
Bug#686763: marked as done (unblock: moin/1.9.4-8)



Your message dated Wed, 05 Sep 2012 19:53:29 +0100
with message-id <1346871209.842.4.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#686763: unblock: moin/1.9.4-8
has caused the Debian Bug report #686763,
regarding unblock: moin/1.9.4-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
686763: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686763
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package moin; security fix for CVE-2012-4404.

debdiff attached.

unblock moin/1.9.4-8

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru moin-1.9.4/debian/changelog moin-1.9.4/debian/changelog
--- moin-1.9.4/debian/changelog	2012-08-10 14:31:06.000000000 +0100
+++ moin-1.9.4/debian/changelog	2012-09-05 01:57:33.000000000 +0100
@@ -1,3 +1,11 @@
+moin (1.9.4-8) unstable; urgency=high
+
+  * High urgency for a security fix
+  * Add patch from upstream to fix a virtual group bug in ACL evaluation
+    (CVE-2012-XXXX).
+
+ -- Steve McIntyre <93sam@debian.org>  Wed, 05 Sep 2012 01:57:30 +0100
+
 moin (1.9.4-7) unstable; urgency=low
 
   * subprocess.check_output only appeared in python 2.7. Use
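Review bot: the changelog entry for 1.9.4-8 still carries the placeholder "(CVE-2012-XXXX)" although the unblock request itself names CVE-2012-4404; replace the placeholder with the real identifier before upload so the changelog, the security tracker and the bug log all refer to the same CVE. The patch file referenced later in the debdiff uses yet another spelling ("CVE-2012-XXX"), so the two should be brought in line at the same time.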
diff -Nru moin-1.9.4/debian/patches/CVE-2012-XXX-virtual-group-ACL.patch moin-1.9.4/debian/patches/CVE-2012-XXX-virtual-group-ACL.patch
--- moin-1.9.4/debian/patches/CVE-2012-XXX-virtual-group-ACL.patch	1970-01-01 01:00:00.000000000 +0100
+++ moin-1.9.4/debian/patches/CVE-2012-XXX-virtual-group-ACL.patch	2012-09-05 01:58:10.000000000 +0100
@@ -0,0 +1,136 @@
+
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1346679035 -7200
+# Node ID 7b9f39289e16b37344480025f191d8b64480c834
+# Parent  0e58d9bcd3bd8ab3a89506d66bc0c8df85c16d2c
+security fix: fix virtual group bug in ACL evaluation, add a test for it
+
+affected moin releases: all 1.9 releases up to and including 1.9.4
+
+moin releases < 1.9 are NOT affected.
+
+You can find out the moin version by looking at SystemInfo page or at the
+output of <<SystemInfo>> macro.
+
+Issue description:
+
+We have code that checks whether a group has special members "All" or "Known"
+or "Trusted", but there was a bug that checked whether these are present in
+the group NAME (not, as intended, in the group MEMBERS).
+
+a) If you have group MEMBERS like "All" or "Known" or "Trusted", they did not
+work until now, but will start working with this changeset.
+
+E.g. SomeGroup:
+ * JoeDoe
+ * Trusted
+
+SomeGroup will now (correctly) include JoeDoe and also all trusted users.
+
+It (erroneously) contained only "JoeDoe" and "Trusted" (as a username, not
+as a virtual group) before.
+
+b) If you have group NAMES containing "All" or "Known" or "Trusted", they behaved
+wrong until now (they erroneously included All/Known/Trusted users even if
+you did not list them as members), but will start working correctly with this
+changeset.
+
+E.g. AllFriendsGroup:
+ * JoeDoe
+
+AllFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all users (including JoeDoe) before.
+
+E.g. MyTrustedFriendsGroup:
+ * JoeDoe
+
+MyTrustedFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all trusted users and JoeDoe before.
+
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/__init__.py
+--- a/MoinMoin/security/__init__.py	Fri Aug 03 17:36:02 2012 +0200
++++ b/MoinMoin/security/__init__.py	Mon Sep 03 15:30:35 2012 +0200
+@@ -320,11 +320,12 @@
+                 handler = getattr(self, "_special_"+entry, None)
+                 allowed = handler(request, name, dowhat, rightsdict)
+             elif entry in groups:
+-                if name in groups[entry]:
++                this_group = groups[entry]
++                if name in this_group:
+                     allowed = rightsdict.get(dowhat)
+                 else:
+                     for special in self.special_users:
+-                        if special in entry:
++                        if special in this_group:
+                             handler = getattr(self, "_special_" + special, None)
+                             allowed = handler(request, name, dowhat, rightsdict)
+                             break # order of self.special_users is important
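Review bot: the one-line root cause is the old `if special in entry:` test, where `entry` is the group name string, so "All", "Known" or "Trusted" appearing as a substring of a group name (e.g. "AllFriendsGroup") granted the ACL entry to every user, known user or trusted user regardless of the group's actual members; the replacement `if special in this_group:` correctly tests membership in the group's member collection, which is the behaviour the surrounding `if name in this_group:` branch already relied on. Two points worth confirming for the backport: the group objects returned by the configured groups backend must support `in` for member names (the test in the next hunk uses `frozenset` via `ConfigGroups`, so this holds for the config backend), and the loop still takes the first matching entry of `self.special_users` and breaks, so the ordering comment on the `break` line remains load-bearing and should be kept.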
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/_tests/test_security.py
+--- a/MoinMoin/security/_tests/test_security.py	Fri Aug 03 17:36:02 2012 +0200
++++ b/MoinMoin/security/_tests/test_security.py	Mon Sep 03 15:30:35 2012 +0200
+@@ -16,10 +16,11 @@
+ acliter = security.ACLStringIterator
+ AccessControlList = security.AccessControlList
+ 
++from MoinMoin.datastruct import ConfigGroups
+ from MoinMoin.PageEditor import PageEditor
+ from MoinMoin.user import User
+ 
+-from MoinMoin._tests import become_trusted, create_page, nuke_page
++from MoinMoin._tests import wikiconfig, become_trusted, create_page, nuke_page
+ 
+ class TestACLStringIterator(object):
+ 
+@@ -248,6 +249,50 @@
+                 assert not acl.may(self.request, user, right)
+ 
+ 
++class TestGroupACL(object):
++
++    class Config(wikiconfig.Config):
++        def groups(self, request):
++            groups = {
++                u'PGroup': frozenset([u'Antony', u'Beatrice', ]),
++                u'AGroup': frozenset([u'All', ]),
++                # note: the next line is a INTENDED misnomer, there is "All" in
++                # the group NAME, but not in the group members. This makes
++                # sure that a bug that erroneously checked "in groupname" (instead
++                # of "in groupmembers") does not reappear.
++                u'AllGroup': frozenset([]), # note: intended misnomer
++            }
++            return ConfigGroups(request, groups)
++
++    def testApplyACLByGroup(self):
++        """ security: applying acl by group name"""
++        # This acl string...
++        acl_rights = [
++            "PGroup,AllGroup:read,write,admin "
++            "AGroup:read "
++            ]
++        acl = security.AccessControlList(self.request.cfg, acl_rights)
++
++        # Should apply these rights:
++        users = (
++            # user, rights
++            ('Antony', ('read', 'write', 'admin', )),  # in PGroup
++            ('Beatrice', ('read', 'write', 'admin', )),  # in PGroup
++            ('Charles', ('read', )),  # virtually in AGroup
++            )
++
++        # Check rights
++        for user, may in users:
++            mayNot = [right for right in self.request.cfg.acl_rights_valid
++                      if right not in may]
++            # User should have these rights...
++            for right in may:
++                assert acl.may(self.request, user, right)
++            # But NOT these:
++            for right in mayNot:
++                assert not acl.may(self.request, user, right)
++
++
+ class TestPageAcls(object):
+     """ security: real-life access control list on pages testing
+     """
+
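Review bot: the new `TestGroupACL` covers both halves of the advisory, case (a) through `AGroup` (member "All" gives the non-member Charles read) and case (b) through `AllGroup` (a misnamed group with no members must grant nothing to Charles despite appearing in the "read,write,admin" entry), which is the right shape for a regression test; it would be stronger if the misnomer case also covered the other two special names, for example an empty `KnownGroup` and `TrustedGroup` listed in the same ACL entry, since the fixed loop iterates over all of `self.special_users` and only "All" is exercised here. Minor: the comment on the `AllGroup` line should read "an INTENDED misnomer" rather than "a INTENDED misnomer".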
diff -Nru moin-1.9.4/debian/patches/series moin-1.9.4/debian/patches/series
--- moin-1.9.4/debian/patches/series	2012-04-30 17:22:20.000000000 +0100
+++ moin-1.9.4/debian/patches/series	2012-09-05 01:58:55.000000000 +0100
@@ -5,3 +5,4 @@
 recaptcha.patch
 subscribercache.patch
 mail-verification.patch
+CVE-2012-XXX-virtual-group-ACL.patch
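Review bot: the patch is added to `series` under a placeholder name ("CVE-2012-XXX"); renaming it to carry the assigned CVE-2012-4404 identifier (and updating this line accordingly) keeps the patch traceable from the security tracker, and adding DEP-3 `Origin:` and `Bug-Debian:` headers to the patch itself would document where the upstream changeset came from beyond the bare hg changeset header.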

--- End Message ---
--- Begin Message ---
On Wed, 2012-09-05 at 13:20 +0100, Steve McIntyre wrote:
> Please unblock package moin; security fix for CVE-2012-4404.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
