On Tue, Dec 06, 2011 at 08:01:18PM +0100, Moritz Muehlenhoff wrote:
> What's the status of the following for stable?
> http://security-tracker.debian.org/tracker/CVE-2011-1578
> http://security-tracker.debian.org/tracker/CVE-2011-1579
> http://security-tracker.debian.org/tracker/CVE-2011-1580
>
> Otherwise, please upload. You can allocate the DSA ID yourself by running
> bin/gen-DSA as outlined here and commit the new blob in data/DSA/list:
> http://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecSecr
New diffs attached, please review.

lenny9:
 debian/patches/CVE-2011-1578.patch     | 135 +++++++++++++++++++++++++++++++++
 debian/patches/CVE-2011-1579.patch     |  81 +++++++++++++++++++
 debian/patches/CVE-2011-1580.patch     |  52 ++++++++++++
 debian/patches/CVE-2011-1587.patch     |  37 +++++++++
 debian/patches/CVE-2011-4360.patch     |  31 +++++++
 debian/patches/CVE-2011-4361.patch     |  35 ++++++++
 mediawiki-1.12.0/debian/changelog      |  14 +++
 mediawiki-1.12.0/debian/patches/series |   6 +
 8 files changed, 391 insertions(+)

squeeze2:
 changelog                   |  14 ++++
 patches/CVE-2011-1578.patch | 134 ++++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2011-1579.patch |  80 ++++++++++++++++++++++++++
 patches/CVE-2011-1580.patch |  68 ++++++++++++++++++++++
 patches/CVE-2011-1587.patch |  37 ++++++++++++
 patches/CVE-2011-4360.patch |  31 ++++++++++
 patches/CVE-2011-4361.patch |  35 +++++++++++
 patches/series              |   6 +
 8 files changed, 405 insertions(+)

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -u mediawiki-1.12.0/debian/changelog mediawiki-1.12.0/debian/changelog --- mediawiki-1.12.0/debian/changelog +++ mediawiki-1.12.0/debian/changelog @@ -1,3 +1,17 @@ +mediawiki (1:1.12.0-2lenny9) UNRELEASED; urgency=low + + * Security fixes from upstream (Closes: #650434): + CVE-2011-4360 - page titles on private wikis could be exposed + bypassing different page ids to index.php + CVE-2011-4361 - action=ajax requests were dispatched to the + relevant function without any read permission checks being done + CVE-2011-1578 - XSS for IE <= 6 + CVE-2011-1579 - CSS validation error in wikitext parser + CVE-2011-1580 - access control checks on transwiki import feature + CVE-2011-1587 - fix incomplete patch for CVE-2011-1578 + + -- Jonathan Wiltshire <j...@debian.org> Sat, 17 Dec 2011 23:36:14 +0000 + mediawiki (1:1.12.0-2lenny8) oldstable; urgency=high * Oldstable upload. diff -u mediawiki-1.12.0/debian/patches/series mediawiki-1.12.0/debian/patches/series --- mediawiki-1.12.0/debian/patches/series +++ mediawiki-1.12.0/debian/patches/series @@ -15,0 +16,6 @@ +CVE-2011-1578.patch +CVE-2011-1579.patch +CVE-2011-1580.patch +CVE-2011-1587.patch +CVE-2011-4360.patch +CVE-2011-4361.patch only in patch2: unchanged: --- mediawiki-1.12.0.orig/debian/patches/CVE-2011-1579.patch +++ mediawiki-1.12.0/debian/patches/CVE-2011-1579.patch 
@@ -0,0 +1,81 @@ +Description: CSS validation error in wikitext parser + Wikipedia user Suffusion of Yellow discovered a CSS validation error + in the wikitext parser. This is an XSS issue for Internet Explorer + clients, and a privacy loss issue for other clients since it allows + the embedding of arbitrary remote images. +Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85856 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28450 +Last-Update: 2011-12-17 + +--- mediawiki-1.12.0.orig/includes/Sanitizer.php ++++ mediawiki-1.12.0/includes/Sanitizer.php +@@ -650,28 +650,34 @@ + + /** + * Pick apart some CSS and check it for forbidden or unsafe structures. +- * Returns a sanitized string, or false if it was just too evil. ++ * Returns a sanitized string. This sanitized string will have ++ * character references and escape sequences decoded, and comments ++ * stripped. If the input is just too evil, only a comment complaining ++ * about evilness will be returned. + * + * Currently URL references, 'expression', 'tps' are forbidden. + * ++ * NOTE: Despite the fact that character references are decoded, the ++ * returned string may contain character references given certain ++ * clever input strings. These character references must ++ * be escaped before the return value is embedded in HTML. ++ * + * @param string $value +- * @return mixed ++ * @return string + */ + static function checkCss( $value ) { ++ // Decode character references like { + $value = Sanitizer::decodeCharReferences( $value ); + +- // Remove any comments; IE gets token splitting wrong +- $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value ); +- +- // Remove anything after a comment-start token, to guard against +- // incorrect client implementations. 
+- $commentPos = strpos( $value, '/*' ); +- if ( $commentPos !== false ) { +- $value = substr( $value, 0, $commentPos ); +- } +- + // Decode escape sequences and line continuation + // See the grammar in the CSS 2 spec, appendix D. ++ // This has to be done AFTER decoding character references. ++ // This means it isn't possible for this function to return ++ // unsanitized escape sequences. It is possible to manufacture ++ // input that contains character references that decode to ++ // escape sequences that decode to character references, but ++ // it's OK for the return value to contain character references ++ // because the caller is supposed to escape those anyway. + static $decodeRegex, $reencodeTable; + if ( !$decodeRegex ) { + $space = '[\\x20\\t\\r\\n\\f]'; +@@ -687,6 +693,22 @@ + } + $value = preg_replace_callback( $decodeRegex, + array( __CLASS__, 'cssDecodeCallback' ), $value ); ++ ++ // Remove any comments; IE gets token splitting wrong ++ // This must be done AFTER decoding character references and ++ // escape sequences, because those steps can introduce comments ++ // This step cannot introduce character references or escape ++ // sequences, because it replaces comments with spaces rather ++ // than removing them completely. ++ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value ); ++ ++ // Remove anything after a comment-start token, to guard against ++ // incorrect client implementations. ++ $commentPos = strpos( $value, '/*' ); ++ if ( $commentPos !== false ) { ++ $value = substr( $value, 0, $commentPos ); ++ } ++ + // Reject problematic keywords and control characters + if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) { + return '/* invalid control char */'; only in patch2: unchanged: --- mediawiki-1.12.0.orig/debian/patches/CVE-2011-4361.patch +++ mediawiki-1.12.0/debian/patches/CVE-2011-4361.patch 
@@ -0,0 +1,35 @@ +Description: CVE-2011-4361 + Tim Starling discovered that action=ajax requests were dispatched to the + relevant function without any read permission checks being done. + This could have led to data leakage on private wikis. +Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 +Bug-Debian: http://bugs.debian.org/650434 +Forwarded: not-needed +Last-Update: 2011-11-30 + +--- mediawiki-1.12.0.orig/includes/AjaxDispatcher.php ++++ mediawiki-1.12.0/includes/AjaxDispatcher.php +@@ -73,7 +73,7 @@ + * request. + */ + function performAction() { +- global $wgAjaxExportList, $wgOut; ++ global $wgAjaxExportList, $wgOut, $wgUser; + + if ( empty( $this->mode ) ) { + return; +@@ -83,6 +83,13 @@ + if (! in_array( $this->func_name, $wgAjaxExportList ) ) { + wfHttpError( 400, 'Bad Request', + "unknown function " . (string) $this->func_name ); ++ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ++ && !$wgUser->isAllowed( 'read' ) ) ++ { ++ wfHttpError( ++ 403, ++ 'Forbidden', ++ 'You must log in to view pages.' ); + } else { + if ( strpos( $this->func_name, '::' ) !== false ) { + $func = explode( '::', $this->func_name, 2 ); only in patch2: unchanged: --- mediawiki-1.12.0.orig/debian/patches/CVE-2011-1580.patch +++ mediawiki-1.12.0/debian/patches/CVE-2011-1580.patch 
@@ -0,0 +1,52 @@ +Description: access control check on transwiki import feature + The transwiki import feature is disabled by default. If it is enabled, + it allows wiki pages to be copied from a remote wiki listed in + $wgImportSources. The issue means that any user can trigger such an + import to occur. +Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85099 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28449 +Last-Update: 2011-12-17 + +--- mediawiki-1.12.0.orig/includes/Title.php ++++ mediawiki-1.12.0/includes/Title.php +@@ -1055,7 +1055,14 @@ + $errors[] = array( 'confirmedittext' ); + } + +- if ( $user->isBlockedFrom( $this ) ) { ++ if ( in_array( $action, array( 'read', 'createaccount', 'unblock' ) ) ){ ++ // Edit blocks should not affect reading. ++ // Account creation blocks handled at userlogin. ++ // Unblocking handled in SpecialUnblock ++ } elseif( ( $action == 'edit' || $action == 'create' ) && !$user->isBlockedFrom( $this ) ){ ++ // Don't block the user from editing their own talk page unless they've been ++ // explicitly blocked from that too. 
++ } elseif( $user->isBlocked() && $user->mBlock->prevents( $action ) !== false ) { + $block = $user->mBlock; + + // This is from OutputPage::blockedPage +--- mediawiki-1.12.0.orig/includes/SpecialImport.php ++++ mediawiki-1.12.0/includes/SpecialImport.php +@@ -39,6 +39,22 @@ + return; + } + ++ if( !$wgUser->isAllowedAny( 'import', 'importupload' ) ) { ++ return $wgOut->permissionRequired( 'import' ); ++ } ++ ++ # TODO: allow Title::getUserPermissionsErrors() to take an array ++ # FIXME: Title::checkSpecialsAndNSPermissions() has a very wierd expectation of what ++ # getUserPermissionsErrors() might actually be used for, hence the 'ns-specialprotected' ++ $errors = wfMergeErrorArrays( ++ $this->getTitle()->getUserPermissionsErrors( 'import', $wgUser, true, array( 'ns-specialprotected' ) ), ++ $this->getTitle()->getUserPermissionsErrors( 'importupload', $wgUser, true, array( 'ns-specialprotected' ) ) ++ ); ++ if( $errors ){ ++ $wgOut->showPermissionsErrorPage( $errors ); ++ return; ++ } ++ + if( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit') { + $isUpload = false; + $namespace = $wgRequest->getIntOrNull( 'namespace' ); only in patch2: unchanged: --- mediawiki-1.12.0.orig/debian/patches/CVE-2011-4360.patch +++ mediawiki-1.12.0/debian/patches/CVE-2011-4360.patch 
@@ -0,0 +1,31 @@ +Description: CVE-2011-4360 + Alexandre Emsenhuber discovered an issue where page titles on private + wikis could be exposed bypassing different page ids to index.php. In the + case of the user not having correct permissions, they will now be + redirected to Special:BadTitle. +Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 +Bug-Debian: http://bugs.debian.org/650434 +Forwarded: not-needed +Last-Update: 2011-11-30 + + +--- mediawiki-1.12.0.orig/includes/Wiki.php ++++ mediawiki-1.12.0/includes/Wiki.php +@@ -123,6 +123,16 @@ + # the Read array in order for the user to see it. (We have to check here to + # catch special pages etc. We check again in Article::view()) + if ( !is_null( $title ) && !$title->userCanRead() ) { ++ // Bug 32276: allowing the skin to generate output with $wgTitle ++ // set to the input title would allow anonymous users to ++ // determine whether a page exists, potentially leaking private data. In fact, the ++ // curid and oldid request parameters would allow page titles to be enumerated even ++ // when they are not guessable. So we reset the title to Special:Badtitle before the ++ // permissions error is displayed. ++ $badtitle = SpecialPage::getTitleFor( 'Badtitle' ); ++ $output->setTitle( $badtitle ); ++ $wgTitle = $badtitle; ++ + $output->loginToUse(); + $output->output(); + exit; only in patch2: unchanged: --- mediawiki-1.12.0.orig/debian/patches/CVE-2011-1587.patch +++ mediawiki-1.12.0/debian/patches/CVE-2011-1587.patch 
@@ -0,0 +1,37 @@ +Description: fix insufficient patch for CVE-2011-1578 +Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=86027 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28507 +Last-Update: 2011-12-17 + +--- mediawiki-1.12.0.orig/images/.htaccess ++++ mediawiki-1.12.0/images/.htaccess +@@ -1,6 +1,6 @@ + # Protect against bug 28235 + <IfModule rewrite_module> + RewriteEngine On +- RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase] ++ RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase] + RewriteRule . - [forbidden] + </IfModule> +--- mediawiki-1.12.0.orig/img_auth.php ++++ mediawiki-1.12.0/img_auth.php +@@ -25,7 +25,7 @@ + + // Check for bug 28235: QUERY_STRING overriding the correct extension + if ( isset( $_SERVER['QUERY_STRING'] ) +- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) ) ++ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) + { + wfForbidden(); + } +--- mediawiki-1.12.0.orig/includes/WebRequest.php ++++ mediawiki-1.12.0/includes/WebRequest.php +@@ -621,7 +621,7 @@ + global $wgScriptExtension; + + if ( isset( $_SERVER['QUERY_STRING'] ) +- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) ) ++ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) + { + // Bug 28235 + // Block only Internet Explorer 6, and requests with missing UA only in patch2: unchanged: --- mediawiki-1.12.0.orig/debian/patches/CVE-2011-1578.patch +++ mediawiki-1.12.0/debian/patches/CVE-2011-1578.patch 
@@ -0,0 +1,135 @@ +Description: cross-site scripting problem in IE <= 6 clients + Due to the diversity of uploaded files that we allow, MediaWiki does + not guarantee that uploaded files will be safe if they are interpreted + by the client as some arbitrary file type, such as HTML. We rely on + the web server to send the correct Content-Type header, and we rely on + the web browser to respect it. This XSS issue arises due to IE 6 + looking for a file extension in the query string of the URL (i.e. + after the "?"), if no extension is found in path part of the URL. + Masato Kinugawa discovered that the file extension in the path part + can be hidden from IE 6 by substituting the "." with "%2E". +Origin: upstream,r85844/r85849 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28235 +Last-Update: 2011-12-17 + +--- /dev/null ++++ mediawiki-1.12.0/images/.htaccess +@@ -0,0 +1,6 @@ ++# Protect against bug 28235 ++<IfModule rewrite_module> ++ RewriteEngine On ++ RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase] ++ RewriteRule . 
- [forbidden] ++</IfModule> +--- mediawiki-1.12.0.orig/img_auth.php ++++ mediawiki-1.12.0/img_auth.php +@@ -23,6 +23,13 @@ + wfPublicError(); + } + ++// Check for bug 28235: QUERY_STRING overriding the correct extension ++if ( isset( $_SERVER['QUERY_STRING'] ) ++ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) ) ++{ ++ wfForbidden(); ++} ++ + // Extract path and image information + if( !isset( $_SERVER['PATH_INFO'] ) ) { + wfDebugLog( 'img_auth', 'Missing PATH_INFO' ); +--- mediawiki-1.12.0.orig/includes/RawPage.php ++++ mediawiki-1.12.0/includes/RawPage.php +@@ -108,7 +108,7 @@ + } + + function view() { +- global $wgOut, $wgScript; ++ global $wgOut, $wgScript, $wgRequest; + + if( isset( $_SERVER['SCRIPT_URL'] ) ) { + # Normally we use PHP_SELF to get the URL to the script +@@ -126,7 +126,7 @@ + $url = $_SERVER['PHP_SELF']; + } + +- if( strcmp( $wgScript, $url ) ) { ++ if( $wgRequest->isPathInfoBad() ) { + # Internet Explorer will ignore the Content-Type header if it + # thinks it sees a file extension it recognizes. Make sure that + # all raw requests are done through the script node, which will +@@ -140,6 +140,7 @@ + # + # Just return a 403 Forbidden and get it over with. + wfHttpError( 403, 'Forbidden', ++ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' . + 'Raw pages must be accessed through the primary script entry point.' ); + return; + } +--- mediawiki-1.12.0.orig/includes/WebRequest.php ++++ mediawiki-1.12.0/includes/WebRequest.php +@@ -600,7 +600,50 @@ + function setSessionData( $key, $data ) { + $_SESSION[$key] = $data; + } +- ++ ++ /** ++ * Returns true if the PATH_INFO ends with an extension other than a script ++ * extension. This could confuse IE for scripts that send arbitrary data which ++ * is not HTML but may be detected as such. ++ * ++ * Various past attempts to use the URL to make this check have generally ++ * run up against the fact that CGI does not provide a standard method to ++ * determine the URL. 
PATH_INFO may be mangled (e.g. if cgi.fix_pathinfo=0), ++ * but only by prefixing it with the script name and maybe some other stuff, ++ * the extension is not mangled. So this should be a reasonably portable ++ * way to perform this security check. ++ * ++ * Also checks for anything that looks like a file extension at the end of ++ * QUERY_STRING, since IE 6 and earlier will use this to get the file type ++ * if there was no dot before the question mark (bug 28235). ++ */ ++ public function isPathInfoBad() { ++ global $wgScriptExtension; ++ ++ if ( isset( $_SERVER['QUERY_STRING'] ) ++ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) ) ++ { ++ // Bug 28235 ++ // Block only Internet Explorer 6, and requests with missing UA ++ // headers that could be IE users behind a privacy proxy. ++ if ( !isset( $_SERVER['HTTP_USER_AGENT'] ) ++ || preg_match( '/; *MSIE 6/', $_SERVER['HTTP_USER_AGENT'] ) ) ++ { ++ return true; ++ } ++ } ++ ++ if ( !isset( $_SERVER['PATH_INFO'] ) ) { ++ return false; ++ } ++ $pi = $_SERVER['PATH_INFO']; ++ $dotPos = strrpos( $pi, '.' ); ++ if ( $dotPos === false ) { ++ return false; ++ } ++ $ext = substr( $pi, $dotPos ); ++ return !in_array( $ext, array( $wgScriptExtension, '.php', '.php5' ) ); ++ } + } + + /** +--- mediawiki-1.12.0.orig/api.php ++++ mediawiki-1.12.0/api.php +@@ -54,9 +54,9 @@ + } else { + $url = $_SERVER['PHP_SELF']; + } +-if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) { ++if ( $wgRequest->isPathInfoBad() ) { + wfHttpError( 403, 'Forbidden', +- 'API must be accessed through the primary script entry point.' ); ++ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' ); + return; + } +
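Review bot: the new debian/changelog entry for 1:1.12.0-2lenny9 is targeted at `UNRELEASED` with `urgency=low`, while the 2lenny8 entry directly below it carries `oldstable; urgency=high`; before upload the distribution and urgency should be brought in line with that earlier security entry, since this upload closes six CVEs. In the same entry, "page titles on private wikis could be exposed bypassing different page ids" should read "exposed by passing different page ids"; the identical wording recurs in the Description of CVE-2011-4360.patch.

Review bot: in the includes/WebRequest.php hunk of CVE-2011-1578.patch, `isPathInfoBad()` only treats a query-string extension as bad when the User-Agent matches `/; *MSIE 6/` (comment: "Block only Internet Explorer 6"), but the patch Description states the issue affects "IE <= 6", which that pattern does not cover; the squeeze2 copy of the same hunk uses `/; *MSIE/` with the comment "Block only Internet Explorer". The two backports should agree, and the broader pattern is the one that matches the Description (the follow-up hunk in CVE-2011-1587.patch keeps the lenny comment "Block only Internet Explorer 6", so it would need the same adjustment).

Review bot: the includes/Title.php hunk of CVE-2011-1580.patch replaces the plain `if ( $user->isBlockedFrom( $this ) )` test with a three-branch block check ending in `$user->isBlocked() && $user->mBlock->prevents( $action ) !== false`; this changes how edit blocks apply to every action, not only the import check the patch is about, so confirm that `Block::prevents()` exists in the 1.12.0 tree and that the semantic change is wanted in a minimal security backport. If it is not needed for the import fix, the hunk could be dropped from this patch.

Review bot: `$wgUser->isAllowedAny( 'import', 'importupload' )` in the includes/SpecialImport.php hunk of CVE-2011-1580.patch needs checking against the 1.12.0 tree: the squeeze2 version of this patch removes a pre-existing line `if( !$wgUser->isAllowed( 'import' ) && !$wgUser->isAllowed( 'importupload' ) )` from showForm(), which suggests these older releases only provide isAllowed(). If isAllowedAny() is undefined here, every request to Special:Import becomes a fatal error; the two-call isAllowed() form from the removed line is the safe replacement.

Review bot: the includes/Wiki.php hunk of CVE-2011-4360.patch assigns `$wgTitle = $badtitle;` inside a method, but no `global $wgTitle;` declaration is visible in the hunk or its context lines; unless the enclosing function already declares it, this assignment creates a local variable and the skin still renders with the real title, which is exactly the leak the patch is meant to close. Please also confirm that `OutputPage::setTitle()` is available in 1.12.0, as the hunk relies on it for the same purpose.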
diff -Nru mediawiki-1.15.5/debian/changelog mediawiki-1.15.5/debian/changelog --- mediawiki-1.15.5/debian/changelog 2011-02-06 14:18:52.000000000 +0000 +++ mediawiki-1.15.5/debian/changelog 2011-12-17 23:23:18.000000000 +0000 @@ -1,3 +1,17 @@ +mediawiki (1:1.15.5-2squeeze2) UNRELEASED; urgency=low + + * Security fixes from upstream (Closes: #650434): + CVE-2011-4360 - page titles on private wikis could be exposed + bypassing different page ids to index.php + CVE-2011-4361 - action=ajax requests were dispatched to the + relevant function without any read permission checks being done + CVE-2011-1578 - XSS for IE <= 6 + CVE-2011-1579 - CSS validation error in wikitext parser + CVE-2011-1580 - access control checks on transwiki import feature + CVE-2011-1587 - fix incomplete patch for CVE-2011-1578 + + -- Jonathan Wiltshire <j...@debian.org> Sat, 17 Dec 2011 23:22:54 +0000 + mediawiki (1:1.15.5-2squeeze1) stable; urgency=high * CVE-2011-0047: Protect against a CSS injection vulnerability diff -Nru mediawiki-1.15.5/debian/patches/CVE-2011-1578.patch mediawiki-1.15.5/debian/patches/CVE-2011-1578.patch --- mediawiki-1.15.5/debian/patches/CVE-2011-1578.patch 1970-01-01 01:00:00.000000000 +0100 +++ mediawiki-1.15.5/debian/patches/CVE-2011-1578.patch 2011-12-17 23:16:24.000000000 +0000 
@@ -0,0 +1,134 @@ +Description: cross-site scripting problem in IE <= 6 clients + Due to the diversity of uploaded files that we allow, MediaWiki does + not guarantee that uploaded files will be safe if they are interpreted + by the client as some arbitrary file type, such as HTML. We rely on + the web server to send the correct Content-Type header, and we rely on + the web browser to respect it. This XSS issue arises due to IE 6 + looking for a file extension in the query string of the URL (i.e. + after the "?"), if no extension is found in path part of the URL. + Masato Kinugawa discovered that the file extension in the path part + can be hidden from IE 6 by substituting the "." with "%2E". +Origin: upstream,r85844/r85849 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28235 +Last-Update: 2011-12-17 + +--- /dev/null ++++ mediawiki-1.15.5/images/.htaccess +@@ -0,0 +1,6 @@ ++# Protect against bug 28235 ++<IfModule rewrite_module> ++ RewriteEngine On ++ RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase] ++ RewriteRule . 
- [forbidden] ++</IfModule> +--- mediawiki-1.15.5.orig/img_auth.php ++++ mediawiki-1.15.5/img_auth.php +@@ -25,6 +25,13 @@ + wfPublicError(); + } + ++// Check for bug 28235: QUERY_STRING overriding the correct extension ++if ( isset( $_SERVER['QUERY_STRING'] ) ++ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) ) ++{ ++ wfForbidden(); ++} ++ + // Extract path and image information + if( !isset( $_SERVER['PATH_INFO'] ) ) { + wfDebugLog( 'img_auth', 'Missing PATH_INFO' ); +--- mediawiki-1.15.5.orig/includes/RawPage.php ++++ mediawiki-1.15.5/includes/RawPage.php +@@ -109,7 +109,7 @@ + } + + function view() { +- global $wgOut, $wgScript; ++ global $wgOut, $wgScript, $wgRequest; + + if( isset( $_SERVER['SCRIPT_URL'] ) ) { + # Normally we use PHP_SELF to get the URL to the script +@@ -136,7 +136,7 @@ + return; + } + +- if( strcmp( $wgScript, $url ) ) { ++ if( $wgRequest->isPathInfoBad() ) { + # Internet Explorer will ignore the Content-Type header if it + # thinks it sees a file extension it recognizes. Make sure that + # all raw requests are done through the script node, which will +@@ -150,6 +150,7 @@ + # + # Just return a 403 Forbidden and get it over with. + wfHttpError( 403, 'Forbidden', ++ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' . + 'Raw pages must be accessed through the primary script entry point.' ); + return; + } +--- mediawiki-1.15.5.orig/includes/WebRequest.php ++++ mediawiki-1.15.5/includes/WebRequest.php +@@ -662,6 +662,50 @@ + function setSessionData( $key, $data ) { + $_SESSION[$key] = $data; + } ++ ++ /** ++ * Returns true if the PATH_INFO ends with an extension other than a script ++ * extension. This could confuse IE for scripts that send arbitrary data which ++ * is not HTML but may be detected as such. ++ * ++ * Various past attempts to use the URL to make this check have generally ++ * run up against the fact that CGI does not provide a standard method to ++ * determine the URL. PATH_INFO may be mangled (e.g. 
if cgi.fix_pathinfo=0), ++ * but only by prefixing it with the script name and maybe some other stuff, ++ * the extension is not mangled. So this should be a reasonably portable ++ * way to perform this security check. ++ * ++ * Also checks for anything that looks like a file extension at the end of ++ * QUERY_STRING, since IE 6 and earlier will use this to get the file type ++ * if there was no dot before the question mark (bug 28235). ++ */ ++ public function isPathInfoBad() { ++ global $wgScriptExtension; ++ ++ if ( isset( $_SERVER['QUERY_STRING'] ) ++ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) ) ++ { ++ // Bug 28235 ++ // Block only Internet Explorer, and requests with missing UA ++ // headers that could be IE users behind a privacy proxy. ++ if ( !isset( $_SERVER['HTTP_USER_AGENT'] ) ++ || preg_match( '/; *MSIE/', $_SERVER['HTTP_USER_AGENT'] ) ) ++ { ++ return true; ++ } ++ } ++ ++ if ( !isset( $_SERVER['PATH_INFO'] ) ) { ++ return false; ++ } ++ $pi = $_SERVER['PATH_INFO']; ++ $dotPos = strrpos( $pi, '.' ); ++ if ( $dotPos === false ) { ++ return false; ++ } ++ $ext = substr( $pi, $dotPos ); ++ return !in_array( $ext, array( $wgScriptExtension, '.php', '.php5' ) ); ++ } + } + + /** +--- mediawiki-1.15.5.orig/api.php ++++ mediawiki-1.15.5/api.php +@@ -56,9 +56,9 @@ + } else { + $url = $_SERVER['PHP_SELF']; + } +-if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) { ++if ( $wgRequest->isPathInfoBad() ) { + wfHttpError( 403, 'Forbidden', +- 'API must be accessed through the primary script entry point.' ); ++ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' ); + return; + } + diff -Nru mediawiki-1.15.5/debian/patches/CVE-2011-1579.patch mediawiki-1.15.5/debian/patches/CVE-2011-1579.patch --- mediawiki-1.15.5/debian/patches/CVE-2011-1579.patch 1970-01-01 01:00:00.000000000 +0100 +++ mediawiki-1.15.5/debian/patches/CVE-2011-1579.patch 2011-12-17 23:19:53.000000000 +0000 
@@ -0,0 +1,80 @@ +Description: CSS validation error in wikitext parser + Wikipedia user Suffusion of Yellow discovered a CSS validation error + in the wikitext parser. This is an XSS issue for Internet Explorer + clients, and a privacy loss issue for other clients since it allows + the embedding of arbitrary remote images. +Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85856 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28450 +Last-Update: 2011-12-17 + +--- mediawiki-1.15.5.orig/includes/Sanitizer.php ++++ mediawiki-1.15.5/includes/Sanitizer.php +@@ -646,28 +646,34 @@ + + /** + * Pick apart some CSS and check it for forbidden or unsafe structures. +- * Returns a sanitized string, or false if it was just too evil. ++ * Returns a sanitized string. This sanitized string will have ++ * character references and escape sequences decoded, and comments ++ * stripped. If the input is just too evil, only a comment complaining ++ * about evilness will be returned. + * + * Currently URL references, 'expression', 'tps' are forbidden. + * ++ * NOTE: Despite the fact that character references are decoded, the ++ * returned string may contain character references given certain ++ * clever input strings. These character references must ++ * be escaped before the return value is embedded in HTML. ++ * + * @param string $value +- * @return mixed ++ * @return string + */ + static function checkCss( $value ) { ++ // Decode character references like { + $value = Sanitizer::decodeCharReferences( $value ); + +- // Remove any comments; IE gets token splitting wrong +- $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value ); +- +- // Remove anything after a comment-start token, to guard against +- // incorrect client implementations. 
+- $commentPos = strpos( $value, '/*' ); +- if ( $commentPos !== false ) { +- $value = substr( $value, 0, $commentPos ); +- } +- + // Decode escape sequences and line continuation + // See the grammar in the CSS 2 spec, appendix D. ++ // This has to be done AFTER decoding character references. ++ // This means it isn't possible for this function to return ++ // unsanitized escape sequences. It is possible to manufacture ++ // input that contains character references that decode to ++ // escape sequences that decode to character references, but ++ // it's OK for the return value to contain character references ++ // because the caller is supposed to escape those anyway. + static $decodeRegex, $reencodeTable; + if ( !$decodeRegex ) { + $space = '[\\x20\\t\\r\\n\\f]'; +@@ -684,6 +690,21 @@ + $value = preg_replace_callback( $decodeRegex, + array( __CLASS__, 'cssDecodeCallback' ), $value ); + ++ // Remove any comments; IE gets token splitting wrong ++ // This must be done AFTER decoding character references and ++ // escape sequences, because those steps can introduce comments ++ // This step cannot introduce character references or escape ++ // sequences, because it replaces comments with spaces rather ++ // than removing them completely. ++ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value ); ++ ++ // Remove anything after a comment-start token, to guard against ++ // incorrect client implementations. 
++ $commentPos = strpos( $value, '/*' ); ++ if ( $commentPos !== false ) { ++ $value = substr( $value, 0, $commentPos ); ++ } ++ + // Reject problematic keywords and control characters + if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) { + return '/* invalid control char */'; diff -Nru mediawiki-1.15.5/debian/patches/CVE-2011-1580.patch mediawiki-1.15.5/debian/patches/CVE-2011-1580.patch --- mediawiki-1.15.5/debian/patches/CVE-2011-1580.patch 1970-01-01 01:00:00.000000000 +0100 +++ mediawiki-1.15.5/debian/patches/CVE-2011-1580.patch 2011-12-17 23:21:19.000000000 +0000 
@@ -0,0 +1,68 @@ +Description: access control check on transwiki import feature + The transwiki import feature is disabled by default. If it is enabled, + it allows wiki pages to be copied from a remote wiki listed in + $wgImportSources. The issue means that any user can trigger such an + import to occur. +Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85099 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28449 +Last-Update: 2011-12-17 + +--- mediawiki-1.15.5.orig/includes/Title.php ++++ mediawiki-1.15.5/includes/Title.php +@@ -1090,8 +1090,14 @@ + $errors[] = array( 'confirmedittext' ); + } + +- // Edit blocks should not affect reading. Account creation blocks handled at userlogin. +- if ( $action != 'read' && $action != 'createaccount' && $user->isBlockedFrom( $this ) ) { ++ if ( in_array( $action, array( 'read', 'createaccount', 'unblock' ) ) ){ ++ // Edit blocks should not affect reading. ++ // Account creation blocks handled at userlogin. ++ // Unblocking handled in SpecialUnblock ++ } elseif( ( $action == 'edit' || $action == 'create' ) && !$user->isBlockedFrom( $this ) ){ ++ // Don't block the user from editing their own talk page unless they've been ++ // explicitly blocked from that too. 
++ } elseif( $user->isBlocked() && $user->mBlock->prevents( $action ) !== false ) { + $block = $user->mBlock; + + // This is from OutputPage::blockedPage +--- mediawiki-1.15.5.orig/includes/specials/SpecialImport.php ++++ mediawiki-1.15.5/includes/specials/SpecialImport.php +@@ -45,7 +45,7 @@ + * Execute + */ + function execute( $par ) { +- global $wgRequest; ++ global $wgRequest, $wgUser, $wgOut; + + $this->setHeaders(); + $this->outputHeader(); +@@ -55,7 +55,18 @@ + $wgOut->readOnlyPage(); + return; + } +- ++ ++ if( !$wgUser->isAllowedAny( 'import', 'importupload' ) ) { ++ return $wgOut->permissionRequired( 'import' ); ++ } ++ ++ # TODO: allow Title::getUserPermissionsErrors() to take an array ++ # FIXME: Title::checkSpecialsAndNSPermissions() has a very wierd expectation of what ++ # getUserPermissionsErrors() might actually be used for, hence the 'ns-specialprotected' ++ $errors = wfMergeErrorArrays( ++ $this->getTitle()->getUserPermissionsErrors( 'import', $wgUser, true, array( 'ns-specialprotected' ) ), ++ $this->getTitle()->getUserPermissionsErrors( 'importupload', $wgUser, true, array( 'ns-specialprotected' ) ) ++ ); + if ( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit' ) { + $this->doImport(); + } +@@ -133,8 +144,6 @@ + + private function showForm() { + global $wgUser, $wgOut, $wgRequest, $wgTitle, $wgImportSources, $wgExportMaxLinkDepth; +- if( !$wgUser->isAllowed( 'import' ) && !$wgUser->isAllowed( 'importupload' ) ) +- return $wgOut->permissionRequired( 'import' ); + + $action = $wgTitle->getLocalUrl( 'action=submit' ); + diff -Nru mediawiki-1.15.5/debian/patches/CVE-2011-1587.patch mediawiki-1.15.5/debian/patches/CVE-2011-1587.patch --- mediawiki-1.15.5/debian/patches/CVE-2011-1587.patch 1970-01-01 01:00:00.000000000 +0100 +++ mediawiki-1.15.5/debian/patches/CVE-2011-1587.patch 2011-12-17 23:22:38.000000000 +0000 
@@ -0,0 +1,37 @@ +Description: fix insufficient patch for CVE-2011-1578 +Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=86027 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28507 +Last-Update: 2011-12-17 + +--- mediawiki-1.15.5.orig/images/.htaccess ++++ mediawiki-1.15.5/images/.htaccess +@@ -1,6 +1,6 @@ + # Protect against bug 28235 + <IfModule rewrite_module> + RewriteEngine On +- RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase] ++ RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase] + RewriteRule . - [forbidden] + </IfModule> +--- mediawiki-1.15.5.orig/img_auth.php ++++ mediawiki-1.15.5/img_auth.php +@@ -27,7 +27,7 @@ + + // Check for bug 28235: QUERY_STRING overriding the correct extension + if ( isset( $_SERVER['QUERY_STRING'] ) +- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) ) ++ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) + { + wfForbidden(); + } +--- mediawiki-1.15.5.orig/includes/WebRequest.php ++++ mediawiki-1.15.5/includes/WebRequest.php +@@ -683,7 +683,7 @@ + global $wgScriptExtension; + + if ( isset( $_SERVER['QUERY_STRING'] ) +- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) ) ++ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) ) + { + // Bug 28235 + // Block only Internet Explorer, and requests with missing UA diff -Nru mediawiki-1.15.5/debian/patches/CVE-2011-4360.patch mediawiki-1.15.5/debian/patches/CVE-2011-4360.patch --- mediawiki-1.15.5/debian/patches/CVE-2011-4360.patch 1970-01-01 01:00:00.000000000 +0100 +++ mediawiki-1.15.5/debian/patches/CVE-2011-4360.patch 2011-12-01 10:42:11.000000000 +0000 
@@ -0,0 +1,31 @@ +Description: CVE-2011-4360 + Alexandre Emsenhuber discovered an issue where page titles on private + wikis could be exposed bypassing different page ids to index.php. In the + case of the user not having correct permissions, they will now be + redirected to Special:BadTitle. +Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 +Bug-Debian: http://bugs.debian.org/650434 +Forwarded: not-needed +Last-Update: 2011-11-30 + + +--- mediawiki-1.15.5.orig/includes/Wiki.php ++++ mediawiki-1.15.5/includes/Wiki.php +@@ -149,6 +149,16 @@ + # the Read array in order for the user to see it. (We have to check here to + # catch special pages etc. We check again in Article::view()) + if( !is_null( $title ) && !$title->userCanRead() ) { ++ // Bug 32276: allowing the skin to generate output with $wgTitle ++ // set to the input title would allow anonymous users to ++ // determine whether a page exists, potentially leaking private data. In fact, the ++ // curid and oldid request parameters would allow page titles to be enumerated even ++ // when they are not guessable. So we reset the title to Special:Badtitle before the ++ // permissions error is displayed. ++ $badtitle = SpecialPage::getTitleFor( 'Badtitle' ); ++ $output->setTitle( $badtitle ); ++ $wgTitle = $badtitle; ++ + $output->loginToUse(); + $output->output(); + $output->disable(); diff -Nru mediawiki-1.15.5/debian/patches/CVE-2011-4361.patch mediawiki-1.15.5/debian/patches/CVE-2011-4361.patch --- mediawiki-1.15.5/debian/patches/CVE-2011-4361.patch 1970-01-01 01:00:00.000000000 +0100 +++ mediawiki-1.15.5/debian/patches/CVE-2011-4361.patch 2011-12-01 10:42:11.000000000 +0000 
@@ -0,0 +1,35 @@ +Description: CVE-2011-4361 + Tim Starling discovered that action=ajax requests were dispatched to the + relevant function without any read permission checks being done. + This could have led to data leakage on private wikis. +Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 +Bug-Debian: http://bugs.debian.org/650434 +Forwarded: not-needed +Last-Update: 2011-11-30 + +--- mediawiki-1.15.5.orig/includes/AjaxDispatcher.php ++++ mediawiki-1.15.5/includes/AjaxDispatcher.php +@@ -78,7 +78,7 @@ + * request. + */ + function performAction() { +- global $wgAjaxExportList, $wgOut; ++ global $wgAjaxExportList, $wgOut, $wgUser; + + if ( empty( $this->mode ) ) { + return; +@@ -90,6 +90,13 @@ + + wfHttpError( 400, 'Bad Request', + "unknown function " . (string) $this->func_name ); ++ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ++ && !$wgUser->isAllowed( 'read' ) ) ++ { ++ wfHttpError( ++ 403, ++ 'Forbidden', ++ 'You must log in to view pages.' ); + } else { + wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" ); + diff -Nru mediawiki-1.15.5/debian/patches/series mediawiki-1.15.5/debian/patches/series --- mediawiki-1.15.5/debian/patches/series 2011-02-06 13:39:36.000000000 +0000 +++ mediawiki-1.15.5/debian/patches/series 2011-12-17 23:22:51.000000000 +0000 @@ -7,3 +7,9 @@ suppress_warnings.patch CVE-2011-0003.patch CVE-2011-0047.patch +CVE-2011-1578.patch +CVE-2011-1579.patch +CVE-2011-1580.patch +CVE-2011-1587.patch +CVE-2011-4360.patch +CVE-2011-4361.patch
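Review bot: In the SpecialImport.php execute() hunk of the CVE-2011-1580 patch, `$errors` is built with wfMergeErrorArrays() from the two getUserPermissionsErrors() calls but is never tested before control falls through to `$this->doImport()`, so the title-level checks (including the blocked-user path this same patch adds above) never actually deny an import. Add a test right after the merge, e.g. `if ( $errors ) { $wgOut->showPermissionsErrorPage( $errors ); return; }`. Separately, the removed showForm() check used two `isAllowed()` calls while the replacement calls `$wgUser->isAllowedAny( 'import', 'importupload' )`; please confirm that method exists in this branch's User class, since if it does not, Special:Import fatals for every visitor instead of denying the unprivileged ones.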
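Review bot: In the CVE-2011-1587 patch the same `\.[a-z0-9]{1,4}(#|\?|$)` pattern now lives in three places (images/.htaccess, img_auth.php, includes/WebRequest.php) and the three copies do not behave the same: the WebRequest.php copy is guarded by the "Block only Internet Explorer, and requests with missing UA" logic, the other two forbid unconditionally, and the .htaccess copy sits inside `<IfModule rewrite_module>`, so it silently does nothing where mod_rewrite is not loaded or AllowOverride does not honour that file. On such installs the PHP checks are the only ones carrying the fix; a line in the patch header saying so, and that all three copies must be changed together, would save the next backporter from updating one and missing the rest.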
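Review bot: The Wiki.php hunk of the CVE-2011-4360 patch assigns `$wgTitle = $badtitle;` but neither the added lines nor the surrounding context declare `global $wgTitle;` in this method. In PHP that assignment then creates a function-local variable, the skin keeps rendering with the requested title, and the enumeration the comment describes is not closed even though `$output->setTitle( $badtitle )` is called. Add `global $wgTitle;` before the assignment, and confirm that OutputPage::setTitle() exists in the 1.15.5 code base rather than only in the upstream revision the patch was taken from.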
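Review bot: The AjaxDispatcher.php check in the CVE-2011-4361 patch is a wiki-wide read check (the '*' group has 'read', or the current user isAllowed( 'read' )), not a per-title one: on a private wiki with $wgWhitelistRead entries an ajax call concerning a whitelisted page now returns 403 even though index.php would serve that page, and an ajax function that reads a title the user may not view still runs once the user has global read. That is a reasonable trade-off for a stable update, but the changelog entry should state that action=ajax now requires the global read right so administrators of wikis relying on $wgWhitelistRead know what changed.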