tags 429205 patch thanks Hi
Attached you will find the uploaded NMU patch. It should cover the major issue. For the other issues, I suggest filing a normal bug and leaving it open until someone definitely confirms that they are fixed (I looked over them and a few seem to be fixed; for others I could not get enough information). Cheers Steffen
diff -u moin-1.5.8/debian/changelog moin-1.5.8/debian/changelog
--- moin-1.5.8/debian/changelog
+++ moin-1.5.8/debian/changelog
@@ -1,3 +1,12 @@
+moin (1.5.8-4.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing-security team
+ * Include upstream patch to enable whitelisting, instead of
+ insufficient blacklisting for file uploads (Closes: #429205)
+ Fixes: CVE-2007-5156, CVE-2007-3163, CVE-2007-2630, CVE-2006-0658
+
+ -- Steffen Joeris <[EMAIL PROTECTED]> Sun, 21 Oct 2007 14:43:37 +0000
+
 moin (1.5.8-4) unstable; urgency=low
 
 * Sync with upstream HG development source as of today (patchset 851):
diff -u moin-1.5.8/debian/patches/series moin-1.5.8/debian/patches/series
--- moin-1.5.8/debian/patches/series
+++ moin-1.5.8/debian/patches/series
@@ -14,0 +15 @@
+020_CVE-whitelist.patch
only in patch2: unchanged:
--- moin-1.5.8.orig/debian/patches/020_CVE-whitelist.patch
+++ moin-1.5.8/debian/patches/020_CVE-whitelist.patch
@@ -0,0 +1,60 @@
+--- config.php.orig 2007-10-21 16:24:57.000000000 +0200
++++ moin-1.5.3/wiki/htdocs/applets/FCKeditor/editor/filemanager/upload/php/config.php 2007-10-21 16:25:30.000000000 +0200
+@@ -26,8 +26,8 @@
+ // Path to uploaded files relative to the document root.
+ $Config['UserFilesPath'] = '/UserFiles/' ;
+
+-$Config['AllowedExtensions']['File'] = array() ;
+-$Config['DeniedExtensions']['File'] = array('php','php3','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi') ;
++$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
++$Config['DeniedExtensions']['File'] = array() ;
+
+ $Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
+ $Config['DeniedExtensions']['Image'] = array() ;
+@@ -35,4 +35,4 @@
+ $Config['AllowedExtensions']['Flash'] = array('swf','fla') ;
+ $Config['DeniedExtensions']['Flash'] = array() ;
+
+-?>
+\ No newline at end of file
++?>
+--- config.php.orig 2007-10-21 16:26:27.000000000 +0200
++++ moin-1.5.3/wiki/htdocs/applets/FCKeditor/editor/filemanager/browser/default/connectors/php/config.php 2007-10-21 16:27:16.000000000 +0200
+@@ -32,8 +32,8 @@
+ // Attention: The above 'UserFilesPath' must point to the same directory.
+ $Config['UserFilesAbsolutePath'] = '' ;
+
+-$Config['AllowedExtensions']['File'] = array() ;
+-$Config['DeniedExtensions']['File'] = array('php','php3','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi') ;
++$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
++$Config['DeniedExtensions']['File'] = array() ;
+
+ $Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
+ $Config['DeniedExtensions']['Image'] = array() ;
+@@ -44,4 +44,4 @@
+ $Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
+ $Config['DeniedExtensions']['Media'] = array() ;
+
+-?>
+\ No newline at end of file
++?>
+--- fckconfig.js.orig 2007-10-21 16:28:02.000000000 +0200
++++ moin-1.5.3/wiki/htdocs/applets/FCKeditor/fckconfig.js 2007-10-21 16:28:46.000000000 +0200
+@@ -153,8 +153,8 @@
+
+ FCKConfig.LinkUpload = true ;
+ FCKConfig.LinkUploadURL = FCKConfig.BasePath + 'filemanager/upload/' + FCKConfig.QuickUploadLanguage + '/upload.' + _QuickUploadLanguage ;
+-FCKConfig.LinkUploadAllowedExtensions = "" ; // empty for all
+-FCKConfig.LinkUploadDeniedExtensions = ".(php|php3|php5|phtml|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|dll|reg|cgi)$" ; // empty for no one
++FCKConfig.LinkUploadAllowedExtensions = ".('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip')$" ; // empty for all
++FCKConfig.LinkUploadDeniedExtensions = "" ; // empty for no one
+
+ FCKConfig.ImageUpload = true ;
+ FCKConfig.ImageUploadURL = FCKConfig.BasePath + 'filemanager/upload/' + FCKConfig.QuickUploadLanguage + '/upload.' + _QuickUploadLanguage + '?Type=Image' ;
+@@ -172,4 +172,4 @@
+ FCKConfig.SmileyWindowWidth = 320 ;
+ FCKConfig.SmileyWindowHeight = 240 ;
+
+-if( window.console ) window.console.log( 'Config is loaded!' ) ; // @Packager.Compactor.RemoveLine
+\ No newline at end of file
++if( window.console ) window.console.log( 'Config is loaded!' ) ; // @Packager.Compactor.RemoveLine
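Review bot: The new `FCKConfig.LinkUploadAllowedExtensions` value in the fckconfig.js part of this patch is the PHP array literal pasted into what the removed `LinkUploadDeniedExtensions` line shows to be a regular-expression string, so `.('7z', 'aiff', …)$` carries quotes and commas instead of `|` alternation and presumably matches no real filename. It should read `FCKConfig.LinkUploadAllowedExtensions = ".(7z|aiff|asf|avi|bmp|csv|doc|flv|gif|gz|gzip|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|ods|odt|pdf|png|ppt|pxd|qt|ram|rar|rm|rmi|rmvb|rtf|sdc|sitd|swf|sxc|sxw|tar|tgz|tif|tiff|txt|vsd|wav|wma|wmv|xls|xml|zip)$" ;`. This setting is only the editor-side check; the `AllowedExtensions` arrays in the two `config.php` files are what the server applies. That server-side list still admits `swf` and `xml`, which a browser may treat as active content when they are served from the wiki's own origin, so it is worth confirming they are needed or that the upload directory serves them as downloads.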