Hey folks, There's been a set of security updates in moin in the last couple of weeks, with 2 very important ones today. I've already coordinated with the security team for fixes in Squeeze (1.9.3-1+squeeze4) and I've uploaded into sid (1.9.5-4). In Wheezy, we're currently on 1.9.4-8. What would you say to a TPU upload with the attached debdiff? -- Steve McIntyre, Cambridge, UK. steve@einval.com "Since phone messaging became popular, the young generation has lost the ability to read or write anything that is longer than one hundred and sixty characters." -- Ignatios Souvatzis
diff -Nru moin-1.9.4/debian/changelog moin-1.9.4/debian/changelog
--- moin-1.9.4/debian/changelog 2012-09-05 01:57:33.000000000 +0100
+++ moin-1.9.4/debian/changelog 2012-12-29 19:20:43.000000000 +0000
@@ -1,8 +1,22 @@
+moin (1.9.4-8+deb7u1) testing-proposed-updates; urgency=high
+
+ * Stack of security fixes from upstream:
+ + make taintfilename more secure
+ + escape user- or admin-defined css url
+ + use a constant time str comparison function to prevent timing
+ attacks
+ + fix remote code execution vulnerability in twikidraw/anywikidraw
+ actions (CVE-2012-XXXX).
+ + fix path traversal vulnerability in AttachFile action
+ (CVE-2012-XXXX).
+
+ -- Steve McIntyre <93sam@debian.org> Sat, 29 Dec 2012 19:20:37 +0100
+
moin (1.9.4-8) unstable; urgency=high
* High urgency for a security fix
* Add patch from upstream to fix a virtual group bug in ACL evaluation
- (CVE-2012-XXXX).
+ (CVE-2012-4404).
-- Steve McIntyre <93sam@debian.org> Wed, 05 Sep 2012 01:57:30 +0100
diff -Nru moin-1.9.4/debian/patches/attachfile-path-traversal.patch moin-1.9.4/debian/patches/attachfile-path-traversal.patch
--- moin-1.9.4/debian/patches/attachfile-path-traversal.patch 1970-01-01 01:00:00.000000000 +0100
+++ moin-1.9.4/debian/patches/attachfile-path-traversal.patch 2012-12-29 19:12:17.000000000 +0000
@@ -0,0 +1,42 @@
+
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1356801565 -3600
+# Node ID 3c27131a3c5275dac568b073e930fb6b2e0be907
+# Parent ef1bee86328f2bccf6bfa9f5050372a5ea686df6
+security: fix path traversal vulnerability in AttachFile action
+
+diff -r ef1bee86328f -r 3c27131a3c52 MoinMoin/action/AttachFile.py
+--- a/MoinMoin/action/AttachFile.py Sat Dec 29 17:13:39 2012 +0100
++++ b/MoinMoin/action/AttachFile.py Sat Dec 29 18:19:25 2012 +0100
+@@ -678,6 +678,18 @@
+
+
+ def move_file(request, pagename, new_pagename, attachment, new_attachment):
++ """
++ move a file attachment from pagename:attachment to new_pagename:new_attachment
++
++ @param pagename: original pagename
++ @param new_pagename: new pagename (may be same as original pagename)
++ @param attachment: original attachment filename
++ note: attachment filename must not contain a path,
++ use wikiutil.taintfilename() before calling move_file
++ @param new_attachment: new attachment filename (may be same as original filename)
++ note: attachment filename must not contain a path,
++ use wikiutil.taintfilename() before calling move_file
++ """
+ _ = request.getText
+
+ newpage = Page(request, new_pagename)
+@@ -740,6 +752,10 @@
+ upload_form(pagename, request, msg=_("Move aborted because new attachment name is empty."))
+
+ attachment = request.form.get('oldattachmentname')
++ if attachment != wikiutil.taintfilename(attachment):
++ upload_form(pagename, request, msg=_("Please use a valid filename for attachment '%(filename)s'.") % {
++ 'filename': attachment})
++ return
+ move_file(request, pagename, new_pagename, attachment, new_attachment)
+
+
+
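Review bot: The new `wikiutil.taintfilename(attachment)` check is reached with `None` when the form carries no `oldattachmentname`, because `request.form.get('oldattachmentname')` on the line above has no default, and with the regex-based `taintfilename` introduced in secure_taintfile_name.patch that raises a `TypeError` from `re.sub` instead of producing the "Please use a valid filename" message. A guard such as `if not attachment or attachment != wikiutil.taintfilename(attachment):` keeps a missing or empty name on the `upload_form` error path. The new `move_file` docstring requires `new_attachment` to be tainted as well, but the corresponding check on `newattachmentname` is not in this hunk — presumably it sits in the lines above, which is worth confirming before upload. The enclosing move handler starts before the hunk and `move_file` continues after it.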
diff -Nru moin-1.9.4/debian/patches/constant_time_strcmp.patch moin-1.9.4/debian/patches/constant_time_strcmp.patch
--- moin-1.9.4/debian/patches/constant_time_strcmp.patch 1970-01-01 01:00:00.000000000 +0100
+++ moin-1.9.4/debian/patches/constant_time_strcmp.patch 2012-12-29 19:07:48.000000000 +0000
@@ -0,0 +1,90 @@
+
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1355091650 -3600
+# Node ID 840ebd16ddd97b325b9977967632dc43cd18a198
+# Parent b9450db6c129f71eb18dee16dc81a28e931654ea
+use a constant time str comparison function to prevent timing attacks
+
+diff -r b9450db6c129 -r 840ebd16ddd9 MoinMoin/security/textcha.py
+--- a/MoinMoin/security/textcha.py Sat Dec 08 22:54:04 2012 +0100
++++ b/MoinMoin/security/textcha.py Sun Dec 09 23:20:50 2012 +0100
+@@ -28,6 +28,8 @@
+ from MoinMoin import log
+ logging = log.getLogger(__name__)
+
++from werkzeug.security import safe_str_cmp as safe_str_equal
++
+ from MoinMoin import wikiutil
+ from MoinMoin.support.python_compatibility import hmac_new
+
+@@ -136,7 +139,7 @@
+ if not timestamp or timestamp + self.expiry_time < time():
+ success = False
+ try:
+- if self._compute_signature(self.question, timestamp) != signature:
++ if not safe_str_equal(self._compute_signature(self.question, timestamp), signature):
+ success = False
+ except TypeError:
+ success = False
+diff -r b9450db6c129 -r 840ebd16ddd9 MoinMoin/user.py
+--- a/MoinMoin/user.py Sat Dec 08 22:54:04 2012 +0100
++++ b/MoinMoin/user.py Sun Dec 09 23:20:50 2012 +0100
+@@ -28,6 +28,8 @@
+ except ImportError:
+ crypt = None
+
++from werkzeug.security import safe_str_cmp as safe_str_equal
++
+ from MoinMoin.support.python_compatibility import hash_new, hmac_new
+
+ from MoinMoin import config, caching, wikiutil, i18n, events
+@@ -538,7 +540,7 @@
+ salt = d[:2]
+ enc = crypt.crypt(password.encode('utf-8'), salt.encode('ascii'))
+
+- if epwd == method + enc:
++ if safe_str_equal(epwd, method + enc):
+ data['enc_password'] = encodePassword(password) # upgrade to SSHA
+ return True, True
+ return False, False
+@@ -548,7 +550,7 @@
+ salt = data[20:]
+ hash = hash_new('sha1', password.encode('utf-8'))
+ hash.update(salt)
+- return hash.digest() == data[:20], False
++ return safe_str_equal(hash.digest(), data[:20]), False
+
+ # No encoded password match, this must be wrong password
+ return False, False
+@@ -1025,7 +1027,7 @@
+ # check hmac
+ # key must be of type string
+ h = hmac_new(str(self.recoverpass_key), str(stamp)).hexdigest()
+- if h != parts[1]:
++ if not safe_str_equal(h, parts[1]):
+ return False
+ self.recoverpass_key = ""
+ self.enc_password = encodePassword(newpass)
+diff -r b9450db6c129 -r 840ebd16ddd9 MoinMoin/wikiutil.py
+--- a/MoinMoin/wikiutil.py Sat Dec 08 22:54:04 2012 +0100
++++ b/MoinMoin/wikiutil.py Sun Dec 09 23:20:50 2012 +0100
+@@ -20,6 +20,8 @@
+ from MoinMoin import log
+ logging = log.getLogger(__name__)
+
++from werkzeug.security import safe_str_cmp as safe_str_equal
++
+ from MoinMoin import config
+ from MoinMoin.support.python_compatibility import rsplit
+ from inspect import getargspec, isfunction, isclass, ismethod
+@@ -2553,7 +2555,7 @@
+ # if the ticket was created within a session.
+ ourticket = createTicket(request, timestamp_str)
+ logging.debug("checkTicket: returning %r, got %r, expected %r" % (ticket == ourticket, ticket, ourticket))
+- return ticket == ourticket
++ return safe_str_equal(ticket, ourticket)
+
+
+ def renderText(request, Parser, text):
+
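Review bot: The `logging.debug` context line directly above the changed `return` in `checkTicket` still evaluates `ticket == ourticket` on every call, because the `%` formatting runs before the log level is consulted, so the early-exit comparison this patch replaces is still executed once per ticket check; drop that expression from the log line or use `safe_str_equal(ticket, ourticket)` there as well. The three new module-level `from werkzeug.security import safe_str_cmp` lines make a werkzeug that provides `safe_str_cmp` a hard import-time requirement of `wikiutil.py`, `user.py` and `textcha.py`, and this debdiff does not touch `debian/control`; a versioned `Depends` on `python-werkzeug` would make that explicit for the wheezy upload. The `checkTicket` function and the password-check code continue outside the hunk.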
diff -Nru moin-1.9.4/debian/patches/draw-taintfile.patch moin-1.9.4/debian/patches/draw-taintfile.patch
--- moin-1.9.4/debian/patches/draw-taintfile.patch 1970-01-01 01:00:00.000000000 +0100
+++ moin-1.9.4/debian/patches/draw-taintfile.patch 2012-12-29 19:10:35.000000000 +0000
@@ -0,0 +1,55 @@
+
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1356789929 -3600
+# Node ID 7e7e1cbb9d3fbef8be61fa0506ee26f96cfb28fb
+# Parent 671124d91dc125264ad2d78ccca80f0b6ddf8351
+security: fix remote code execution vulnerability in twikidraw/anywikidraw actions
+
+We have wikiutil.taintfilename() to make user supplied filenames safe,
+so that they can't contain any "special" characters like path separators, etc.
+It is used at many places in moin, but wasn't used here. :|
+
+diff -r 671124d91dc1 -r 7e7e1cbb9d3f MoinMoin/action/AttachFile.py
+--- a/MoinMoin/action/AttachFile.py Mon Dec 24 23:49:10 2012 +0100
++++ b/MoinMoin/action/AttachFile.py Sat Dec 29 15:05:29 2012 +0100
+@@ -603,6 +603,14 @@
+ """ A storage container (multiple objects in 1 tarfile) """
+
+ def __init__(self, request, pagename, containername):
++ """
++ @param pagename: a wiki page name
++ @param containername: the filename of the tar file.
++ Make sure this is a simple filename, NOT containing any path components.
++ Use wikiutil.taintfilename() to avoid somebody giving a container
++ name that starts with e.g. ../../filename or you'll create a
++ directory traversal and code execution vulnerability.
++ """
+ self.request = request
+ self.pagename = pagename
+ self.containername = containername
+diff -r 671124d91dc1 -r 7e7e1cbb9d3f MoinMoin/action/anywikidraw.py
+--- a/MoinMoin/action/anywikidraw.py Mon Dec 24 23:49:10 2012 +0100
++++ b/MoinMoin/action/anywikidraw.py Sat Dec 29 15:05:29 2012 +0100
+@@ -197,6 +197,8 @@
+
+ def execute(pagename, request):
+ target = request.values.get('target')
++ target = wikiutil.taintfilename(target)
++
+ awd = AnyWikiDraw(request, pagename, target)
+
+ do = request.values.get('do')
+diff -r 671124d91dc1 -r 7e7e1cbb9d3f MoinMoin/action/twikidraw.py
+--- a/MoinMoin/action/twikidraw.py Mon Dec 24 23:49:10 2012 +0100
++++ b/MoinMoin/action/twikidraw.py Sat Dec 29 15:05:29 2012 +0100
+@@ -208,6 +208,8 @@
+
+ def execute(pagename, request):
+ target = request.values.get('target')
++ target = wikiutil.taintfilename(target)
++
+ twd = TwikiDraw(request, pagename, target)
+
+ do = request.values.get('do')
+
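Review bot: In both `execute` functions `wikiutil.taintfilename(target)` is called with `None` when the request has no `target` parameter, since `request.values.get('target')` has no default, and the regex-based `taintfilename` raises a `TypeError` on `None`; either default to `''` or return an error before the call, depending on what `AnyWikiDraw`/`TwikiDraw` expect for a missing target (not visible here). The new `ContainerItem.__init__` docstring only documents the no-path-components requirement; applying `self.containername = wikiutil.taintfilename(containername)` in the constructor would also cover any caller that builds a `ContainerItem` directly, and is idempotent for names already sanitised. Both `execute` functions and `__init__` continue outside the hunk.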
diff -Nru moin-1.9.4/debian/patches/escape_css_url.patch moin-1.9.4/debian/patches/escape_css_url.patch
--- moin-1.9.4/debian/patches/escape_css_url.patch 1970-01-01 01:00:00.000000000 +0100
+++ moin-1.9.4/debian/patches/escape_css_url.patch 2012-12-12 16:07:38.000000000 +0000
@@ -0,0 +1,21 @@
+
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1354999660 -3600
+# Node ID d0567fba754edf749a62f3a31f7be5a70456b0b2
+# Parent d3090fb6624f600c64076e161a47207496ad356b
+escape user- or admin-defined css url
+
+diff -r d3090fb6624f -r d0567fba754e MoinMoin/theme/__init__.py
+--- a/MoinMoin/theme/__init__.py Sat Dec 08 21:20:24 2012 +0100
++++ b/MoinMoin/theme/__init__.py Sat Dec 08 21:47:40 2012 +0100
+@@ -687,7 +687,7 @@
+ if theme:
+ href = '%s/%s/css/%s.css' % (self.cfg.url_prefix_static, self.name, href)
+ attrs = 'type="text/css" charset="%s" media="%s" href="%s"' % (
+- self.stylesheetsCharset, media, href, )
++ self.stylesheetsCharset, media, wikiutil.escape(href, True), )
+ if title:
+ return '<link rel="alternate stylesheet" %s title="%s">' % (attrs, title)
+ else:
+
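Review bot: Only `href` is escaped in the changed `attrs` line; `media` on the same line and `title` in the `<link rel="alternate stylesheet" ... title="%s">` line below are interpolated into the same attribute context unescaped, so if either of them can come from the same user- or admin-defined source the fix is incomplete — their origin is not visible in this hunk. If they are influenced by untrusted input, `wikiutil.escape(media, True)` and `wikiutil.escape(title, True)` would close that the same way. The enclosing method continues outside the hunk.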
diff -Nru moin-1.9.4/debian/patches/secure_taintfile_name.patch moin-1.9.4/debian/patches/secure_taintfile_name.patch
--- moin-1.9.4/debian/patches/secure_taintfile_name.patch 1970-01-01 01:00:00.000000000 +0100
+++ moin-1.9.4/debian/patches/secure_taintfile_name.patch 2012-12-29 19:07:34.000000000 +0000
@@ -0,0 +1,25 @@
+
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1354998024 -3600
+# Node ID d3090fb6624f600c64076e161a47207496ad356b
+# Parent 20a27e94a7f956b65e342eedaa9436292db407e8
+make taintfilename more secure
+
+diff -r 20a27e94a7f9 -r d3090fb6624f MoinMoin/wikiutil.py
+--- a/MoinMoin/wikiutil.py Fri Sep 28 15:04:15 2012 +0200
++++ b/MoinMoin/wikiutil.py Sat Dec 08 21:20:24 2012 +0100
+@@ -2266,9 +2266,9 @@
+ @rtype: string
+ @return: (safer) filename
+ """
+- for x in (os.pardir, ':', '/', '\\', '<', '>'):
+- basename = basename.replace(x, '_')
+-
++ # note: filenames containing ../ (or ..\) are made safe by replacing
++ # the / (or the \). the .. will be kept, but is harmless then.
++ basename = re.sub('[\x00-\x1f:/\\\\<>"*?%|]', '_', basename)
+ return basename
+
+
+
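Review bot: The new `re.sub` character class no longer neutralises a basename consisting solely of `..` (or `.`), which the removed `os.pardir` replacement did, so `taintfilename('..')` now returns `'..'` unchanged; whether any caller joins such a bare name onto a directory path cannot be seen here, but a cheap guard after the substitution, `if basename in ('.', '..'): basename = '_'`, removes the question. The added comment explains why `../` is harmless but should mention this bare-name case too. DEL (`\x7f`) is also not in the `\x00-\x1f` range of the class, which is worth a second look. The rest of `taintfilename` starts before the hunk.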
diff -Nru moin-1.9.4/debian/patches/series moin-1.9.4/debian/patches/series
--- moin-1.9.4/debian/patches/series 2012-09-05 01:58:55.000000000 +0100
+++ moin-1.9.4/debian/patches/series 2012-12-29 19:12:21.000000000 +0000
@@ -6,3 +6,8 @@
subscribercache.patch
mail-verification.patch
CVE-2012-XXX-virtual-group-ACL.patch
+constant_time_strcmp.patch
+escape_css_url.patch
+secure_taintfile_name.patch
+draw-taintfile.patch
+attachfile-path-traversal.patch