Your message dated Tue, 27 Feb 2007 09:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#410338: fixed in moin 1.5.3-1.2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: moin
Version: 1.5.3-1.1
Severity: important
Tags: patch, security

"Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 
1.5.7 allow remote attackers to inject arbitrary web script or HTML via 
(1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, 
or (4) LocalSiteMap action."

The upstream changes are visible here:
http://hg.thinkmo.de/moin/1.5?fl=28eb59256911;file=docs/CHANGES

However, LikePages was missed, and the upstream LocalSiteMap fix appears 
to be incomplete.  Attached is the patch I'm using in Ubuntu.

-- 
Kees Cook                                            @outflux.net
diff -Nur moin-1.5.3/MoinMoin/action/AttachFile.py moin-1.5.3.new/MoinMoin/action/AttachFile.py
--- moin-1.5.3/MoinMoin/action/AttachFile.py	2006-04-05 11:58:07.000000000 -0700
+++ moin-1.5.3.new/MoinMoin/action/AttachFile.py	2007-02-09 13:03:48.636705206 -0800
@@ -275,7 +275,7 @@
         str = str + "</ul>"
     else:
         if showheader:
-            str = '%s<p>%s</p>' % (str, _("No attachments stored for %(pagename)s") % {'pagename': pagename})
+            str = '%s<p>%s</p>' % (str, _("No attachments stored for %(pagename)s") % {'pagename': wikiutil.escape(pagename)})
 
     return str
 
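Review bot: The new wikiutil.escape() call in the "No attachments stored" branch relies on wikiutil already being imported in AttachFile.py, and the hunk adds no import; confirm it is there or add one. Escaping the substituted value rather than the whole translated string is the right place, since it leaves any markup in the translation intact. The surrounding code builds its HTML in a variable named str, which shadows the builtin; worth a rename in a follow-up.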
diff -Nur moin-1.5.3/MoinMoin/action/LikePages.py moin-1.5.3.new/MoinMoin/action/LikePages.py
--- moin-1.5.3/MoinMoin/action/LikePages.py	2006-03-22 01:25:59.000000000 -0800
+++ moin-1.5.3.new/MoinMoin/action/LikePages.py	2007-02-09 13:06:13.428072725 -0800
@@ -28,14 +28,14 @@
     # No matches
     if not matches:
         Page(request, pagename).send_page(request,
-            msg = _('No pages like "%s"!') % (pagename,))
+            msg = _('No pages like "%s"!') % (wikiutil.escape(pagename),))
         return
 
     # One match - display it
     if len(matches) == 1:
         Page(request, matches.keys()[0]).send_page(request,
             msg = _('Exactly one page like "%s" found, redirecting to page.') % (
-            pagename,))
+            wikiutil.escape(pagename),))
         return
 
     # more than one match, list 'em
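Review bot: Both msg strings now carry pagename already HTML-escaped, which is only correct if send_page() writes msg into the page as raw markup; if it escapes msg itself, names containing & or < will be displayed double-escaped. A short comment at the two call sites stating that msg is treated as markup would tell later callers to escape whatever they interpolate into it.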
@@ -44,7 +44,7 @@
     # This action generate data using the user language
     request.setContentLanguage(request.lang)
 
-    wikiutil.send_title(request, _('Pages like "%s"') % (pagename),
+    wikiutil.send_title(request, _('Pages like "%s"') % (wikiutil.escape(pagename)),
                         pagename=pagename)
         
     # Start content - IMPORTANT - without content div, there is no
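Review bot: In the send_title() call the title text is escaped, but the same value is still passed raw as pagename=pagename on the following line; confirm that send_title() escapes that argument wherever it emits it, otherwise the fix here is partial. Also, % (wikiutil.escape(pagename)) is a parenthesised string rather than a one-element tuple, unlike the two msg calls earlier in the file; add the trailing comma for consistency.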
diff -Nur moin-1.5.3/MoinMoin/action/LocalSiteMap.py moin-1.5.3.new/MoinMoin/action/LocalSiteMap.py
--- moin-1.5.3/MoinMoin/action/LocalSiteMap.py	2005-09-22 09:22:09.000000000 -0700
+++ moin-1.5.3.new/MoinMoin/action/LocalSiteMap.py	2007-02-09 13:03:48.636705206 -0800
@@ -70,7 +70,7 @@
         if not name: return
         self.append('&nbsp;' * (5*depth))
         self.append('&nbsp;' + wikiutil.link_tag(request, '%s?action=%s' %
-            (wikiutil.quoteWikinameURL(name), __name__.split('.')[-1]), name))
+            (wikiutil.quoteWikinameURL(name), __name__.split('.')[-1]), wikiutil.escape(name)))
         self.append("&nbsp;<small>[")
         self.append(Page(request, name).link_to(request, 'view'))
         self.append("</small>]<br>")
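Review bot: Only the link text passed to link_tag() is escaped; two lines further down the same name goes into Page(request, name).link_to(request, 'view') unchanged. Check that link_to() escapes the name in whatever attributes it generates, and that link_tag() does not escape its text argument a second time. Since the report says the upstream LocalSiteMap fix appeared incomplete, a comment stating which output this change covers would help the next reader.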
diff -Nur moin-1.5.3/MoinMoin/action/RenamePage.py moin-1.5.3.new/MoinMoin/action/RenamePage.py
--- moin-1.5.3/MoinMoin/action/RenamePage.py	2005-12-18 13:09:42.000000000 -0800
+++ moin-1.5.3.new/MoinMoin/action/RenamePage.py	2007-02-09 13:03:48.636705206 -0800
@@ -148,7 +148,7 @@
             'error': error,
             'action': self.__class__.__name__,
             'ticket': wikiutil.createTicket(),
-            'pagename': self.pagename,
+            'pagename': wikiutil.escape(self.pagename, 1),
             'rename': _('Rename Page'),
             'cancel': _('Cancel'),
             'newname_label': _("New name"),
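Review bot: This is the only call in the patch that passes a second argument to wikiutil.escape(), as wikiutil.escape(self.pagename, 1); if that is the quote flag, needed because the value lands inside an HTML attribute of the rename form, say so in a comment, since dropping it later would reopen the hole. The 'error' entry in the same dictionary is still passed through as-is; confirm that none of the error strings are built from the old or new page name.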
diff -Nur moin-1.5.3/MoinMoin/theme/__init__.py moin-1.5.3.new/MoinMoin/theme/__init__.py
--- moin-1.5.3/MoinMoin/theme/__init__.py	2006-04-15 12:09:38.000000000 -0700
+++ moin-1.5.3.new/MoinMoin/theme/__init__.py	2007-02-09 13:03:48.636705206 -0800
@@ -628,7 +628,7 @@
                     info = _("last edited %(time)s by %(editor)s") % info
                 else:
                     info = _("last modified %(time)s") % info
-                pagename = page.page_name
+                pagename = wikiutil.escape(page.page_name)
                 if self.request.cfg.show_interwiki:
                     pagename = "%s: %s" % (self.request.cfg.interwikiname, pagename)
                 info = "%s  (%s)" % (pagename, info)
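Review bot: After pagename = wikiutil.escape(page.page_name) the local pagename holds HTML rather than the raw page name, which is easy to misuse if it is referenced again later in the method; a distinct variable name for the escaped value would make that explicit. self.request.cfg.interwikiname is concatenated unescaped two lines below, and %(editor)s is formatted into info just above; both end up in the same output string and should be checked for the same treatment.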

--- End Message ---
--- Begin Message ---
Source: moin
Source-Version: 1.5.3-1.2

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.5.3-1.2.diff.gz
  to pool/main/m/moin/moin_1.5.3-1.2.diff.gz
moin_1.5.3-1.2.dsc
  to pool/main/m/moin/moin_1.5.3-1.2.dsc
moinmoin-common_1.5.3-1.2_all.deb
  to pool/main/m/moin/moinmoin-common_1.5.3-1.2_all.deb
python-moinmoin_1.5.3-1.2_all.deb
  to pool/main/m/moin/python-moinmoin_1.5.3-1.2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Zobel-Helas <[EMAIL PROTECTED]> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 27 Feb 2007 10:00:39 +0100
Source: moin
Binary: moinmoin-common python-moinmoin
Architecture: source all
Version: 1.5.3-1.2
Distribution: unstable
Urgency: low
Maintainer: Jonas Smedegaard <[EMAIL PROTECTED]>
Changed-By: Martin Zobel-Helas <[EMAIL PROTECTED]>
Description: 
 moinmoin-common - Python clone of WikiWiki - common data
 python-moinmoin - Python clone of WikiWiki - library
Closes: 410338
Changes: 
 moin (1.5.3-1.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Adding patch from BTS to fix CVE-2007-0857 (Closes: #410338)
Files: 
 134e914144ce1bc4ff53f015341f0cf1 653 net optional moin_1.5.3-1.2.dsc
 530ec8bccc7c44033fac68e42021e776 35750 net optional moin_1.5.3-1.2.diff.gz
 c447de2045329dc06212e0f6b196c34c 1573858 net optional moinmoin-common_1.5.3-1.2_all.deb
 8c8a51ba388f9d09f230e3c1e1e2bfe9 912502 python optional python-moinmoin_1.5.3-1.2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF4/rqST77jl1k+HARAlHWAKC3HAFgvZ27CEpGESLFksgpKP9WiACeI2kN
6xUPoBEwLFYpM8SW+kv3LpU=
=g6QW
-----END PGP SIGNATURE-----


--- End Message ---
