Bug 339295 (CVE-2011-1058) - <www-apps/moinmoin-1.9.4: XSS issue in rst parser (CVE-2011-1058)
Summary: <www-apps/moinmoin-1.9.4: XSS issue in rst parser (CVE-2011-1058)
Status: RESOLVED FIXED
Alias: CVE-2011-1058
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://moinmo.in/SecurityFixes
Whiteboard: B4 [glsa]
Keywords:
Depends on: 374389 CVE-2012-4404 433978
Blocks:
Reported: 2010-09-30 21:43 UTC by Robert Trace
Modified: 2012-10-18 20:58 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Robert Trace 2010-09-30 21:43:34 UTC
moinmoin-1.8.8 released on 2010-06-06 contains numerous security fixes.

A simple rename from the very vulnerable 1.8.4 seems sufficient.

And since the 1.9 branch of moin isn't in portage yet, updating to 1.8.8 could also close bugs #305663 and #334697, both of which describe the vulnerabilities mentioned above.

Reproducible: Always
Comment 1 Tim Harder gentoo-dev 2010-10-13 00:17:23 UTC
I've added 1.8.8 to CVS and 1.9.3 is on the way.
Comment 2 Robert Trace 2010-10-13 21:52:01 UTC
(In reply to comment #1)
> I've added 1.8.8 to CVS and 1.9.3 is on the way.

Thanks!  1.8.8 installed without trouble and seems to be working.  I'll try out 1.9.3 when it hits ~arch.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-24 18:53:04 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=679523

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1058 to
the following vulnerability:

Cross-site scripting (XSS) vulnerability in the rst parser in
parser/text_rst.py in MoinMoin before 1.9.3, when docutils is
installed or when "format rst" is set, allows remote attackers to
inject arbitrary web script or HTML via a javascript: URL.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1058
[2] http://moinmo.in/SecurityFixes

Relevant changeset:
[3] http://hg.moinmo.in/moin/1.9/rev/97208f67798f

According to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1058 moinmoin-1.8.8 *is* affected. Please bump to 1.9.3.
Comment 4 academicsam@gmail.com 2011-03-30 16:18:16 UTC
Any news on 1.9.3 hitting portage? I'll be happy to help in any way.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2011-06-14 09:04:46 UTC
CVE-2011-1058 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1058):
  Cross-site scripting (XSS) vulnerability in the reStructuredText (rst)
  parser in parser/text_rst.py in MoinMoin before 1.9.3, when docutils is
  installed or when "format rst" is set, allows remote attackers to inject
  arbitrary web script or HTML via a javascript: URL in the refuri attribute. 
  NOTE: some of these details are obtained from third party information.
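The CVE text quoted in comments 3 and 5 describes the bug as the rst parser copying a javascript: target (the refuri of a docutils reference node) straight into an href. The Python below is an added example written for this page, not MoinMoin's code and not the changeset linked as [3]; it shows the unsafe rendering pattern beside a scheme-allowlisted one. To stay runnable offline it uses its own minimal matcher for the rst embedded-URI syntax `text <uri>`_ instead of docutils, and the allowlist, function names, the unsafe-link class name and the sample page text are all assumptions made for the example.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Link schemes that may be emitted as an href. This allowlist is an assumption
# made for this example, not MoinMoin's or docutils' own configuration.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto", "irc", "news", "nntp"}

# Browsers discard ASCII control characters and surrounding whitespace when
# parsing a URL, so "java\tscript:" is still treated as javascript:. Remove them
# before looking at the scheme so the check sees what the browser will see.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")

# Minimal matcher for the rst embedded-URI reference syntax `text <uri>`_
# (and the anonymous `text <uri>`__ form). Enough for this demonstration only;
# the real rst grammar is handled by docutils.
_EMBEDDED_REF = re.compile(r"`([^`<]+?)\s*<([^>]+)>`_{1,2}")


def link_scheme(refuri: str) -> str:
    """Return the lower-cased scheme of refuri ('' for a relative target)."""
    return urlsplit(_CTRL_WS.sub("", refuri)).scheme.lower()


def is_safe_refuri(refuri: str) -> bool:
    """Allow relative targets and allowlisted schemes; reject everything else."""
    scheme = link_scheme(refuri)
    return scheme == "" or scheme in SAFE_SCHEMES


def render_link_unsafe(text: str, refuri: str) -> str:
    # Pattern of the bug the CVE describes: the refuri goes into href with only
    # HTML escaping, which does nothing against a javascript: scheme because
    # the attacker needs no quotes or angle brackets.
    return '<a href="%s">%s</a>' % (escape(refuri, quote=True), escape(text))


def render_link_safe(text: str, refuri: str) -> str:
    # Hardened form: a target whose scheme is not allowlisted is rendered as
    # inert text instead of becoming a link (class name is arbitrary).
    if not is_safe_refuri(refuri):
        return '<span class="unsafe-link">%s</span>' % escape(text)
    return render_link_unsafe(text, refuri)


def render_rst_links(src: str, safe: bool = True) -> str:
    """Replace each embedded-URI reference in src with an HTML link."""
    render = render_link_safe if safe else render_link_unsafe

    def repl(m):
        return render(m.group(1), m.group(2))

    return _EMBEDDED_REF.sub(repl, src)


def audit(src: str) -> dict:
    """Map each embedded target in src to whether the safe renderer links it."""
    return {uri: is_safe_refuri(uri) for _, uri in _EMBEDDED_REF.findall(src)}


# Constructed sample wiki page text for the demonstration (not from the bug).
SAMPLE = (
    "See `the docs <http://moinmo.in/SecurityFixes>`_ and `our page <FrontPage>`_.\n"
    "Bad: `click me <javascript:alert(document.cookie)>`_\n"
    "Obfuscated: `click me <JaVa\tScRiPt:alert(1)>`__\n"
    "Data URL: `click me <data:text/html;base64,PHNjcmlwdD4=>`_\n"
)

if __name__ == "__main__":
    print("--- unsafe rendering ---")
    print(render_rst_links(SAMPLE, safe=False))
    print("--- safe rendering ---")
    print(render_rst_links(SAMPLE, safe=True))
    print(audit(SAMPLE))
```

The check is deliberately on the scheme only: it lets relative and protocol-relative targets through, so it stops script execution via the link target but is not an open-redirect filter, and it relies on the href being HTML-escaped at emission so that an entity-encoded colon (javascript&colon;) cannot be decoded back into a scheme by the browser.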
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-10 19:07:42 UTC
@webapps: It's been 6 months, so please provide an updated ebuild or we will punt the package.
Comment 7 Robert Trace 2011-10-10 19:09:34 UTC
(In reply to comment #6)
> @webapps: It's been 6 months, so please provide an updated ebuild or we will
> punt the package.

I created an updated ebuild in bug #374389, but there's been no response there either.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2012-02-29 17:39:31 UTC
@web-apps: Please add the updated ebuild or hardmask the package because of its currently unfixed security vulnerabilities.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2012-08-27 19:35:26 UTC
Anyone alive?
Comment 10 Tim Harder gentoo-dev 2012-09-05 01:01:59 UTC
(In reply to comment #9)
> Anyone alive?

Barely, but 1.9.4 is now in CVS. ;)

Feel free to stabilize it.

Note that arm, ppc, and sparc will have to re-keyword 1.9.4 along with a few python deps (bug #433978) that are used instead of the bundled ones now.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-09-05 07:13:13 UTC
Thanks, Tim.

Arches, please test and mark stable:
=www-apps/moinmoin-1.9.4
Target keywords : "amd64 ppc sparc x86"
Comment 12 Agostino Sarubbo gentoo-dev 2012-09-06 16:02:47 UTC
amd64 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2012-09-09 11:23:17 UTC
sparc keywords dropped
Comment 14 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-13 07:22:39 UTC
x86 stable
Comment 15 Agostino Sarubbo gentoo-dev 2012-09-25 09:57:55 UTC
ppc will continue in bug 433898
Comment 16 Sean Amoss gentoo-dev Security 2012-09-30 18:30:31 UTC
Thanks, everyone.

This is already on an existing GLSA draft.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2012-10-18 20:58:53 UTC
This issue was resolved and addressed in
 GLSA 201210-02 at http://security.gentoo.org/glsa/glsa-201210-02.xml
by GLSA coordinator Stefan Behte (craig).