Hi folks, I've been asked about doing a PU for moin in Wheezy to fix #721557. This is an annoying bug with potential for a DoS, and I've seen its effects myself as an admin for wiki.d.o. I've added local workarounds on wiki.d.o, but others may not understand what's needed to do that.
The patch to fix this is trivial, and came from upstream. I've uploaded a new package version into unstable with this fix too, and it just migrated to testing. What would you think of a PU for moin containing this change? Debdiff attached...

-- 
Steve McIntyre, Cambridge, UK. [email protected]
"You can't barbecue lettuce!" -- Ellie Crane

diff -Nru moin-1.9.4/debian/changelog moin-1.9.4/debian/changelog --- moin-1.9.4/debian/changelog 2012-12-29 22:55:08.000000000 +0000 +++ moin-1.9.4/debian/changelog 2013-09-15 22:45:46.000000000 +0100 @@ -1,3 +1,10 @@ +moin (1.9.4-8+deb7u2) stable; urgency=low + + * Backport fix from upstream: Do not create empty pagedir (with + empty edit-log). Closes: #721557 + + -- Steve McIntyre <[email protected]> Sun, 15 Sep 2013 14:44:37 -0700 + moin (1.9.4-8+deb7u1) testing-proposed-updates; urgency=high * Stack of security fixes from upstream: @@ -6,9 +13,9 @@ + use a constant time str comparison function to prevent timing attacks + fix remote code execution vulnerability in twikidraw/anywikidraw - actions (CVE-2012-XXXX). + actions (CVE-2012-6081). + fix path traversal vulnerability in AttachFile action - (CVE-2012-XXXX). + (CVE-2012-6080). -- Steve McIntyre <[email protected]> Sat, 29 Dec 2012 19:20:37 +0100 diff -Nru moin-1.9.4/debian/patches/avoid_empty_dir_creation.patch moin-1.9.4/debian/patches/avoid_empty_dir_creation.patch --- moin-1.9.4/debian/patches/avoid_empty_dir_creation.patch 1970-01-01 01:00:00.000000000 +0100 +++ moin-1.9.4/debian/patches/avoid_empty_dir_creation.patch 2013-09-15 22:43:18.000000000 +0100 @@ -0,0 +1,16 @@ +changeset: 5980:6489ec33874d +user: Thomas Waldmann <tw AT waldmann-edv DOT de> +date: Sat Apr 06 00:21:51 2013 +0200 +summary: do not create empty pagedir (with empty edit-log) +diff -r 810aee12a186 -r 6489ec33874d MoinMoin/theme/__init__.py +--- a/MoinMoin/theme/__init__.py Sun Mar 24 14:58:56 2013 +0100 ++++ b/MoinMoin/theme/__init__.py Sat Apr 06 00:21:51 2013 +0200 +@@ -1784,7 +1784,7 @@ + + # In standard mode, emit theme.header + else: +- exists = pagename and page.exists(includeDeleted=True) ++ exists = pagename and page.exists(includeDeleted=False) + # prepare dict for theme code: + d = { + 'theme': self.name,
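Review bot: The second debian/changelog hunk (@@ -6,9 +13,9 @@) edits the already-released 1.9.4-8+deb7u1 entry, replacing both CVE-2012-XXXX placeholders with CVE-2012-6081 and CVE-2012-6080, but the new 1.9.4-8+deb7u2 entry only records the pagedir backport. Either add a bullet to the new entry saying that the CVE identifiers in the previous entry were filled in, or leave the old entry untouched so the proposed update carries nothing beyond the fix for #721557.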
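Review bot: The new file debian/patches/avoid_empty_dir_creation.patch is added, but the debdiff as shown has no hunk touching debian/patches/series. If the package applies its patches through a series file, the patch needs an entry there or the build will not pick it up. The patch header also carries only the upstream changeset metadata; a line tying it to #721557 would make the backport easier to trace later.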
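Review bot: In the MoinMoin/theme/__init__.py hunk (@@ -1784,7 +1784,7 @@), switching to `exists = pagename and page.exists(includeDeleted=False)` also changes the value of `exists` for deleted pages in the standard-mode header path, just ahead of the "prepare dict for theme code" block, and neither the summary line nor the changelog mentions that. The connection between this call and the creation of an empty pagedir with an empty edit-log is not visible from the hunk, so a sentence in the patch header explaining it, plus a note on how deleted pages are now treated by the theme code, would help whoever reviews this for stable.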

