[moin] [DSA-1514-1] multiple vulnerabilities

Bug #200897 reported by disabled.user
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| moin (Ubuntu) | Invalid | Undecided | Unassigned | |
| Dapper | Fix Released | Undecided | Jamie Strandboge | |
| Gutsy | Fix Released | Undecided | Jamie Strandboge | |
| Hardy | Fix Released | Undecided | Unassigned | |
| Intrepid | Invalid | Undecided | Unassigned | |
| Jaunty | Invalid | Undecided | Unassigned | |

Declined for Edgy by Martin Pitt
Declined for Feisty by Jamie Strandboge

Bug Description

Binary package hint: moin

References:
DSA-1514-1 (http://www.debian.org/security/2008/dsa-1514)

Quoting:
"Several remote vulnerabilities have been discovered in MoinMoin, a
Python clone of WikiWiki. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2007-2423

    A cross-site-scripting vulnerability has been discovered in
    attachment handling.

CVE-2007-2637

    Access control lists for calendars and includes were
    insufficiently enforced, which could lead to information
    disclosure.

CVE-2008-0780

    A cross-site-scripting vulnerability has been discovered in
    the login code.

CVE-2008-0781

    A cross-site-scripting vulnerability has been discovered in
    attachment handling.

CVE-2008-0782

    A directory traversal vulnerability in cookie handling could
    lead to local denial of service by overwriting files.

CVE-2008-1098

    Cross-site-scripting vulnerabilities have been discovered in
    the GUI editor formatter and the code to delete pages.

CVE-2008-1099

    The macro code validates access control lists insufficiently,
    which could lead to information disclosure."

jepler (jepler) wrote :

I have not been able to independently confirm whether these bugs are fixed in the current moin package on hardy, but according to changelog.Debian.gz, the following CVEs listed above have been fixed in 1.5.8-5.1ubuntu2: 2008-0780 2008-0781 2008-0782. The other CVEs and the DSA aren't explicitly mentioned in the changelog.

It is frustrating as a mere user of moinmoin to be unsure whether these vulnerabilities (known before hardy was released!) are patched or not.

Kees Cook (kees)
Changed in moin:
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

2007-2423 was fixed in 1.5.7-3 (Dapper and Gutsy also have the fix)
2007-2637 was fixed in 1.5.7-2 and 1.5.8 upstream. While not clear from the changelog, Dapper and Gutsy also have this commit http://hg.moinmo.in/moin/1.5/rev/0e41a0429ee1 (this CVE may have been split after publication)

2008-0780, 2008-0781, 2008-0782: fixed in hardy and later
2008-1098, 2008-1099: fixed in hardy (1.5.8-2) and later

Gutsy and Dapper are affected by 2008-0780, 2008-0781, 2008-0782, 2008-1098, 2008-1099.

Changed in moin:
status: New → Invalid
status: Confirmed → Invalid
status: New → Invalid
status: New → Confirmed
status: New → Confirmed
Changed in moin:
status: Confirmed → Fix Committed
assignee: nobody → jdstrand
status: Confirmed → Fix Committed
assignee: nobody → jdstrand
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package moin - 1.5.7-3ubuntu2.1

---------------
moin (1.5.7-3ubuntu2.1) gutsy-security; urgency=low

  * SECURITY UPDATE: cross-site scripting via rename parameter and
    basename variable
    - debian/patches/30001_CVE-2009-0260.patch: use wikiutil.escape() in
      MoinMoin/action/AttachFile.py
    - CVE-2009-0260
  * SECURITY UPDATE: cross-site scripting via content variable
    - debian/pathes/30002_antispam_xss_fix.patch: use wikiutil.escape()
      in MoinMoin/util/antispam.py
    - CVE-2009-XXXX
  * SECURITY UPDATE: cross-site scripting in login
    - debian/patches/30003_CVE-2008-0780.patch: update action/login.py to use
      wikiutil.escape() for name
    - CVE-2008-0780
    - LP: #200897
  * SECURITY UPDATE: cross-site scripting in AttachFile
    - debian/patches/30004_CVE-2008-0781.patch: use wikiutil.escape() for
      msg, pagename and target filenames in MoinMoin/action/AttachFile.py
    - CVE-2008-0781
  * SECURITY UPDATE: directory traversal vulnerability via MOIN_ID in userform
      cookie action
    - debian/patches/30005_CVE-2008-0782.patch: update MoinMoin/user.py to
      check USERID via the new id_sanitycheck() function
    - CVE-2008-0782
  * SECURITY UPDATE: cross-site scripting in PageEditor
    - debian/patches/30006_CVE-2008-1098.patch: use wikiutil.escape() in
      MoinMoin/PageEditor.py
    - CVE-2008-1098
  * SECURITY UPDATE: _macro_Getval does not properly enforce ACLs
    - debian/patches/30007_CVE-2008-1099.patch: update wikimacro.py and
      wikiutil.py to use request.user.may.read()
    - CVE-2008-1099

 -- Jamie Strandboge <email address hidden> Tue, 27 Jan 2009 16:15:53 -0600

Changed in moin:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package moin - 1.5.8-5.1ubuntu2.2

---------------
moin (1.5.8-5.1ubuntu2.2) hardy-security; urgency=low

  * SECURITY UPDATE: cross-site scripting via rename parameter and
    basename variable
    - debian/patches/30001_CVE-2009-0260.patch: use wikiutil.escape() in
      MoinMoin/action/AttachFile.py
    - CVE-2009-0260
  * SECURITY UPDATE: cross-site scripting via content variable
    - debian/pathes/30002_antispam_xss_fix.patch: use wikiutil.escape()
      in MoinMoin/util/antispam.py
    - CVE-2009-XXXX
  * SECURITY UPDATE: cross-site scripting in login
    - debian/patches/30003_CVE-2008-0780.patch: update action/login.py to use
      wikiutil.escape() for name
    - CVE-2008-0780
    - LP: #200897
  * SECURITY UPDATE: cross-site scripting in AttachFile
    - debian/patches/30004_CVE-2008-0781.patch: use wikiutil.escape() for
      msg, pagename and target filenames in MoinMoin/action/AttachFile.py
    - CVE-2008-0781
  * SECURITY UPDATE: directory traversal vulnerability via MOIN_ID in userform
      cookie action
    - debian/patches/30005_CVE-2008-0782.patch: update MoinMoin/user.py to
      check USERID via the new id_sanitycheck() function
    - CVE-2008-0782

 -- Jamie Strandboge <email address hidden> Thu, 29 Jan 2009 17:37:53 -0600

Changed in moin:
status: Invalid → Fix Released
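
The CVE-2008-0782 entries in the two changelogs above describe checking the cookie-supplied user ID before it is used as a file name. A sketch of that kind of check follows, added here as an illustration and not MoinMoin's or Ubuntu's actual patch; the function names, the assumed ID shape (digit groups separated by dots) and the sample values are constructed for this example.

```python
import os
import re
import tempfile

# Assumption for this example only: a valid ID is digit groups joined by dots.
_ID_RE = re.compile(r"\A[0-9]+(\.[0-9]+)*\Z")


def sanitycheck_user_id(user_id):
    """Return user_id if it has the expected shape, otherwise None."""
    if isinstance(user_id, str) and len(user_id) <= 64 and _ID_RE.match(user_id):
        return user_id
    return None


def profile_path_unchecked(user_dir, cookie_id):
    """'Before' behaviour: the cookie value becomes a file name as-is."""
    return os.path.normpath(os.path.join(user_dir, cookie_id))


def profile_path_checked(user_dir, cookie_id):
    """'After' behaviour: reject malformed IDs, then confirm containment."""
    user_id = sanitycheck_user_id(cookie_id)
    if user_id is None:
        return None
    base = os.path.realpath(user_dir)
    path = os.path.realpath(os.path.join(base, user_id))
    # Defence in depth: the resolved path must still sit inside user_dir.
    if os.path.commonpath([base, path]) != base:
        return None
    return path


if __name__ == "__main__":
    # Constructed sample values; the directory is only used to build paths.
    user_dir = os.path.join(tempfile.gettempdir(), "wiki-demo", "data", "user")
    for cookie in ("1233098153.12.3456", "../../../somefile", "/tmp/x", "12\n"):
        print(repr(cookie))
        print("  unchecked:", profile_path_unchecked(user_dir, cookie))
        print("  checked:  ", profile_path_checked(user_dir, cookie))
```
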
Jamie Strandboge (jdstrand) wrote :
Changed in moin:
status: Fix Committed → Fix Released
Fumihito YOSHIDA (hito) wrote :

> - debian/pathes/30002_antispam_xss_fix.patch: use wikiutil.escape()
> in MoinMoin/util/antispam.py
> - CVE-2009-XXXX

It was registered as CVE-2009-0312. CVE Link added.

This report contains Public Security information  
Everyone can see this security related information.
