Red Hat Bugzilla – Bug 443948
CVE-2008-1937 moin: ACL/superuser privilege escalation
Last modified: 2009-04-16 04:13:48 EDT
Upstream MoinMoin version 1.6.3 fixed an issue allowing privilege escalation to
wiki superuser privileges in certain configs.
According to the upstream page, only 1.6.x versions are affected, hence F9/rawhide
From moin 1.6.3 changelog:
* Security fix: a check in the user form processing was not working as
expected, leading to a major ACL and superuser privilege escalation
problem. If you use ACL entries other than "Known:" or "All:" and/or
a non-empty superuser list, you need to urgently install this upgrade.
Looks pretty bad. Working on pushing an updated package right now.
The user form processing (userform.py) in MoinMoin before 1.6.3, when
using ACLs or a non-empty superusers list, does not properly manage
users, which allows remote attackers to gain privileges.
Matthias, are you going to request a freeze break for moin-1.6.3-1.fc9 so it gets
into F9 final?
I don't know how deep we are in the freeze. If there's still time, feel free to
poke rel-eng to get it in if you want (I'll be really short on time for the next
I've taken over as the new moin maintainer. This bug could probably be closed,
as 1.6.3 is in F-9 and F-10 now?
Yes, closing this.
(In reply to comment #0)
> According to the upstream page, only 1.6.x versions are affected, hence F9/rawhide
For full disclosure, I'm not actually certain whether this only affected 1.6 versions. Moin upstream announced this vulnerability on 2008-04-20, but the upstream release of 1.5.9 happened before that, on 2008-03-09, and it was announced to be the final release of the 1.5 series in any case.
I've asked the moin developers whether they think 1.5.9 is vulnerable but they haven't answered yet. Debian doesn't carry a patch for this vulnerability, see <http://patch-tracking.debian.net/package/moin/1.5.3-1.2etch2>, which could imply that this is not a problem on 1.5.9.