Package: python-moinmoin
Version: 1.5.8-5
Severity: important
Tags: patch

Allows a malicious user to overwrite files via a bogus cookie. Should the severity on this be grave?
Example exploit: http://www.milw0rm.com/exploits/4957

Here is the upstream patch, which can also be found at http://hg.moinmo.in/moin/1.5/rev/e69a16b6e630 :

--- a/MoinMoin/user.py Sun Oct 08 15:06:37 2006 +0200 +++ b/MoinMoin/user.py Sun Jan 20 23:27:48 2008 +0100 @@ -6,7 +6,7 @@ @license: GNU GPL, see COPYING for details. """ -import os, time, sha, codecs +import os, time, sha, codecs, re try: import cPickle as pickle @@ -19,6 +19,7 @@ from MoinMoin import config, caching, wi from MoinMoin import config, caching, wikiutil from MoinMoin.util import filesys, timefuncs +USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?$') def getUserList(request): """ Get a list of all (numerical) user IDs. @@ -27,10 +28,9 @@ def getUserList(request): @rtype: list @return: all user IDs """ - import re, dircache - user_re = re.compile(r'^\d+\.\d+(\.\d+)?$') + import dircache files = dircache.listdir(request.cfg.user_dir) - userlist = [f for f in files if user_re.match(f)] + userlist = [f for f in files if USERID_re.match(f)] return userlist @@ -210,7 +210,7 @@ class User: self._cfg = request.cfg self.valid = 0 self.trusted = 0 - self.id = id + self.id = self.id_sanitycheck(id) self.auth_username = auth_username self.auth_method = kw.get('auth_method', 'internal') self.auth_attribs = kw.get('auth_attribs', ()) 
@@ -298,6 +298,15 @@ class User: # use it reliably in edit locking from random import randint return "%s.%d" % (str(time.time()), randint(0,65535)) + + def id_sanitycheck(self, id): + """ only return valid user IDs, avoid someone faking his cookie to + contain '../../../somefile', breaking out of the data/user/ directory! + """ + if id and USERID_re.match(id): + return id + else: + return None def create_or_update(self, changed=False): """ Create or update a user profile

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-moinmoin depends on:
ii  moinmoin-common  1.5.8-5  Python clone of WikiWiki - common
ii  python           2.4.4-6  An interactive high-level object-o
ii  python-support   0.7.6    automated rebuilding support for p

Versions of packages python-moinmoin recommends:
ii  exim4                         4.69-1  meta-package to ease Exim MTA (v4)
ii  exim4-daemon-light [mail-tran 4.69-1  lightweight Exim MTA (v4) daemon

-- no debconf information

-- 
BOFH excuse #345: Having to manually track the satellite.
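Review bot: in the `+USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?$')` line of the @@ -19,6 +19,7 @@ hunk, `$` in Python's re also matches immediately before a trailing newline, so a value such as `'1200867432.12.54321\n'` passes; since this one pattern now gates both the cookie-supplied ID (through id_sanitycheck) and the directory listing in getUserList, anchor it with `\Z` (`r'^\d+\.\d+(\.\d+)?\Z'`) so only an exact numeric ID matches. A one-line comment stating the accepted shape would also help: the pattern allows two or three dotted numeric components, while the generator visible in the last hunk, `"%s.%d" % (str(time.time()), randint(0,65535))`, always produces three, and the reader otherwise has to reconcile the two by hand.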
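Review bot: `+ self.id = self.id_sanitycheck(id)` in the @@ -210,7 +210,7 @@ hunk silently turns a tampered cookie into `self.id = None`; the remainder of `__init__` is not in the diff, so please confirm that every later use of `self.id` in the constructor (profile loading in particular) treats None as "no user" rather than joining it into a path, and consider logging the rejected value at warning level, since a cookie carrying `../` is an unambiguous tampering signal that an operator would want in the server logs.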
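Review bot: in the new `id_sanitycheck` method of the @@ -298,6 +298,15 @@ hunk, the parameter `id` shadows the builtin (as `__init__` already does); `user_id` would read better. The method never touches `self`, so it could be a plain module-level function next to `USERID_re` and be reused wherever an ID arrives from an untrusted source. The docstring describes the threat but not the contract: add that it returns the ID unchanged when valid and None otherwise, so callers know they must test for None before using the result.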
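As an added illustration of the bug this report describes (example code written for this page, not MoinMoin's own, and in Python 3 rather than the Python 2.4 the package runs on): the user ID taken from the cookie is used as a file name under data/user/, so a forged value like `../../../somefile` resolves outside that directory, while the whitelist check from the patch refuses it. `USER_DIR`, `profile_path_vulnerable`, `profile_path_fixed` and the sample cookie values are made up for the example; the regex is the upstream one anchored with `\Z` instead of `$`, and `trailing_newline_difference` shows why that matters.

```python
import posixpath
import re
import time
from random import randint

# Whitelist from the upstream patch, but anchored with \Z rather than $:
# in Python's re, '$' also matches just before a final newline, whereas
# \Z matches only at the true end of the string.
USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?\Z')

# Hypothetical location standing in for request.cfg.user_dir (made up).
USER_DIR = "/srv/wiki/data/user"

# Constructed cookie values: one genuine-looking ID and three forged ones.
SAMPLE_COOKIES = {
    "genuine": "1200867432.12.54321",
    "traversal": "../../../etc/passwd",
    "absolute": "/etc/passwd",
    "newline": "1200867432.12.54321\n",
}


def make_user_id():
    """Build an ID the way MoinMoin 1.5 does in user.py (context of the last hunk)."""
    return "%s.%d" % (str(time.time()), randint(0, 65535))


def id_sanitycheck(user_id):
    """The patch's check: return the ID only if it matches the whitelist, else None."""
    if user_id and USERID_re.match(user_id):
        return user_id
    return None


def profile_path_vulnerable(user_id):
    """Pre-patch behaviour: the raw cookie value becomes part of the file path."""
    return posixpath.normpath(posixpath.join(USER_DIR, user_id))


def profile_path_fixed(user_id):
    """Post-patch behaviour: refuse to build a path for anything but a numeric ID."""
    checked = id_sanitycheck(user_id)
    if checked is None:
        return None
    return posixpath.join(USER_DIR, checked)


def escapes_user_dir(path):
    """True when the normalised path is not a file inside USER_DIR."""
    return not posixpath.normpath(path).startswith(USER_DIR + "/")


def trailing_newline_difference(user_id="1200867432.12.54321\n"):
    """(matches with '$', matches with '\\Z') for an ID carrying a trailing newline."""
    upstream_re = re.compile(r'^\d+\.\d+(\.\d+)?$')   # exactly as in the patch
    return bool(upstream_re.match(user_id)), bool(USERID_re.match(user_id))


def evaluate(cookies=SAMPLE_COOKIES):
    """For each cookie: would the old code leave USER_DIR, and does the fix accept it?"""
    return {
        label: {
            "old_escapes": escapes_user_dir(profile_path_vulnerable(cookie)),
            "new_accepts": profile_path_fixed(cookie) is not None,
        }
        for label, cookie in cookies.items()
    }


if __name__ == "__main__":
    for label, outcome in evaluate().items():
        print("%-10s old code escapes data/user: %-5s  patched code accepts: %s"
              % (label, outcome["old_escapes"], outcome["new_accepts"]))
```

Running the block shows the two forged paths leaving data/user/ under the old code and being rejected by the check, while the newline variant stays inside the directory but is still refused thanks to `\Z`; with the upstream `$` anchor it would have been accepted.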