Bug 443948 - (CVE-2008-1937) CVE-2008-1937 moin: ACL/superuser privilege escalation
Status: CLOSED RAWHIDE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
source=gentoo,reported=20080421,publi...
Keywords: Security
Reported: 2008-04-24 05:45 EDT by Tomas Hoger
Modified: 2009-04-16 04:13 EDT
Doc Type: Bug Fix
Last Closed: 2009-04-15 22:59:13 EDT
Description Tomas Hoger 2008-04-24 05:45:35 EDT
Upstream MoinMoin version 1.6.3 fixed an issue allowing privilege escalation to
wiki superuser privileges in certain configs.

References:
http://moinmo.in/SecurityFixes
http://bugs.gentoo.org/show_bug.cgi?id=218752

Upstream fix:
http://hg.moinmo.in/moin/1.6/rev/f405012e67af

According to upstream page, only 1.6.x versions are affected, hence F9/rawhide
packages.
Comment 1 Tomas Hoger 2008-04-24 05:50:45 EDT
From moin 1.6.3 changelog:

    * Security fix: a check in the user form processing was not working as
      expected, leading to a major ACL and superuser privilege escalation
      problem. If you use ACL entries other than "Known:" or "All:" and/or
      a non-empty superuser list, you need to urgently install this upgrade.
Comment 2 Matthias Saou 2008-04-24 05:52:55 EDT
Looks pretty bad. Working on pushing an updated package right now.
Comment 3 Tomas Hoger 2008-04-25 03:51:21 EDT
CVE-2008-1937:

The user form processing (userform.py) in MoinMoin before 1.6.3, when
using ACLs or a non-empty superusers list, does not properly manage
users, which allows remote attackers to gain privileges.
Comment 4 Tomas Hoger 2008-04-25 03:54:03 EDT
Matthias, are you going to request a freeze break for moin-1.6.3-1.fc9 so it gets
into F9 final?
Comment 5 Matthias Saou 2008-04-25 04:35:09 EDT
I don't know how deep we are in the freeze. If there's still time, feel free to
poke rel-eng to get it in if you want (I'll be really short on time for the next
few days).
Comment 6 Ville-Pekka Vainio 2009-04-15 19:04:41 EDT
I've taken over as the new moin maintainer. This bug could probably be closed,
as 1.6.3 is in F-9 and F-10 now?
Comment 7 Vincent Danen 2009-04-15 22:59:13 EDT
Yes, closing this.
Comment 8 Ville-Pekka Vainio 2009-04-16 04:13:48 EDT
(In reply to comment #0)
> According to upstream page, only 1.6.x versions are affected, hence F9/rawhide
> packages.  

For full disclosure, I'm not actually certain whether this only affected 1.6 versions. Moin upstream announced this vulnerability on 2008-04-20, but the upstream release of 1.5.9 happened before that, on 2008-03-09 and it was announced to be the final release of the 1.5 series in any case.

I've asked the moin developers whether they think 1.5.9 is vulnerable but they haven't answered yet. Debian doesn't carry a patch for this vulnerability, see <http://patch-tracking.debian.net/package/moin/1.5.3-1.2etch2>, which could imply that this is not a problem on 1.5.9.