Date: Tue, 11 Sep 2012 07:51:07 +0000 (UTC) From: Eygene Ryabinkin <rea@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r304084 - in head: security/vuxml www/moinmoin www/moinmoin/files Message-ID: <201209110751.q8B7p7Ae003814@svn.freebsd.org>
Author: rea
Date: Tue Sep 11 07:51:07 2012
New Revision: 304084
URL: http://svn.freebsd.org/changeset/ports/304084
Log:
www/moinmoin: fix CVE-2012-4404, wrong processing of group ACLs
Using upstream patch from http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16
PR: 171346
QA page: http://codelabs.ru/fbsd/ports/qa/www/moinmoin/1.9.4_1
Approved by: khsing.cn@gmail.com (maintainer)
Security: http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html
Added:
head/www/moinmoin/files/patch-cve-2012-4404 (contents, props changed)
Modified:
head/security/vuxml/vuln.xml
head/www/moinmoin/Makefile
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Sep 11 06:44:54 2012 (r304083)
+++ head/security/vuxml/vuln.xml Tue Sep 11 07:51:07 2012 (r304084)
@@ -157,7 +157,7 @@ Note: Please add new entries to the beg
 <affects>
 <package>
 <name>moinmoin</name>
- <range><ge>1.9</ge><lt>1.9.5</lt></range>
+ <range><ge>1.9</ge><lt>1.9.4_1</lt></range>
 </package>
 </affects>
 <description>
@@ -193,6 +193,7 @@ Note: Please add new entries to the beg
 <dates>
 <discovery>2012-09-03</discovery>
 <entry>2012-09-05</entry>
+ <modified>2012-09-11</modified>
 </dates>
 </vuln>
Modified: head/www/moinmoin/Makefile
==============================================================================
--- head/www/moinmoin/Makefile Tue Sep 11 06:44:54 2012 (r304083)
+++ head/www/moinmoin/Makefile Tue Sep 11 07:51:07 2012 (r304084)
@@ -7,6 +7,7 @@
 PORTNAME= moinmoin
 PORTVERSION= 1.9.4
+PORTREVISION= 1
 CATEGORIES= www python
 MASTER_SITES= http://static.moinmo.in/files/
 DISTNAME= moin-${PORTVERSION}
Added: head/www/moinmoin/files/patch-cve-2012-4404
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/www/moinmoin/files/patch-cve-2012-4404 Tue Sep 11 07:51:07 2012 (r304084)
@@ -0,0 +1,137 @@
+Obtained-from: http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16
+
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1346679035 -7200
+# Node ID 7b9f39289e16b37344480025f191d8b64480c834
+# Parent 0e58d9bcd3bd8ab3a89506d66bc0c8df85c16d2c
+security fix: fix virtual group bug in ACL evaluation, add a test for it
+
+affected moin releases: all 1.9 releases up to and including 1.9.4
+
+moin releases < 1.9 are NOT affected.
+
+You can find out the moin version by looking at SystemInfo page or at the
+output of <<SystemInfo>> macro.
+
+Issue description:
+
+We have code that checks whether a group has special members "All" or "Known"
+or "Trusted", but there was a bug that checked whether these are present in
+the group NAME (not, as intended, in the group MEMBERS).
+
+a) If you have group MEMBERS like "All" or "Known" or "Trusted", they did not
+work until now, but will start working with this changeset.
+
+E.g. SomeGroup:
+ * JoeDoe
+ * Trusted
+
+SomeGroup will now (correctly) include JoeDoe and also all trusted users.
+
+It (erroneously) contained only "JoeDoe" and "Trusted" (as a username, not
+as a virtual group) before.
+
+b) If you have group NAMES containing "All" or "Known" or "Trusted", they behaved
+wrong until now (they erroneously included All/Known/Trusted users even if
+you did not list them as members), but will start working correctly with this
+changeset.
+
+E.g. AllFriendsGroup:
+ * JoeDoe
+
+AllFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all users (including JoeDoe) before.
+
+E.g. MyTrustedFriendsGroup:
+ * JoeDoe
+
+MyTrustedFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all trusted users and JoeDoe before.
+
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/__init__.py
+--- MoinMoin/security/__init__.py Fri Aug 03 17:36:02 2012 +0200
++++ MoinMoin/security/__init__.py Mon Sep 03 15:30:35 2012 +0200
+@@ -320,11 +320,12 @@
+ handler = getattr(self, "_special_"+entry, None)
+ allowed = handler(request, name, dowhat, rightsdict)
+ elif entry in groups:
+- if name in groups[entry]:
++ this_group = groups[entry]
++ if name in this_group:
+ allowed = rightsdict.get(dowhat)
+ else:
+ for special in self.special_users:
+- if special in entry:
++ if special in this_group:
+ handler = getattr(self, "_special_" + special, None)
+ allowed = handler(request, name, dowhat, rightsdict)
+ break # order of self.special_users is important
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/_tests/test_security.py
+--- MoinMoin/security/_tests/test_security.py Fri Aug 03 17:36:02 2012 +0200
++++ MoinMoin/security/_tests/test_security.py Mon Sep 03 15:30:35 2012 +0200
+@@ -16,10 +16,11 @@
+ acliter = security.ACLStringIterator
+ AccessControlList = security.AccessControlList
+ 
++from MoinMoin.datastruct import ConfigGroups
+ from MoinMoin.PageEditor import PageEditor
+ from MoinMoin.user import User
+ 
+-from MoinMoin._tests import become_trusted, create_page, nuke_page
++from MoinMoin._tests import wikiconfig, become_trusted, create_page, nuke_page
+ 
+ class TestACLStringIterator(object):
+ 
+@@ -248,6 +249,50 @@
+ assert not acl.may(self.request, user, right)
+ 
+ 
++class TestGroupACL(object):
++
++ class Config(wikiconfig.Config):
++ def groups(self, request):
++ groups = {
++ u'PGroup': frozenset([u'Antony', u'Beatrice', ]),
++ u'AGroup': frozenset([u'All', ]),
++ # note: the next line is a INTENDED misnomer, there is "All" in
++ # the group NAME, but not in the group members. This makes
++ # sure that a bug that erroneously checked "in groupname" (instead
++ # of "in groupmembers") does not reappear.
++ u'AllGroup': frozenset([]), # note: intended misnomer
++ }
++ return ConfigGroups(request, groups)
++
++ def testApplyACLByGroup(self):
++ """ security: applying acl by group name"""
++ # This acl string...
++ acl_rights = [
++ "PGroup,AllGroup:read,write,admin "
++ "AGroup:read "
++ ]
++ acl = security.AccessControlList(self.request.cfg, acl_rights)
++
++ # Should apply these rights:
++ users = (
++ # user, rights
++ ('Antony', ('read', 'write', 'admin', )), # in PGroup
++ ('Beatrice', ('read', 'write', 'admin', )), # in PGroup
++ ('Charles', ('read', )), # virtually in AGroup
++ )
++
++ # Check rights
++ for user, may in users:
++ mayNot = [right for right in self.request.cfg.acl_rights_valid
++ if right not in may]
++ # User should have these rights...
++ for right in may:
++ assert acl.may(self.request, user, right)
++ # But NOT these:
++ for right in mayNot:
++ assert not acl.may(self.request, user, right)
++
++
+ class TestPageAcls(object):
+ """ security: real-life access control list on pages testing
+ """
+ 
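Review bot: The new `testApplyACLByGroup` in the embedded test_security.py hunk only pins the `All` case (the `AGroup` member versus the misnamed `AllGroup`), so a regression in the `if special in this_group:` branch for `Known` or `Trusted`, or in the `break # order of self.special_users is important` ordering when a group lists more than one special member, would still pass this test. Since `become_trusted` is already imported by the test module, one additional group such as `u'TGroup': frozenset([u'Trusted', ])` with an ACL entry `"TGroup:write "` and an assertion that a user made trusted via `become_trusted` may write while `Charles` may not would cover the path this fix actually enables. The ACL evaluation method patched at `@@ -320,11 +320,12 @@` in MoinMoin/security/__init__.py is shown only as a fragment, so whether `handler` can be None after the `getattr(self, "_special_" + special, None)` lookup on the new branch cannot be judged from this hunk.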