Bug 443949 (CVE-2008-6603)

Summary: CVE-2008-6603 moin: incorrect processing of hierarchic ACLs
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: vpvainio
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-04-16 07:56:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-04-24 09:50:40 UTC
Upstream MoinMoin version 1.6.3 fixed an issue with processing of hierarchic
ACLs.  Real security implications seems unclear from upstream notes.

References:
http://moinmo.in/SecurityFixes
http://moinmo.in/MoinMoinBugs/AclHierarchicPageAclSupercededByAclRightsAfter

Upstream fix:
http://hg.moinmo.in/moin/1.6/rev/543ae9bdbe26
http://hg.moinmo.in/moin/1.7/rev/88356b3f849a

Comment 1 Tomas Hoger 2008-04-24 09:51:32 UTC
From moin 1.6.3 changelog:

    * Security fix: if acl_hierarchic=True was used (False is the default),
      ACL processing was wrong for some cases, see
      MoinMoinBugs/AclHierarchicPageAclSupercededByAclRightsAfter


Comment 2 Tomas Hoger 2008-04-24 09:56:28 UTC
Matthias, do you know if this affects 1.5.x as well?

Comment 3 Tomas Hoger 2009-04-06 06:56:26 UTC
CVE-2008-6603:
MoinMoin 1.6.2 and 1.7 does not properly enforce ACL checks when
acl_hierarchic is set to True, which might allow remote attackers to
bypass intended access restrictions, a different vulnerability than
CVE-2008-1937.

Comment 4 Ville-Pekka Vainio 2009-04-16 07:47:24 UTC
(In reply to comment #2)
> Matthias, do you know if this affects 1.5.x as well?  

Replying as I'm the new moin maintainer. There are no hierarchic ACLs in 1.5 which means EL-4 and EL-5 with 1.5.9 shouldn't be affected.

Comment 5 Ville-Pekka Vainio 2009-04-16 07:54:57 UTC
And F-9 and F-9 already have 1.6.3, so this should be fixed there.

Comment 6 Tomas Hoger 2009-04-16 07:56:50 UTC
Yeah, thank you!