On Tue, 2010-01-19 at 02:13 +0100, Pascal Volk wrote:
> Tags: security fixed-upstream
> 
> The MoinMoin developers have released moin-1.9.1. This release fixes a 
> security issue¹. It also provides a lot of small bug fixes.

I've attached a patch for the security update, backporting upstream's
security update in 1.9.1 (as 1.9.0-1+squeeze1 so it can be uploaded with
urgency = high)

Can someone review and upload it please (Jonas doesn't seem to be
available at this time).

Thanks

Franklin
commit d68e87883a427fc6162603d7af944307c8bec63e
Author: Frank Lin PIAT <fp...@klabs.be>
Date:   Wed Jan 20 21:56:38 2010 +0100

    1.9.0-1+squeeze1

diff --git a/debian/changelog b/debian/changelog
index 97459db..300b491 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+moin (1.9.0-1+squeeze1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix sys.argv security issue in moin.cgi (and other *cgi variants. This
+    is a backport from upstream 1.9.1) Closes: bug#565854
+
+ -- Frank Lin PIAT <fp...@klabs.be>  Wed, 20 Jan 2010 21:56:58 +0100
+
 moin (1.9.0-1) unstable; urgency=low
 
   * New upstream release
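Review bot: the second bullet of the new changelog entry reads awkwardly because the parenthesis opens before "and other *cgi variants" and only closes after the backport sentence; suggest splitting it as `* Fix sys.argv security issue in moin.cgi and the other *cgi variants` / `(backport from upstream 1.9.1). Closes: #565854`. `Closes: bug#565854` is accepted by dpkg-parsechangelog, but `Closes: #565854` is the conventional spelling. If upstream's advisory carries a CVE id, quoting it in this entry makes the fix easier for the security team to track.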
diff --git a/debian/patches/fix_sys.argv_issue_1of2.patch 
b/debian/patches/fix_sys.argv_issue_1of2.patch
new file mode 100644
index 0000000..f9198df
--- /dev/null
+++ b/debian/patches/fix_sys.argv_issue_1of2.patch
@@ -0,0 +1,17 @@
+Fix sys.argv issue 1/2
+Backport of upstream 1.9.1 security issue
+(commit http://hg.moinmo.in/moin/1.9/rev/04afdde50094)
+Author: Thomas Waldmann <tw-pub...@gmx.de>
+diff -r 93fbb0418225 -r 04afdde50094 wiki/server/moin.cgi
+--- a/wiki/server/moin.cgi     Mon Jan 18 13:46:32 2010 +0100
++++ b/wiki/server/moin.cgi     Mon Jan 18 22:28:57 2010 +0100
+@@ -34,6 +34,9 @@
+ # this works around a bug in flup's CGI autodetection (as of flup 1.0.1):
+ os.environ['FCGI_FORCE_CGI'] = 'Y' # 'Y' for (slow) CGI, 'N' for FCGI
+ 
++if 'GATEWAY_INTERFACE' in os.environ:
++    sys.argv = []
++
+ from MoinMoin.web.flup_frontend import CGIFrontEnd
+ CGIFrontEnd().run()
+ 
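Review bot: the added `if 'GATEWAY_INTERFACE' in os.environ: sys.argv = []` carries no comment explaining why the command-line arguments are discarded when the script runs under CGI; a one-line comment would help whoever next touches moin.cgi. Also note that this patch only changes wiki/server/moin.cgi, while the changelog says the other *cgi variants are fixed as well; that coverage comes only from fix_sys.argv_issue_2of2.patch, which moves the check into CGIFrontEnd, so the changelog wording holds only with both patches applied.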
diff --git a/debian/patches/fix_sys.argv_issue_2of2.patch 
b/debian/patches/fix_sys.argv_issue_2of2.patch
new file mode 100644
index 0000000..feef243
--- /dev/null
+++ b/debian/patches/fix_sys.argv_issue_2of2.patch
@@ -0,0 +1,44 @@
+Fix sys.argv issue 2/2 (move sys.argv fix to better place)
+Backport of upstream 1.9.1 security issue
+(commit http://hg.moinmo.in/moin/1.9/rev/9d8e7ce3c3a2 )
+Author: Thomas Waldmann <tw-pub...@gmx.de>
+diff -r 44c165260367 -r 9d8e7ce3c3a2 MoinMoin/web/flup_frontend.py
+--- a/MoinMoin/web/flup_frontend.py    Mon Jan 18 22:40:49 2010 +0100
++++ b/MoinMoin/web/flup_frontend.py    Mon Jan 18 23:05:58 2010 +0100
+@@ -129,6 +129,11 @@
+         if have_singlepatch:
+             server_types['single'] = 'flup.server.fcgi_single'
+ 
++        def run(self, args=None):
++            if 'GATEWAY_INTERFACE' in os.environ:
++                sys.argv = []
++            super(CGIFrontEnd, self).run(args)
++
+     class SCGIFrontEnd(FlupFrontEnd):
+         server_types = {'threaded': 'flup.server.scgi',
+                         'forking': 'flup.server.scgi_fork'}
+@@ -144,6 +149,11 @@
+                             "support is available.")
+             super(CGIFrontEnd, self).__init__()
+ 
++        def run(self, args=None):
++            if 'GATEWAY_INTERFACE' in os.environ:
++                sys.argv = []
++            super(CGIFrontEnd, self).run(args)
++
+         def run_server(self, application, options):
+             from MoinMoin.web._fallback_cgi import WSGIServer
+             return WSGIServer(application).run()
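Review bot: both new `run()` methods use `os.environ` and `sys.argv`, but the hunk does not show the imports at the top of MoinMoin/web/flup_frontend.py; please confirm `os` and `sys` are both imported there, since a NameError would only surface at request time under CGI. The two methods are identical copies, one per CGIFrontEnd definition (the flup-backed class and the `_fallback_cgi` one); that is tolerable because the two classes live in separate branches, but a small shared helper would keep them from drifting. It is also worth checking that the base FlupFrontEnd.run() tolerates an empty sys.argv once it has been cleared (for example, that it does not read sys.argv[0] as the program name).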
+diff -r 44c165260367 -r 9d8e7ce3c3a2 wiki/server/moin.cgi
+--- a/wiki/server/moin.cgi     Mon Jan 18 22:40:49 2010 +0100
++++ b/wiki/server/moin.cgi     Mon Jan 18 23:05:58 2010 +0100
+@@ -34,9 +34,6 @@
+ # this works around a bug in flup's CGI autodetection (as of flup 1.0.1):
+ os.environ['FCGI_FORCE_CGI'] = 'Y' # 'Y' for (slow) CGI, 'N' for FCGI
+ 
+-if 'GATEWAY_INTERFACE' in os.environ:
+-    sys.argv = []
+-
+ from MoinMoin.web.flup_frontend import CGIFrontEnd
+ CGIFrontEnd().run()
+ 
diff --git a/debian/patches/series b/debian/patches/series
index fa0e1b8..7069d41 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,5 @@ hardcode_configdir.patch
 disable_gui_editor_if_fckeditor_missing.patch
 htdocs_moved_to_usr_share_moin.patch
 use_systemwide_libs.patch
+fix_sys.argv_issue_1of2.patch
+fix_sys.argv_issue_2of2.patch
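Review bot: fix_sys.argv_issue_2of2.patch removes every line that fix_sys.argv_issue_1of2.patch adds to wiki/server/moin.cgi, so applying both leaves that file unchanged and only the flup_frontend.py change remains. For a security upload the series would be easier to review as a single patch carrying the final state (the flup_frontend.py hunks) rather than two that partly cancel out; if keeping one patch per upstream commit is preferred, the order here is correct, since 2of2's moin.cgi hunk depends on the context that 1of2 introduces.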
