rpms/moin/F-9 001_CVE-2008-0781_attach_file_XSS.patch, NONE, 1.1 002_CVE-2008-0781_attach_file_XSS.patch, NONE, 1.1 003_CVE-2008-0781_attach_file_XSS.patch, NONE, 1.1 022_CVE-2009-0260_attach_file_XSS.patch, NONE, 1.1 999_attachfile_fix_escaping_problems.patch, NONE, 1.1 CVE-2009-0312_XSS_antispam.patch, NONE, 1.1 .cvsignore, 1.14, 1.15 moin.spec, 1.22, 1.23 sources, 1.14, 1.15
Ville-Pekka Vainio
vpv at fedoraproject.org
Mon Apr 20 15:23:41 UTC 2009
Author: vpv
Update of /cvs/pkgs/rpms/moin/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22237
Modified Files:
.cvsignore moin.spec sources
Added Files:
001_CVE-2008-0781_attach_file_XSS.patch
002_CVE-2008-0781_attach_file_XSS.patch
003_CVE-2008-0781_attach_file_XSS.patch
022_CVE-2009-0260_attach_file_XSS.patch
999_attachfile_fix_escaping_problems.patch
CVE-2009-0312_XSS_antispam.patch
Log Message:
* Mon Apr 20 2009 Ville-Pekka Vainio <vpivaini AT cs.helsinki.fi> 1.6.4-1
- Update to 1.6.4
- CVE-2008-3381 fixed upstream
- Re-fix CVE-2008-0781, upstream seems to have dropped the fix in 1.6,
used part of upstream 1.5 db212dfc58ef, backported upstream 1.7 5f51246a4df1
and 269a1fbc3ed7
- Fix CVE-2009-0260, patch from Debian etch
- Fix CVE-2009-0312
- Fix AttachFile escaping problems, backported upstream 1.7 5c4043e651b3
001_CVE-2008-0781_attach_file_XSS.patch:
--- NEW FILE 001_CVE-2008-0781_attach_file_XSS.patch ---
This set has 3 patches. It is intended to fix
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0781 . The original
upstream patch for 1.5 is http://hg.moinmo.in/moin/1.5/rev/db212dfc58ef . That
was dropped from 1.6 and 1.7 for some reason and the new fix was later done in
two parts. The second part of this patch set is based on
http://hg.moinmo.in/moin/1.7/rev/5f51246a4df1/ and the third part is based on
http://hg.moinmo.in/moin/1.7/rev/269a1fbc3ed7
Patches backported for Fedora by Ville-Pekka Vainio.
diff -aur moin-1.6.4.orig/MoinMoin/action/AttachFile.py moin-1.6.4/MoinMoin/action/AttachFile.py
--- moin-1.6.4.orig/MoinMoin/action/AttachFile.py 2008-07-05 23:20:18.000000000 +0300
+++ moin-1.6.4/MoinMoin/action/AttachFile.py 2009-04-18 02:06:42.362913606 +0300
@@ -545,7 +545,7 @@
'action_name': action_name,
'upload_label_file': _('File to upload', formatted=False),
'upload_label_rename': _('Rename to', formatted=False),
- 'rename': request.form.get('rename', [''])[0],
+ 'rename': wikiutil.escape(request.form.get('rename', [''])[0], 1),
'upload_label_overwrite': _('Overwrite existing attachment of same name', formatted=False),
'overwrite_checked': ('', 'checked')[request.form.get('overwrite', ['0'])[0] == '1'],
'upload_button': _('Upload', formatted=False),
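Review bot: the `'rename'` line now passes `1` as the second argument to `wikiutil.escape`, which also encodes quote characters; that is the right flag here because the value is interpolated into a form input's value attribute, where an unescaped `"` would terminate the attribute even with `<` and `>` encoded. Please confirm the template only uses `%(rename)s` inside a quoted attribute or text node, not in a script or URL context, where HTML escaping alone is not enough. The neighbouring `'overwrite_checked'` entry also reads `request.form` but only ever yields `''` or `'checked'`, so it needs no change.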
002_CVE-2008-0781_attach_file_XSS.patch:
--- NEW FILE 002_CVE-2008-0781_attach_file_XSS.patch ---
Based on http://hg.moinmo.in/moin/1.7/rev/5f51246a4df1 , backported to 1.6 by
Ville-Pekka Vainio.
diff -aur moin-1.6.4.orig/MoinMoin/action/AttachFile.py moin-1.6.4/MoinMoin/action/AttachFile.py
--- moin-1.6.4.orig/MoinMoin/action/AttachFile.py 2008-07-05 23:20:18.000000000 +0300
+++ moin-1.6.4/MoinMoin/action/AttachFile.py 2009-04-20 02:15:53.209834308 +0300
@@ -436,6 +436,7 @@
return names #Returns dict of {origname: safename}
def error_msg(pagename, request, msg):
+ msg = wikiutil.escape(msg)
Page(request, pagename).send_page(msg=msg)
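Review bot: moving the escape into `error_msg` turns it into a sink-side convention, so every caller must now pass raw text; any caller that still escapes before calling, or that deliberately passes markup, will render doubled entities or literal tags. The later hunks in this patch drop the call-site escaping on the paths they touch, but the audit should cover every `error_msg` caller in AttachFile.py, not only the ones visible here.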
@@ -664,12 +665,14 @@
else:
msg = _('You are not allowed to install files.', formatted=False)
else:
- msg = _('Unsupported AttachFile sub-action: %s', formatted=False) % (wikiutil.escape(do), )
+ msg = _('Unsupported AttachFile sub-action: %s', formatted=False) % do
if msg:
error_msg(pagename, request, msg)
def upload_form(pagename, request, msg=''):
+ if msg:
+ msg = wikiutil.escape(msg)
_ = request.getText
request.emit_http_headers()
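Review bot: `upload_form` now escapes `msg` on entry, matching the convention introduced for `error_msg` above; the `if msg:` guard is redundant, since escaping an empty string yields an empty string, but harmless. The same caveat applies: once this lands, no caller may pre-escape its message, otherwise the text is double-encoded. Removing the `wikiutil.escape(do)` call in the "Unsupported sub-action" line is the correct counterpart of that change.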
@@ -932,13 +935,13 @@
if package.isPackage():
if package.installPackage():
- msg = _("Attachment '%(filename)s' installed.", formatted=False) % {'filename': wikiutil.escape(target)}
+ msg = _("Attachment '%(filename)s' installed.", formatted=False) % {'filename': target}
else:
- msg = _("Installation of '%(filename)s' failed.", formatted=False) % {'filename': wikiutil.escape(target)}
+ msg = _("Installation of '%(filename)s' failed.", formatted=False) % {'filename': target}
if package.msg != "":
- msg += "<br><pre>" + wikiutil.escape(package.msg) + "</pre>"
+ msg += " " + package.msg
else:
- msg = _('The file %s is not a MoinMoin package file.', formatted=False) % wikiutil.escape(target)
+ msg = _('The file %s is not a MoinMoin package file.', formatted=False) % target
upload_form(pagename, request, msg=msg)
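Review bot: replacing `"<br><pre>" + wikiutil.escape(package.msg) + "</pre>"` with `" " + package.msg` is required once `upload_form` escapes its argument (the tags would otherwise be shown literally), but it also collapses the package installer's multi-line output into the running message text. Either mention that cosmetic regression in the changelog or move the preformatted rendering into `upload_form` after the escape, so the output keeps its line breaks without reintroducing unescaped markup.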
@@ -1023,7 +1026,7 @@
else:
msg = _('The file %(filename)s is not a .zip file.', formatted=False) % {'filename': filename}
- upload_form(pagename, request, msg=wikiutil.escape(msg))
+ upload_form(pagename, request, msg=msg)
def send_viewfile(pagename, request):
_ = request.getText
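Review bot: dropping `wikiutil.escape(msg)` at this call site is consistent with the new sink-side escape in `upload_form`, but note that `filename` on the preceding context line is the attacker-controlled upload name, so the safety of this message now rests entirely on `upload_form` escaping; the second hunk of this patch adds that, so the two must always be applied together.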
003_CVE-2008-0781_attach_file_XSS.patch:
--- NEW FILE 003_CVE-2008-0781_attach_file_XSS.patch ---
Based on http://hg.moinmo.in/moin/1.7/rev/269a1fbc3ed7 , backported to 1.6 by
Ville-Pekka Vainio.
diff -aur moin-1.6.4.orig/MoinMoin/action/AttachFile.py moin-1.6.4/MoinMoin/action/AttachFile.py
--- moin-1.6.4.orig/MoinMoin/action/AttachFile.py 2008-07-05 23:20:18.000000000 +0300
+++ moin-1.6.4/MoinMoin/action/AttachFile.py 2009-04-20 02:23:50.621709307 +0300
@@ -849,9 +849,9 @@
'baseurl': request.getScriptname(),
'do': 'attachment_move',
'ticket': wikiutil.createTicket(request),
- 'pagename': pagename,
+ 'pagename': wikiutil.escape(pagename, 1),
'pagename_quoted': wikiutil.quoteWikinameURL(pagename),
- 'attachment_name': filename,
+ 'attachment_name': wikiutil.escape(filename, 1),
'move': _('Move', formatted=False),
'cancel': _('Cancel', formatted=False),
'newname_label': _("New page name", formatted=False),
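Review bot: `pagename` and `attachment_name` are escaped with the quote flag, which is correct for the move form's attribute context; `pagename_quoted` on the untouched line is URL-quoted instead because it lands in an href, and the two must not be confused. Worth checking that the template never places `%(pagename)s` or `%(attachment_name)s` in a URL or JavaScript position, since `wikiutil.escape` only covers HTML text and attribute contexts.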
022_CVE-2009-0260_attach_file_XSS.patch:
--- NEW FILE 022_CVE-2009-0260_attach_file_XSS.patch ---
--- ../old/moin-1.5.3/MoinMoin/action/AttachFile.py 2009-01-27 17:56:50.000000000 +0000
+++ moin-1.5.3/MoinMoin/action/AttachFile.py 2009-01-27 18:00:58.000000000 +0000
@@ -375,7 +375,7 @@
'pngpath': pngpath, 'timestamp': timestamp,
'pubpath': pubpath, 'drawpath': drawpath,
'savelink': savelink, 'pagelink': pagelink, 'helplink': helplink,
- 'basename': basename
+ 'basename': wikiutil.escape(basename),
})
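Review bot: this hunk calls `wikiutil.escape(basename)` without the quote argument, so `"` and `'` pass through; if `basename` is rendered inside an attribute, quotes can still break out of it. The `999_attachfile_fix_escaping_problems.patch` later in this commit changes the same line to `escape(basename, 1)`, which is why the spec orders it afterwards. Separately, the headers name `moin-1.5.3` and the hunk offset `@@ -375` does not match 1.6.4, where the 999 patch shows the same dictionary near line 501, so this applies only because `patch` finds the context at an offset; a hunk rebased against 1.6.4 paths and line numbers would be cleaner.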
999_attachfile_fix_escaping_problems.patch:
--- NEW FILE 999_attachfile_fix_escaping_problems.patch ---
diff -aur moin-1.6.4-patched-earlier/MoinMoin/action/AttachFile.py moin-1.6.4/MoinMoin/action/AttachFile.py
--- moin-1.6.4-patched-earlier/MoinMoin/action/AttachFile.py 2009-04-20 14:14:43.466538415 +0300
+++ moin-1.6.4/MoinMoin/action/AttachFile.py 2009-04-20 14:17:00.730413758 +0300
@@ -456,7 +456,7 @@
action_name, wikiutil.url_quote_plus(fname))
request.write(u'<link rel="Appendix" title="%s" href="%s">\n' % (
- wikiutil.escape(fname), wikiutil.escape(url)))
+ wikiutil.escape(fname, 1), wikiutil.escape(url)))
def send_hotdraw(pagename, request):
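Review bot: `fname` now gets the quote flag for the `title` attribute, but `url` on the same line is still escaped without it even though it is placed in `href="..."`. It is built from `action_name` and `wikiutil.url_quote_plus(fname)`, so it should contain no quote characters, but using `wikiutil.escape(url, 1)` as well would make the line self-evidently safe instead of depending on that property of the URL quoting.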
@@ -501,7 +501,7 @@
'pngpath': pngpath, 'timestamp': timestamp,
'pubpath': pubpath, 'drawpath': drawpath,
'savelink': savelink, 'pagelink': pagelink, 'helplink': helplink,
- 'basename': wikiutil.escape(basename),
+ 'basename': wikiutil.escape(basename, 1),
})
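Review bot: this is the same dictionary entry that `022_CVE-2009-0260_attach_file_XSS.patch` edits, now with the quote flag; folding the two into a single patch would remove the ordering dependency the spec comment has to explain and avoid carrying two hunks for one line.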
CVE-2009-0312_XSS_antispam.patch:
--- NEW FILE CVE-2009-0312_XSS_antispam.patch ---
--- moin-1.6.4.orig/MoinMoin/security/antispam.py 2008-04-26 23:29:08.000000000 +0300
+++ moin-1.6.4/MoinMoin/security/antispam.py 2009-04-16 01:33:58.893892260 +0300
@@ -201,7 +201,7 @@
_ = editor.request.getText
msg = _('Sorry, can not save page because "%(content)s"'
' is not allowed in this wiki.', formatted=False) % {
- 'content': match.group()
+ 'content': wikiutil.escape(match.group())
}
dprint(msg)
raise editor.SaveError(msg)
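Review bot: the hunk uses `wikiutil.escape` but adds no import; confirm that `antispam.py` in 1.6.4 already imports `wikiutil`, otherwise every antispam rejection raises a NameError instead of the intended `SaveError`. The escaping itself is the right fix: `match.group()` is a slice of the attacker-supplied page text and the `SaveError` message is rendered back as HTML, so interpolating it raw is what made the rejection message an injection point.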
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/moin/F-9/.cvsignore,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- .cvsignore 24 Apr 2008 09:58:31 -0000 1.14
+++ .cvsignore 20 Apr 2009 15:23:40 -0000 1.15
@@ -1 +1 @@
-moin-1.6.3.tar.gz
+moin-1.6.4.tar.gz
Index: moin.spec
===================================================================
RCS file: /cvs/pkgs/rpms/moin/F-9/moin.spec,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- moin.spec 24 Apr 2008 09:58:31 -0000 1.22
+++ moin.spec 20 Apr 2009 15:23:41 -0000 1.23
@@ -2,13 +2,31 @@
Summary: MoinMoin is a WikiEngine to collaborate on easily editable web pages
Name: moin
-Version: 1.6.3
+Version: 1.6.4
Release: 1%{?dist}
License: GPLv2+
Group: Applications/Internet
URL: http://moinmo.in/
Source0: http://static.moinmo.in/files/moin-%{version}.tar.gz
Source1: README-rpm
+
+# Out of the major distributions, Debian has 1.5 and 1.7 (as does Ubuntu),
+# Mandriva has 1.5 and OpenSUSE has no official moin package. It looks like
+# Fedora is the only one shipping 1.6, so most of the security patches have
+# been ported specifically for this package from newer versions. Upstream
+# only supports 1.7 and later currently.
+
+# 3-part patch for 2008-0781, the last part has one additional fix.
+Patch0: 001_CVE-2008-0781_attach_file_XSS.patch
+Patch1: 002_CVE-2008-0781_attach_file_XSS.patch
+Patch2: 003_CVE-2008-0781_attach_file_XSS.patch
+# from Debian etch
+Patch3: 022_CVE-2009-0260_attach_file_XSS.patch
+Patch4: CVE-2009-0312_XSS_antispam.patch
+# upstream http://hg.moinmo.in/moin/1.7/rev/5c4043e651b3 - "invalid html, but
+# likely no XSS", still marked as a security patch. Needs to be done after
+# 022_CVE-2009-0260_attach_file_XSS.patch, thus the numbering.
+Patch5: 999_attachfile_fix_escaping_problems.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: python-devel
BuildArch: noarch
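Review bot: the comment block usefully records why six patches are carried for a version upstream no longer supports; it would help future maintenance to also state which of them are already in 1.7 (all but the Debian-sourced `022_` patch, judging by the upstream revisions cited) so they can be dropped when the package moves to 1.7. Keeping `Release: 1%{?dist}` across the version bump is correct.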
@@ -21,6 +39,12 @@
%prep
%setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
%build
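Review bot: all six `%patchN -p1` lines strip one path component, which fits the `moin-1.6.4/` prefix of five patches; for `022_CVE-2009-0260_attach_file_XSS.patch` the `---` header becomes `old/moin-1.5.3/MoinMoin/action/AttachFile.py` and only the `+++` side reduces to `MoinMoin/action/AttachFile.py`, so the build depends on `patch` choosing the `+++` name. Rewriting that patch's headers to the 1.6.4 paths would remove the ambiguity.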
@@ -50,6 +74,16 @@
%changelog
+* Mon Apr 20 2009 Ville-Pekka Vainio <vpivaini AT cs.helsinki.fi> 1.6.4-1
+- Update to 1.6.4
+- CVE-2008-3381 fixed upstream
+- Re-fix CVE-2008-0781, upstream seems to have dropped the fix in 1.6,
+ used part of upstream 1.5 db212dfc58ef, backported upstream 1.7 5f51246a4df1
+ and 269a1fbc3ed7
+- Fix CVE-2009-0260, patch from Debian etch
+- Fix CVE-2009-0312
+- Fix AttachFile escaping problems, backported upstream 1.7 5c4043e651b3
+
* Thu Apr 24 2008 Matthias Saou <http://freshrpms.net/> 1.6.3-1
- Update to 1.6.3.
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/moin/F-9/sources,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- sources 24 Apr 2008 09:58:31 -0000 1.14
+++ sources 20 Apr 2009 15:23:41 -0000 1.15
@@ -1 +1 @@
-081aa0dd82b4220c8ff28a9a751bad7c moin-1.6.3.tar.gz
+fb51c4b2d64ac98ca8ccb42fde8cd753 moin-1.6.4.tar.gz
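Review bot: `sources` records only an MD5 for the new tarball, which is what the lookaside cache expected at the time, but MD5 is a consistency check for the cache rather than an authenticity check; cross-checking the downloaded `moin-1.6.4.tar.gz` against the digest or signature upstream publishes is worthwhile before the build, since every security fix here is layered on that tarball.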