A vulnerability affecting MoinMoin 1.9 up to (and including) 1.9.4 was recently found and fixed:

http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html
http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16

Fix: The patch at http://codelabs.ru/fbsd/ports/moinmoin/1.9.4-fix-cve-2012-4404.diff applies the upstream fix. I tested it on my Tinderbox and MoinMoin instance: the vulnerability was gone.

QA page: http://codelabs.ru/fbsd/ports/qa/www/moinmoin/1.9.4_1

If this fix or an update to 1.9.5 is committed, one should use
{{{
Security: http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html
}}}
in the commit message.

How-To-Repeat: Look at the above URLs. Try to create a group with the string "All" in its name, restrict a page's access rights like
{{{
#acl AllGoodPersonsGroup:read all:
}}}
and visit the page as a user who isn't in AllGoodPersonsGroup. The page should be visible to that user.
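The How-To-Repeat above, reduced to a runnable model. This is an added example, not code from the PR, from MoinMoin or from the upstream changeset: the group-ACL check of MoinMoin/security/__init__.py is re-implemented in a few lines with both the pre-fix substring test on the group NAME and the fixed membership test on the group's MEMBERS, and run against the PR's scenario. The `Wiki` class, `parse_acl`, `may`, the sample users and the capitalised `All:` deny entry (MoinMoin's spelling of the virtual group, used instead of the PR's `all:`) are assumptions of this example; the All/Known/Trusted handlers are simplified (known = has an account, trusted = logged in by a trusted method), and an ACL that decides nothing is treated as a deny here instead of falling through to the wiki's default ACL.

```python
"""Model of MoinMoin 1.9's group ACL evaluation, before and after the
CVE-2012-4404 fix. Added example: the names below are this example's
own, not MoinMoin's API."""

# Valid rights, as in MoinMoin's default acl_rights_valid.
ACL_RIGHTS_VALID = ("read", "write", "delete", "revert", "admin")

# MoinMoin's virtual groups. The fixed code stops at the first one found
# among a group's members, so this order decides which handler runs.
SPECIAL_USERS = ("All", "Known", "Trusted")


def parse_acl(acl_string):
    """Expand 'A,B:read,write All:' into [(entry, rightsdict), ...].

    Every entry gets a dict with each valid right set to True or False,
    so 'All:' (no rights listed) is an explicit deny for everyone.
    """
    acl = []
    for clause in acl_string.split():
        entries, _, rights = clause.partition(":")
        granted = {r for r in rights.split(",") if r}
        unknown = granted - set(ACL_RIGHTS_VALID)
        if unknown:
            raise ValueError("unknown rights: %s" % sorted(unknown))
        for entry in entries.split(","):
            if entry:
                acl.append((entry, {r: r in granted for r in ACL_RIGHTS_VALID}))
    return acl


class Wiki:
    """Stand-in for the request/config state the real check consults
    (assumed shape; not MoinMoin's request object)."""

    def __init__(self, groups, known_users=(), trusted_users=()):
        self.groups = {name: frozenset(members) for name, members in groups.items()}
        self.known_users = frozenset(known_users)
        self.trusted_users = frozenset(trusted_users)

    # Virtual-group handlers, simplified from _special_All/_Known/_Trusted.
    # None means "this entry does not decide", so evaluation continues.
    def _special_All(self, name, dowhat, rightsdict):
        return rightsdict.get(dowhat)

    def _special_Known(self, name, dowhat, rightsdict):
        return rightsdict.get(dowhat) if name in self.known_users else None

    def _special_Trusted(self, name, dowhat, rightsdict):
        return rightsdict.get(dowhat) if name in self.trusted_users else None


def may(wiki, acl, name, dowhat, vulnerable=False):
    """May user `name` do `dowhat` under `acl`? Returns True or False.

    vulnerable=True reproduces the pre-fix test, a substring match of the
    virtual group's name against the group NAME; vulnerable=False is the
    fixed test, membership of the virtual group in the group's MEMBERS.
    """
    allowed = None
    for entry, rightsdict in acl:
        if entry in SPECIAL_USERS:
            allowed = getattr(wiki, "_special_" + entry)(name, dowhat, rightsdict)
        elif entry in wiki.groups:
            this_group = wiki.groups[entry]
            if name in this_group:
                allowed = rightsdict.get(dowhat)
            else:
                for special in SPECIAL_USERS:
                    hit = special in entry if vulnerable else special in this_group
                    if hit:
                        allowed = getattr(wiki, "_special_" + special)(name, dowhat, rightsdict)
                        break  # order of SPECIAL_USERS is important
        elif entry == name:
            allowed = rightsdict.get(dowhat)
        if allowed is not None:
            return allowed
    return False  # nothing decided: deny (simplification; MoinMoin falls back to default ACLs)


def pr_scenario():
    """The PR's How-To-Repeat: a group whose NAME contains 'All'. Constructed data."""
    wiki = Wiki(groups={"AllGoodPersonsGroup": {"Antony"}},
                known_users={"Antony", "Charles"})
    acl = parse_acl("AllGoodPersonsGroup:read All:")
    return {user + "/" + mode: may(wiki, acl, user, "read", vulnerable=(mode == "vulnerable"))
            for user in ("Antony", "Charles") for mode in ("vulnerable", "fixed")}


def member_scenario():
    """The other direction from the changeset description: 'Trusted' as a MEMBER."""
    wiki = Wiki(groups={"SomeGroup": {"JoeDoe", "Trusted"}},
                known_users={"JoeDoe", "Mallory", "Zoe"}, trusted_users={"Zoe"})
    acl = parse_acl("SomeGroup:read,write All:read")
    return {user + "/" + mode: may(wiki, acl, user, "write", vulnerable=(mode == "vulnerable"))
            for user in ("JoeDoe", "Zoe", "Mallory") for mode in ("vulnerable", "fixed")}


if __name__ == "__main__":
    for label, result in (("name contains 'All'", pr_scenario()),
                          ("'Trusted' as member", member_scenario())):
        print(label)
        for key in sorted(result):
            print("  %-20s %s" % (key, result[key]))
```

Run stand-alone, the "vulnerable" rows show Charles, who is in no group, reading the page purely because the group name starts with "All"; the same substring test would have fired on any group name containing "Known" or "Trusted" as well. The second scenario shows why the fix matters in the other direction too: before it, a group listing "Trusted" as a member granted nothing to trusted users, because the check never looked at the members at all.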
Responsible Changed From-To: freebsd-ports-bugs->rea Submitter has GNATS access (via the GNATS Auto Assign Tool)
Maintainer of www/moinmoin,

Please note that PR ports/171346 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it.

The full text of the PR can be found at:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/171346

--
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Approved
Author: rea Date: Tue Sep 11 07:51:07 2012 New Revision: 304084 URL: http://svn.freebsd.org/changeset/ports/304084 Log: www/moinmoin: fix CVE-2012-4404, wrong processing of group ACLs Using upstream patch from http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16 PR: 171346 QA page: http://codelabs.ru/fbsd/ports/qa/www/moinmoin/1.9.4_1 Approved by: khsing.cn@gmail.com (maintainer) Security: http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html Added: head/www/moinmoin/files/patch-cve-2012-4404 (contents, props changed) Modified: head/security/vuxml/vuln.xml head/www/moinmoin/Makefile Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Sep 11 06:44:54 2012 (r304083) +++ head/security/vuxml/vuln.xml Tue Sep 11 07:51:07 2012 (r304084) @@ -157,7 +157,7 @@ Note: Please add new entries to the beg <affects> <package> <name>moinmoin</name> - <range><ge>1.9</ge><lt>1.9.5</lt></range> + <range><ge>1.9</ge><lt>1.9.4_1</lt></range> </package> </affects> <description> @@ -193,6 +193,7 @@ Note: Please add new entries to the beg <dates> <discovery>2012-09-03</discovery> <entry>2012-09-05</entry> + <modified>2012-09-11</modified> </dates> </vuln> Modified: head/www/moinmoin/Makefile ============================================================================== --- head/www/moinmoin/Makefile Tue Sep 11 06:44:54 2012 (r304083) +++ head/www/moinmoin/Makefile Tue Sep 11 07:51:07 2012 (r304084) @@ -7,6 +7,7 @@ PORTNAME= moinmoin PORTVERSION= 1.9.4 +PORTREVISION= 1 CATEGORIES= www python MASTER_SITES= http://static.moinmo.in/files/ DISTNAME= moin-${PORTVERSION} Added: head/www/moinmoin/files/patch-cve-2012-4404 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/moinmoin/files/patch-cve-2012-4404 Tue Sep 11 07:51:07 2012 (r304084) 
@@ -0,0 +1,137 @@ +Obtained-from: http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16 + +# HG changeset patch +# User Thomas Waldmann <tw AT waldmann-edv DOT de> +# Date 1346679035 -7200 +# Node ID 7b9f39289e16b37344480025f191d8b64480c834 +# Parent 0e58d9bcd3bd8ab3a89506d66bc0c8df85c16d2c +security fix: fix virtual group bug in ACL evaluation, add a test for it + +affected moin releases: all 1.9 releases up to and including 1.9.4 + +moin releases < 1.9 are NOT affected. + +You can find out the moin version by looking at SystemInfo page or at the +output of <<SystemInfo>> macro. + +Issue description: + +We have code that checks whether a group has special members "All" or "Known" +or "Trusted", but there was a bug that checked whether these are present in +the group NAME (not, as intended, in the group MEMBERS). + +a) If you have group MEMBERS like "All" or "Known" or "Trusted", they did not +work until now, but will start working with this changeset. + +E.g. SomeGroup: + * JoeDoe + * Trusted + +SomeGroup will now (correctly) include JoeDoe and also all trusted users. + +It (erroneously) contained only "JoeDoe" and "Trusted" (as a username, not +as a virtual group) before. + +b) If you have group NAMES containing "All" or "Known" or "Trusted", they behaved +wrong until now (they erroneously included All/Known/Trusted users even if +you did not list them as members), but will start working correctly with this +changeset. + +E.g. AllFriendsGroup: + * JoeDoe + +AllFriendsGroup will now (correctly) include only JoeDoe. +It (erroneously) contained all users (including JoeDoe) before. + +E.g. MyTrustedFriendsGroup: + * JoeDoe + +MyTrustedFriendsGroup will now (correctly) include only JoeDoe. +It (erroneously) contained all trusted users and JoeDoe before. 
+ +diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/__init__.py +--- MoinMoin/security/__init__.py Fri Aug 03 17:36:02 2012 +0200 ++++ MoinMoin/security/__init__.py Mon Sep 03 15:30:35 2012 +0200 +@@ -320,11 +320,12 @@ + handler = getattr(self, "_special_"+entry, None) + allowed = handler(request, name, dowhat, rightsdict) + elif entry in groups: +- if name in groups[entry]: ++ this_group = groups[entry] ++ if name in this_group: + allowed = rightsdict.get(dowhat) + else: + for special in self.special_users: +- if special in entry: ++ if special in this_group: + handler = getattr(self, "_special_" + special, None) + allowed = handler(request, name, dowhat, rightsdict) + break # order of self.special_users is important +diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/_tests/test_security.py +--- MoinMoin/security/_tests/test_security.py Fri Aug 03 17:36:02 2012 +0200 ++++ MoinMoin/security/_tests/test_security.py Mon Sep 03 15:30:35 2012 +0200 +@@ -16,10 +16,11 @@ + acliter = security.ACLStringIterator + AccessControlList = security.AccessControlList + ++from MoinMoin.datastruct import ConfigGroups + from MoinMoin.PageEditor import PageEditor + from MoinMoin.user import User + +-from MoinMoin._tests import become_trusted, create_page, nuke_page ++from MoinMoin._tests import wikiconfig, become_trusted, create_page, nuke_page + + class TestACLStringIterator(object): + +@@ -248,6 +249,50 @@ + assert not acl.may(self.request, user, right) + + ++class TestGroupACL(object): ++ ++ class Config(wikiconfig.Config): ++ def groups(self, request): ++ groups = { ++ u'PGroup': frozenset([u'Antony', u'Beatrice', ]), ++ u'AGroup': frozenset([u'All', ]), ++ # note: the next line is a INTENDED misnomer, there is "All" in ++ # the group NAME, but not in the group members. This makes ++ # sure that a bug that erroneously checked "in groupname" (instead ++ # of "in groupmembers") does not reappear. 
++ u'AllGroup': frozenset([]), # note: intended misnomer ++ } ++ return ConfigGroups(request, groups) ++ ++ def testApplyACLByGroup(self): ++ """ security: applying acl by group name""" ++ # This acl string... ++ acl_rights = [ ++ "PGroup,AllGroup:read,write,admin " ++ "AGroup:read " ++ ] ++ acl = security.AccessControlList(self.request.cfg, acl_rights) ++ ++ # Should apply these rights: ++ users = ( ++ # user, rights ++ ('Antony', ('read', 'write', 'admin', )), # in PGroup ++ ('Beatrice', ('read', 'write', 'admin', )), # in PGroup ++ ('Charles', ('read', )), # virtually in AGroup ++ ) ++ ++ # Check rights ++ for user, may in users: ++ mayNot = [right for right in self.request.cfg.acl_rights_valid ++ if right not in may] ++ # User should have these rights... ++ for right in may: ++ assert acl.may(self.request, user, right) ++ # But NOT these: ++ for right in mayNot: ++ assert not acl.may(self.request, user, right) ++ ++ + class TestPageAcls(object): + """ security: real-life access control list on pages testing + """ + _______________________________________________ svn-ports-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-ports-all To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
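Review bot: the `<lt>1.9.5</lt>` to `<lt>1.9.4_1</lt>` change in the vuln.xml hunk only holds together with the `PORTREVISION= 1` line added in the Makefile hunk; an installed moinmoin-1.9.4 sorts below 1.9.4_1 and stays flagged by the audit tools, while the patched 1.9.4_1 and a later 1.9.5 both sort above the bound, so the entry needs no further edit when the port is updated to 1.9.5. Keep the two hunks in one commit, as done here. The `<modified>2012-09-11</modified>` line is right, since the entry already existed (`<entry>2012-09-05</entry>`) rather than being created by this commit.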
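Review bot: files/patch-cve-2012-4404 carries the `# HG changeset patch` header and the whole changeset description ahead of the first `diff -r` line; patch(1) skips leading text, so this is harmless, and together with the `Obtained-from:` line it keeps the provenance checkable, so keep it. The paths are bare (`MoinMoin/security/__init__.py`, no a/ or b/ prefix), which is what the ports framework's default `-p0` strip expects. The test-suite hunk is applied as well although the port never runs the tests; that is dead weight but not a problem.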
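Review bot: in the MoinMoin/security/__init__.py hunk the `break` after the handler call fires even when the handler returned None (`_special_Trusted` for a user who is not trusted), so a group whose members list two virtual groups is decided solely by whichever comes first in `self.special_users`; that is only safe because each later name is a subset of the earlier one (a trusted user is known, a known user is in All), and the comment `# order of self.special_users is important` would be more useful if it said so. The replaced line `if special in entry:` was a substring test on the group name, so it also fired on names containing "Known" or "Trusted", not only "All" as in the PR; the new `if special in this_group:` is a membership test on the group object, the same test the existing `if name in this_group:` line already relies on.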
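Review bot: the regression test in test_security.py covers the name misnomer only for `u'AllGroup': frozenset([])` and the member case only for `u'AGroup': frozenset([u'All', ])`, while the old substring test matched all three special names and the changeset description documents both directions for Trusted as well; a `u'TrustedGroup': frozenset([])` misnomer plus a group with member `u'Trusted'`, checked with one trusted and one untrusted user, would pin down the `_special_Trusted` path and the `break` ordering too. Minor: `acl_rights` is a one-element list built by implicit concatenation of two literals with trailing spaces, `"PGroup,AllGroup:read,write,admin " "AGroup:read "`, which reads like two entries; a single literal, or a comment saying the two clauses form one ACL line, would avoid that.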
State Changed From-To: feedback->closed Committed, thanks!