On Wed, 2009-05-06 at 21:22 +1000, Steffen Joeris wrote: > On Tue, 5 May 2009 09:28:08 pm Jonas Smedegaard wrote: > > On Tue, May 05, 2009 at 09:54:36AM +0200, Frank Lin PIAT wrote: > > >P.S. can "you" upload moin 1.7, I can't since I am not DD/DM. > > > > I'll do it now! > > > > - Jonas > > Also, please upload fixed packages for unstable with urgency high. :)
Jonas, Here's a patch for unstable (against 1.8.2-2). Could you review and upload it please? Franklin
diff -u -r -N moin-1.8.2-2/debian/changelog moin-1.8.2-2+unstable1/debian/changelog
--- moin-1.8.2-2/debian/changelog 2009-05-07 00:07:45.000000000 +0200
+++ moin-1.8.2-2+unstable1/debian/changelog 2009-05-07 00:06:26.000000000 +0200
@@ -1,3 +1,14 @@
+moin (1.8.2-2+unstable1) unstable; urgency=high
+
+ [ Frank Lin PIAT ]
+ * Fix cross-site scripting vulnerability in action/AttachFile.py
+ (Closes: #526594), Thanks to Steffen Joeris.
+ Fixes: CVE-2009-1482
+ * Add mode escaping to AttachFile move (maybe not XSS exploitable
+ though)
+
+ -- Jonas Smedegaard <d...@jones.dk> Thu, 07 May 2009 00:02:29 +0200
+
 moin (1.8.2-2) unstable; urgency=low
 
 [ Jonas Smedegaard ]
diff -u -r -N moin-1.8.2-2/debian/patches/00003_CVE-2009-1482.patch moin-1.8.2-2+unstable1/debian/patches/00003_CVE-2009-1482.patch
--- moin-1.8.2-2/debian/patches/00003_CVE-2009-1482.patch 1970-01-01 01:00:00.000000000 +0100
+++ moin-1.8.2-2+unstable1/debian/patches/00003_CVE-2009-1482.patch 2009-05-06 23:57:04.000000000 +0200
@@ -0,0 +1,55 @@
+--- a/MoinMoin/action/AttachFile.py 2009-05-06 23:53:46.000000000 +0200
++++ b/MoinMoin/action/AttachFile.py 2009-05-06 23:56:21.000000000 +0200
+@@ -387,6 +387,7 @@
+ 
+ 
+ def error_msg(pagename, request, msg):
++ msg = wikiutil.escape(msg)
+ request.theme.add_msg(msg, "error")
+ Page(request, pagename).send_page()
+ 
+@@ -512,7 +513,7 @@
+ if handler:
+ msg = handler(pagename, request)
+ else:
+- msg = _('Unsupported AttachFile sub-action: %s') % (wikiutil.escape(do[0]), )
++ msg = _('Unsupported AttachFile sub-action: %s') % do[0]
+ if msg:
+ error_msg(pagename, request, msg)
+ 
+@@ -522,6 +523,8 @@
+ 
+ 
+ def upload_form(pagename, request, msg=''):
++ if msg:
++ msg = wikiutil.escape(msg)
+ _ = request.getText
+ 
+ request.emit_http_headers()
+@@ -838,13 +841,13 @@
+ 
+ if package.isPackage():
+ if package.installPackage():
+- msg = _("Attachment '%(filename)s' installed.") % {'filename': wikiutil.escape(target)}
++ msg = _("Attachment '%(filename)s' installed.") % {'filename': target}
+ else:
+- msg = _("Installation of '%(filename)s' failed.") % {'filename': wikiutil.escape(target)}
++ msg = _("Installation of '%(filename)s' failed.") % {'filename': target}
+ if package.msg:
+- msg += "<br><pre>%s</pre>" % wikiutil.escape(package.msg)
++ msg += " " + package.msg
+ else:
+- msg = _('The file %s is not a MoinMoin package file.') % wikiutil.escape(target)
++ msg = _('The file %s is not a MoinMoin package file.') % target
+ 
+ upload_form(pagename, request, msg=msg)
+ 
+@@ -948,7 +951,7 @@
+ logging.exception("An exception within zip file attachment handling occurred:")
+ msg = _("A severe error occurred:") + ' ' + str(err)
+ 
+- upload_form(pagename, request, msg=wikiutil.escape(msg))
++ upload_form(pagename, request, msg=msg)
+ 
+ 
+ def send_viewfile(pagename, request):
diff -u -r -N moin-1.8.2-2/debian/patches/00004_CVE-2009-1482-extra.patch moin-1.8.2-2+unstable1/debian/patches/00004_CVE-2009-1482-extra.patch
--- 
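Review bot: `error_msg` in the nested -387 hunk and `upload_form` in the -522 hunk now HTML-escape `msg` themselves, but the sub-action handlers whose return value reaches `error_msg` through `msg = handler(pagename, request)` in the -512 hunk lie outside this patch, so any of them that still calls `wikiutil.escape` or builds markup such as `<br>` will now be double-escaped or shown literally. The new contract should be written on both functions, e.g. `"""Show *msg* on *pagename* as an error. msg is plain text: it is HTML-escaped here, so callers must neither pre-escape it nor embed markup."""`, and the remaining callers of both functions audited against it. Note that these sites call `wikiutil.escape` with one argument while the companion 00004 patch passes a second argument for the same helper; a short comment explaining the difference in context (message body here, presumably form values there) would keep the two from being "harmonised" later. The functions containing the -838 and -948 hunks begin outside the hunk, so their other message-building paths could not be checked here.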
moin-1.8.2-2/debian/patches/00004_CVE-2009-1482-extra.patch 1970-01-01 01:00:00.000000000 +0100
+++ moin-1.8.2-2+unstable1/debian/patches/00004_CVE-2009-1482-extra.patch 2009-05-06 23:58:27.000000000 +0200
@@ -0,0 +1,14 @@
+--- a/MoinMoin/action/AttachFile.py 2009-05-06 23:57:38.000000000 +0200
++++ b/MoinMoin/action/AttachFile.py 2009-05-06 23:57:43.000000000 +0200
+@@ -749,9 +749,9 @@
+ 'baseurl': request.getScriptname(),
+ 'do': 'attachment_move',
+ 'ticket': wikiutil.createTicket(request),
+- 'pagename': pagename,
++ 'pagename': wikiutil.escape(pagename, 1),
+ 'pagename_quoted': wikiutil.quoteWikinameURL(pagename),
+- 'attachment_name': filename,
++ 'attachment_name': wikiutil.escape(filename, 1),
+ 'move': _('Move'),
+ 'cancel': _('Cancel'),
+ 'newname_label': _("New page name"),
diff -u -r -N moin-1.8.2-2/debian/patches/series moin-1.8.2-2+unstable1/debian/patches/series
--- moin-1.8.2-2/debian/patches/series 2009-05-07 00:07:45.000000000 +0200
+++ moin-1.8.2-2+unstable1/debian/patches/series 2009-05-06 23:59:06.000000000 +0200
@@ -1,3 +1,5 @@
 #10001_disable_RenderAsDocbook_if_no_xml.patch
 20002_hardcode_configdir.patch
 20003_disable_gui_editor_if_fckeditor_missing.patch
+00003_CVE-2009-1482.patch
+00004_CVE-2009-1482-extra.patch
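Review bot: The `wikiutil.escape(pagename, 1)` and `wikiutil.escape(filename, 1)` calls in the nested -749 hunk carry a second argument that the companion 00003 patch never uses, and nothing in the hunk records why; a comment such as `# second arg: also escape quotes -- these values presumably end up inside attribute values of the move form; confirm against the template` would stop a later editor from dropping it. The dict is substituted into a template that lies outside the hunk, so whether every other user-derived entry in it is escaped for its context cannot be checked here; in particular `pagename_quoted` is URL-quoted by `quoteWikinameURL`, which is a different encoding and should not be treated as HTML-safe where that template uses it. The enclosing function begins and ends outside the hunk.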