Bug 433898 (CVE-2012-4404)

Summary: <www-apps/moinmoin-1.9.5 : Virtual Group ACL Evaluation Security Issue (CVE-2012-4404)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/50496/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 339295

Description Agostino Sarubbo gentoo-dev 2012-09-04 10:29:39 UTC
Description
A security issue has been reported in MoinMoin, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to an incorrect evaluation of ACL rules when applied to a group that contains a virtual group (e.g. "All", "Known", or "Trusted"). This can be exploited to have incorrect permissions assigned and access restricted content.

Successful exploitation requires that virtual group members exist within another group.

The security issue is reported in version 1.9.4 and prior.


Solution
As a workaround, the vendor recommends applying the patch.
Further details available in Customer Area

Provided and/or discovered by
Reported by the vendor.

Original Advisory
http://moinmo.in/SecurityFixes
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-09-11 11:05:06 UTC
CVE-2012-4404 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4404):
  security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle
  group names that contain virtual group names such as "All," "Known," or
  "Trusted," which allows remote authenticated users with virtual group
  membership to be treated as a member of the group.
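The description and the CVE text above both describe the same flaw class: an ACL evaluator that, for a group entry, treats the virtual groups "All", "Known" or "Trusted" as matching when the virtual group's name merely appears in the group's name rather than in its member list. The following is an added illustration written for this bug entry, not MoinMoin's own code and not a reading of the actual 1.9.5 patch: a toy evaluator with the flawed name-substring test beside the hardened member-list test, plus a defender's check that lists group names a flawed evaluator would over-grant. The mechanism (substring match on the group name) is an assumption drawn from the CVE wording, and all groups, users and ACL strings are constructed sample data.

```python
# Added illustration for this bug, not MoinMoin's code: a toy ACL evaluator
# modelling the flaw class in CVE-2012-4404. The assumed mechanism, taken
# from the CVE wording ("group names that contain virtual group names"), is
# that the flawed evaluator tests virtual-group names against the group's
# *name* instead of its member list. All group, user and ACL data below is
# constructed sample data.

# Virtual (built-in) groups, checked in this order.
VIRTUAL_GROUPS = ("All", "Known", "Trusted")


def _virtual_member(virtual, user):
    """Membership in a virtual group: All = everyone, Known = logged in,
    Trusted = logged in through a trusted authenticator (toy model)."""
    if virtual == "All":
        return True
    if virtual == "Known":
        return user["name"] is not None
    if virtual == "Trusted":
        return user["name"] is not None and user["trusted"]
    return False


def parse_acl(acl_string):
    """Parse 'Entry:right,right Entry2:right' into [(entry, {right: True})].
    A matched entry with no rights listed denies everything."""
    entries = []
    for token in acl_string.split():
        entry, _, rights = token.partition(":")
        entries.append((entry, {r: True for r in rights.split(",") if r}))
    return entries


def _matches_group(entry, members, user, hardened):
    """Does `user` count as a member of group `entry`?  Explicit membership
    always counts.  A virtual group counts only if it is itself listed as a
    member (hardened); the flawed variant instead asks whether the virtual
    group's name appears inside the group's *name* (the bug)."""
    if user["name"] in members:
        return True
    for virtual in VIRTUAL_GROUPS:
        listed = virtual in members if hardened else virtual in entry
        if listed:
            return _virtual_member(virtual, user)
    return False


def may(acl_string, groups, user, right, hardened=True):
    """First-match ACL evaluation: the first entry the user matches decides."""
    for entry, rights in parse_acl(acl_string):
        if entry in VIRTUAL_GROUPS:
            matched = _virtual_member(entry, user)
        elif entry in groups:
            matched = _matches_group(entry, groups[entry], user, hardened)
        else:
            matched = entry == user["name"]
        if matched:
            return rights.get(right, False)
    return False


def risky_group_names(groups):
    """Defender's check for an unpatched wiki: group names that contain a
    virtual-group name without actually listing that virtual group as a
    member, i.e. the groups the flawed evaluator would over-grant."""
    return sorted(
        name for name, members in groups.items()
        if any(v in name for v in VIRTUAL_GROUPS)
        and not any(v in members for v in VIRTUAL_GROUPS)
    )


# Constructed sample data.
GROUPS = {
    "AllHandsGroup": {"alice", "bob"},     # name contains "All"; members do not
    "StaffGroup": {"carol", "Known"},      # deliberately opens to logged-in users
}
ACL = "AllHandsGroup:read,write StaffGroup:read All:"
ALICE = {"name": "alice", "trusted": False}      # explicit AllHandsGroup member
MALLORY = {"name": "mallory", "trusted": False}  # logged in, in no group
ANONYMOUS = {"name": None, "trusted": False}

if __name__ == "__main__":
    for label, user in (("alice", ALICE), ("mallory", MALLORY), ("anonymous", ANONYMOUS)):
        for right in ("read", "write"):
            flawed = may(ACL, GROUPS, user, right, hardened=False)
            fixed = may(ACL, GROUPS, user, right, hardened=True)
            print(f"{label:9} {right:5} flawed={flawed!s:5} fixed={fixed}")
    print("group names a flawed evaluator would over-grant:", risky_group_names(GROUPS))
```

With the flawed test, "AllHandsGroup" matches every user (its name contains "All"), so an unrelated logged-in user and even an anonymous visitor receive read and write; with the member-list test, only alice and bob match that entry, and mallory gets read only through "StaffGroup", which explicitly lists "Known". The `risky_group_names` check is what an administrator of an unpatched 1.9.x wiki would run over the group definitions to see which groups are affected before upgrading to 1.9.5.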
Comment 2 Tim Harder gentoo-dev 2012-09-24 23:07:26 UTC
1.9.5 added to CVS which fixes the issue.
Comment 3 Tim Harder gentoo-dev 2012-09-24 23:09:25 UTC
Feel free to start the stabilization process to overrule bug #339295.
Comment 4 Agostino Sarubbo gentoo-dev 2012-09-25 09:58:40 UTC
Arches, please test and mark stable:
=www-apps/moinmoin-1.9.5
Target keywords : "amd64 ppc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-09-25 11:15:11 UTC
amd64 stable
Comment 6 Anthony Basile gentoo-dev 2012-09-25 11:19:26 UTC
stable ppc
Comment 7 Andreas Schürch gentoo-dev 2012-09-27 06:53:40 UTC
x86 done, last arch!
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-30 18:28:58 UTC
Thanks, everyone.

GLSA vote: no.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-10-02 06:23:17 UTC
GLSA Vote: no too. Closing noglsa.