Your message dated Tue, 19 Feb 2008 21:02:13 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#462984: fixed in moin 1.5.8-5.1
has caused the Debian Bug report #462984,
regarding python-moinmoin: MOIN_ID cookie bug
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
462984: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462984
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: python-moinmoin
Version: 1.5.8-5
Severity: important
Tags: patch

Allows a malicious user to overwrite files via a bogus cookie.  Should
the severity on this be grave?

Example exploit: http://www.milw0rm.com/exploits/4957 

Here is the upstream patch, which can also be found at
http://hg.moinmo.in/moin/1.5/rev/e69a16b6e630 :

--- a/MoinMoin/user.py  Sun Oct 08 15:06:37 2006 +0200
+++ b/MoinMoin/user.py  Sun Jan 20 23:27:48 2008 +0100
@@ -6,7 +6,7 @@
     @license: GNU GPL, see COPYING for details.
 """
 
-import os, time, sha, codecs
+import os, time, sha, codecs, re
 
 try:
     import cPickle as pickle
@@ -19,6 +19,7 @@ from MoinMoin import config, caching, wi
 from MoinMoin import config, caching, wikiutil
 from MoinMoin.util import filesys, timefuncs
 
+USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
 
 def getUserList(request):
     """ Get a list of all (numerical) user IDs.
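Review bot: `USERID_re` ends in `$`, and in Python `$` also matches just before a trailing newline, so a value such as `123.456\n` passes this allowlist; use `\Z` instead (`re.compile(r'^\d+\.\d+(\.\d+)?\Z')`) so the entire cookie value must match. Hoisting the pattern to module level is otherwise the right move, since both `getUserList` and the `User` constructor should agree on what a user ID looks like.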
@@ -27,10 +28,9 @@ def getUserList(request):
     @rtype: list
     @return: all user IDs
     """
-    import re, dircache
-    user_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
+    import dircache
     files = dircache.listdir(request.cfg.user_dir)
-    userlist = [f for f in files if user_re.match(f)]
+    userlist = [f for f in files if USERID_re.match(f)]
     return userlist
 
 
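Review bot: style point on the `getUserList` hunk: with the regex moved out, `import dircache` is still done inside the function; consider placing it with the module-level imports for consistency. The filtering behaviour is unchanged, only the shared `USERID_re` is used now.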
@@ -210,7 +210,7 @@ class User:
         self._cfg = request.cfg
         self.valid = 0
         self.trusted = 0
-        self.id = id
+        self.id = self.id_sanitycheck(id)
         self.auth_username = auth_username
         self.auth_method = kw.get('auth_method', 'internal')
         self.auth_attribs = kw.get('auth_attribs', ())
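Review bot: `self.id = self.id_sanitycheck(id)` silently replaces a rejected cookie value with `None`, so a tampered MOIN_ID cookie degrades to an anonymous session without leaving any trace. A value that fails `USERID_re` is a strong tamper signal; consider logging the rejection (without echoing the raw value unescaped) so administrators can notice probing, and confirm that the remainder of `__init__` treats `id is None` the same way as a missing cookie.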
@@ -298,6 +298,15 @@ class User:
         # use it reliably in edit locking
         from random import randint
         return "%s.%d" % (str(time.time()), randint(0,65535))
+
+    def id_sanitycheck(self, id):
+        """ only return valid user IDs, avoid someone faking his cookie to
+            contain '../../../somefile', breaking out of the data/user/ 
directory!
+        """
+        if id and USERID_re.match(id):
+            return id
+        else:
+            return None
 
     def create_or_update(self, changed=False):
         """ Create or update a user profile
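Review bot: the docstring of `id_sanitycheck` has been wrapped in transit (`directory!` sits on a line of its own with no `+` marker), so the hunk as shown will not apply cleanly; rejoin that line before applying. Also, the method takes `self` but uses no instance state and its parameter `id` shadows the built-in; a module-level helper or `@staticmethod` taking `userid` would read more clearly. The allowlist approach itself is the correct one for attacker-controlled input.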


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-moinmoin depends on:
ii  moinmoin-common               1.5.8-5    Python clone of WikiWiki - common 
ii  python                        2.4.4-6    An interactive high-level object-o
ii  python-support                0.7.6      automated rebuilding support for p

Versions of packages python-moinmoin recommends:
ii  exim4                         4.69-1     meta-package to ease Exim MTA (v4)
ii  exim4-daemon-light [mail-tran 4.69-1     lightweight Exim MTA (v4) daemon

-- no debconf information

-- 
BOFH excuse #345:
Having to manually track the satellite.



--- End Message ---
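As an added illustration (not code from the bug report or from MoinMoin), the check below applies the same allowlist idea as the upstream patch to a cookie-derived user ID, with two additions of mine: a `\Z` end anchor instead of `$`, and a second, path-based containment check so that the resolved profile file must stay under the user directory even if the ID check were ever weakened. The directory path and sample cookie values are constructed for the example.

```python
import os
import re

# Allowlist for MoinMoin-style numeric user IDs: "<time>.<random>" with an
# optional third component. \Z is used instead of $ because re's $ also
# matches just before a trailing "\n" and would let "123.456\n" through.
USERID_RE = re.compile(r"\d+\.\d+(?:\.\d+)?\Z")


def sanitize_userid(cookie_value):
    """Return the ID if it is well-formed, else None (as the upstream fix does).
    The cookie is attacker-controlled, so only an allowlist is acceptable."""
    if cookie_value and USERID_RE.match(cookie_value):
        return cookie_value
    return None


def profile_path(user_dir, userid):
    """Defence in depth: the profile file must resolve inside user_dir.
    Returns the absolute path, or None if the resolved path escapes."""
    base = os.path.realpath(user_dir)
    target = os.path.realpath(os.path.join(base, userid))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def resolve_profile(user_dir, cookie_value):
    """Both checks combined; a rejected cookie yields None (anonymous session)."""
    userid = sanitize_userid(cookie_value)
    if userid is None:
        return None
    return profile_path(user_dir, userid)


if __name__ == "__main__":
    # Constructed sample cookie values: one legitimate, the rest malformed.
    samples = ["1200867491.61.54587", "../../../somefile",
               "1200867491.61\n", "", "1200867491.61/../../etc/passwd"]
    for value in samples:
        print(repr(value), "->", resolve_profile("/var/lib/moin/data/user", value))
```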
--- Begin Message ---
Source: moin
Source-Version: 1.5.8-5.1

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.5.8-5.1.diff.gz
  to pool/main/m/moin/moin_1.5.8-5.1.diff.gz
moin_1.5.8-5.1.dsc
  to pool/main/m/moin/moin_1.5.8-5.1.dsc
moinmoin-common_1.5.8-5.1_all.deb
  to pool/main/m/moin/moinmoin-common_1.5.8-5.1_all.deb
python-moinmoin_1.5.8-5.1_all.deb
  to pool/main/m/moin/python-moinmoin_1.5.8-5.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Viehmann <[EMAIL PROTECTED]> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 19 Feb 2008 22:38:10 +0100
Source: moin
Binary: moinmoin-common python-moinmoin
Architecture: source all
Version: 1.5.8-5.1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <[EMAIL PROTECTED]>
Changed-By: Thomas Viehmann <[EMAIL PROTECTED]>
Description: 
 moinmoin-common - Python clone of WikiWiki - common data
 python-moinmoin - Python clone of WikiWiki - library
Closes: 462984
Changes: 
 moin (1.5.8-5.1) unstable; urgency=high
 .
   * NMU with maintainer consent, urgency for security updates
   * update upstream patches to moin-1.5 branch revision 856 to fix bugs
     + cross-site scripting vulnerabilities using AttachFile,
       CVE-2008-0781
     + directory traversal in MOIN_ID cookie vulnerability,
       CVE-2008-0782 (Closes: #462984)
     + XSS problem in login, CVE-2008-780
Files: 
 7703f3d6a17120559018ef203c22e9a2 879 net optional moin_1.5.8-5.1.dsc
 197373b40368686f7d808b582a5676b7 60044 net optional moin_1.5.8-5.1.diff.gz
 de66d9910702137efae93d1c4b2d909d 1669978 net optional moinmoin-common_1.5.8-5.1_all.deb
 dc55bb027970948f3c1cca2b5c7c342f 1016896 python optional python-moinmoin_1.5.8-5.1_all.deb




--- End Message ---
