From rea@codelabs.ru  Wed Sep  5 14:00:31 2012
Return-Path: <rea@codelabs.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 479C01065677
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  5 Sep 2012 14:00:31 +0000 (UTC)
	(envelope-from rea@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.6.71])
	by mx1.freebsd.org (Postfix) with ESMTP id EB30E8FC15
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  5 Sep 2012 14:00:30 +0000 (UTC)
Received: from void.codelabs.ru (void.codelabs.ru [144.206.6.66])
	by 0.mx.codelabs.ru with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	id 1T9G9d-000PrW-3m for FreeBSD-gnats-submit@freebsd.org; Wed, 05 Sep 2012 18:00:30 +0400
Message-Id: <20120905140028.951FEDA81F@void.codelabs.ru>
Date: Wed,  5 Sep 2012 18:00:28 +0400 (MSK)
From: Eygene Ryabinkin <rea@freebsd.org>
Reply-To: Eygene Ryabinkin <rea@freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [vuln][patch] www/moinmoin: fix CVE-2012-4404
X-Send-Pr-Version: 3.113
X-GNATS-Notify: khsing.cn@gmail.com

>Number:         171346
>Category:       ports
>Synopsis:       [patch] www/moinmoin: fix CVE-2012-4404
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    rea
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 05 14:10:02 UTC 2012
>Closed-Date:    Tue Sep 11 08:21:08 UTC 2012
>Last-Modified:  Tue Sep 11 08:21:08 UTC 2012
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 10.0-CURRENT amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 10.0-CURRENT amd64

>Description:

A vulnerability affecting MoinMoin 1.9 up to (and including) 1.9.4 was
recently found and fixed:
  http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html
  http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16

>How-To-Repeat:

Look at the above URLs.  Try to create a group with the string "All" in
its name, restrict a page's access rights like
{{{
#acl AllGoodPersonsGroup:read all:
}}}
and visit the page as a user who isn't in the AllGoodPersonsGroup.  The
page should be visible to that user.

>Fix:

The patch at
  http://codelabs.ru/fbsd/ports/moinmoin/1.9.4-fix-cve-2012-4404.diff
applies the upstream fix.  I have tested it on my Tinderbox and MoinMoin instance:
the vulnerability was gone.  QA page:
  http://codelabs.ru/fbsd/ports/qa/www/moinmoin/1.9.4_1

If this fix or an update to 1.9.5 is committed, one should use
{{{
Security: http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html
}}}
in the commit message.
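An added example (not the port's or MoinMoin's own code) that models the ACL group lookup from the upstream hunk in Python, switchable between the buggy substring check on the group name and the fixed membership check, and replays both the AllGoodPersonsGroup misnomer from the steps above and the "Trusted"-as-member case from the upstream changelog. The ACL parser, the user dictionaries and the special-user handler bodies are simplified assumptions.

```python
# Added example (not MoinMoin's code): a reduced model of the 1.9 ACL lookup in
# MoinMoin/security/__init__.py, switchable between the buggy substring test on
# the group NAME and the fixed membership test on the group MEMBERS (assumed).

SPECIAL_USERS = ("All", "Known", "Trusted")  # order matters: first hit wins
RIGHTS = ("read", "write", "delete", "revert", "admin")

def parse_acl(acl_string):
    """'AllGoodPersonsGroup:read All:' -> [(entry, rightsdict)]; every valid
    right defaults to False for each entry, as in MoinMoin's ACL parser."""
    acl = []
    for item in acl_string.split():
        entries, _, rights = item.partition(":")
        granted = {r for r in rights.split(",") if r}
        for entry in entries.split(","):
            acl.append((entry, {r: r in granted for r in RIGHTS}))
    return acl

def _special(special, user, dowhat, rightsdict):
    """Stand-in for _special_All/_Known/_Trusted: decision if matched, else None."""
    matched = {"All": True, "Known": user["known"],
               "Trusted": user["trusted"]}[special]
    return rightsdict.get(dowhat) if matched else None

def may(acl, groups, user, dowhat, fixed):
    """First ACL entry that reaches a decision wins; undecided means denied."""
    name, allowed = user["name"], None
    for entry, rightsdict in acl:
        if entry in SPECIAL_USERS:
            allowed = _special(entry, user, dowhat, rightsdict)
        elif entry in groups:
            this_group = groups[entry]
            if name in this_group:
                allowed = rightsdict.get(dowhat)
            else:
                for special in SPECIAL_USERS:
                    # CVE-2012-4404: buggy code tested the special name as a
                    # SUBSTRING of the group name; the fix tests MEMBERSHIP.
                    hit = special in this_group if fixed else special in entry
                    if hit:
                        allowed = _special(special, user, dowhat, rightsdict)
                        break
        elif entry == name:
            allowed = rightsdict.get(dowhat)
        if allowed is not None:
            break
    return bool(allowed)

def misnomer_case(fixed):
    """PR scenario (constructed users): returns (alice_may_read, mallory_may_read)."""
    groups = {"AllGoodPersonsGroup": frozenset(["Alice"])}
    acl = parse_acl("AllGoodPersonsGroup:read All:")
    alice = {"name": "Alice", "known": True, "trusted": True}
    mallory = {"name": "Mallory", "known": True, "trusted": False}
    return (may(acl, groups, alice, "read", fixed),
            may(acl, groups, mallory, "read", fixed))

def trusted_member_case(fixed):
    """Changelog case (a): a group listing 'Trusted' as a member admits trusted
    users once fixed; the buggy code treated 'Trusted' as a plain username."""
    groups = {"Staff": frozenset(["Bob", "Trusted"])}
    acl = parse_acl("Staff:read,write All:")
    carol = {"name": "Carol", "known": True, "trusted": True}
    return may(acl, groups, carol, "write", fixed)
```

With `fixed=False` the outsider Mallory can read the restricted page; with `fixed=True` only the listed member can, and a group that lists "Trusted" as a member starts admitting trusted users.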
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->rea 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Wed Sep 5 14:10:14 UTC 2012 
Responsible-Changed-Why:  
Submitter has GNATS access (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171346 
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Wed Sep 5 14:10:23 UTC 2012 
State-Changed-Why:  
Awaiting maintainers feedback (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171346 

From: Edwin Groothuis <edwin@FreeBSD.org>
To: khsing.cn@gmail.com
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/171346: [vuln][patch] www/moinmoin: fix CVE-2012-4404
Date: Wed, 5 Sep 2012 14:10:19 UT

 Maintainer of www/moinmoin,
 
 Please note that PR ports/171346 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/171346
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org

From: khsing <khsing.cn@gmail.com>
To: bug-followup@freebsd.org, rea@freebsd.org
Cc:  
Subject: Re: ports/171346: [vuln][patch] www/moinmoin: fix CVE-2012-4404
Date: Mon, 10 Sep 2012 23:59:06 +0800

 --14dae934068dcc3d3e04c95b0a08
 Content-Type: text/plain; charset=UTF-8
 
 Approved
 
 --14dae934068dcc3d3e04c95b0a08
 Content-Type: application/octet-stream; name="cve-2012-4404.patch"
 Content-Disposition: attachment; filename="cve-2012-4404.patch"
 Content-Transfer-Encoding: base64
 X-Attachment-Id: f_h6xra4kp0
 
 --14dae934068dcc3d3e04c95b0a08--

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/171346: commit references a PR
Date: Tue, 11 Sep 2012 07:51:22 +0000 (UTC)

 Author: rea
 Date: Tue Sep 11 07:51:07 2012
 New Revision: 304084
 URL: http://svn.freebsd.org/changeset/ports/304084
 
 Log:
   www/moinmoin: fix CVE-2012-4404, wrong processing of group ACLs
   
   Using upstream patch from
     http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16
   
   PR:		171346
   QA page:	http://codelabs.ru/fbsd/ports/qa/www/moinmoin/1.9.4_1
   Approved by:	khsing.cn@gmail.com (maintainer)
   Security:	http://www.vuxml.org/freebsd/4f99e2ef-f725-11e1-8bd8-0022156e8794.html
 
 Added:
   head/www/moinmoin/files/patch-cve-2012-4404   (contents, props changed)
 Modified:
   head/security/vuxml/vuln.xml
   head/www/moinmoin/Makefile
 
 Modified: head/security/vuxml/vuln.xml
 ==============================================================================
 --- head/security/vuxml/vuln.xml	Tue Sep 11 06:44:54 2012	(r304083)
 +++ head/security/vuxml/vuln.xml	Tue Sep 11 07:51:07 2012	(r304084)
 @@ -157,7 +157,7 @@ Note:  Please add new entries to the beg
      <affects>
        <package>
  	<name>moinmoin</name>
 -	<range><ge>1.9</ge><lt>1.9.5</lt></range>
 +	<range><ge>1.9</ge><lt>1.9.4_1</lt></range>
        </package>
      </affects>
      <description>
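Review bot: the narrowed upper bound `<lt>1.9.4_1</lt>` is only correct together with a `PORTREVISION=1` bump in the same commit; the previous `<lt>1.9.5</lt>` would have left the patched 1.9.4_1 package flagged as vulnerable. Since 1.9.5 sorts above 1.9.4_1, the upstream fixed release stays outside the affected range with this change.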
 @@ -193,6 +193,7 @@ Note:  Please add new entries to the beg
      <dates>
        <discovery>2012-09-03</discovery>
        <entry>2012-09-05</entry>
 +      <modified>2012-09-11</modified>
      </dates>
    </vuln>
  
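Review bot: adding `<modified>2012-09-11</modified>` is the right accompaniment to the range change above and matches the commit date; nothing further needed here.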
 
 Modified: head/www/moinmoin/Makefile
 ==============================================================================
 --- head/www/moinmoin/Makefile	Tue Sep 11 06:44:54 2012	(r304083)
 +++ head/www/moinmoin/Makefile	Tue Sep 11 07:51:07 2012	(r304084)
 @@ -7,6 +7,7 @@
  
  PORTNAME=	moinmoin
  PORTVERSION=	1.9.4
 +PORTREVISION=	1
  CATEGORIES=	www python
  MASTER_SITES=	http://static.moinmo.in/files/
  DISTNAME=	moin-${PORTVERSION}
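Review bot: `PORTREVISION=1` is required here because the installed files change without a PORTVERSION change, and it must stay in sync with the `<lt>1.9.4_1</lt>` bound in vuln.xml; when the port is later updated to 1.9.5, drop PORTREVISION rather than bumping it, as 1.9.5 already falls outside the affected range.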
 
 Added: head/www/moinmoin/files/patch-cve-2012-4404
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/www/moinmoin/files/patch-cve-2012-4404	Tue Sep 11 07:51:07 2012	(r304084)
 @@ -0,0 +1,137 @@
 +Obtained-from: http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16
 +
 +# HG changeset patch
 +# User Thomas Waldmann <tw AT waldmann-edv DOT de>
 +# Date 1346679035 -7200
 +# Node ID 7b9f39289e16b37344480025f191d8b64480c834
 +# Parent  0e58d9bcd3bd8ab3a89506d66bc0c8df85c16d2c
 +security fix: fix virtual group bug in ACL evaluation, add a test for it
 +
 +affected moin releases: all 1.9 releases up to and including 1.9.4
 +
 +moin releases < 1.9 are NOT affected.
 +
 +You can find out the moin version by looking at SystemInfo page or at the
 +output of <<SystemInfo>> macro.
 +
 +Issue description:
 +
 +We have code that checks whether a group has special members "All" or "Known"
 +or "Trusted", but there was a bug that checked whether these are present in
 +the group NAME (not, as intended, in the group MEMBERS).
 +
 +a) If you have group MEMBERS like "All" or "Known" or "Trusted", they did not
 +work until now, but will start working with this changeset.
 +
 +E.g. SomeGroup:
 + * JoeDoe
 + * Trusted
 +
 +SomeGroup will now (correctly) include JoeDoe and also all trusted users.
 +
 +It (erroneously) contained only "JoeDoe" and "Trusted" (as a username, not
 +as a virtual group) before.
 +
 +b) If you have group NAMES containing "All" or "Known" or "Trusted", they behaved
 +wrong until now (they erroneously included All/Known/Trusted users even if
 +you did not list them as members), but will start working correctly with this
 +changeset.
 +
 +E.g. AllFriendsGroup:
 + * JoeDoe
 +
 +AllFriendsGroup will now (correctly) include only JoeDoe.
 +It (erroneously) contained all users (including JoeDoe) before.
 +
 +E.g. MyTrustedFriendsGroup:
 + * JoeDoe
 +
 +MyTrustedFriendsGroup will now (correctly) include only JoeDoe.
 +It (erroneously) contained all trusted users and JoeDoe before.
 +
 +diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/__init__.py
 +--- MoinMoin/security/__init__.py	Fri Aug 03 17:36:02 2012 +0200
 ++++ MoinMoin/security/__init__.py	Mon Sep 03 15:30:35 2012 +0200
 +@@ -320,11 +320,12 @@
 +                 handler = getattr(self, "_special_"+entry, None)
 +                 allowed = handler(request, name, dowhat, rightsdict)
 +             elif entry in groups:
 +-                if name in groups[entry]:
 ++                this_group = groups[entry]
 ++                if name in this_group:
 +                     allowed = rightsdict.get(dowhat)
 +                 else:
 +                     for special in self.special_users:
 +-                        if special in entry:
 ++                        if special in this_group:
 +                             handler = getattr(self, "_special_" + special, None)
 +                             allowed = handler(request, name, dowhat, rightsdict)
 +                             break # order of self.special_users is important
 +diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/_tests/test_security.py
 +--- MoinMoin/security/_tests/test_security.py	Fri Aug 03 17:36:02 2012 +0200
 ++++ MoinMoin/security/_tests/test_security.py	Mon Sep 03 15:30:35 2012 +0200
 +@@ -16,10 +16,11 @@
 + acliter = security.ACLStringIterator
 + AccessControlList = security.AccessControlList
 + 
 ++from MoinMoin.datastruct import ConfigGroups
 + from MoinMoin.PageEditor import PageEditor
 + from MoinMoin.user import User
 + 
 +-from MoinMoin._tests import become_trusted, create_page, nuke_page
 ++from MoinMoin._tests import wikiconfig, become_trusted, create_page, nuke_page
 + 
 + class TestACLStringIterator(object):
 + 
 +@@ -248,6 +249,50 @@
 +                 assert not acl.may(self.request, user, right)
 + 
 + 
 ++class TestGroupACL(object):
 ++
 ++    class Config(wikiconfig.Config):
 ++        def groups(self, request):
 ++            groups = {
 ++                u'PGroup': frozenset([u'Antony', u'Beatrice', ]),
 ++                u'AGroup': frozenset([u'All', ]),
 ++                # note: the next line is a INTENDED misnomer, there is "All" in
 ++                # the group NAME, but not in the group members. This makes
 ++                # sure that a bug that erroneously checked "in groupname" (instead
 ++                # of "in groupmembers") does not reappear.
 ++                u'AllGroup': frozenset([]), # note: intended misnomer
 ++            }
 ++            return ConfigGroups(request, groups)
 ++
 ++    def testApplyACLByGroup(self):
 ++        """ security: applying acl by group name"""
 ++        # This acl string...
 ++        acl_rights = [
 ++            "PGroup,AllGroup:read,write,admin "
 ++            "AGroup:read "
 ++            ]
 ++        acl = security.AccessControlList(self.request.cfg, acl_rights)
 ++
 ++        # Should apply these rights:
 ++        users = (
 ++            # user, rights
 ++            ('Antony', ('read', 'write', 'admin', )),  # in PGroup
 ++            ('Beatrice', ('read', 'write', 'admin', )),  # in PGroup
 ++            ('Charles', ('read', )),  # virtually in AGroup
 ++            )
 ++
 ++        # Check rights
 ++        for user, may in users:
 ++            mayNot = [right for right in self.request.cfg.acl_rights_valid
 ++                      if right not in may]
 ++            # User should have these rights...
 ++            for right in may:
 ++                assert acl.may(self.request, user, right)
 ++            # But NOT these:
 ++            for right in mayNot:
 ++                assert not acl.may(self.request, user, right)
 ++
 ++
 + class TestPageAcls(object):
 +     """ security: real-life access control list on pages testing
 +     """
 +
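Review bot: test coverage in the embedded upstream changeset is narrower than its description: `testApplyACLByGroup` exercises only the `All` virtual group (`AGroup` with `All` as a member, `AllGroup` as the name-only misnomer), while the `Known` and `Trusted` members that the changelog says now work, and name collisions such as `MyTrustedFriendsGroup`, have no test. Worth a follow-up test or a note in the port's patch header, since `Obtained-from:` is the only local documentation. Also note that the fixed loop still resolves a group containing more than one special member to the first one in `self.special_users` order (`break # order of self.special_users is important`), so `All` wins over `Known` and `Trusted` whenever it is present.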
 _______________________________________________
 svn-ports-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-ports-all
 To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: feedback->closed 
State-Changed-By: rea 
State-Changed-When: Tue Sep 11 08:20:38 UTC 2012 
State-Changed-Why:  
Committed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171346 
>Unformatted:
