Bug 443948 (CVE-2008-1937)

Summary: CVE-2008-1937 moin: ACL/superuser privilege escalation
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED RAWHIDE
Severity: high
Priority: high
Version: unspecified
CC: vdanen, vpvainio
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-04-16 02:59:13 UTC

Description Tomas Hoger 2008-04-24 09:45:35 UTC
Upstream MoinMoin version 1.6.3 fixed an issue allowing privilege escalation to
wiki superuser privileges in certain configs.

References:
http://moinmo.in/SecurityFixes
http://bugs.gentoo.org/show_bug.cgi?id=218752

Upstream fix:
http://hg.moinmo.in/moin/1.6/rev/f405012e67af

According to upstream page, only 1.6.x versions are affected, hence F9/rawhide
packages.

Comment 1 Tomas Hoger 2008-04-24 09:50:45 UTC
From moin 1.6.3 changelog:

    * Security fix: a check in the user form processing was not working as
      expected, leading to a major ACL and superuser privilege escalation
      problem. If you use ACL entries other than "Known:" or "All:" and/or
      a non-empty superuser list, you need to urgently install this upgrade.

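As an added example (not code from this bug report or from MoinMoin), the script below turns the upgrade criteria in that changelog entry into an offline triage check: it reads a wikiconfig.py with `ast` only (never executing it), looks at the 1.6 settings `superuser` and `acl_rights_before`/`acl_rights_default`/`acl_rights_after`, which are assumed here to be where the ACL entries live, and combines the result with the installed version. The sample config is constructed.

```python
import ast
import re

ACL_KEYS = ("acl_rights_before", "acl_rights_default", "acl_rights_after")
SPECIAL_ENTRIES = {"Known", "All"}          # the only entries the changelog calls safe
ENTRY_RE = re.compile(r"^[+-]?([^:]+):")   # "Trusted:read,write" -> "Trusted"
FIXED = (1, 6, 3)                          # first upstream release with the fix

# Constructed wikiconfig.py fragment with both risk conditions present.
SAMPLE_CONFIG = '''
class Config(DefaultConfig):
    superuser = [u"AdminUser"]
    acl_rights_before = u"AdminUser:read,write,delete,revert,admin"
    acl_rights_default = u"Known:read,write All:read"
'''

def config_assignments(source):
    """{name: literal value} for simple assignments, via ast (never exec a config)."""
    values = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and len(node.targets) == 1 \
                and isinstance(node.targets[0], ast.Name):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # non-literal value (call, name); not a risk indicator
    return values

def nonstandard_acl_entries(values):
    """ACL subjects other than Known/All across the acl_rights_* settings."""
    found = set()
    for key in ACL_KEYS:
        for token in (values.get(key) or "").split():
            m = ENTRY_RE.match(token)
            if m and m.group(1) not in SPECIAL_ENTRIES:
                found.add(m.group(1))
    return sorted(found)

def triage(version, config_source):
    """Verdict plus indicators; non-1.6 series are 'unknown' (upstream listed 1.6.x only)."""
    ver = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    values = config_assignments(config_source)
    indicators = {"superuser": values.get("superuser") or [],
                  "acl_entries": nonstandard_acl_entries(values)}
    if ver >= FIXED:
        return "fixed", indicators
    if ver[:2] != (1, 6):
        return "unknown", indicators
    exposed = bool(indicators["superuser"] or indicators["acl_entries"])
    return ("upgrade-urgent" if exposed else "upgrade"), indicators
```

Running `triage("1.6.2", SAMPLE_CONFIG)` reports `upgrade-urgent` because both a superuser and a non-Known/All ACL subject are configured; a 1.6.x instance with neither still needs the upgrade, just without the urgency the changelog attaches to these configurations.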

Comment 2 Matthias Saou 2008-04-24 09:52:55 UTC
Looks pretty bad. Working on pushing an updated package right now.

Comment 3 Tomas Hoger 2008-04-25 07:51:21 UTC
CVE-2008-1937:

The user form processing (userform.py) in MoinMoin before 1.6.3, when
using ACLs or a non-empty superusers list, does not properly manage
users, which allows remote attackers to gain privileges.


Comment 4 Tomas Hoger 2008-04-25 07:54:03 UTC
Matthias, are you going to request freeze break for moin-1.6.3-1.fc9 so it gets
to F9 final?

Comment 5 Matthias Saou 2008-04-25 08:35:09 UTC
I don't know how deep we are in the freeze. If there's still time, feel free to
poke rel-eng to get it in if you want (I'll be really short on time for the next
few days).

Comment 6 Ville-Pekka Vainio 2009-04-15 23:04:41 UTC
I've taken over as the new moin maintainer. This bug could probably be closed,
as 1.6.3 is in F-9 and F-10 now?

Comment 7 Vincent Danen 2009-04-16 02:59:13 UTC
Yes, closing this.

Comment 8 Ville-Pekka Vainio 2009-04-16 08:13:48 UTC
(In reply to comment #0)
> According to upstream page, only 1.6.x versions are affected, hence F9/rawhide
> packages.  

For full disclosure, I'm not actually certain whether this only affected 1.6 versions. Moin upstream announced this vulnerability on 2008-04-20, but the upstream release of 1.5.9 happened before that, on 2008-03-09, and it was announced to be the final release of the 1.5 series in any case.

I've asked the moin developers whether they think 1.5.9 is vulnerable but they haven't answered yet. Debian doesn't carry a patch for this vulnerability, see <http://patch-tracking.debian.net/package/moin/1.5.3-1.2etch2>, which could imply that this is not a problem on 1.5.9.