PU for moin to fix #721557

To: debian-release@lists.debian.org
Cc: 721557-submitter@debian.org
Subject: PU for moin to fix #721557
From: Steve McIntyre <steve@einval.com>
Date: Mon, 16 Sep 2013 17:36:28 +0100
Message-id: <20130916163628.GJ14745@einval.com>

Hi folks,

I've been asked about doing a PU for moin in Wheezy to fix
#721557. This is an annoying bug with potential for a DoS, and I've
seen its effects myself as an admin for wiki.d.o. I've added local
workarounds on wiki.d.o, but others may not understand what's needed
to do that.

The patch to fix this is trivial, and came from upstream. I've
uploaded a new package version into unstable with this fix too, and it
just migrated to testing.

What would you think of a PU for moin containing this change? Debdiff
attached...

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"You can't barbecue lettuce!" -- Ellie Crane

diff -Nru moin-1.9.4/debian/changelog moin-1.9.4/debian/changelog
--- moin-1.9.4/debian/changelog	2012-12-29 22:55:08.000000000 +0000
+++ moin-1.9.4/debian/changelog	2013-09-15 22:45:46.000000000 +0100
@@ -1,3 +1,10 @@
+moin (1.9.4-8+deb7u2) stable; urgency=low
+
+  * Backport fix from upstream: Do not create empty pagedir (with
+    empty edit-log). Closes: #721557
+
+ -- Steve McIntyre <93sam@debian.org>  Sun, 15 Sep 2013 14:44:37 -0700
+
 moin (1.9.4-8+deb7u1) testing-proposed-updates; urgency=high
 
   * Stack of security fixes from upstream:
@@ -6,9 +13,9 @@
     + use a constant time str comparison function to prevent timing
       attacks
     + fix remote code execution vulnerability in twikidraw/anywikidraw
-      actions (CVE-2012-XXXX).
+      actions (CVE-2012-6081).
     + fix path traversal vulnerability in AttachFile action
-      (CVE-2012-XXXX).
+      (CVE-2012-6080).
 
  -- Steve McIntyre <93sam@debian.org>  Sat, 29 Dec 2012 19:20:37 +0100
 
diff -Nru moin-1.9.4/debian/patches/avoid_empty_dir_creation.patch moin-1.9.4/debian/patches/avoid_empty_dir_creation.patch
--- moin-1.9.4/debian/patches/avoid_empty_dir_creation.patch	1970-01-01 01:00:00.000000000 +0100
+++ moin-1.9.4/debian/patches/avoid_empty_dir_creation.patch	2013-09-15 22:43:18.000000000 +0100
@@ -0,0 +1,16 @@
+changeset:   5980:6489ec33874d
+user:        Thomas Waldmann <tw AT waldmann-edv DOT de>
+date:        Sat Apr 06 00:21:51 2013 +0200
+summary:     do not create empty pagedir (with empty edit-log)
+diff -r 810aee12a186 -r 6489ec33874d MoinMoin/theme/__init__.py
+--- a/MoinMoin/theme/__init__.py	Sun Mar 24 14:58:56 2013 +0100
++++ b/MoinMoin/theme/__init__.py	Sat Apr 06 00:21:51 2013 +0200
+@@ -1784,7 +1784,7 @@
+ 
+         # In standard mode, emit theme.header
+         else:
+-            exists = pagename and page.exists(includeDeleted=True)
++            exists = pagename and page.exists(includeDeleted=False)
+             # prepare dict for theme code:
+             d = {
+                 'theme': self.name,

Reply to:

Follow-Ups:
- Re: PU for moin to fix #721557
  - From: Jonathan Wiltshire <jmw@debian.org>

Prev by Date: Re: pending PU requests
Next by Date: Bug#723110: RM (or pu): pyxpcom -- RoQA; FTBFS with Iceweasel 17
Previous by thread: Bug#655975: [PATCH] Support :any architecture qualifiers for multiarch
Next by thread: Re: PU for moin to fix #721557
Index(es):
- Date
- Thread