diff -Nru moin-1.9.3/debian/changelog moin-1.9.3/debian/changelog
--- moin-1.9.3/debian/changelog 2011-12-17 13:16:29.000000000 +0000
+++ moin-1.9.3/debian/changelog 2012-10-10 14:16:23.000000000 +0000
@@ -1,3 +1,18 @@
+moin (1.9.3-1ubuntu3) quantal; urgency=low
+
+ * SECURITY UPDATE: cross-site scripting issue in reStructuredText parser
+ - debian/patches/CVE-2011-1058.patch: remove javascript support in
+ MoinMoin/parser/text_rst.py.
+ - CVE-2011-1058
+ * SECURITY UPDATE: incorrect permissions due to broken virtual group
+ names handling
+ - debian/patches/CVE-2012-4404.patch: fix group test in
+ MoinMoin/security/__init__.py, added test in
+ MoinMoin/security/_tests/test_security.py.
+ - CVE-2012-4404
+
+ -- Marc Deslauriers Wed, 10 Oct 2012 10:13:05 -0400
+
 moin (1.9.3-1ubuntu2) precise; urgency=low
 * Build using dh_python2
diff -Nru moin-1.9.3/debian/patches/CVE-2011-1058.patch moin-1.9.3/debian/patches/CVE-2011-1058.patch
--- moin-1.9.3/debian/patches/CVE-2011-1058.patch 1970-01-01 00:00:00.000000000 +0000
+++ moin-1.9.3/debian/patches/CVE-2011-1058.patch 2012-10-10 14:16:54.000000000 +0000
@@ -0,0 +1,18 @@
+Description: fix cross-site scripting issue in reStructuredText parser
+Origin: upstream, http://hg.moinmo.in/moin/1.9/rev/97208f67798f
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643904
+
+diff -r b1b82826f8b8 -r 97208f67798f MoinMoin/parser/text_rst.py
+--- a/MoinMoin/parser/text_rst.py Thu Jan 20 13:34:33 2011 +0100
++++ b/MoinMoin/parser/text_rst.py Mon Feb 21 22:19:57 2011 +0100
+@@ -391,6 +391,9 @@
+ # for images with targets).
+ if not [i for i in node.children if i.__class__ == docutils.nodes.image]:
+ node['classes'].append('interwiki')
++ elif prefix == 'javascript':
++ # is someone trying to do XSS with javascript?
++ node['refuri'] = 'javascript:alert("it does not work")'
+ elif prefix != '':
+ # Some link scheme (http, file, https, mailto, etc.), add class
+ # information if the reference doesn't have a child image (don't
+
diff -Nru moin-1.9.3/debian/patches/CVE-2012-4404.patch moin-1.9.3/debian/patches/CVE-2012-4404.patch
--- moin-1.9.3/debian/patches/CVE-2012-4404.patch 1970-01-01 00:00:00.000000000 +0000
+++ moin-1.9.3/debian/patches/CVE-2012-4404.patch 2012-10-10 14:17:33.000000000 +0000
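Review bot: The new `elif prefix == 'javascript':` branch is an exact, case-sensitive match on one scheme, so unless `prefix` is already lower-cased where it is derived (above this hunk, not visible), a `JavaScript:` or `JAVASCRIPT:` target falls through to the generic `elif prefix != ''` branch and keeps its original `refuri`, and `vbscript:` and `data:` targets are never considered at all. The branch also neutralises the link by substituting another `javascript:` URI, which still places an active-content href in the rendered page rather than removing it. I would normalise and compare against a small set and replace the target with an inert one: `elif prefix.lower() in ('javascript', 'vbscript', 'data'):` followed by `node['refuri'] = '#'`; longer term an allowlist of accepted link schemes in the `prefix != ''` branch is the more defensible shape than a denylist. The enclosing function starts and ends outside this hunk.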
@@ -0,0 +1,90 @@
+Description: fix incorrect permissions due to broken virtual group
+ names handling
+Origin: upstream, http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16
+
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/__init__.py
+--- a/MoinMoin/security/__init__.py Fri Aug 03 17:36:02 2012 +0200
++++ b/MoinMoin/security/__init__.py Mon Sep 03 15:30:35 2012 +0200
+@@ -320,11 +320,12 @@
+ handler = getattr(self, "_special_"+entry, None)
+ allowed = handler(request, name, dowhat, rightsdict)
+ elif entry in groups:
+- if name in groups[entry]:
++ this_group = groups[entry]
++ if name in this_group:
+ allowed = rightsdict.get(dowhat)
+ else:
+ for special in self.special_users:
+- if special in entry:
++ if special in this_group:
+ handler = getattr(self, "_special_" + special, None)
+ allowed = handler(request, name, dowhat, rightsdict)
+ break # order of self.special_users is important
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/_tests/test_security.py
+--- a/MoinMoin/security/_tests/test_security.py Fri Aug 03 17:36:02 2012 +0200
++++ b/MoinMoin/security/_tests/test_security.py Mon Sep 03 15:30:35 2012 +0200
+@@ -16,10 +16,11 @@
+ acliter = security.ACLStringIterator
+ AccessControlList = security.AccessControlList
+
++from MoinMoin.datastruct import ConfigGroups
+ from MoinMoin.PageEditor import PageEditor
+ from MoinMoin.user import User
+
+-from MoinMoin._tests import become_trusted, create_page, nuke_page
++from MoinMoin._tests import wikiconfig, become_trusted, create_page, nuke_page
+
+ class TestACLStringIterator(object):
+
+@@ -248,6 +249,50 @@
+ assert not acl.may(self.request, user, right)
+
++
++class TestGroupACL(object):
++
++ class Config(wikiconfig.Config):
++ def groups(self, request):
++ groups = {
++ u'PGroup': frozenset([u'Antony', u'Beatrice', ]),
++ u'AGroup': frozenset([u'All', ]),
++ # note: the next line is a INTENDED misnomer, there is "All" in
++ # the group NAME, but not in the group members. This makes
++ # sure that a bug that erroneously checked "in groupname" (instead
++ # of "in groupmembers") does not reappear.
++ u'AllGroup': frozenset([]), # note: intended misnomer
++ }
++ return ConfigGroups(request, groups)
++
++ def testApplyACLByGroup(self):
++ """ security: applying acl by group name"""
++ # This acl string...
++ acl_rights = [
++ "PGroup,AllGroup:read,write,admin "
++ "AGroup:read "
++ ]
++ acl = security.AccessControlList(self.request.cfg, acl_rights)
++
++ # Should apply these rights:
++ users = (
++ # user, rights
++ ('Antony', ('read', 'write', 'admin', )), # in PGroup
++ ('Beatrice', ('read', 'write', 'admin', )), # in PGroup
++ ('Charles', ('read', )), # virtually in AGroup
++ )
++
++ # Check rights
++ for user, may in users:
++ mayNot = [right for right in self.request.cfg.acl_rights_valid
++ if right not in may]
++ # User should have these rights...
++ for right in may:
++ assert acl.may(self.request, user, right)
++ # But NOT these:
++ for right in mayNot:
++ assert not acl.may(self.request, user, right)
++
++
+ class TestPageAcls(object):
+ """ security: real-life access control list on pages testing
+ """
+
diff -Nru moin-1.9.3/debian/patches/series moin-1.9.3/debian/patches/series
--- moin-1.9.3/debian/patches/series 2010-08-12 10:14:10.000000000 +0000
+++ moin-1.9.3/debian/patches/series 2012-10-10 14:12:56.000000000 +0000
@@ -2,3 +2,5 @@
 disable_gui_editor_if_fckeditor_missing.patch
 htdocs_moved_to_usr_share_moin.patch
 use_systemwide_libs.patch
+CVE-2011-1058.patch
+CVE-2012-4404.patch
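Review bot: The regression test in `TestGroupACL.testApplyACLByGroup` only exercises the `All` virtual member (`AGroup`) and a misnamed empty group (`AllGroup`), while the fixed loop iterates every entry of `self.special_users` and dispatches to a different `_special_*` handler for each, so the other virtual members take a code path this test never reaches. I would add rows such as `u'KGroup': frozenset([u'Known', ])` and `u'TGroup': frozenset([u'Trusted', ])` to `groups`, with expectations for an anonymous and a logged-in user, assuming those names are in `special_users` (not visible in the hunk). Separately, `handler = getattr(self, "_special_" + special, None)` is still followed by an unconditional `allowed = handler(...)`, so a `special_users` entry without a matching handler raises `TypeError` instead of denying; guarding with `if handler is not None:` would fail closed. The enclosing method (presumably `may`, given the test's calls) starts and ends outside this hunk.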