Security Alert: Robustness patch for TWiki; vulnerability in ImageGalleryPlugin
Please join the twiki-announce list:
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList
Communication to twiki-announce
Dear TWiki administrator,
This is a TWiki security alert that provides:
- a patch to make TWiki Release 01/02 Sep 2004 more robust, and
- a patch for the ImageGalleryPlugin to fix a severe security issue
This advisory has already been publicly announced by Florian Weimer,
therefore it is recommended to take actions ASAP if you are running
TWiki on a public web site. Thank you Florian for providing an extensive
robustness patch.
Since the advisory has been released uncoordinated, not following our
documented security alert process at
http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess , we
could not verify that the suggested robustness patch works in all
environments where TWiki is being deployed. We learned that this patch
does not work on Windows, nor on Perl older than 5.6. The patch has
been successfully tested on:
- Red Hat Enterprise Linux AS release 3 (Taroon Update 4) with Perl 5.8.0
- Debian GNU/Linux woody with Perl 5.6.1
- SuSe 9.0 with Perl 5.8.0
Please watch this topic at
http://twiki.org/cgi-bin/view/Codev/UncoordinatedSecurityAlert23Feb2005
for follow-up on this alert.
Best regards,
Peter@ThoenyPLEASENOSPAM.com - TWiki.org
--
PeterThoeny - 25 Feb 2005
-------- Original Message --------
Subject: [TWiki-Dev] Robustness patch for TWiki, vulnerability in ImageGalleryPlugin
Date: Wed, 23 Feb 2005 18:27:41 +0100
From: Florian Weimer
fw@denebPLEASENOSPAM.enyo.de
To:
security-announce@listsPLEASENOSPAM.enyo.de,
full-disclosure@listsPLEASENOSPAM.netsys.com,
bugtraq@securityfocusPLEASENOSPAM.com,
vulnwatch@vulnwatchPLEASENOSPAM.org,
twiki-dev@listsPLEASENOSPAM.sourceforge.net
* TWiki robustness patch
After CAN-2004-1037 was discovered in November 2004, I wrote a patch
which systematically replaces unsafe subprocess invocation constructs
in the TWiki source code. This patch was published, submitted to the
TWiki developers, and they ported it into the DEVELOP branch:
http://www.enyo.de/fw/security/notes/twiki-robustness.html
(A TWiki release which incorporates the changes from the DEVELOP
branch is still pending.)
The TWiki robustness patch should fix all shell command injection
vulnerabilities, once and for all. It also attempts to prevent
directory traversal attacks, but I'm less confident that I have
plugged all potential holes. (However, I'm not aware of any directory
traversal vulnerabilities in TWiki, with or without this patch.)
Due to certain circumstances which I'm not at liberty to disclose at
this point, it is STRONGLY RECOMMENDED to apply the patch to any TWiki
installation which is accessible from untrusted networks. The patch
needs some changes to TWiki.cfg; please read the web page mentioned
above and the enclosed README file carefully.
* ImageGalleryPlugin security issue
ImageGalleryPlugin does not properly guard its configuration options
against unauthorized changes, in particular parts of the ImageMagick
commands used to generate thumbnails. As a result, it's possible for
anyone who is able to create or edit topics with image galleries to
execute arbitrary shell commands on the web server hosting the
affected TWiki installation.
A patch for this issue is available from the same URL as above:
http://www.enyo.de/fw/security/notes/twiki-robustness.html
The patch depends on the TWiki robustness patch. Some configuration
changes are required (as explained on the web page).
Vulnerability timeline (for the ImageGalleryPlugin issue):
2004-11-27 bug discovered and disclosed to the TWiki core developers
2004-11-29 sent patch to the TWiki core developers
2004-11-30 sent bug notice and patch to the plugin author
2004-12-26 sent reminder (and patch) to the TWiki security team
2005-02-17 sent second reminder, pending disclosure (no reply)
2005-02-23 uncoordinated public disclosure
-- Florian Weimer - 23 Feb 2005
(-- KennethLavrsen - 25 Feb 2005 - Added the forgotten last part of the original email - see comment below)
Follow-up
Known issues with the robustness patch:
--
PeterThoeny - 25 Feb 2005
Discussions
For those new to applying a patch:
To patch TWikiRelease01Sep2004 or TWikiRelease02Sep2004, download GNU Patch (linked from PatchGuidelines) - then cd to the TWiki root directory and then run
patch -i twiki-robustness-r3342.diff
--
PeterThoeny - 25 Feb 2005

What are the patch procedures / implications for TWikiRelease01Feb2003?
--
KeithHelfrich - 25 Feb 2005
The README instructions indicate that TWiki.cfg should be updated, but the patch already updates it. Are the instructions incorrect?
--
DiabJerius - 25 Feb 2005
I just downloaded the latest gnu patch (2.5.4), but I am still having difficulty applying the patch. Patch asks for each file. Is there an incompatibility between the diff generated by Florian and gnu patch?
# /usr/local/bin/patch --dry-run -i twiki-robustness-r3342.diff
patching file README.robustness
patching file 20robustness.t
can't find file to patch at input line 143
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--------------------------
|=== lib/TWiki.pm
|==================================================================
|--- lib/TWiki.pm (/twiki/trunk) (revision 287)
|+++ lib/TWiki.pm (/twiki/branches/robustness) (revision 287)
--------------------------
...
# ls lib/TWiki.pm
lib/TWiki.pm
# /usr/local/bin/patch --version
patch 2.5.4
Copyright 1984-1988 Larry Wall
Copyright 1989-1999 Free Software Foundation, Inc.
...
- You probably need to add -p0 to the patch command line, to make it ignore paths in the patch file. I did.
--
NicholasSushkin - 25 Feb 2005
You may want to simply disable ImageGalleryPlugin until I post a new version (within the next 24 hours); the new version uses CPAN:Image::Magick directly instead of the shell.
--
WillNorris - 25 Feb 2005
I successfully patched Cairo TWikiRelease02Sep2004 with some extra fixes added by hand using this patch command:
- copy patch file to the root twiki folder.
- run:
patch -p0 < twiki-robustness-3342.diff
After this you should additionally fix this small problem:
SecurityPatchBreaksAttachmentWithoutComment
In reality there is no need to panic if you have a TWiki without the ImageGalleryPlugin. But if you have the ImageGalleryPlugin installed, either patch your TWiki as described or simply remove it if you do not really use it anyway.
You forgot to include the important last part of Florian's original email (Vulnerability timeline). I added it because it teaches us who really did not follow the documented TWikiSecurityAlertProcess.
--
KennethLavrsen - 25 Feb 2005

Is the patch for Access.pm correct? I got
patching file lib/TWiki/Access.pm
Reversed (or previously applied) patch detected! Assume -R? [n]
on a debian-sarge release of TWikiRelease02Sep2004. My guess is that sarge has probably already applied some earlier patch, so there's definitely no need to undo it. In other words, is the part
if ($2 =~ /\S/ && !@allowList) {
etc. supposed to be present? --
BoudRoukema - 27 Feb 2005
Will, how are you getting on with a new release of the plugin?
--
MartinCleaver - 28 Feb 2005
Is there going to be a production release after 7 days, per the TWikiSecurityAlertProcess? 7 days from the advisory was yesterday, but maybe we're counting from Friday? I'm just concerned because nothing's been posted so far.
--
KyleMaxwell - 03 Mar 2005
For important security updates such as this, it seems that it would be much more helpful to post the pre-patched components rather than requiring folks to download a diff and go through the process of applying it.
--
LynnwoodBrown - 11 Mar 2005
This patch seems important, yet there's no mention of it on TWikiSecurityAlerts. Shouldn't things like this get at least some sort of a mention in the obvious places?
--
MarcusLeonard - 12 Mar 2005
Yes, you are right, does anyone want to volunteer to join the TWikiSecurity group? The core group is stretched too thin, so we need help!
- I am willing to volunteer for the TWikiSecurity group for the specific task of applying diffs to affected components and posting them as zipped archive. It's a small thing (within my skill level) but one which would facilitate faster application of fixes. -- LynnwoodBrown - 17 Mar 2005
--
SvenDowideit - 12 Mar 2005
Still rejecting some of the fixes:
piccolbo:/var/www/html/twiki$ sudo patch -p0 -i ~/install/twikipatch.diff
patching file README.robustness
patching file t/20robustness.t
patching file lib/TWiki.pm
Hunk #1 succeeded at 3202 (offset -10 lines).
patching file lib/TWiki.cfg
Hunk #1 FAILED at 192.
Hunk #2 FAILED at 305.
2 out of 2 hunks FAILED -- saving rejects to file lib/TWiki.cfg.rej
patching file lib/TWiki/Search.pm
patching file lib/TWiki/Store/RcsLite.pm
patching file lib/TWiki/Store/RcsWrap.pm
patching file lib/TWiki/Func.pm
Hunk #1 succeeded at 847 (offset -1 lines).
patching file lib/TWiki/Store.pm
Hunk #5 succeeded at 1736 (offset 8 lines).
patching file lib/TWiki/Access.pm
patching file lib/TWiki/UI/Upload.pm
patching file bin/manage
--
AntonioPiccolboni - 17 Mar 2005
The failures were in TWiki.cfg, which you probably modified locally. You should manually resolve the changes to TWiki.cfg. It's very simple to do.
--
CrawfordCurrie - 17 Mar 2005
I'd be interested in assisting the security group with further security reviews and patch evaluation. My address is in my profile if I can be of assistance.
--
KyleMaxwell - 21 Mar 2005
The robustness patch may lead to problems if usernames/ids are longer than 30 characters.
For instance in our installation, we use emails as users' login names in twiki... and several of them are longer than 30 characters.
I suggest that the 0,30 limit be replaced by 0,50 in the following patch line:
+ if ($param =~ /^([0-9A-Za-z.+_\-]{0,30})$/) {
--
OlivierBerger - 23 Mar 2005
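The two defensive moves this thread turns on, Florian's replacement of shell-string subprocess invocation with allowlisted arguments (the ImageMagick thumbnail case) and the login-name regex with the 30-character cap that Olivier discusses, as an added Perl example that is not Florian's patch or TWiki's own code. The `convert -thumbnail` invocation, the directory and file names, and the validator names are assumptions made for the example.

```perl
# Added example, not Florian's patch or TWiki code (Perl 5.6+): allowlist
# every value that reaches a subprocess, and invoke the program with the
# LIST form of system() so no shell ever parses the arguments.
use strict;
use warnings;

# Login names: the character class of the patched TWiki line quoted in the
# thread, with the length cap as a parameter (default 30) so a site that
# uses e-mail addresses as logins can raise it without editing the regex.
sub validate_login {
    my ( $param, $max ) = @_;
    $max = 30 unless defined $max;
    return defined $param && $param =~ /^([0-9A-Za-z.+_\-]{0,$max})$/ ? $1 : undef;
}

# ImageMagick geometry such as "120x90": digits and a single "x" only.
sub validate_geometry {
    my ($geom) = @_;
    return defined $geom && $geom =~ /^(\d{1,4}x\d{1,4})$/ ? $1 : undef;
}

# Attachment name: no "/" or "\", so it cannot leave the pub directory,
# and no leading "-" or ".", so convert cannot mistake it for an option.
sub validate_image_name {
    my ($name) = @_;
    return defined $name
        && $name =~ /^([0-9A-Za-z_][0-9A-Za-z_.\-]*\.(?:jpe?g|png|gif))$/i ? $1 : undef;
}

# Returns argv for the thumbnail command, or an empty list on rejection.
# The vulnerable shape this replaces is one interpolated string handed to
# the shell:  `convert $dir/$name -thumbnail $geom $dir/thumb_$name`
sub thumbnail_argv {
    my ( $dir, $name, $geom ) = @_;
    my $n = validate_image_name($name);
    my $g = validate_geometry($geom);
    return () unless defined $n && defined $g;
    return ( 'convert', "$dir/$n", '-thumbnail', $g, "$dir/thumb_$n" );
}

# Constructed inputs: a valid request, a geometry carrying a shell
# metacharacter, and a name that tries to climb out of the directory.
for my $req ( [ 'photo.jpg', '120x90' ], [ 'photo.jpg', '120x90;' ],
              [ '../secret.jpg', '120x90' ] ) {
    my @cmd = thumbnail_argv( 'pub/Main', @$req );
    # To execute: system(@cmd) == 0 or warn "convert failed: $?";
    # a multi-element list is passed to execvp directly, never to a shell.
    print( @cmd ? "run: @cmd\n" : "rejected: @$req\n" );
}
```

A one-element system() call containing shell metacharacters still goes through /bin/sh, so the list form only protects when the program and each argument are separate elements, as above.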
Can we get a replacement for TWikiRelease02Sep2004 out? I note that the forthcoming IGP requires either this patch installed or Dakar.
--
MartinCleaver - 24 Apr 2005