Safety vulnerability ID: 36454
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Moin version 1.9.1 includes a fix for CVE-2010-0667: MoinMoin 1.9 before 1.9.1 does not perform the expected clearing of the sys.argv array in situations where the GATEWAY_INTERFACE environment variable is set, which allows remote attackers to obtain sensitive information via unspecified vectors.
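The detail that makes this worth a check is the CGI interface itself: CGI/1.1 (RFC 3875, section 4.4) sets GATEWAY_INTERFACE in the script's environment and allows the server to pass a query string that contains no unencoded "=" to the script as command-line arguments. In a CGI deployment, sys.argv can therefore carry request-supplied words, and any code path that parses sys.argv as tool options will read them unless the web entry point clears sys.argv when GATEWAY_INTERFACE is present. The script below is an added illustration of that check, not MoinMoin's own code or its fix; the option parser, the function names and the sample environment are constructed for the example, and the actual vector for CVE-2010-0667 is unspecified.

```python
"""Illustration (not MoinMoin code): why a CGI entry point should clear sys.argv.

CGI/1.1 (RFC 3875, section 4.4) lets the server hand a query string that has
no unencoded '=' to the script as argv[1:].  A program that also accepts
command-line options then reads request data as options unless it clears
sys.argv when GATEWAY_INTERFACE says it is running under CGI.
"""
from typing import Dict, List


def cgi_argv_from_query(query_string: str) -> List[str]:
    """Model the RFC 3875 'indexed query' rule: a query string without an
    unencoded '=' is split on '+' and supplied to the script as argv[1:].
    Constructed for this example; a real server does this itself (after
    URL-decoding, which is omitted here)."""
    if not query_string or "=" in query_string:
        return []
    return query_string.split("+")


def sanitize_argv(argv: List[str], environ: Dict[str, str]) -> List[str]:
    """Keep only argv[0] when running under a CGI gateway (GATEWAY_INTERFACE
    is set).  Outside CGI, argv is returned unchanged so that command-line
    tools keep working."""
    if "GATEWAY_INTERFACE" in environ:
        return argv[:1]
    return list(argv)


def parse_options(argv: List[str]) -> Dict[str, bool]:
    """Hypothetical option parser: bare '--flag' words toggle features (for
    instance a verbose error page).  It stands in for any tool-style parser
    that a web entry point reuses."""
    return {arg[2:]: True for arg in argv[1:] if arg.startswith("--")}


def build_argv(environ: Dict[str, str], cli_argv: List[str]) -> List[str]:
    """What the process sees: under CGI the server supplies argv[1:] from the
    query string (modelled above); otherwise the real command line is used."""
    if "GATEWAY_INTERFACE" in environ:
        return cli_argv[:1] + cgi_argv_from_query(environ.get("QUERY_STRING", ""))
    return list(cli_argv)


def effective_options(environ: Dict[str, str], cli_argv: List[str],
                      sanitize: bool) -> Dict[str, bool]:
    """Options the program would act on, with and without the argv check."""
    argv = build_argv(environ, cli_argv)
    if sanitize:
        argv = sanitize_argv(argv, environ)
    return parse_options(argv)


# Constructed CGI environment for the request  ?--debug+--verbose
CGI_ENV = {"GATEWAY_INTERFACE": "CGI/1.1", "QUERY_STRING": "--debug+--verbose"}
# Constructed non-CGI environment (plain command-line run)
CLI_ENV: Dict[str, str] = {}

if __name__ == "__main__":
    print("CGI, argv not cleared:", effective_options(CGI_ENV, ["moin.cgi"], sanitize=False))
    print("CGI, argv cleared    :", effective_options(CGI_ENV, ["moin.cgi"], sanitize=True))
    print("command line         :", effective_options(CLI_ENV, ["moin", "--debug"], sanitize=True))
```

Run stand-alone, the first line shows the request words being accepted as options, the second shows the cleared argv yielding no options, and the third shows that a genuine command-line invocation is unaffected by the check. The same pattern applies to any long-running frontend (FastCGI, SCGI, AJP) that is started from a wrapper which also parses options: decide from the environment whether argv is trustworthy before any option parser sees it.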
Latest version: 1.9.11
MoinMoin 1.9.11 is an easy-to-use, full-featured and extensible wiki software package.
Bug fixes:
* Fixed CVE-2010-0667: sys.argv security issue.
* Fixed FileSessionService - use session_dir from CURRENT request.cfg (it
  mixed up session_dirs in farm setups).
  HINT: if you added the hotfix to your wikiconfig, please remove it now.
* Fixed creation of lots of session files (when anonymous sessions were enabled
  and the user agent did not support cookies).
* Fixed session file storage for a non-ascii base path.
* Fixed session cookie confusion for nested URL paths (like path=/ and
path=/mywiki - for more info, see also "New features").
* Handle cookie_lifetime / anonymous_session_lifetime upgrade issue
gracefully: emit errors/warnings to log, use old settings to create
cfg.cookie_lifetime as expected by moin 1.9.
* flup-based frontends: fixed SCGI and AJP (they did not work).
* farmconfig example: remove wrong comment, add sample http/https entry.
* Fixed password reset url (email content needs full URL).
* Page: fixed adding of page contents (only data added now, without metadata) -
fixes MoinMoinBugs/DeprecatedPageInclusionErrornousPageInstructionsProcessing
* xmlrpc:
  * Process attachname in get/putAttachment similarly.
  * revertPage: convert pagename to internal representation.
* Fixed auth calls used by jabberbot (needs more work).
* Added missing config.umask support code (setting was not used), fixed
config.umask usage for page packages.
* Fixed browser language detection.
* Fixed language pack generation/installation for pt-br, zh, zh-tw.
* Fixed caching of formatted msgs, see MoinMoinBugs/1.9EditPageHelpLinksBroken.
* Fixed usage of i18n.wikiLanguages() on class level (moved to method), failed
when tools import the module (e.g. pydoc -k foo).
* highlight parser:
  * fixed caching issue for "toggle line numbers" link.
  * added missing support for console/bash session.
* Fixed precedence of parsers: more special parsers now have precedence
before moin falls back to using the HighlightParser (syntax highlighting).
* Added extensions to the rst, moin and creole parser (example.rst, example.moin and
example.creole attachments are rendered now when viewed).
* Fixed MoinMoinBugs/LineNumberSpansForProcessInstructionsMissed for
moin_wiki, highlight and plain parser.
* Fixed MoinMoinBugs/LineNumberAnchorsInPreformattedText for highlight and
plain parser.
* Fixed MoinMoinBugs/TableOfContentsBrokenForIncludedPages.
* The exception raised when add_msg() was called after send_title() (which led
  to an Internal Server Error for several actions, e.g. diff and preview, on
  deprecated pages) has been replaced with a warning and call-stack information
  in the log.
* AttachFile.move_file: send events (so e.g. xapian index update happens)
* SubProcess: fixed win32-specific parts, fixed imports (fixes calling of
external xapian index filters)
* Fixed auth methods that use redirects (like OpenID).
* OpenID client:
  * Add setting cfg.openidrp_allowed_op, default is [].
  * Fixed logging in with openid and associating with an existing account.
  * openidrp_sreg extension: handle UnknownTimeZoneError gracefully.
* OpenID server:
  * Fixed TypeError.
  * Fixed processing POSTed form data AND URL args.
New features:
* diff: Added displaying of information about revisions (editor, size,
timestamp, comment), added revision navigation.
* text editor: added TIMESTAMP variable for adding a raw time stamp
* xmlrpc: added renamePage and deleteAttachment methods.
* Accept "rel" attribute for links (moin wiki parser).
* Generate session cookie names to fix cookie path confusion and enable port-
  based wiki farming.
  HINT: New setting cfg.cookie_name:
    None (default): use MOIN_SESSION_<PORT>_<PATH> as session cookie name. This
                    should work out-of-the-box for most setups.
    'siteidmagic':  use MOIN_SESSION_<SITEID>, which is unique within a wiki farm
                    created by a single farmconfig (currently, cfg.siteid is just
                    the name of the wiki configuration module).
    'other_value':  use MOIN_SESSION_other_value - this gives YOU control. Just
                    use the same value to share the session between wikis and use
                    a different value if you want a separate session.
  HINT: Please do not use cfg.cookie_path any more - it usually should not be
  needed any more, as we now always put path=/ into the cookie except if you
  explicitly configure something else (only do that if you know exactly what
  you're doing and if the default does not work for you).
  HINT: see also the HelpOnSessions page which shows some typical configs.
* Store expiry into sessions, use moin maint cleansessions script to clean up.
  HINT: use moin ... maint cleansessions --all once after upgrading.
  HINT: you may want to add a cron job calling moin ... maint cleansessions
  to regularly clean up expired sessions (it won't remove sessions that have
  not expired).
Other changes:
* Added rtsp, rtp, rtcp protocols to url_schemas.
* Added more info about index building to xapian wikiconfig snippet.
* Updated the wikicreole parser to version 1.1.