Bug 443949 - (CVE-2008-6603) CVE-2008-6603 moin: incorrect processing of hierarchic ACLs
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: source=internet,reported=20080424,pub...
Keywords: Security
Reported: 2008-04-24 05:50 EDT by Tomas Hoger
Modified: 2009-04-16 03:56 EDT
Doc Type: Bug Fix
Last Closed: 2009-04-16 03:56:50 EDT

Attachments: None
Description Tomas Hoger 2008-04-24 05:50:40 EDT
Upstream MoinMoin version 1.6.3 fixed an issue with processing of hierarchic
ACLs. The real security implications seem unclear from the upstream notes.

References:
http://moinmo.in/SecurityFixes
http://moinmo.in/MoinMoinBugs/AclHierarchicPageAclSupercededByAclRightsAfter

Upstream fix:
http://hg.moinmo.in/moin/1.6/rev/543ae9bdbe26
http://hg.moinmo.in/moin/1.7/rev/88356b3f849a
Comment 1 Tomas Hoger 2008-04-24 05:51:32 EDT
From moin 1.6.3 changelog:

    * Security fix: if acl_hierarchic=True was used (False is the default),
      ACL processing was wrong for some cases, see
      MoinMoinBugs/AclHierarchicPageAclSupercededByAclRightsAfter
Comment 2 Tomas Hoger 2008-04-24 05:56:28 EDT
Matthias, do you know if this affects 1.5.x as well?
Comment 3 Tomas Hoger 2009-04-06 02:56:26 EDT
CVE-2008-6603:
MoinMoin 1.6.2 and 1.7 do not properly enforce ACL checks when
acl_hierarchic is set to True, which might allow remote attackers to
bypass intended access restrictions, a different vulnerability than
CVE-2008-1937.
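Added example (not part of the bug report, and not MoinMoin's own code): a simplified model of MoinMoin-style ACL lookup, written to make the upstream bug title concrete. It assumes the documented lookup order acl_rights_before, then the page's own #acl line (in hierarchic mode the nearest ancestor's #acl line when the page has none, acl_rights_default when no ancestor has one), then acl_rights_after. The `after_before_page` switch is an assumed illustration of "page ACL superseded by acl_rights_after", not a reproduction of the faulty upstream code path; the config and pages are constructed sample data.

```python
"""Model of MoinMoin-style ACL lookup (added example, not MoinMoin code)."""

VALID_RIGHTS = ("read", "write", "delete", "revert", "admin")

# Constructed sample data: a site config and the pages that carry an #acl line.
CFG = {
    "acl_rights_before": "Admin:read,write,delete,revert,admin",
    "acl_rights_default": "Known:read,write All:read",
    "acl_rights_after": "All:read",
}
PAGES = {
    # Only Alice may read/write "Secret"; "All:" with no rights denies everyone else.
    "Secret": "#acl Alice:read,write All:",
    # "Secret/Plan" has no #acl line; with acl_hierarchic=True it inherits from "Secret".
}


def parse_acl(line):
    """Parse one '#acl Entry:right,right ...' line into (entry, rightsdict) pairs.

    Without a modifier a matching entry decides every right (listed granted,
    unlisted denied); with a '+'/'-' prefix only the listed rights are set.
    """
    tokens = line.split()
    if tokens and tokens[0] == "#acl":
        tokens = tokens[1:]
    acl = []
    for token in tokens:
        modifier = ""
        if token[0] in "+-":
            modifier, token = token[0], token[1:]
        entry, _, rights = token.partition(":")
        rights = [r for r in rights.split(",") if r]
        if modifier == "+":
            rightsdict = {r: True for r in rights}
        elif modifier == "-":
            rightsdict = {r: False for r in rights}
        else:
            rightsdict = {r: (r in rights) for r in VALID_RIGHTS}
        acl.append((entry, rightsdict))
    return acl


def acl_may(acl, user, right, known_users):
    """First matching entry that mentions `right` decides; None if the ACL is silent."""
    for entry, rightsdict in acl:
        matches = (entry == "All"
                   or (entry in ("Known", "Trusted") and user in known_users)
                   or entry == user)
        if matches:
            decision = rightsdict.get(right)
            if decision is not None:
                return decision
    return None


def effective_acl(page, pages, cfg, hierarchic, after_before_page=False):
    """Build the ACL list consulted for `page` in the assumed lookup order."""
    page_acl = None
    if hierarchic:
        # Walk up the page hierarchy: "Secret/Plan" -> "Secret".
        parts = page.split("/")
        while parts:
            candidate = "/".join(parts)
            if pages.get(candidate) is not None:
                page_acl = pages[candidate]
                break
            parts.pop()
    else:
        page_acl = pages.get(page)
    if page_acl is None:
        page_acl = cfg["acl_rights_default"]
    before, after = cfg["acl_rights_before"], cfg["acl_rights_after"]
    if hierarchic and after_before_page:
        # ASSUMED illustration of the bug title: 'after' consulted ahead of the page ACL.
        order = [before, after, page_acl]
    else:
        order = [before, page_acl, after]
    acl = []
    for line in order:
        acl.extend(parse_acl(line))
    return acl


def may(user, right, page, pages, cfg, hierarchic, known_users=(), after_before_page=False):
    """True if `user` may perform `right` on `page`; a silent ACL denies."""
    acl = effective_acl(page, pages, cfg, hierarchic, after_before_page)
    return bool(acl_may(acl, user, right, set(known_users)))


if __name__ == "__main__":
    for bug in (False, True):
        print("after_before_page=%s: Bob reads Secret/Plan -> %s"
              % (bug, may("Bob", "read", "Secret/Plan", PAGES, CFG, True, after_before_page=bug)))
```

With the correct order the inherited "All:" entry on "Secret" denies Bob before acl_rights_after is ever reached; when the "after" ACL is consulted first, its `All:read` grant wins and the page's own restriction is bypassed, which is the class of failure the CVE text describes.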
Comment 4 Ville-Pekka Vainio 2009-04-16 03:47:24 EDT
(In reply to comment #2)
> Matthias, do you know if this affects 1.5.x as well?  

Replying as I'm the new moin maintainer. There are no hierarchic ACLs in 1.5 which means EL-4 and EL-5 with 1.5.9 shouldn't be affected.
Comment 5 Ville-Pekka Vainio 2009-04-16 03:54:57 EDT
And F-9 and F-9 already have 1.6.3, so this should be fixed there.
Comment 6 Tomas Hoger 2009-04-16 03:56:50 EDT
Yeah, thank you!
