Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package mediawiki Please consider allowing the new security bugfix release of mediawiki’s long-term support branch into wheezy. The upload to sid also contains a documentation and a code change both related to correcting the installation/setup process. The Debian changes, except patch-context-linenumber changes, are as follows: --- debian/changelog (revision 430) +++ debian/changelog (working copy) @@ -1,3 +1,21 @@ +mediawiki (1:1.19.5-1) unstable; urgency=high + + [ Platonides ] + * Update config URL in README.Debian (Closes: #703804) + + [ Thorsten Glaser ] + * Re-add LocalSettings creation snippet for support of the + mediawiki-extensions Debian packaging (Closes: #703852) + * New upstream security-only release: + - (bug 47251) SECURITY: Disable external entities in Import + - (bug 46859) SECURITY: Disable external entities in XMLReader + - (bug 46084) SECURITY: Sanitize $limitReport before outputting + - (bug 43594) Fix notices displayed on PHP 5.4 + - (bug 40585) Don't drop 'step="any"' in HTML input fields. + * Refresh patches against new upstream code + + -- Thorsten Glaser <t...@mirbsd.de> Tue, 16 Apr 2013 11:04:05 +0200 + mediawiki (1:1.19.4-1) unstable; urgency=high * Urgency high for security fix --- debian/patches/debian_specific_config.patch (revision 0) +++ debian/patches/debian_specific_config.patch (revision 434) 
@@ -0,0 +1,18 @@ +$Id$ + +Support mediawiki-extensions Debian packaging (see #703852). + +--- a/includes/installer/LocalSettingsGenerator.php ++++ b/includes/installer/LocalSettingsGenerator.php +@@ -333,6 +333,11 @@ if ( !defined( 'MEDIAWIKI' ) ) { + # Path to the GNU diff3 utility. Used for conflict resolution. + \$wgDiff3 = \"{$this->values['wgDiff3']}\"; + ++# debian-specific include: ++if (is_file(\"/etc/mediawiki-extensions/extensions.php\")) { ++ include(\"/etc/mediawiki-extensions/extensions.php\"); ++} ++ + # Query string length limit for ResourceLoader. You should only set this if + # your web server has a query string length limit (then set it to that limit), + # or if you have suhosin.get.max_value_length set in php.ini (then set it to --- debian/patches/series (revision 430) +++ debian/patches/series (working copy) @@ -6,3 +6,4 @@ bz29635.patch bz40889.patch bz39635.patch +debian_specific_config.patch --- debian/README.Debian (revision 430) +++ debian/README.Debian (working copy) 
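Review bot: The generated snippet gates the include on `is_file()`, but a file that exists and is not readable by the web server still reaches `include()`, which emits a warning and carries on; `is_readable(\"/etc/mediawiki-extensions/extensions.php\")` matches the "include it if we can" intent better. The included file is effectively a second LocalSettings.php, presumably executed with the web server's privileges on every request, so the permission advice README.Debian gives for LocalSettings.php applies to it as well and a sentence there would help administrators. The backslash escaping is needed because these lines live inside a double-quoted PHP string in LocalSettingsGenerator.php, which the surrounding `\$wgDiff3` line shows; the enclosing method starts and ends outside the hunk.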
@@ -14,14 +14,14 @@ Configuration: The configuration uses an easy web-based system ; just go to this URL : - http://www.myserver.org/mediawiki/config/index.php + http://www.myserver.org/mediawiki/mw-config/index.php (replace by your own servername) You may of course configure your webserver to serve this URL. A default configuration can be found in /etc/mediawiki/. Apache and cherokee users may have linked this in their configuration automatically if they asked the installer to do so. Then just copy the generated config to the real system location : - mv /var/lib/mediawiki/config/LocalSettings.php \ + mv /var/lib/mediawiki/mw-config/LocalSettings.php \ /etc/mediawiki You should change file permissions for LocalSettings.php as required to prevent other users on the server from reading passwords and The upstream changes are as follows: --- mediawiki-1.19.4/RELEASE-NOTES-1.19 2013-03-04 19:11:51.000000000 +0100 +++ mediawiki-1.19.5/RELEASE-NOTES-1.19 2013-04-15 18:23:52.000000000 +0200 @@ -3,6 +3,17 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.19.5 == + +This is a security and maintenance release of the MediaWiki 1.19 branch + +=== Changes since 1.19.4 === +* (bug 47251) SECURITY: Disable external entities in Import +* (bug 46859) SECURITY: Disable external entities in XMLReader +* (bug 46084) SECURITY: Sanitize $limitReport before outputting +* (bug 43594) Fix notices displayed on PHP 5.4 +* (bug 40585) Don't drop 'step="any"' in HTML input fields. + == MediaWiki 1.19.4 == This is a maintenance release of the MediaWiki 1.19 branch --- mediawiki-1.19.4/includes/DefaultSettings.php 2013-03-04 19:11:51.000000000 +0100 +++ mediawiki-1.19.5/includes/DefaultSettings.php 2013-04-15 18:23:52.000000000 +0200 
@@ -33,7 +33,7 @@ $wgConf = new SiteConfiguration; /** @endcond */ /** MediaWiki version number */ -$wgVersion = '1.19.4'; +$wgVersion = '1.19.5'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; --- mediawiki-1.19.4/includes/GlobalFunctions.php 2013-03-04 19:11:51.000000000 +0100 +++ mediawiki-1.19.5/includes/GlobalFunctions.php 2013-04-15 18:23:52.000000000 +0200 @@ -2216,7 +2216,7 @@ function wfSuppressWarnings( $end = fals if( !defined( 'E_DEPRECATED' ) ) { define( 'E_DEPRECATED', 8192 ); } - $originalLevel = error_reporting( E_ALL & ~( E_WARNING | E_NOTICE | E_USER_WARNING | E_USER_NOTICE | E_DEPRECATED ) ); + $originalLevel = error_reporting( E_ALL & ~( E_WARNING | E_NOTICE | E_USER_WARNING | E_USER_NOTICE | E_DEPRECATED | E_USER_DEPRECATED | E_STRICT ) ); } ++$suppressCount; } --- mediawiki-1.19.4/includes/Html.php 2013-03-04 19:11:51.000000000 +0100 +++ mediawiki-1.19.5/includes/Html.php 2013-04-15 18:23:52.000000000 +0200 @@ -434,7 +434,13 @@ class Html { # server-side validation. Opera is the only other implementation at # this time, and has ugly UI, so just kill the feature entirely until # we have at least one good implementation. - if ( in_array( $key, array( 'max', 'min', 'pattern', 'required', 'step' ) ) ) { + + # As the default value of "1" for "step" rejects decimal + # numbers to be entered in 'type="number"' fields, allow + # the special case 'step="any"'. + + if ( in_array( $key, array( 'max', 'min', 'pattern', 'required' ) ) || + $key === 'step' && $value !== 'any' ) { continue; } --- mediawiki-1.19.4/includes/Import.php 2013-03-04 19:11:51.000000000 +0100 +++ mediawiki-1.19.5/includes/Import.php 2013-04-15 18:23:52.000000000 +0200 
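Review bot: `E_USER_DEPRECATED` joins the mask without the `defined()` guard the two lines above give `E_DEPRECATED`; both constants appeared in PHP 5.3, so on the 5.2 runtimes that guard exists for, the new line raises an undefined-constant notice inside the very function meant to suppress notices. Mirror the guard: `if( !defined( 'E_USER_DEPRECATED' ) ) { define( 'E_USER_DEPRECATED', 16384 ); }`. `E_STRICT` has existed since PHP 5.0 and needs no guard. wfSuppressWarnings' body starts and ends outside the hunk.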
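Review bot: The rewritten condition in Html::expandAttributes mixes `||` and `&&` without parentheses; it parses as intended because `&&` binds tighter, but `( $key === 'step' && $value !== 'any' )` makes the special case readable at a glance. Since the line is being rewritten anyway, the pre-existing `in_array( $key, array( ... ) )` could take `true` as its third argument; loose comparison against string names is a classic source of surprises with numeric keys. The `$value !== 'any'` test is case-sensitive, so `step="ANY"` is still dropped; if that is intended, the new comment block could say "only the lowercase keyword 'any' is honoured".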
@@ -396,9 +396,15 @@ class WikiImporter { * Primary entry point */ public function doImport() { + + // Calls to reader->read need to be wrapped in calls to + // libxml_disable_entity_loader() to avoid local file + // inclusion attacks (bug 46932). + $oldDisable = libxml_disable_entity_loader( true ); $this->reader->read(); if ( $this->reader->name != 'mediawiki' ) { + libxml_disable_entity_loader( $oldDisable ); throw new MWException( "Expected <mediawiki> tag, got ". $this->reader->name ); } @@ -437,6 +443,7 @@ class WikiImporter { } } + libxml_disable_entity_loader( $oldDisable ); return true; } --- mediawiki-1.19.4/includes/cache/FileCacheBase.php 2013-03-04 19:11:51.000000000 +0100 +++ mediawiki-1.19.5/includes/cache/FileCacheBase.php 2013-04-15 18:23:52.000000000 +0200 @@ -116,9 +116,12 @@ abstract class FileCacheBase { * @return string */ public function fetchText() { - // gzopen can transparently read from gziped or plain text - $fh = gzopen( $this->cachePath(), 'rb' ); - return stream_get_contents( $fh ); + if( $this->useGzip() ) { + $fh = gzopen( $this->cachePath(), 'rb' ); + return stream_get_contents( $fh ); + } else { + return file_get_contents( $this->cachePath() ); + } } /** --- mediawiki-1.19.4/includes/media/SVGMetadataExtractor.php 2013-03-04 19:11:51.000000000 +0100 +++ mediawiki-1.19.5/includes/media/SVGMetadataExtractor.php 2013-04-15 18:23:52.000000000 +0200 
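Review bot: `libxml_disable_entity_loader( $oldDisable )` is restored only on the `Expected <mediawiki> tag` throw and at the final `return true`; any exception raised in between (the import loop between the two hunks is not visible here) leaves the entity loader disabled. That setting is process-wide state and, as far as I recall, is not reset between requests by the engine, so other XML consumers in the same worker could start failing to load external resources. The SVGReader change in this same upload already uses the right shape for a code base without `finally`: wrap the body in `try { … } catch ( Exception $e ) { libxml_disable_entity_loader( $oldDisable ); throw $e; }` and restore after the try. doImport's body continues outside the first hunk.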
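Review bot: In the gzip branch of fetchText the handle returned by `gzopen()` is never closed; assigning first removes the leak without changing the result: `$text = stream_get_contents( $fh ); gzclose( $fh ); return $text;`. Both branches hand back `false` rather than a string when the cache file is missing or unreadable, which the `@return string` above does not admit; `@return string|bool` would be accurate. Style: `if(` without a space differs from the `if (` spelling used in the other hunks of this upload.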
@@ -71,7 +71,12 @@ class SVGReader { // Expand entities, since Adobe Illustrator uses them for xmlns // attributes (bug 31719). Note that libxml2 has some protection // against large recursive entity expansions so this is not as - // insecure as it might appear to be. + // insecure as it might appear to be. However, it is still extremely + // insecure. It's necessary to wrap any read() calls with + // libxml_disable_entity_loader() to avoid arbitrary local file + // inclusion, or even arbitrary code execution if the expect + // extension is installed (bug 46859). + $oldDisable = libxml_disable_entity_loader( true ); $this->reader->setParserProperty( XMLReader::SUBST_ENTITIES, true ); $this->metadata['width'] = self::DEFAULT_WIDTH; @@ -85,9 +90,11 @@ class SVGReader { $this->read(); } catch( Exception $e ) { wfRestoreWarnings(); + libxml_disable_entity_loader( $oldDisable ); throw $e; } wfRestoreWarnings(); + libxml_disable_entity_loader( $oldDisable ); } /** @@ -100,7 +107,7 @@ class SVGReader { /** * Read the SVG */ - public function read() { + protected function read() { $keepReading = $this->reader->read(); /* Skip until first element */ --- mediawiki-1.19.4/includes/parser/Parser.php 2013-03-04 19:11:51.000000000 +0100 +++ mediawiki-1.19.5/includes/parser/Parser.php 2013-04-15 18:23:52.000000000 +0200 @@ -460,6 +460,11 @@ class Parser { "Template argument size: {$this->mIncludeSizes['arg']}/$max bytes\n". $PFreport; wfRunHooks( 'ParserLimitReport', array( $this, &$limitReport ) ); + + // Sanitize for comment. Note '‐' in the replacement is U+2010, + // which looks much like the problematic '-'. + $limitReport = str_replace( array( '-', '&' ), array( '‐', '&' ), $limitReport ); + $text .= "\n<!-- \n$limitReport-->\n"; } $this->mOutput->setText( $text ); --- mediawiki-1.19.4/tests/phpunit/includes/HtmlTest.php 2013-03-04 19:11:51.000000000 +0100 +++ mediawiki-1.19.5/tests/phpunit/includes/HtmlTest.php 2013-04-15 18:23:52.000000000 +0200 
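Review bot: `read()` changes from `public` to `protected` in a security-only release; any extension or caller invoking `SVGReader::read()` directly will now fatal, and neither the RELEASE-NOTES hunk nor debian/changelog mentions the API change. The restriction is sensible — read() is only safe inside the `libxml_disable_entity_loader()` window the first hunk opens (in what is presumably the constructor; its signature is outside the hunk) — and that is what the method's doc comment should say, e.g. `Read the SVG. Must only be called while the entity loader is disabled; see the constructor.`. If external callers are expected, the alternative is to keep it public and move the disable/restore wrapping into read() itself.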
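Review bot: As rendered here the second `str_replace` pair maps `'&'` to `'&'`, a no-op; presumably the replacement was the entity reference `&amp;` and was decoded in transit, so verify against the source in the uploaded tarball rather than this mail. Replacing every ASCII `-` with U+2010 does close the comment-break injection bug 46084 is about, since an HTML comment can only be terminated by two ASCII hyphens; a comment naming the threat would help the next reader, e.g. `// '--' would end the HTML comment this report is emitted into`. The enclosing method's signature is outside the hunk.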
@@ -330,4 +330,16 @@ class HtmlTest extends MediaWikiTestCase ); } + public function testFormValidationBlacklist() { + $this->assertEmpty( + Html::expandAttributes( array( 'min' => 1, 'max' => 100, 'pattern' => 'abc', 'required' => true, 'step' => 2 ) ), + 'Blacklist form validation attributes.' + ); + $this->assertEquals( + ' step="any"', + Html::expandAttributes( array( 'min' => 1, 'max' => 100, 'pattern' => 'abc', 'required' => true, 'step' => 'any' ) ), + "Allow special case 'step=\"any\"'." + ); + } + } unblock mediawiki/1:1.19.5-1 -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/mksh-static -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org