You can find it attached. Cheers,
--Seb
diff -Nru mediawiki-1.19.20+dfsg/debian/changelog mediawiki-1.19.20+dfsg/debian/changelog
--- mediawiki-1.19.20+dfsg/debian/changelog 2014-10-07 20:14:04.000000000 +0200
+++ mediawiki-1.19.20+dfsg/debian/changelog 2014-12-14 18:27:31.000000000 +0100
@@ -1,3 +1,12 @@
+mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2014-9277: The <cross-domain-policy> mangling in OutputHandler.php
+ poses a potentially severe security problem for API clients written in
+ PHP, in that format=php is affected (Closes: #772764).
+
+ -- Sebastien Delafond <s...@debian.org> Sun, 14 Dec 2014 18:23:47 +0100
+
 mediawiki (1:1.19.20+dfsg-2) unstable; urgency=low
 
 * Team upload.
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch
--- mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch 1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch 2014-12-14 18:22:36.000000000 +0100
@@ -0,0 +1,32 @@
+--- a/includes/DefaultSettings.php
++++ b/includes/DefaultSettings.php
+@@ -2688,6 +2688,14 @@
+ */
+ $wgResourceLoaderExperimentalAsyncLoading = false;
+
++/**
++ * When OutputHandler is used, mangle any output that contains
++ * <cross-domain-policy>. Without this, an attacker can send their own
++ * cross-domain policy unless it is prevented by the crossdomain.xml file at
++ * the domain root.
++ */
++$wgMangleFlashPolicy = true;
++
+ /** @} */ # End of resource loader settings }
+
+
+--- a/includes/OutputHandler.php
++++ b/includes/OutputHandler.php
+@@ -13,8 +13,10 @@
+ * @return string
+ */
+ function wfOutputHandler( $s ) {
+- global $wgDisableOutputCompression, $wgValidateAllHtml;
+- $s = wfMangleFlashPolicy( $s );
++ global $wgDisableOutputCompression, $wgValidateAllHtml, $wgMangleFlashPolicy;
++ if ( $wgMangleFlashPolicy ) {
++ $s = wfMangleFlashPolicy( $s );
++ }
+ if ( $wgValidateAllHtml ) {
+ $headers = apache_response_headers();
+ $isHTML = true;
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch
--- mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch 1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch 2014-12-17 10:07:26.000000000 +0100
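Review bot: The docblock added for `$wgMangleFlashPolicy` in DefaultSettings.php explains the risk but not the operational consequence of either value, and this is a security switch an administrator can now turn off. I would extend it with `Only set this to false if a restrictive crossdomain.xml is served at the domain root.` and `While this is true and the output handler is active, format=php API responses containing the tag are refused.`, the second following from the ApiFormatPhp change in CVE-2014-9277_2.patch. In wfOutputHandler the new `if ( $wgMangleFlashPolicy )` is a truthiness test, so an unset or null global would silently skip the mangling; that is only safe if DefaultSettings.php is always loaded before the handler runs, which cannot be confirmed from this hunk. wfOutputHandler's body continues past the end of the hunk.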
@@ -0,0 +1,53 @@
+--- a/includes/api/ApiFormatJson.php
++++ b/includes/api/ApiFormatJson.php
+@@ -67,9 +67,21 @@
+ $prefix = ( "/**/$prefix" );
+ $suffix = ')';
+ }
++
++ $json = FormatJson::encode( $this->getResultData(), $this->getIsHtml() );
++
++ // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
++ // Flash, but what it does isn't friendly for the API, so we need to
++ // work around it.
++ if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $json ) ) {
++ $json = preg_replace(
++ '/\<(\s*cross-domain-policy\s*)\>/i', '\\u003C$1\\u003E', $json
++ );
++ }
++
+ $this->printText(
+ $prefix .
+- FormatJson::encode( $this->getResultData(), $this->getIsHtml() ) .
++ $json .
+ $suffix
+ );
+ }
+--- a/includes/api/ApiFormatPhp.php
++++ b/includes/api/ApiFormatPhp.php
+@@ -39,7 +39,24 @@
+ }
+
+ public function execute() {
+- $this->printText( serialize( $this->getResultData() ) );
++ global $wgMangleFlashPolicy;
++ $text = serialize( $this->getResultData() );
++
++ // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
++ // Flash, but what it does isn't friendly for the API. There's nothing
++ // we can do here that isn't actively broken in some manner, so let's
++ // just be broken in a useful manner.
++ if ( $wgMangleFlashPolicy &&
++ in_array( 'wfOutputHandler', ob_list_handlers(), true ) &&
++ preg_match( '/\<\s*cross-domain-policy\s*\>/i', $text )
++ ) {
++ $this->dieUsage(
++ 'This response cannot be represented using format=php. See https://bugzilla.wikimedia.org/show_bug.cgi?id=66776',
++ 'internalerror'
++ );
++ }
++
++ $this->printText( $text );
+ }
+
+ public function getDescription() {
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/series mediawiki-1.19.20+dfsg/debian/patches/series
--- mediawiki-1.19.20+dfsg/debian/patches/series 2014-08-24 06:52:14.000000000 +0200
+++ mediawiki-1.19.20+dfsg/debian/patches/series 2014-12-14 18:22:55.000000000 +0100
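Review bot: The detection regex `/\<\s*cross-domain-policy\s*\>/i` is written out three times in this patch (twice in ApiFormatJson::execute, once in ApiFormatPhp::execute) and has to agree with whatever wfMangleFlashPolicy() rewrites, which is not visible here. If the mangler's pattern is later widened and these copies are not, the JSON escape would miss the tag and format=php would presumably again emit serialized data that the output handler alters after the string lengths were written. I would add `// Must match the pattern used by wfMangleFlashPolicy() in includes/OutputHandler.php` above each check, or expose the pattern from one place. The format=php guard also depends on the handler appearing in ob_list_handlers() under the literal name 'wfOutputHandler', so it only fails closed when the handler is registered by that function name; a one-line comment stating that assumption would help. Both execute() bodies extend beyond the hunk.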
@@ -9,3 +9,5 @@
 fix_warnings.patch
 mimetypes.patch
 suppress_warnings.patch
+CVE-2014-9277_1.patch
+CVE-2014-9277_2.patch