Debian Bug report logs - #575995
XSS in Despam action (CVE-2010-0828)

version graph

Package: moin; Maintainer for moin is Steve McIntyre <93sam@debian.org>;

Reported by: Frank Lin PIAT <fpiat@klabs.be>

Date: Wed, 31 Mar 2010 07:18:02 UTC

Severity: normal

Found in versions 1.7.1-2, 1.5.3-1.2, 1.5.3-1.2etch2, 1.7.1-3+lenny3

Fixed in versions 1.7.1-3+lenny4, moin/1.9.2-3

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#575995; Package moin. (Wed, 31 Mar 2010 07:18:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Frank Lin PIAT <fpiat@klabs.be>:
New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>.

Your message specified a Severity: in the pseudo-header, but the severity value security was not recognised. The default severity normal is being used instead. The recognised values are: critical, grave, serious, important, normal, minor, wishlist, fixed.

(Wed, 31 Mar 2010 07:18:05 GMT) Full text and rfc822 format available.


Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Frank Lin PIAT <fpiat@klabs.be>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: XSS in Despam action (CVE-2010-0828)
Date: Wed, 31 Mar 2010 09:10:40 +0200
Package: moin
Version: 1.5.3-1.2etch2
Severity: security

Hello,

There is a XSS in moinmoin "Despam" action (see [1] and
CVE-2010-0828[2]). Note that Despam action is only accessible to
superusers, not by regular users.

Franklin


[1] http://moinmo.in/SecurityFixes
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0828





Bug Marked as found in versions 1.5.3-1.2. Request was from Frank Lin PIAT <fpiat@klabs.be> to control@bugs.debian.org. (Wed, 31 Mar 2010 07:42:12 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 1.7.1-2. Request was from Frank Lin PIAT <fpiat@klabs.be> to control@bugs.debian.org. (Wed, 31 Mar 2010 07:42:13 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 1.7.1-3+lenny3. Request was from Frank Lin PIAT <fpiat@klabs.be> to control@bugs.debian.org. (Wed, 31 Mar 2010 07:42:14 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#575995; Package moin. (Wed, 31 Mar 2010 08:18:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Frank Lin PIAT <fpiat@klabs.be>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Wed, 31 Mar 2010 08:18:05 GMT) Full text and rfc822 format available.

Message #16 received at 575995@bugs.debian.org (full text, mbox):

From: Frank Lin PIAT <fpiat@klabs.be>
To: 575995@bugs.debian.org
Cc: Moin maintainers <moin@packages.debian.org>
Subject: Re: Bug#575995: XSS in Despam action (CVE-2010-0828)
Date: Wed, 31 Mar 2010 10:13:50 +0200
[Message part 1 (text/plain, inline)]
Hi,

Here's a patch for Debian Lenny (Unmodified from upstream[1])
I have made a quick test, and it seems ok.

Jonas, can you upload it?

thanks

On Wed, 2010-03-31 at 09:10 +0200, Frank Lin PIAT wrote:
> Package: moin
> Version: 1.5.3-1.2etch2

Unstable and testing need a patch too. but I can't work on it before
tonight.

> There is a XSS in moinmoin "Despam" action (see [1] and
> CVE-2010-0828[2]). Note that Despam action is only accessible to
> superusers, not by regular users.


[1] http://hg.moinmo.in/moin/1.7/rev/6e603e5411ca
    http://moinmo.in/SecurityFixes


[bug575995--cve-2010-828.patch (text/plain, attachment)]

Bug Marked as fixed in versions 1.7.1-3+lenny4. Request was from Giuseppe Iuculano <iuculano@debian.org> to control@bugs.debian.org. (Wed, 31 Mar 2010 08:51:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#575995; Package moin. (Wed, 31 Mar 2010 22:48:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Frank Lin PIAT <fpiat@klabs.be>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Wed, 31 Mar 2010 22:48:07 GMT) Full text and rfc822 format available.

Message #23 received at 575995@bugs.debian.org (full text, mbox):

From: Frank Lin PIAT <fpiat@klabs.be>
To: 575995@bugs.debian.org, Giuseppe Iuculano <iuculano@debian.org>
Cc: Moin maintainers <moin@packages.debian.org>
Subject: Re: Bug#575995: XSS in Despam action (CVE-2010-0828)
Date: Thu, 01 Apr 2010 00:42:20 +0200
[Message part 1 (text/plain, inline)]
On Wed, 2010-03-31 at 10:13 +0200, Frank Lin PIAT wrote:
> On Wed, 2010-03-31 at 09:10 +0200, Frank Lin PIAT wrote:
> > Package: moin
> > Version: 1.5.3-1.2etch2
> 
> Unstable and testing need a patch too. but I can't work on it before
> tonight.

