[pkg-mt-om-devel] Bug#697666: Bug#697666: movabletype-opensource: mt-upgrade.cgi vulnerability

Dominic Hargreaves dom at earth.li
Tue Jan 8 18:04:20 UTC 2013


On Tue, Jan 08, 2013 at 07:52:25AM +0000, Dominic Hargreaves wrote:
> Package: movabletype-opensource
> Version: 4.3.8+dfsg-0+squeeze2
> Severity: grave
> Justification: remote command execution
> Tags: security patch
> 
> ----- Forwarded message from Takeshi Nick Osanai <tosanai at sixapart.com> -----
> 
> Date: Tue, 8 Jan 2013 11:26:38 +0900
> From: Takeshi Nick Osanai <tosanai at sixapart.com>
> To: mtos-dev <mtos-dev at ml.sixapart.com>
> Subject: [Mtos-dev] Movable Type 4.38 patch to fix a known upgrading
> 	security issue
> X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
> 	version=3.3.1
> X-Urchin-Spam-Score-Int: -18
> X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.2
> 
> Dear MT community members,
> 
> Six Apart has found a security issue and fixed it in Movable Type 4.2
> and MT 4.3.
> For those of you who use Movable Type 4.2 and 4.3, Six Apart strongly
> recommends that you upgrade to the latest released version of Movable
> Type or execute the steps  written in below entry.
> This vulnerability does not exist in Movable Type versions 5.0 or
> later, including the latest Movable Type, version 5.2.2.
> 
> For more detailed information, please see the entry.
> 
> http://www.movabletype.org/2013/01/movable_type_438_patch.html

Hi,

I've pushed a fix for this to git:

http://anonscm.debian.org/gitweb/?p=pkg-mt-om/movabletype-opensource.git;a=commit;h=6641bd2f42f5e48ac0a6cd2c0b0ccebea22967cb

Note that much of the patch is whitespace changes, but I thought it
would be better to stick with the upstream file rather than trim it
back to the meaningful changes in case of subsequent updates from
upstream.

I've tested this code path by installing the lenny version of MT
and upgrading it to this package.

Security team, shall I upload to security-master?

It might be useful in a DSA to recommend restricting the mt-upgrade.cgi
script to trusted IP addresses, but I don't think it's something we
can do by default, as browser access to mt-upgrade.cgi is needed to
complete upgrades.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
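The message above suggests that an advisory could recommend limiting mt-upgrade.cgi to trusted IP addresses rather than shipping such a restriction by default. As an added illustration (not part of this mail, the Debian package, or the upstream patch), the fragment below shows how an administrator could express that restriction in Apache httpd. It assumes Movable Type's CGI scripts are served by Apache, that the operator knows the address range they upgrade from, and uses an obviously placeholder address (192.0.2.0/24, a documentation range) that must be replaced with the real trusted range; the Apache 2.2 and 2.4 forms are both given because both were in use at the time of the report.

```apache
# Added example: restrict mt-upgrade.cgi to trusted client addresses.
# Place inside the <Directory> (or the .htaccess, if AllowOverride
# permits Limit/AuthConfig) that serves Movable Type's CGI scripts.
# Replace 192.0.2.0/24 (a placeholder documentation range) with the
# address range the upgrade will actually be run from.

<Files "mt-upgrade.cgi">
    # Apache 2.4 syntax (mod_authz_core / mod_authz_host):
    # everything is refused unless the client address matches.
    <IfVersion >= 2.4>
        Require ip 192.0.2.0/24
    </IfVersion>

    # Apache 2.2 syntax (mod_authz_host): deny first, then allow the
    # trusted range. Without the "Deny from all" the Allow line alone
    # would leave the script reachable from everywhere.
    <IfVersion < 2.4>
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
    </IfVersion>
</Files>
```

The `<Files>` container matches on the script's file name, so no install path has to be hard-coded. After an upgrade has been completed from a trusted address, the restriction can be left in place; a later upgrade from a different network will then fail with 403 rather than silently exposing the script, which is exactly the trade-off the message describes.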
