Date:      Tue, 11 Sep 2012 07:51:07 +0000 (UTC)
From:      Eygene Ryabinkin <rea@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r304084 - in head: security/vuxml www/moinmoin www/moinmoin/files
Message-ID:  <201209110751.q8B7p7Ae003814@svn.freebsd.org>

Author: rea
Date: Tue Sep 11 07:51:07 2012
New Revision: 304084
URL: http://svn.freebsd.org/changeset/ports/304084

Log:
  www/moinmoin: fix CVE-2012-4404, wrong processing of group ACLs
  
  Using upstream patch from
    http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16
  
  PR:		171346
  QA page:	http://codelabs.ru/fbsd/ports/qa/www/moinmoin/1.9.4_1
  Approved by:	khsing.cn@gmail.com (maintainer)
  Security:	http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html

Added:
  head/www/moinmoin/files/patch-cve-2012-4404   (contents, props changed)
Modified:
  head/security/vuxml/vuln.xml
  head/www/moinmoin/Makefile

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Sep 11 06:44:54 2012	(r304083)
+++ head/security/vuxml/vuln.xml	Tue Sep 11 07:51:07 2012	(r304084)
@@ -157,7 +157,7 @@ Note:  Please add new entries to the beg
     <affects>
       <package>
 	<name>moinmoin</name>
-	<range><ge>1.9</ge><lt>1.9.5</lt></range>
+	<range><ge>1.9</ge><lt>1.9.4_1</lt></range>
       </package>
     </affects>
     <description>
@@ -193,6 +193,7 @@ Note:  Please add new entries to the beg
     <dates>
       <discovery>2012-09-03</discovery>
       <entry>2012-09-05</entry>
+      <modified>2012-09-11</modified>
     </dates>
   </vuln>
 

Modified: head/www/moinmoin/Makefile
==============================================================================
--- head/www/moinmoin/Makefile	Tue Sep 11 06:44:54 2012	(r304083)
+++ head/www/moinmoin/Makefile	Tue Sep 11 07:51:07 2012	(r304084)
@@ -7,6 +7,7 @@
 
 PORTNAME=	moinmoin
 PORTVERSION=	1.9.4
+PORTREVISION=	1
 CATEGORIES=	www python
 MASTER_SITES=	http://static.moinmo.in/files/
 DISTNAME=	moin-${PORTVERSION}

Added: head/www/moinmoin/files/patch-cve-2012-4404
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/www/moinmoin/files/patch-cve-2012-4404	Tue Sep 11 07:51:07 2012	(r304084)
@@ -0,0 +1,137 @@
+Obtained-from: http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16
+
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1346679035 -7200
+# Node ID 7b9f39289e16b37344480025f191d8b64480c834
+# Parent  0e58d9bcd3bd8ab3a89506d66bc0c8df85c16d2c
+security fix: fix virtual group bug in ACL evaluation, add a test for it
+
+affected moin releases: all 1.9 releases up to and including 1.9.4
+
+moin releases < 1.9 are NOT affected.
+
+You can find out the moin version by looking at SystemInfo page or at the
+output of <<SystemInfo>> macro.
+
+Issue description:
+
+We have code that checks whether a group has special members "All" or "Known"
+or "Trusted", but there was a bug that checked whether these are present in
+the group NAME (not, as intended, in the group MEMBERS).
+
+a) If you have group MEMBERS like "All" or "Known" or "Trusted", they did not
+work until now, but will start working with this changeset.
+
+E.g. SomeGroup:
+ * JoeDoe
+ * Trusted
+
+SomeGroup will now (correctly) include JoeDoe and also all trusted users.
+
+It (erroneously) contained only "JoeDoe" and "Trusted" (as a username, not
+as a virtual group) before.
+
+b) If you have group NAMES containing "All" or "Known" or "Trusted", they behaved
+wrong until now (they erroneously included All/Known/Trusted users even if
+you did not list them as members), but will start working correctly with this
+changeset.
+
+E.g. AllFriendsGroup:
+ * JoeDoe
+
+AllFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all users (including JoeDoe) before.
+
+E.g. MyTrustedFriendsGroup:
+ * JoeDoe
+
+MyTrustedFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all trusted users and JoeDoe before.
+
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/__init__.py
+--- MoinMoin/security/__init__.py	Fri Aug 03 17:36:02 2012 +0200
++++ MoinMoin/security/__init__.py	Mon Sep 03 15:30:35 2012 +0200
+@@ -320,11 +320,12 @@
+                 handler = getattr(self, "_special_"+entry, None)
+                 allowed = handler(request, name, dowhat, rightsdict)
+             elif entry in groups:
+-                if name in groups[entry]:
++                this_group = groups[entry]
++                if name in this_group:
+                     allowed = rightsdict.get(dowhat)
+                 else:
+                     for special in self.special_users:
+-                        if special in entry:
++                        if special in this_group:
+                             handler = getattr(self, "_special_" + special, None)
+                             allowed = handler(request, name, dowhat, rightsdict)
+                             break # order of self.special_users is important
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/_tests/test_security.py
+--- MoinMoin/security/_tests/test_security.py	Fri Aug 03 17:36:02 2012 +0200
++++ MoinMoin/security/_tests/test_security.py	Mon Sep 03 15:30:35 2012 +0200
+@@ -16,10 +16,11 @@
+ acliter = security.ACLStringIterator
+ AccessControlList = security.AccessControlList
+ 
++from MoinMoin.datastruct import ConfigGroups
+ from MoinMoin.PageEditor import PageEditor
+ from MoinMoin.user import User
+ 
+-from MoinMoin._tests import become_trusted, create_page, nuke_page
++from MoinMoin._tests import wikiconfig, become_trusted, create_page, nuke_page
+ 
+ class TestACLStringIterator(object):
+ 
+@@ -248,6 +249,50 @@
+                 assert not acl.may(self.request, user, right)
+ 
+ 
++class TestGroupACL(object):
++
++    class Config(wikiconfig.Config):
++        def groups(self, request):
++            groups = {
++                u'PGroup': frozenset([u'Antony', u'Beatrice', ]),
++                u'AGroup': frozenset([u'All', ]),
++                # note: the next line is a INTENDED misnomer, there is "All" in
++                # the group NAME, but not in the group members. This makes
++                # sure that a bug that erroneously checked "in groupname" (instead
++                # of "in groupmembers") does not reappear.
++                u'AllGroup': frozenset([]), # note: intended misnomer
++            }
++            return ConfigGroups(request, groups)
++
++    def testApplyACLByGroup(self):
++        """ security: applying acl by group name"""
++        # This acl string...
++        acl_rights = [
++            "PGroup,AllGroup:read,write,admin "
++            "AGroup:read "
++            ]
++        acl = security.AccessControlList(self.request.cfg, acl_rights)
++
++        # Should apply these rights:
++        users = (
++            # user, rights
++            ('Antony', ('read', 'write', 'admin', )),  # in PGroup
++            ('Beatrice', ('read', 'write', 'admin', )),  # in PGroup
++            ('Charles', ('read', )),  # virtually in AGroup
++            )
++
++        # Check rights
++        for user, may in users:
++            mayNot = [right for right in self.request.cfg.acl_rights_valid
++                      if right not in may]
++            # User should have these rights...
++            for right in may:
++                assert acl.may(self.request, user, right)
++            # But NOT these:
++            for right in mayNot:
++                assert not acl.may(self.request, user, right)
++
++
+ class TestPageAcls(object):
+     """ security: real-life access control list on pages testing
+     """
+
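Review bot: The added `TestGroupACL.testApplyACLByGroup` exercises only the `All` special member (`AGroup`) and the group-name misnomer (`AllGroup`); the `Known` and `Trusted` branches of the corrected `for special in self.special_users` loop, and the ordering that `break # order of self.special_users is important` relies on, are left untested. A group such as `u'TGroup': frozenset([u'Trusted', ])` with a matching ACL entry and one assertion for a trusted user and one for an untrusted user would pin that part of the fix; the test module already imports `become_trusted`, which looks like the intended helper, though how `_special_Trusted` decides trust is not visible in this hunk. The `this_group = groups[entry]` / `if special in this_group:` change itself reads correctly: the special-member check now runs against the member set instead of the group name string, which is exactly the CVE-2012-4404 defect described in the header. The enclosing ACL-evaluation method in MoinMoin/security/__init__.py starts and ends outside the hunk, so whether `handler` can be None for an entry in `special_users` cannot be judged here.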


