
Bug#686763: unblock: moin/1.9.4-8



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package moin; security fix for CVE-2012-4404.

debdiff attached.

unblock moin/1.9.4-8

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru moin-1.9.4/debian/changelog moin-1.9.4/debian/changelog
--- moin-1.9.4/debian/changelog	2012-08-10 14:31:06.000000000 +0100
+++ moin-1.9.4/debian/changelog	2012-09-05 01:57:33.000000000 +0100
@@ -1,3 +1,11 @@
+moin (1.9.4-8) unstable; urgency=high
+
+  * High urgency for a security fix
+  * Add patch from upstream to fix a virtual group bug in ACL evaluation
+    (CVE-2012-XXXX).
+
+ -- Steve McIntyre <93sam@debian.org>  Wed, 05 Sep 2012 01:57:30 +0100
+
 moin (1.9.4-7) unstable; urgency=low
 
   * subprocess.check_output only appeared in python 2.7. Use
diff -Nru moin-1.9.4/debian/patches/CVE-2012-XXX-virtual-group-ACL.patch moin-1.9.4/debian/patches/CVE-2012-XXX-virtual-group-ACL.patch
--- moin-1.9.4/debian/patches/CVE-2012-XXX-virtual-group-ACL.patch	1970-01-01 01:00:00.000000000 +0100
+++ moin-1.9.4/debian/patches/CVE-2012-XXX-virtual-group-ACL.patch	2012-09-05 01:58:10.000000000 +0100
@@ -0,0 +1,136 @@
+
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1346679035 -7200
+# Node ID 7b9f39289e16b37344480025f191d8b64480c834
+# Parent  0e58d9bcd3bd8ab3a89506d66bc0c8df85c16d2c
+security fix: fix virtual group bug in ACL evaluation, add a test for it
+
+affected moin releases: all 1.9 releases up to and including 1.9.4
+
+moin releases < 1.9 are NOT affected.
+
+You can find out the moin version by looking at SystemInfo page or at the
+output of <<SystemInfo>> macro.
+
+Issue description:
+
+We have code that checks whether a group has special members "All" or "Known"
+or "Trusted", but there was a bug that checked whether these are present in
+the group NAME (not, as intended, in the group MEMBERS).
+
+a) If you have group MEMBERS like "All" or "Known" or "Trusted", they did not
+work until now, but will start working with this changeset.
+
+E.g. SomeGroup:
+ * JoeDoe
+ * Trusted
+
+SomeGroup will now (correctly) include JoeDoe and also all trusted users.
+
+It (erroneously) contained only "JoeDoe" and "Trusted" (as a username, not
+as a virtual group) before.
+
+b) If you have group NAMES containing "All" or "Known" or "Trusted", they behaved
+wrong until now (they erroneously included All/Known/Trusted users even if
+you did not list them as members), but will start working correctly with this
+changeset.
+
+E.g. AllFriendsGroup:
+ * JoeDoe
+
+AllFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all users (including JoeDoe) before.
+
+E.g. MyTrustedFriendsGroup:
+ * JoeDoe
+
+MyTrustedFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all trusted users and JoeDoe before.
+
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/__init__.py
+--- a/MoinMoin/security/__init__.py	Fri Aug 03 17:36:02 2012 +0200
++++ b/MoinMoin/security/__init__.py	Mon Sep 03 15:30:35 2012 +0200
+@@ -320,11 +320,12 @@
+                 handler = getattr(self, "_special_"+entry, None)
+                 allowed = handler(request, name, dowhat, rightsdict)
+             elif entry in groups:
+-                if name in groups[entry]:
++                this_group = groups[entry]
++                if name in this_group:
+                     allowed = rightsdict.get(dowhat)
+                 else:
+                     for special in self.special_users:
+-                        if special in entry:
++                        if special in this_group:
+                             handler = getattr(self, "_special_" + special, None)
+                             allowed = handler(request, name, dowhat, rightsdict)
+                             break # order of self.special_users is important
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/_tests/test_security.py
+--- a/MoinMoin/security/_tests/test_security.py	Fri Aug 03 17:36:02 2012 +0200
++++ b/MoinMoin/security/_tests/test_security.py	Mon Sep 03 15:30:35 2012 +0200
+@@ -16,10 +16,11 @@
+ acliter = security.ACLStringIterator
+ AccessControlList = security.AccessControlList
+ 
++from MoinMoin.datastruct import ConfigGroups
+ from MoinMoin.PageEditor import PageEditor
+ from MoinMoin.user import User
+ 
+-from MoinMoin._tests import become_trusted, create_page, nuke_page
++from MoinMoin._tests import wikiconfig, become_trusted, create_page, nuke_page
+ 
+ class TestACLStringIterator(object):
+ 
+@@ -248,6 +249,50 @@
+                 assert not acl.may(self.request, user, right)
+ 
+ 
++class TestGroupACL(object):
++
++    class Config(wikiconfig.Config):
++        def groups(self, request):
++            groups = {
++                u'PGroup': frozenset([u'Antony', u'Beatrice', ]),
++                u'AGroup': frozenset([u'All', ]),
++                # note: the next line is a INTENDED misnomer, there is "All" in
++                # the group NAME, but not in the group members. This makes
++                # sure that a bug that erroneously checked "in groupname" (instead
++                # of "in groupmembers") does not reappear.
++                u'AllGroup': frozenset([]), # note: intended misnomer
++            }
++            return ConfigGroups(request, groups)
++
++    def testApplyACLByGroup(self):
++        """ security: applying acl by group name"""
++        # This acl string...
++        acl_rights = [
++            "PGroup,AllGroup:read,write,admin "
++            "AGroup:read "
++            ]
++        acl = security.AccessControlList(self.request.cfg, acl_rights)
++
++        # Should apply these rights:
++        users = (
++            # user, rights
++            ('Antony', ('read', 'write', 'admin', )),  # in PGroup
++            ('Beatrice', ('read', 'write', 'admin', )),  # in PGroup
++            ('Charles', ('read', )),  # virtually in AGroup
++            )
++
++        # Check rights
++        for user, may in users:
++            mayNot = [right for right in self.request.cfg.acl_rights_valid
++                      if right not in may]
++            # User should have these rights...
++            for right in may:
++                assert acl.may(self.request, user, right)
++            # But NOT these:
++            for right in mayNot:
++                assert not acl.may(self.request, user, right)
++
++
+ class TestPageAcls(object):
+     """ security: real-life access control list on pages testing
+     """
+
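Review bot: The patch added here is named CVE-2012-XXX-virtual-group-ACL.patch and the changelog entry in the first hunk cites `(CVE-2012-XXXX).`, while the unblock request itself names CVE-2012-4404; the placeholder should be replaced before upload so the security tracker and anyone auditing the package can match changelog, patch and series entry to the advisory, i.e. `(CVE-2012-4404).` in the changelog and a matching rename in debian/patches/series. On the code side the corrected membership test `if special in this_group:` is the right check, but the following `handler = getattr(self, "_special_" + special, None)` still calls `handler(...)` without a None guard, so a special_users entry with no `_special_*` method would raise rather than deny; presumably special_users is a fixed list with a handler for each, but that cannot be confirmed from this hunk. The new TestGroupACL covers a member "All" and the intentionally misnamed "AllGroup", but not the "Trusted" or "Known" member case the issue description calls out, which would be a cheap addition to the same fixture. The enclosing ACL evaluation loop in MoinMoin/security/__init__.py starts and ends outside the quoted hunk.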
diff -Nru moin-1.9.4/debian/patches/series moin-1.9.4/debian/patches/series
--- moin-1.9.4/debian/patches/series	2012-04-30 17:22:20.000000000 +0100
+++ moin-1.9.4/debian/patches/series	2012-09-05 01:58:55.000000000 +0100
@@ -5,3 +5,4 @@
 recaptcha.patch
 subscribercache.patch
 mail-verification.patch
+CVE-2012-XXX-virtual-group-ACL.patch
