tags 410338 + patch thanks Hi,
Attached is the diff for my moin 1.5.3-1.2 NMU. Greetings Martin
reverted:
--- moin-1.5.3/MoinMoin/i18n/meta.py
+++ moin-1.5.3.orig/MoinMoin/i18n/meta.py
@@ -25,8 +25,8 @@
 'nb': (u'Norsk Bokmål', u'Norwegian Bokmal', 'utf-8', 0, """Joerg Cassens <[EMAIL PROTECTED]>""",),
 'nl': (u'Nederlands', u'Dutch', 'utf-8', 0, """Reinout van Schouwen <[EMAIL PROTECTED]>""",),
 'pl': (u'Polski', u'Polish', 'utf-8', 0, """Wojciech Palacz <[EMAIL PROTECTED]>""",),
+'pt': (u'Português', u'Portuguese', 'utf-8', 0, """Leonardo Gregianin""",),
 'pt-br': (u'Português do Brasil', u'Brazillian Portuguese', 'utf-8', 0, """Leonardo Gregianin <[EMAIL PROTECTED]>""",),
-'pt': (u'Português', u'Portuguese', 'utf-8', 0, """Leonardo Gregianin""",),
 'ro': (u'Română', u'Romanian', 'utf-8', 0, """Ovidiu Sabou <[EMAIL PROTECTED]>""",),
 'ru': (u'Русский', u'Russian', 'utf-8', 0, """Mike Rovner <[EMAIL PROTECTED]>""",),
 'sl': (u'slovenščina', u'Slovenian', 'utf-8', 0, """Mark Martinec <[EMAIL PROTECTED]>""",),
diff -u moin-1.5.3/debian/changelog moin-1.5.3/debian/changelog
--- moin-1.5.3/debian/changelog
+++ moin-1.5.3/debian/changelog
@@ -1,3 +1,10 @@
+moin (1.5.3-1.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Adding patch from BTS to fix CVE-2007-0857 (Closes: #410338)
+
+ -- Martin Zobel-Helas <[EMAIL PROTECTED]> Tue, 27 Feb 2007 10:00:39 +0100
+
 moin (1.5.3-1.1) unstable; urgency=low
 
 [ Pierre Habouzit ]
only in patch2:
unchanged:
--- moin-1.5.3.orig/debian/patches/010_CVE-2007-0857.patch
+++ moin-1.5.3/debian/patches/010_CVE-2007-0857.patch
@@ -0,0 +1,86 @@
+diff -Nur moin-1.5.3/MoinMoin/action/AttachFile.py moin-1.5.3.new/MoinMoin/action/AttachFile.py
+--- moin-1.5.3/MoinMoin/action/AttachFile.py 2006-04-05 11:58:07.000000000 -0700
++++ moin-1.5.3.new/MoinMoin/action/AttachFile.py 2007-02-09 13:55:30.283298168 -0800
+@@ -275,7 +275,7 @@
+ str = str + "</ul>"
+ else:
+ if showheader:
+- str = '%s<p>%s</p>' % (str, _("No attachments stored for %(pagename)s") % {'pagename': pagename})
++ str = '%s<p>%s</p>' % (str, _("No attachments stored for %(pagename)s") % {'pagename': wikiutil.escape(pagename)})
+
+ return str
+
+diff -Nur moin-1.5.3/MoinMoin/action/LikePages.py moin-1.5.3.new/MoinMoin/action/LikePages.py
+--- moin-1.5.3/MoinMoin/action/LikePages.py 2006-03-22 01:25:59.000000000 -0800
++++ moin-1.5.3.new/MoinMoin/action/LikePages.py 2007-02-09 13:55:30.283298168 -0800
+@@ -28,14 +28,14 @@
+ # No matches
+ if not matches:
+ Page(request, pagename).send_page(request,
+- msg = _('No pages like "%s"!') % (pagename,))
++ msg = _('No pages like "%s"!') % (wikiutil.escape(pagename),))
+ return
+
+ # One match - display it
+ if len(matches) == 1:
+ Page(request, matches.keys()[0]).send_page(request,
+ msg = _('Exactly one page like "%s" found, redirecting to page.') % (
+- pagename,))
++ wikiutil.escape(pagename),))
+ return
+
+ # more than one match, list 'em
+@@ -44,7 +44,7 @@
+ # This action generate data using the user language
+ request.setContentLanguage(request.lang)
+
+- wikiutil.send_title(request, _('Pages like "%s"') % (pagename),
++ wikiutil.send_title(request, _('Pages like "%s"') % (wikiutil.escape(pagename)),
+ pagename=pagename)
+
+ # Start content - IMPORTANT - without content div, there is no
+diff -Nur moin-1.5.3/MoinMoin/action/LocalSiteMap.py moin-1.5.3.new/MoinMoin/action/LocalSiteMap.py
+--- moin-1.5.3/MoinMoin/action/LocalSiteMap.py 2005-09-22 09:22:09.000000000 -0700
++++ moin-1.5.3.new/MoinMoin/action/LocalSiteMap.py 2007-02-09 13:55:30.283298168 -0800
+@@ -70,7 +70,7 @@
+ if not name: return
+ self.append(' ' * (5*depth))
+ self.append(' ' + wikiutil.link_tag(request, '%s?action=%s' %
+- (wikiutil.quoteWikinameURL(name), __name__.split('.')[-1]), name))
++ (wikiutil.quoteWikinameURL(name), __name__.split('.')[-1]), wikiutil.escape(name)))
+ self.append(" <small>[")
+ self.append(Page(request, name).link_to(request, 'view'))
+ self.append("</small>]<br>")
+diff -Nur moin-1.5.3/MoinMoin/action/RenamePage.py moin-1.5.3.new/MoinMoin/action/RenamePage.py
+--- moin-1.5.3/MoinMoin/action/RenamePage.py 2007-02-09 13:55:06.000000000 -0800
++++ moin-1.5.3.new/MoinMoin/action/RenamePage.py 2007-02-09 13:55:58.224726583 -0800
+@@ -148,7 +148,7 @@
+ 'error': error,
+ 'action': self.__class__.__name__,
+ 'ticket': wikiutil.createTicket(),
+- 'pagename': self.pagename,
++ 'pagename': wikiutil.escape(self.pagename, 1),
+ 'rename': _('Rename Page'),
+ 'cancel': _('Cancel'),
+ 'newname_label': _("New name"),
+@@ -188,7 +188,7 @@
+ _ = self.request.getText
+ self.error = _("""'''A page with the name {{{'%s'}}} already exists.'''
+
+-Try a different name.""") % (pagename,)
++Try a different name.""") % (wikiutil.escape(pagename),)
+
+
+ def execute(pagename, request):
+diff -Nur moin-1.5.3/MoinMoin/theme/__init__.py moin-1.5.3.new/MoinMoin/theme/__init__.py
+--- moin-1.5.3/MoinMoin/theme/__init__.py 2006-04-15 12:09:38.000000000 -0700
++++ moin-1.5.3.new/MoinMoin/theme/__init__.py 2007-02-09 13:55:30.287298372 -0800
+@@ -628,7 +628,7 @@
+ info = _("last edited %(time)s by %(editor)s") % info
+ else:
+ info = _("last modified %(time)s") % info
+- pagename = page.page_name
++ pagename = wikiutil.escape(page.page_name)
+ if self.request.cfg.show_interwiki:
+ pagename = "%s: %s" % (self.request.cfg.interwikiname, pagename)
+ info = "%s (%s)" % (pagename, info)
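Review bot: In the `@@ -44,7` hunk of LikePages.py the title text is escaped at the call site, `_('Pages like "%s"') % (wikiutil.escape(pagename))`, while the same call still passes the raw name as `pagename=pagename`. Whether `send_title` escapes its title argument itself is not visible here; if it does, names containing `&` or `<` will render double-escaped, so it is worth checking which side owns the escaping and recording it in a comment such as `# send_title emits the title as HTML; escape the user-supplied name here`. The parenthesised argument is also a bare expression rather than a tuple, unlike `(wikiutil.escape(pagename),)` in the `@@ -28,14` hunk; adding the trailing comma would keep the two forms consistent.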
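Review bot: The error text in the `@@ -188,7` hunk of RenamePage.py is wiki markup (`'''A page with the name {{{'%s'}}} already exists.'''`), and `wikiutil.escape(pagename)` only neutralises HTML metacharacters. How `self.error` is rendered is outside the hunk: if it goes through the wiki formatter, the already-escaped name may be displayed with literal `&lt;`-style entities, and markup sequences in the name such as `}}}` are not covered by HTML escaping at all. Please confirm the output context and state it in a comment next to the assignment. In the `@@ -148,7` hunk, `wikiutil.escape(self.pagename, 1)` is the only call in the patch with a second argument; a comment like `# quote=1: value is placed inside an HTML attribute` would explain the difference, assuming that is the reason.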
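Review bot: In the theme/__init__.py hunk, `pagename = wikiutil.escape(page.page_name)` stores HTML-escaped text under a name that everywhere else in this patch holds the raw page name. The enclosing function starts and ends outside the hunk, so a later use of `pagename` as a lookup key or URL component would silently receive escaped text. Escaping at the point of output keeps the variable raw and also covers `cfg.interwikiname`, which is currently interpolated unescaped: leave `pagename = page.page_name` and change the last line to `info = "%s (%s)" % (wikiutil.escape(pagename), info)`.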