On Tue, 2010-01-19 at 02:13 +0100, Pascal Volk wrote:
> Tags: security fixed-upstream
>
> The MoinMoin developers have released moin-1.9.1. This release fixes a
> security issue¹. It also provides a lot of small bug fixes.
I've attached a patch for the security update, backporting upstream's security update in 1.9.1 (as 1.9.0-1+squeeze1 so it can be uploaded with urgency=high).

Can someone review and upload it please (Jonas doesn't seem to be available at this time)?

Thanks,
Franklin
commit d68e87883a427fc6162603d7af944307c8bec63e Author: Frank Lin PIAT <fp...@klabs.be> Date: Wed Jan 20 21:56:38 2010 +0100 1.9.0-1+squeeze1 diff --git a/debian/changelog b/debian/changelog index 97459db..300b491 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +moin (1.9.0-1+squeeze1) unstable; urgency=high + + * Non-maintainer upload. + * Fix sys.argv security issue in moin.cgi (and other *cgi variants. This + is a backport from upstream 1.9.1) Closes: bug#565854 + + -- Frank Lin PIAT <fp...@klabs.be> Wed, 20 Jan 2010 21:56:58 +0100 + moin (1.9.0-1) unstable; urgency=low * New upstream release diff --git a/debian/patches/fix_sys.argv_issue_1of2.patch b/debian/patches/fix_sys.argv_issue_1of2.patch new file mode 100644 index 0000000..f9198df --- /dev/null +++ b/debian/patches/fix_sys.argv_issue_1of2.patch @@ -0,0 +1,17 @@ +Fix sys.argv issue 1/2 +Backport of upstream 1.9.1 security issue +(commit http://hg.moinmo.in/moin/1.9/rev/04afdde50094) +Author: Thomas Waldmann <tw-pub...@gmx.de> +diff -r 93fbb0418225 -r 04afdde50094 wiki/server/moin.cgi +--- a/wiki/server/moin.cgi Mon Jan 18 13:46:32 2010 +0100 ++++ b/wiki/server/moin.cgi Mon Jan 18 22:28:57 2010 +0100 +@@ -34,6 +34,9 @@ + # this works around a bug in flup's CGI autodetection (as of flup 1.0.1): + os.environ['FCGI_FORCE_CGI'] = 'Y' # 'Y' for (slow) CGI, 'N' for FCGI + ++if 'GATEWAY_INTERFACE' in os.environ: ++ sys.argv = [] ++ + from MoinMoin.web.flup_frontend import CGIFrontEnd + CGIFrontEnd().run() + diff --git a/debian/patches/fix_sys.argv_issue_2of2.patch b/debian/patches/fix_sys.argv_issue_2of2.patch new file mode 100644 index 0000000..feef243 --- /dev/null +++ b/debian/patches/fix_sys.argv_issue_2of2.patch 
@@ -0,0 +1,44 @@ +Fix sys.argv issue 2/2 (move sys.argv fix to better place) +Backport of upstream 1.9.1 security issue +(commit http://hg.moinmo.in/moin/1.9/rev/9d8e7ce3c3a2 ) +Author: Thomas Waldmann <tw-pub...@gmx.de> +diff -r 44c165260367 -r 9d8e7ce3c3a2 MoinMoin/web/flup_frontend.py +--- a/MoinMoin/web/flup_frontend.py Mon Jan 18 22:40:49 2010 +0100 ++++ b/MoinMoin/web/flup_frontend.py Mon Jan 18 23:05:58 2010 +0100 +@@ -129,6 +129,11 @@ + if have_singlepatch: + server_types['single'] = 'flup.server.fcgi_single' + ++ def run(self, args=None): ++ if 'GATEWAY_INTERFACE' in os.environ: ++ sys.argv = [] ++ super(CGIFrontEnd, self).run(args) ++ + class SCGIFrontEnd(FlupFrontEnd): + server_types = {'threaded': 'flup.server.scgi', + 'forking': 'flup.server.scgi_fork'} +@@ -144,6 +149,11 @@ + "support is available.") + super(CGIFrontEnd, self).__init__() + ++ def run(self, args=None): ++ if 'GATEWAY_INTERFACE' in os.environ: ++ sys.argv = [] ++ super(CGIFrontEnd, self).run(args) ++ + def run_server(self, application, options): + from MoinMoin.web._fallback_cgi import WSGIServer + return WSGIServer(application).run() +diff -r 44c165260367 -r 9d8e7ce3c3a2 wiki/server/moin.cgi +--- a/wiki/server/moin.cgi Mon Jan 18 22:40:49 2010 +0100 ++++ b/wiki/server/moin.cgi Mon Jan 18 23:05:58 2010 +0100 +@@ -34,9 +34,6 @@ + # this works around a bug in flup's CGI autodetection (as of flup 1.0.1): + os.environ['FCGI_FORCE_CGI'] = 'Y' # 'Y' for (slow) CGI, 'N' for FCGI + +-if 'GATEWAY_INTERFACE' in os.environ: +- sys.argv = [] +- + from MoinMoin.web.flup_frontend import CGIFrontEnd + CGIFrontEnd().run() + diff --git a/debian/patches/series b/debian/patches/series index fa0e1b8..7069d41 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,5 @@ hardcode_configdir.patch disable_gui_editor_if_fckeditor_missing.patch htdocs_moved_to_usr_share_moin.patch use_systemwide_libs.patch +fix_sys.argv_issue_1of2.patch +fix_sys.argv_issue_2of2.patch
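Review bot: the debian/changelog entry claims the fix covers moin.cgi "and other *cgi variants", but the only file under wiki/server/ touched by either patch is moin.cgi; the other variants are fixed only insofar as they reach CGIFrontEnd.run() in MoinMoin/web/flup_frontend.py. Either reword the entry to say the check now lives in CGIFrontEnd.run(), or list the wrappers that were verified to go through it (any wrapper that parses sys.argv before calling run(), or that calls run_server() directly, would not be covered), so the Debian security tracker text is accurate.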
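Review bot: the wiki/server/moin.cgi hunk in fix_sys.argv_issue_1of2.patch is reverted wholesale by fix_sys.argv_issue_2of2.patch (`-if 'GATEWAY_INTERFACE' in os.environ:` / `-    sys.argv = []`), so the net change to moin.cgi from the series is nil. For a security NMU it is simpler to fold both upstream revisions into one quilt patch, keeping both upstream commit URLs (04afdde50094 and 9d8e7ce3c3a2) in the header, rather than carrying a change that the next patch undoes.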
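Review bot: the run() added at @@ -129,6 +129,11 @@ in MoinMoin/web/flup_frontend.py references os.environ and sys.argv, but no import of os or sys appears anywhere in the diff for that module; confirm both are imported at module level, otherwise the CGI code path raises NameError before it serves a request. Separately, `sys.argv = []` discards argv[0] along with the arguments; `sys.argv = sys.argv[:1]` would keep the program name for anything that reads it (optparse's %prog, log lines) while still dropping every request-derived argument.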
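Review bot: the run() added at @@ -144,6 +149,11 @@ for the fallback CGIFrontEnd is a byte-for-byte copy of the one added to the flup-backed CGIFrontEnd in the previous hunk. Both end in `super(CGIFrontEnd, self).run(args)`, so the GATEWAY_INTERFACE check could live once in the base class run() they delegate to, or in a small module-level helper both call, instead of two copies that can drift apart the next time the check changes.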
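The bug report does not describe the sys.argv issue beyond its name. As an added example (not code from the report, from Debian or from MoinMoin), the block below models the standard way a request reaches sys.argv under CGI and shows the effect of the patch's rule: RFC 3875 section 4.4 lets a CGI/1.1 server turn an "indexed" query string, one containing no unencoded '=', into the script's command-line arguments, so a wrapper that hands sys.argv to an option parser lets any client pick its options. Treating that as the hazard is this example's assumption; the option names, the parser and the request environments are constructed for illustration.

```python
"""Added example, not code from the bug report, Debian or MoinMoin.

Models how an RFC 3875 "indexed" query string becomes argv for a CGI
script, and how clearing argv whenever GATEWAY_INTERFACE is set (the rule
the upstream patch applies with `sys.argv = []`) removes the client's
influence.  Option names, parser and request environments are constructed
for the example and are not MoinMoin's.
"""
import optparse
from urllib.parse import unquote


def argv_from_cgi_query(query_string):
    """Model how an RFC 3875 server derives argv from an indexed query.

    Assumption for this example: words are separated by '+' and each word
    is percent-decoded; a query containing '=' yields no arguments.
    """
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def effective_argv(environ, argv, hardened):
    """Return the argv the option parser will see.

    hardened=True applies the patch's rule: when GATEWAY_INTERFACE is set
    the process is serving a web request, so command-line arguments are
    discarded.  Without GATEWAY_INTERFACE the script is being run from a
    shell and argv is trusted as usual.
    """
    if hardened and "GATEWAY_INTERFACE" in environ:
        return []
    return list(argv)


def parse_options(argv):
    """Toy stand-in for a frontend's option parser (hypothetical options)."""
    parser = optparse.OptionParser(add_help_option=False)
    parser.add_option("--config-dir", dest="config_dir", default="/etc/moin")
    parser.add_option("--port", dest="port", type="int", default=None)
    opts, _positional = parser.parse_args(argv)
    return opts


def config_dir_for_request(environ, hardened):
    """Config directory the toy frontend would use for one CGI request."""
    argv = argv_from_cgi_query(environ.get("QUERY_STRING", ""))
    return parse_options(effective_argv(environ, argv, hardened)).config_dir


if __name__ == "__main__":
    # Constructed request: a client fetches /moin.cgi?--config-dir+/tmp/evil
    request = {"GATEWAY_INTERFACE": "CGI/1.1",
               "QUERY_STRING": "--config-dir+/tmp/evil"}
    print("unpatched:", config_dir_for_request(request, hardened=False))
    print("patched:  ", config_dir_for_request(request, hardened=True))
```

With the rule applied, a request can no longer steer the parser, while a shell invocation without GATEWAY_INTERFACE (for example `moin.cgi --config-dir /srv/wiki` run by hand) keeps its arguments; a query that contains '=' never reaches argv in the first place, which is why ordinary wiki URLs are unaffected either way.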