Bug 509924 (CVE-2009-2265)
| Summary: | CVE-2009-2265 moin: embedded fckeditor multiple directory traversal vulns | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | security-response-team, vpvainio |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2265 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-07-19 16:37:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 509928 | ||
| Bug Blocks: | |||
|
Description
Vincent Danen
2009-07-06 21:52:49 UTC
The moin developers say moin doesn't use the filemanager directory even though it exists. They seem to be unsure of whether accessing the filemanager files directly would allow for this exploit or not. There hasn't been a moin release with the new fckeditor yet. We could go both ways, just adding the filemanager patch might actually be simpler, since moin doesn't use it (i.e. if we break its functionality, it shouldn't even matter). That's possible, sure, but if it's not used at all, why is it there? And would it be better to remove the directory and files instead of patching it -- if indeed it truly isn't used, it shouldm't be there, patched or not. Personally, if it doesn't need to be there and isn't used, I'd prefer it removed. If it *can* be used (whether it be non-standard or a configurable thing or whatever), then certainly patch it. Upstream announced Moin is not affected by the vulnerability because the filemanager is not used and it's even disabled, which to my knowledge means the vulnerable code can't be invoked: http://moinmo.in/SecurityFixes#moin_1.8.4 I talked to the developers and they agree that the filemanager directory can be removed if we want to. I will probably remove the directory and submit updated packages for F10 - Rawhide in a few days, just because I'd rather not have Fedora ship vulnerable code even though there shouldn't be a way of actually running the code with the default settings. I probably won't be able to get the update into F9 anymore, but as I've just described, there shouldn't be a security risk on F9 either. Oh fantastic. Thanks for looking into that. I don't think Fedora 9 is worth the update for the reasons you outline. Removing that from Fedora 10+ as a "better safe than sorry" proactive measure sounds like a great idea. moin-1.8.4-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/moin-1.8.4-2.fc11 moin-1.6.4-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/moin-1.6.4-3.fc10 moin-1.6.4-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. moin-1.8.4-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. |