Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 433898 (CVE-2012-4404) - <www-apps/moinmoin-1.9.5 : Virtual Group ACL Evaluation Security Issue (CVE-2012-4404)
Summary: <www-apps/moinmoin-1.9.5 : Virtual Group ACL Evaluation Security Issue (CVE-2...
Alias: CVE-2012-4404
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Blocks: CVE-2011-1058
  Show dependency tree
Reported: 2012-09-04 10:29 UTC by Agostino Sarubbo
Modified: 2012-10-02 06:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-09-04 10:29:39 UTC
A security issue has been reported in MoinMoin, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to an incorrect evaluation of ACL rules when applied to a group that contains a virtual group (e.g. "All", "Known", or "Trusted"). This can be exploited to have incorrect permissions assigned and access restricted content.

Successful exploitation requires that virtual group members exist within another group.

The security issue is reported in version 1.9.4 and prior.

As a workaround the vendor recommends to apply the patch.
Further details available in Customer Area

Provided and/or discovered by
Reported by the vendor.

Original Advisory
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-09-11 11:05:06 UTC
CVE-2012-4404 (
  security/ in MoinMoin 1.9 through 1.9.4 does not properly handle
  group names that contain virtual group names such as "All," "Known," or
  "Trusted," which allows remote authenticated users with virtual group
  membership to be treated as a member of the group.
Comment 2 Tim Harder gentoo-dev 2012-09-24 23:07:26 UTC
1.9.5 added to CVS which fixes the issue.
Comment 3 Tim Harder gentoo-dev 2012-09-24 23:09:25 UTC
Feel free to start the stabilization process to overrule bug #339295.
Comment 4 Agostino Sarubbo gentoo-dev 2012-09-25 09:58:40 UTC
Arches, please test and mark stable:
Target keywords : "amd64 ppc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-09-25 11:15:11 UTC
amd64 stable
Comment 6 Anthony Basile gentoo-dev 2012-09-25 11:19:26 UTC
stable ppc
Comment 7 Andreas Schürch gentoo-dev 2012-09-27 06:53:40 UTC
x86 done, last arch!
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-30 18:28:58 UTC
Thanks, everyone.

GLSA vote: no.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-10-02 06:23:17 UTC
GLSA Vote: no too. Closing noglsa.