Your message dated Fri, 11 Apr 2008 19:52:37 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#462984: fixed in moin 1.5.3-1.2etch1
has caused the Debian Bug report #462984,
regarding python-moinmoin: MOIN_ID cookie bug
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
462984: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462984
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: python-moinmoin
Version: 1.5.8-5
Severity: important
Tags: patch

Allows a malicious user to overwrite files via a bogus cookie.  Should
the severity on this be grave?

Example exploit: http://www.milw0rm.com/exploits/4957 

Here is the upstream patch, which can also be found at
http://hg.moinmo.in/moin/1.5/rev/e69a16b6e630 :

--- a/MoinMoin/user.py  Sun Oct 08 15:06:37 2006 +0200
+++ b/MoinMoin/user.py  Sun Jan 20 23:27:48 2008 +0100
@@ -6,7 +6,7 @@
     @license: GNU GPL, see COPYING for details.
 """
 
-import os, time, sha, codecs
+import os, time, sha, codecs, re
 
 try:
     import cPickle as pickle
@@ -19,6 +19,7 @@ from MoinMoin import config, caching, wi
 from MoinMoin import config, caching, wikiutil
 from MoinMoin.util import filesys, timefuncs
 
+USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
 
 def getUserList(request):
     """ Get a list of all (numerical) user IDs.
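Review bot: `USERID_re` ends in `$`, which in Python's `re.match()` also matches just before a trailing newline, so a cookie value such as `1200000000.12\n` satisfies the pattern; anchoring with `\Z` instead (`r'^\d+\.\d+(\.\d+)?\Z'`) rejects it. The shape of the pattern does line up with what `make_id` produces via `"%s.%d" % (str(time.time()), randint(0,65535))` (the middle `\d+` is the fractional part of `time.time()`, the optional third group the random suffix), so legitimate ids are unaffected either way.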
@@ -27,10 +28,9 @@ def getUserList(request):
     @rtype: list
     @return: all user IDs
     """
-    import re, dircache
-    user_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
+    import dircache
     files = dircache.listdir(request.cfg.user_dir)
-    userlist = [f for f in files if user_re.match(f)]
+    userlist = [f for f in files if USERID_re.match(f)]
     return userlist
 
 
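Review bot: sharing `USERID_re` between `getUserList` and the cookie check keeps the two definitions of "valid id" in sync, but it also means any future loosening of the pattern to list more files from `user_dir` silently loosens what a cookie may contain; a comment beside `USERID_re` stating that it is the guard against `../` in MOIN_ID would prevent that. Minor style point: `import dircache` could move to module level next to the `re` import now that the local import block is being touched anyway.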
@@ -210,7 +210,7 @@ class User:
         self._cfg = request.cfg
         self.valid = 0
         self.trusted = 0
-        self.id = id
+        self.id = self.id_sanitycheck(id)
         self.auth_username = auth_username
         self.auth_method = kw.get('auth_method', 'internal')
         self.auth_attribs = kw.get('auth_attribs', ())
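Review bot: `id_sanitycheck` returns `None` for a bad value, so a tampered MOIN_ID is silently treated like no cookie at all; logging the rejected value (truncated, and not as a filename) would make traversal attempts visible to operators. The check is applied only at this constructor assignment, so any later code path that assigns `self.id` directly needs the same guard or the fix can be bypassed.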
@@ -298,6 +298,15 @@ class User:
         # use it reliably in edit locking
         from random import randint
         return "%s.%d" % (str(time.time()), randint(0,65535))
+
+    def id_sanitycheck(self, id):
+        """ only return valid user IDs, avoid someone faking his cookie to
+            contain '../../../somefile', breaking out of the data/user/ 
directory!
+        """
+        if id and USERID_re.match(id):
+            return id
+        else:
+            return None
 
     def create_or_update(self, changed=False):
         """ Create or update a user profile
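Review bot: as quoted in this mail the docstring is wrapped: `directory!` sits on its own line without a leading `+`, so this hunk will not apply with `patch` as pasted; take the change from the upstream changeset URL given above rather than from the mail body. Also, `id_sanitycheck` never uses `self` and is the single place where a cookie value turns into a filename; a one-line comment saying that `USERID_re` is what keeps path separators and `..` out would help the next reader understand why the method exists.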


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-moinmoin depends on:
ii  moinmoin-common               1.5.8-5    Python clone of WikiWiki - common 
ii  python                        2.4.4-6    An interactive high-level object-o
ii  python-support                0.7.6      automated rebuilding support for p

Versions of packages python-moinmoin recommends:
ii  exim4                         4.69-1     meta-package to ease Exim MTA (v4)
ii  exim4-daemon-light [mail-tran 4.69-1     lightweight Exim MTA (v4) daemon

-- no debconf information

-- 
BOFH excuse #345:
Having to manually track the satellite.



--- End Message ---
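The traversal described in the report above, as an added example that is not part of the bug report or of MoinMoin's own code: it joins a cookie value onto the user directory the way the unfixed code effectively did, then applies the same `USERID_re` check the upstream patch introduces. The `/srv/moin/data/user` directory, the sample cookie values and the `fullmatch()` variant are all assumptions of this example; the strict variant shows the trailing-newline case that `re.match()` with `$` tolerates.

```python
import posixpath
import re
import time
from random import randint

# Same pattern the upstream fix introduces as USERID_re in MoinMoin/user.py.
USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?$')

# Assumed data directory layout for this demonstration (not from the report).
USER_DIR = "/srv/moin/data/user"


def make_id():
    """Generate an id the way the make_id context in the patch does."""
    return "%s.%d" % (str(time.time()), randint(0, 65535))


def profile_path_unfixed(cookie_id, user_dir=USER_DIR):
    """Pre-fix behaviour: the cookie value is joined onto the user directory
    unchecked, so '..' components walk out of data/user/."""
    return posixpath.normpath(posixpath.join(user_dir, cookie_id))


def escapes_user_dir(cookie_id, user_dir=USER_DIR):
    """True if the unfixed join would resolve to a path outside user_dir."""
    root = posixpath.normpath(user_dir)
    target = profile_path_unfixed(cookie_id, root)
    return posixpath.commonpath([root, target]) != root


def id_sanitycheck(cookie_id):
    """Mirror of the upstream fix: accept only ids shaped like make_id() output."""
    if cookie_id and USERID_re.match(cookie_id):
        return cookie_id
    return None


def id_sanitycheck_strict(cookie_id):
    """Added hardening (not upstream's): fullmatch() requires the whole string
    to match, so a trailing newline that '$' in re.match() tolerates is rejected."""
    if cookie_id and USERID_re.fullmatch(cookie_id):
        return cookie_id
    return None


# Constructed cookie values: a legitimate id, the traversal shape from the
# report, and a trailing-newline variant that the '$' anchor lets through.
SAMPLES = {
    "legit": "1200000000.12.4242",
    "traversal": "../../../somefile",
    "newline": "1200000000.12\n",
}


def evaluate(samples=SAMPLES):
    """Return, per sample, what the unfixed join and each check do with it."""
    return {
        name: {
            "escapes_unfixed": escapes_user_dir(value),
            "accepted_by_fix": id_sanitycheck(value) is not None,
            "accepted_by_strict": id_sanitycheck_strict(value) is not None,
        }
        for name, value in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

Running the block shows the traversal value resolving to `/srv/somefile` before the fix and being rejected by both checks afterwards, while only the `fullmatch()` variant rejects the newline-terminated id; `make_id()` output passes both, so the regex does not lock out real users.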
--- Begin Message ---
Source: moin
Source-Version: 1.5.3-1.2etch1

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.5.3-1.2etch1.diff.gz
  to pool/main/m/moin/moin_1.5.3-1.2etch1.diff.gz
moin_1.5.3-1.2etch1.dsc
  to pool/main/m/moin/moin_1.5.3-1.2etch1.dsc
moinmoin-common_1.5.3-1.2etch1_all.deb
  to pool/main/m/moin/moinmoin-common_1.5.3-1.2etch1_all.deb
python-moinmoin_1.5.3-1.2etch1_all.deb
  to pool/main/m/moin/python-moinmoin_1.5.3-1.2etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Viehmann <[EMAIL PROTECTED]> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 15 Feb 2008 23:01:17 +0100
Source: moin
Binary: moinmoin-common python-moinmoin
Architecture: source all
Version: 1.5.3-1.2etch1
Distribution: stable-security
Urgency: high
Maintainer: Jonas Smedegaard <[EMAIL PROTECTED]>
Changed-By: Thomas Viehmann <[EMAIL PROTECTED]>
Description: 
 moinmoin-common - Python clone of WikiWiki - common data
 python-moinmoin - Python clone of WikiWiki - library
Closes: 403363 422408 462984
Changes: 
 moin (1.5.3-1.2etch1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * Adding patches from BTS / upstream up to changeset 856 db212dfc58ef
     + cross-site scripting vulnerabilities using AttachFile,
       CVE-2007-2423, CVE-2008-0781
     + missing access control checks for includes and calendars,
       CVE-2007-2637 (Closes: #422408)
     + directory traversal in MOIN_ID cookie vulnerability,
       CVE-2008-0782 (Closes: #462984)
     + XSS problem in login (CVE-2008-0780)
     + XSS problem in gui editor
     + XSS problem in delete page
     + ACL check for dictionaries
     + fix password reminder mails (Closes: #403363)
Files: 
 e95ec46ee8de9527a39793108de22f7d 4187091 net optional moin_1.5.3.orig.tar.gz
 0650a6782cb8b11d99fbfa40378c1dfb 663 net optional moin_1.5.3-1.2etch1.dsc
 13984aca140b63e2303a6034fcd4f9ec 40942 net optional moin_1.5.3-1.2etch1.diff.gz
 2cd40d664082f835b2def29629ff58e8 1596522 net optional moinmoin-common_1.5.3-1.2etch1_all.deb
 0a8dba5cff0e5540e4e55d39855316d4 915318 python optional python-moinmoin_1.5.3-1.2etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHvLaDriZpaaIa1PkRAnriAKD8v7t6OHkf3/s8foUg24cMRrQeogCgh5dT
AjhnulcQ/X22VvVOIuJApVI=
=aWyH
-----END PGP SIGNATURE-----



--- End Message ---
