[[!iki setup]] option, but are disabled by default for better
+[[!iki security]]:
+
+* PDF (`.pdf`)
+* `everything` (accepts any file supported by ImageMagick: make sure
+  that only completely trusted users can
+  [[upload attachments|ikiwiki/pagespec/attachment]])
+
+For example, a wiki where only `admin()` users can upload attachments might
+use:
+
+    img_allowed_formats: [png, jpeg, gif, svg, pdf]
+

 [[!meta robots="noindex, follow"]]
 [[!meta robots="noindex, follow"]]

diff --git a/doc/security.mdwn b/doc/security.mdwn
index d5a0266cdce5638cd437c4d79cb58592f886bc01..6d4841fe6f258d25eeb077dc0a650bfd35b25422 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -178,7 +178,8 @@ the same standards as the rest of ikiwiki, but with that said, here are
 some security notes for them.
 
 * The [[plugins/img]] plugin assumes that imagemagick/perlmagick are secure
 some security notes for them.
 
 * The [[plugins/img]] plugin assumes that imagemagick/perlmagick are secure

-  from malformed image attacks. Imagemagick has had security holes in the
+  from malformed image attacks for at least the formats listed in
+  `img_allowed_formats`. Imagemagick has had security holes in the

   past. To be able to exploit such a hole, a user would need to be able to
   upload images to the wiki.
 
   past. To be able to exploit such a hole, a user would need to be able to
   upload images to the wiki.
 


@@ -506,3 +507,22 @@ The hole was reported on March 24th, a fix was developed on March 27th,
 and the fixed version 3.20150329 was released on the 29th. A fix was backported
 to Debian jessie as version 3.20141016.2 and to Debian wheezy as version
 3.20120629.2. An upgrade is recommended for sites using CGI and openid.
 and the fixed version 3.20150329 was released on the 29th. A fix was backported
 to Debian jessie as version 3.20141016.2 and to Debian wheezy as version
 3.20120629.2. An upgrade is recommended for sites using CGI and openid.

+
+## XSS via error messages
+
+CGI error messages did not escape HTML meta-characters, potentially
+allowing an attacker to carry out cross-site scripting by directing a
+user to a URL that would result in a crafted ikiwiki error message. This
+was discovered on 4 May by the ikiwiki developers, and the fixed version
+3.20160506 was released on 6 May. An upgrade is recommended for sites using
+the CGI.
+
+## ImageMagick CVE-2016–3714 ("ImageTragick")
+
+ikiwiki 3.20160506 attempts to mitigate [[!cve CVE-2016-3714]] and any
+future ImageMagick vulnerabilities that resemble it, by restricting the
+image formats that the [[ikiwiki/directive/img]] directive is willing to
+resize. An upgrade is recommended for sites where an untrusted user is
+able to attach images. Upgrading ImageMagick to a version where
+CVE-2016-3714 has been fixed is also recommended, but at the time of
+writing no such version is available.