Here's a patch for Debian Unstable (Unmodified from upstream[1])
I have made a quick test, and it seems ok.

Giuseppe, can you review & upload it since Jonas seems busy?

> > There is a XSS in moinmoin "Despam" action (see [1] and
> > CVE-2010-0828[2]). Note that Despam action is only accessible to
> > superusers, not by regular users.

Regards,

Thanks

[1] http://hg.moinmo.in/moin/1.9/rev/6e603e5411ca
    http://moinmo.in/SecurityFixes
[moin_1.9.2+cve-2010-0828.patch (text/plain, attachment)]

Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Sun, 04 Apr 2010 08:51:09 GMT) Full text and rfc822 format available.

Notification sent to Frank Lin PIAT <fpiat@klabs.be>:
Bug acknowledged by developer. (Sun, 04 Apr 2010 08:51:10 GMT) Full text and rfc822 format available.

Message #28 received at 575995-close@bugs.debian.org (full text, mbox):

From: Jonas Smedegaard <dr@jones.dk>
To: 575995-close@bugs.debian.org
Subject: Bug#575995: fixed in moin 1.9.2-3
Date: Sun, 04 Apr 2010 08:49:56 +0000
Source: moin
Source-Version: 1.9.2-3

We believe that the bug you reported is fixed in the latest version of
moin, which is due to be installed in the Debian FTP archive:

moin_1.9.2-3.debian.tar.gz
  to main/m/moin/moin_1.9.2-3.debian.tar.gz
moin_1.9.2-3.dsc
  to main/m/moin/moin_1.9.2-3.dsc
python-moinmoin_1.9.2-3_all.deb
  to main/m/moin/python-moinmoin_1.9.2-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 575995@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated moin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Sat, 03 Apr 2010 16:27:00 +0200
Source: moin
Binary: python-moinmoin
Architecture: source all
Version: 1.9.2-3
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 python-moinmoin - Python clone of WikiWiki - library
Closes: 557956 575995
Changes: 
 moin (1.9.2-3) unstable; urgency=high
 .
   [ Frank Lin PIAT ]
   * Add patch to fix CVE-2010-0828: XSS in Despam page.
     Closes: 575995, thanks to Jamie Strandboge (Ubuntu).
 .
   [ Jakub Wilk ]
   * Fix htdocs symlink, when compiled with python2.6.
     Closes: bug#557956.
 .
   [ Jonas Smedegaard ]
   * Drop local package-relations.mk snippet, now in main cdbs package.
   * Unfuzz and refresh patches (with quilt compacting options
     --no-timestamps --no-index -pab).
   * Add DEP3 header to patch "CVE-2010-0828.patch".
   * Stop suppressing optional build-dependencies: we need recent cdbs
     anyway (to not complicate packaging with a local CDBS snippet) so
     cannot please backporters anyway.
   * Build-depend on devscripts and dh-buildinfo, and tighten build-
     dependency on cdbs, due to above changes.
Checksums-Sha1: 
 4c2afb8ca29d01ebb44bfb6bfc49407e7e06ba69 1234 moin_1.9.2-3.dsc
 342d6f2e7a9e123041e2435fb974f6909fe32454 113610 moin_1.9.2-3.debian.tar.gz
 d6c917e01d92beee2f6a7f3b447459083a4bc982 14601884 python-moinmoin_1.9.2-3_all.deb
Checksums-Sha256: 
 cdf63da62c4c166de7d08a1b109e13d171d0263f6a3aeab957d781b4fd560f8b 1234 moin_1.9.2-3.dsc
 d4fc3d50b0ec4827c81fa867cdb569e71b44218302e0ef16bdaf29e0482cb438 113610 moin_1.9.2-3.debian.tar.gz
 b5c7ec10b9c50b28d8a82b578357e6831391b3a0a4c57558c637207cb44b2303 14601884 python-moinmoin_1.9.2-3_all.deb
Files: 
 2fb43cc07c83c91f8b4c981a5c2923a1 1234 net optional moin_1.9.2-3.dsc
 9bc0784c6ff031b2d8b10f7043a9e3d9 113610 net optional moin_1.9.2-3.debian.tar.gz
 4bce1eedfa6414b34a51e2e40dc41776 14601884 python optional python-moinmoin_1.9.2-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREDAAYFAku3UioACgkQn7DbMsAkQLhkeQCgifatsJCSfiKQaQBGbw5yRDWn
i3AAn1qJlQfU48MVqAm/Tz0P0PzU6GTr
=rhm7
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 06 May 2010 08:19:22 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:16:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.