svn commit: r304084 - in head: security/vuxml www/moinmoin www/moinmoin/files
Eygene Ryabinkin
rea at FreeBSD.org
Tue Sep 11 07:51:08 UTC 2012
Author: rea
Date: Tue Sep 11 07:51:07 2012
New Revision: 304084
URL: http://svn.freebsd.org/changeset/ports/304084
Log:
www/moinmoin: fix CVE-2012-4404, wrong processing of group ACLs
Using upstream patch from
http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16
PR: 171346
QA page: http://codelabs.ru/fbsd/ports/qa/www/moinmoin/1.9.4_1
Approved by: khsing.cn at gmail.com (maintainer)
Security: http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html
Added:
head/www/moinmoin/files/patch-cve-2012-4404 (contents, props changed)
Modified:
head/security/vuxml/vuln.xml
head/www/moinmoin/Makefile
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Sep 11 06:44:54 2012 (r304083)
+++ head/security/vuxml/vuln.xml Tue Sep 11 07:51:07 2012 (r304084)
@@ -157,7 +157,7 @@ Note: Please add new entries to the beg
<affects>
<package>
<name>moinmoin</name>
- <range><ge>1.9</ge><lt>1.9.5</lt></range>
+ <range><ge>1.9</ge><lt>1.9.4_1</lt></range>
</package>
</affects>
<description>
@@ -193,6 +193,7 @@ Note: Please add new entries to the beg
<dates>
<discovery>2012-09-03</discovery>
<entry>2012-09-05</entry>
+ <modified>2012-09-11</modified>
</dates>
</vuln>
Modified: head/www/moinmoin/Makefile
==============================================================================
--- head/www/moinmoin/Makefile Tue Sep 11 06:44:54 2012 (r304083)
+++ head/www/moinmoin/Makefile Tue Sep 11 07:51:07 2012 (r304084)
@@ -7,6 +7,7 @@
PORTNAME= moinmoin
PORTVERSION= 1.9.4
+PORTREVISION= 1
CATEGORIES= www python
MASTER_SITES= http://static.moinmo.in/files/
DISTNAME= moin-${PORTVERSION}
Added: head/www/moinmoin/files/patch-cve-2012-4404
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/www/moinmoin/files/patch-cve-2012-4404 Tue Sep 11 07:51:07 2012 (r304084)
@@ -0,0 +1,137 @@
+Obtained-from: http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16
+
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1346679035 -7200
+# Node ID 7b9f39289e16b37344480025f191d8b64480c834
+# Parent 0e58d9bcd3bd8ab3a89506d66bc0c8df85c16d2c
+security fix: fix virtual group bug in ACL evaluation, add a test for it
+
+affected moin releases: all 1.9 releases up to and including 1.9.4
+
+moin releases < 1.9 are NOT affected.
+
+You can find out the moin version by looking at SystemInfo page or at the
+output of <<SystemInfo>> macro.
+
+Issue description:
+
+We have code that checks whether a group has special members "All" or "Known"
+or "Trusted", but there was a bug that checked whether these are present in
+the group NAME (not, as intended, in the group MEMBERS).
+
+a) If you have group MEMBERS like "All" or "Known" or "Trusted", they did not
+work until now, but will start working with this changeset.
+
+E.g. SomeGroup:
+ * JoeDoe
+ * Trusted
+
+SomeGroup will now (correctly) include JoeDoe and also all trusted users.
+
+It (erroneously) contained only "JoeDoe" and "Trusted" (as a username, not
+as a virtual group) before.
+
+b) If you have group NAMES containing "All" or "Known" or "Trusted", they behaved
+wrong until now (they erroneously included All/Known/Trusted users even if
+you did not list them as members), but will start working correctly with this
+changeset.
+
+E.g. AllFriendsGroup:
+ * JoeDoe
+
+AllFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all users (including JoeDoe) before.
+
+E.g. MyTrustedFriendsGroup:
+ * JoeDoe
+
+MyTrustedFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all trusted users and JoeDoe before.
+
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/__init__.py
+--- MoinMoin/security/__init__.py Fri Aug 03 17:36:02 2012 +0200
++++ MoinMoin/security/__init__.py Mon Sep 03 15:30:35 2012 +0200
+@@ -320,11 +320,12 @@
+ handler = getattr(self, "_special_"+entry, None)
+ allowed = handler(request, name, dowhat, rightsdict)
+ elif entry in groups:
+- if name in groups[entry]:
++ this_group = groups[entry]
++ if name in this_group:
+ allowed = rightsdict.get(dowhat)
+ else:
+ for special in self.special_users:
+- if special in entry:
++ if special in this_group:
+ handler = getattr(self, "_special_" + special, None)
+ allowed = handler(request, name, dowhat, rightsdict)
+ break # order of self.special_users is important
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/_tests/test_security.py
+--- MoinMoin/security/_tests/test_security.py Fri Aug 03 17:36:02 2012 +0200
++++ MoinMoin/security/_tests/test_security.py Mon Sep 03 15:30:35 2012 +0200
+@@ -16,10 +16,11 @@
+ acliter = security.ACLStringIterator
+ AccessControlList = security.AccessControlList
+
++from MoinMoin.datastruct import ConfigGroups
+ from MoinMoin.PageEditor import PageEditor
+ from MoinMoin.user import User
+
+-from MoinMoin._tests import become_trusted, create_page, nuke_page
++from MoinMoin._tests import wikiconfig, become_trusted, create_page, nuke_page
+
+ class TestACLStringIterator(object):
+
+@@ -248,6 +249,50 @@
+ assert not acl.may(self.request, user, right)
+
+
++class TestGroupACL(object):
++
++ class Config(wikiconfig.Config):
++ def groups(self, request):
++ groups = {
++ u'PGroup': frozenset([u'Antony', u'Beatrice', ]),
++ u'AGroup': frozenset([u'All', ]),
++ # note: the next line is a INTENDED misnomer, there is "All" in
++ # the group NAME, but not in the group members. This makes
++ # sure that a bug that erroneously checked "in groupname" (instead
++ # of "in groupmembers") does not reappear.
++ u'AllGroup': frozenset([]), # note: intended misnomer
++ }
++ return ConfigGroups(request, groups)
++
++ def testApplyACLByGroup(self):
++ """ security: applying acl by group name"""
++ # This acl string...
++ acl_rights = [
++ "PGroup,AllGroup:read,write,admin "
++ "AGroup:read "
++ ]
++ acl = security.AccessControlList(self.request.cfg, acl_rights)
++
++ # Should apply these rights:
++ users = (
++ # user, rights
++ ('Antony', ('read', 'write', 'admin', )), # in PGroup
++ ('Beatrice', ('read', 'write', 'admin', )), # in PGroup
++ ('Charles', ('read', )), # virtually in AGroup
++ )
++
++ # Check rights
++ for user, may in users:
++ mayNot = [right for right in self.request.cfg.acl_rights_valid
++ if right not in may]
++ # User should have these rights...
++ for right in may:
++ assert acl.may(self.request, user, right)
++ # But NOT these:
++ for right in mayNot:
++ assert not acl.may(self.request, user, right)
++
++
+ class TestPageAcls(object):
+ """ security: real-life access control list on pages testing
+ """
+
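Review bot: The new TestGroupACL test exercises only the "All" virtual member (AGroup) and the "AllGroup" misnomer, while the fixed branch walks every entry of `self.special_users` and stops at the first hit (`break # order of self.special_users is important`), so a group whose members include "Known" or "Trusted", or more than one of the three, is still uncovered by this change. A second fixture such as `u'TGroup': frozenset([u'Trusted', ])` checked with a `become_trusted` user would exercise that path and the ordering the comment says matters. Separately, as rendered in this archive the leading whitespace of the Python hunks appears stripped; that is presumably a mailing-list artifact, but the committed patch-cve-2012-4404 should be confirmed to carry the original indentation, or it will not apply cleanly.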