CVE-2007-0857: pagename XSS

Related Vulnerabilities: CVE-2007-0857  

Debian Bug report logs - #410338

Package: moin; Maintainer for moin is Steve McIntyre <93sam@debian.org>;

Reported by: Kees Cook <kees@outflux.net>

Date: Fri, 9 Feb 2007 21:48:02 UTC

Severity: critical

Tags: fixed-upstream, patch, security, upstream

Merged with 410552

Found in version 1.5.3-1.1

Fixed in versions moin/1.5.3-1.2, moin/1.5.7-1

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#410338; Package moin.


Acknowledgement sent to Kees Cook <kees@outflux.net>:
New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>.


Message #5 received at submit@bugs.debian.org:

From: Kees Cook <kees@outflux.net>
To: Debian Bugs <submit@bugs.debian.org>
Subject: CVE-2007-0857: pagename XSS
Date: Fri, 9 Feb 2007 13:25:02 -0800
Package: moin
Version: 1.5.3-1.1
Severity: important
Tags: patch, security

"Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 
1.5.7 allow remote attackers to inject arbitrary web script or HTML via 
(1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, 
or (4) LocalSiteMap action."

The upstream changes are visible here:
http://hg.thinkmo.de/moin/1.5?fl=28eb59256911;file=docs/CHANGES

However, LikePages was missed, and the upstream LocalSiteMap fix appears 
to be incomplete.  Attached is the patch I'm using in Ubuntu.

-- 
Kees Cook                                            @outflux.net
[090_fix-pagename-xss.patch (text/x-diff, attachment)]
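
The report above turns on coverage: some actions were fixed, one was missed and one was only partly fixed. As an added illustration (not part of the bug log, the attached patch or MoinMoin's code), this regression check renders every action with a probe page name and lists those that still emit it unescaped; the render functions, their markup and the probe are constructed, and only the action names come from the report.

```python
import html

# Constructed probe page name: harmless markup carrying HTML metacharacters.
PROBE = 'Front<b id="probe">Page'

# Hypothetical stand-ins for actions that echo the page name into HTML.
# None of this is MoinMoin code; only the action names come from the report.
def attach_file(pagename):
    return '<h1>Attachments for "%s"</h1>' % html.escape(pagename)

def rename_page(pagename):
    return '<input name="newpagename" value="%s">' % html.escape(pagename)

def local_site_map(pagename):
    # Modelled as partly fixed: heading escaped, link text not.
    return '<h1>%s</h1><a href="#map">%s</a>' % (html.escape(pagename), pagename)

def like_pages(pagename):
    # Modelled as missed: the page name reaches the output unchanged.
    return '<p>Pages like "%s"</p>' % pagename

def local_site_map_fixed(pagename):
    safe = html.escape(pagename)  # escape once, reuse at every sink
    return '<h1>%s</h1><a href="#map">%s</a>' % (safe, safe)

def like_pages_fixed(pagename):
    return '<p>Pages like "%s"</p>' % html.escape(pagename)

ACTIONS = {"AttachFile": attach_file, "RenamePage": rename_page,
           "LocalSiteMap": local_site_map, "LikePages": like_pages}
FIXED = dict(ACTIONS, LocalSiteMap=local_site_map_fixed, LikePages=like_pages_fixed)

def audit(actions, probe=PROBE):
    """Names of actions whose output still contains the probe unescaped."""
    return sorted(name for name, render in actions.items()
                  if probe in render(probe))

if __name__ == "__main__":
    print("before:", audit(ACTIONS))
    print("after: ", audit(FIXED))
```

Running the same audit over every registered action, rather than only the ones named in an advisory, is what catches a sink that an upstream fix left out.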

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#410338; Package moin.


Acknowledgement sent to Kees Cook <kees@outflux.net>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.


Message #10 received at 410338@bugs.debian.org:

From: Kees Cook <kees@outflux.net>
To: 410338@bugs.debian.org
Subject: better patch
Date: Fri, 9 Feb 2007 16:19:46 -0800
Attached is a more complete patch, based on some auditing.  I've 
forwarded the missed fixes upstream.

-- 
Kees Cook                                            @outflux.net
[090_fix-pagename-xss.patch (text/x-diff, attachment)]

Severity set to `critical' from `important' Request was from Kees Cook <kees@outflux.net> to control@bugs.debian.org.


Merged 410338 410552. Request was from Kees Cook <kees@outflux.net> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#410338; Package moin.


Acknowledgement sent to Martin Zobel-Helas <zobel@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.


Message #19 received at 410338@bugs.debian.org:

From: Martin Zobel-Helas <zobel@debian.org>
To: 410338@bugs.debian.org
Subject: moin: diff for NMU version 1.5.3-1.2
Date: Tue, 27 Feb 2007 10:32:51 +0100
tags 410338 + patch
thanks

Hi,

Attached is the diff for my moin 1.5.3-1.2 NMU.

Greetings
Martin
[moin-1.5.3-1.2-nmu.diff (text/x-diff, attachment)]

Tags added: patch Request was from Martin Zobel-Helas <zobel@debian.org> to control@bugs.debian.org.


Reply sent to Martin Zobel-Helas <zobel@debian.org>:
You have taken responsibility.


Notification sent to Kees Cook <kees@outflux.net>:
Bug acknowledged by developer.


Message #26 received at 410338-close@bugs.debian.org:

From: Martin Zobel-Helas <zobel@debian.org>
To: 410338-close@bugs.debian.org
Subject: Bug#410338: fixed in moin 1.5.3-1.2
Date: Tue, 27 Feb 2007 09:47:03 +0000
Source: moin
Source-Version: 1.5.3-1.2

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.5.3-1.2.diff.gz
  to pool/main/m/moin/moin_1.5.3-1.2.diff.gz
moin_1.5.3-1.2.dsc
  to pool/main/m/moin/moin_1.5.3-1.2.dsc
moinmoin-common_1.5.3-1.2_all.deb
  to pool/main/m/moin/moinmoin-common_1.5.3-1.2_all.deb
python-moinmoin_1.5.3-1.2_all.deb
  to pool/main/m/moin/python-moinmoin_1.5.3-1.2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 410338@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Zobel-Helas <zobel@debian.org> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 27 Feb 2007 10:00:39 +0100
Source: moin
Binary: moinmoin-common python-moinmoin
Architecture: source all
Version: 1.5.3-1.2
Distribution: unstable
Urgency: low
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Martin Zobel-Helas <zobel@debian.org>
Description: 
 moinmoin-common - Python clone of WikiWiki - common data
 python-moinmoin - Python clone of WikiWiki - library
Closes: 410338
Changes: 
 moin (1.5.3-1.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Adding patch from BTS to fix CVE-2007-0857 (Closes: #410338)
Files: 
 134e914144ce1bc4ff53f015341f0cf1 653 net optional moin_1.5.3-1.2.dsc
 530ec8bccc7c44033fac68e42021e776 35750 net optional moin_1.5.3-1.2.diff.gz
 c447de2045329dc06212e0f6b196c34c 1573858 net optional moinmoin-common_1.5.3-1.2_all.deb
 8c8a51ba388f9d09f230e3c1e1e2bfe9 912502 python optional python-moinmoin_1.5.3-1.2_all.deb





Reply sent to Martin Zobel-Helas <zobel@debian.org>:
You have taken responsibility.


Notification sent to Marcus Husar <edv@rose.uni-heidelberg.de>:
Bug acknowledged by developer.


Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility.


Notification sent to Kees Cook <kees@outflux.net>:
Bug acknowledged by developer.


Message #36 received at 410338-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 410338-close@bugs.debian.org
Subject: Bug#410338: fixed in moin 1.5.7-1
Date: Sat, 17 Mar 2007 08:32:03 +0000
Source: moin
Source-Version: 1.5.7-1

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.5.7-1.diff.gz
  to pool/main/m/moin/moin_1.5.7-1.diff.gz
moin_1.5.7-1.dsc
  to pool/main/m/moin/moin_1.5.7-1.dsc
moin_1.5.7.orig.tar.gz
  to pool/main/m/moin/moin_1.5.7.orig.tar.gz
moinmoin-common_1.5.7-1_all.deb
  to pool/main/m/moin/moinmoin-common_1.5.7-1_all.deb
python-moinmoin_1.5.7-1_all.deb
  to pool/main/m/moin/python-moinmoin_1.5.7-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 410338@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 16 Mar 2007 18:07:48 +0100
Source: moin
Binary: moinmoin-common python-moinmoin
Architecture: source all
Version: 1.5.7-1
Distribution: unstable
Urgency: low
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 moinmoin-common - Python clone of WikiWiki - common data
 python-moinmoin - Python clone of WikiWiki - library
Closes: 373464 373464 383841 383909 384349 410338
Changes: 
 moin (1.5.7-1) unstable; urgency=low
 .
   * New upstream release. Closes: Bug#384349.
     Highlights:
     + XSS Fixes (already fixed in Debian NMU).
     + Improved LDAP authentication.
     + Various GUI editor improvements (but still buggy!).
     + Attachments can be overwritten, moved to a different page, and
       referenced.
     + Various performance improvements.
     + Rendering fixes (especially workarounds for IE6 bugs).
     + Simplified migration routine. Please read
       /usr/share/doc/moinmoin-common/README.Migration(.gz).
     + Fix for forgotten password email login URL.
     + Google sitemap support: ?action=sitemap.
     + Updated translations: i18n strings, system and help pages.
     + Hyphens are now allowed in usernames. Closes: Bug#383909.
     + Improved docutils and ReST support.
   * Acknowledge NMUs. Closes: Bug#373464, #383841, #410338, thanks to
     Josselin Mouette, Pierre Habouzit, Martin Zobel-Helas and Toni
     Mueller.
   * Reorganize patches.
     + Extend patches to 5 digits to make room for Hg changesets.
     + Adjust debian/patches/README to mention Hg (not Arch).
     + Use quilt (not the simple cdbs-internal patch system).
   * Add patches to bring in sync with upstream Hg (patchset 822).
   * Remove parts of CVE-2007-0857 applied upstream (changesets 805-806).
     Rename patch to follow new 5-digit scheme.
   * Rewrite README.packaging to describe getting changesets from Hg (not
     Arch).
   * Update CDBS tweaks:
     + Update copyright-check.mk: Look for "(c)" too, avoid non-printable
       characters, verbose error report.
     + Update buildinfo.mk: Fix touchfile to run only once.
     + Major overhaul of python-distutils.mk: Synchronize with main cdbs,
       which adds support for new Python policy, and massive rewrite to
       bring back functionality broken in the default implementation of
       that new policy.
     + Replace auto-update.mk with (overload of) buildcore.mk.
     + Add README.cdbs-tweaks documenting the added tweaks.
     + Advertise README.cdbs-tweaks in debian/rules.
   * Enable new Python policy, except when DEB_BUILD_OPTIONS contains
     "sarge". Closes: Bug#373464 (thanks to Pierre Habouzit and ).
   * Bump up Standards-Version to 3.7.2 for non-default distros.
   * Adjust long description to not mention dropped pythonXX-moinmoin.
   * As stated in README.Debian, CGI interface has had most testing:
     + Revert to suggesting apache in favor of libapache(2)-python.
     + Suggest httpd-cgi (not httpd) as fallback.
   * Cleanup and improve debian/rules:
     + Use (newly improved!) tweaked cdbs again, to also support
       distributions using the old python policy.
     + Restore rules applying only to old python policy.
     + Add switch to declare variables varying between python policies.
     + Stitch together README.Debian from parts, referring to build-
       dependent default python version, and leaving out section on
       multiple packages when using new python policy.
     + Stitch together README.Debian and  moinmoin-common.postinst in
       pre-build, and remove in clean. This avoids distributing changes
       and then losing it again automatically at next build.
     + Add more comments.
     + Move build targets to switch distribution down to the bottom.
   * Update debian/copyright:
     + Add new copyright for Bubblehelp infoboxes (license: GPLv2).
     + Add new copyright for EXIF filter (license: BSD-like).
     + Fix non-unicode Character (copyright-holder Peter Åstrand).
   * No longer install docs/CHANGES.config dropped upstream.
   * Add note to README.Debian about risk of dict symlink breaking if
     copying and using the data from a different location. This relates
     only to the recent NMU changing (without documenting!!!) from
     static to shared symlink.
   * Use Build-depends (not Build-depends-Indep) for non-default
     distributions.
   * Tightened pyversions to only include 2.3 and higher.
   * Suppress lintian warnings about INSTALL.html in docs (contains
     valuable info on further steps than automated in this packaging) and
     non-executable scripts in underlay (they should never be executed
     from there).
Files: 
 3af73028d18bbf049565ee975c3ccb5c 759 net optional moin_1.5.7-1.dsc
 b304f1c2054c7f3bf0dc48c141b28b33 4411634 net optional moin_1.5.7.orig.tar.gz
 5ee74fe0319d707c71c9c481f4a21b12 48877 net optional moin_1.5.7-1.diff.gz
 3a2a526a20eaaa225cb237a666b8aee5 1660388 net optional moinmoin-common_1.5.7-1_all.deb
 a89395b1e9ea7d4b4cb9ab32522bde80 1017220 python optional python-moinmoin_1.5.7-1_all.deb





Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility.


Notification sent to Marcus Husar <edv@rose.uni-heidelberg.de>:
Bug acknowledged by developer.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 07:05:53 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:26:52 2019; Machine Name: buxtehude
