
[SRM] Permission to upload mediawiki to stable



Hi,

mediawiki 1:1.15.{4,5} included some security fixes that did not warrant a
DSA, but we were all too busy to backport them to the package in stable.

I have now prepared 1:1.12.0-2lenny6 for stable and I'd like permission to
upload it.

Changes: 
 mediawiki (1:1.12.0-2lenny6) stable; urgency=high
 .
   * Stable upload. Closes: #591382
   * Fixed CSRF vulnerability in "e-mail me my password",
     "create account" and "create by e-mail" features of
     [[Special:Userlogin]]. CVE-2010-1648
   * Fixed XSS vulnerability affecting IE clients only, due to a CSS
     validation issue. CVE-2010-1647 (Closes: #585918)
   * Fixed an XSS vulnerability in profileinfo.php for installations
     with $wgEnableProfileInfo = true (false by default) (Closes: #590669)

There is some diffstat noise in po/* because the .po files are regenerated at
build time; those changes are no-ops:

debdiff mediawiki_1.12.0-2lenny5.dsc mediawiki_1.12.0-2lenny6.dsc | diffstat
 debian/patches/1.15.4-css-security.patch         |   84 ++++++++++
 debian/patches/1.15.4-userlogin-security.patch   |  193 +++++++++++++++++++++++
 debian/patches/1.15.5-profileinfo-security.patch |   76 +++++++++
 mediawiki-1.12.0/debian/changelog                |   13 +
 mediawiki-1.12.0/debian/patches/series           |    3 
 mediawiki-1.12.0/debian/po/ar.po                 |    1 
 mediawiki-1.12.0/debian/po/ca.po                 |    1 
 mediawiki-1.12.0/debian/po/cs.po                 |    1 
 mediawiki-1.12.0/debian/po/de.po                 |    1 
 mediawiki-1.12.0/debian/po/es.po                 |    4 
 mediawiki-1.12.0/debian/po/eu.po                 |    1 
 mediawiki-1.12.0/debian/po/fi.po                 |   10 -
 mediawiki-1.12.0/debian/po/fr.po                 |    1 
 mediawiki-1.12.0/debian/po/gl.po                 |    1 
 mediawiki-1.12.0/debian/po/it.po                 |    1 
 mediawiki-1.12.0/debian/po/ja.po                 |    1 
 mediawiki-1.12.0/debian/po/ml.po                 |    1 
 mediawiki-1.12.0/debian/po/nl.po                 |    1 
 mediawiki-1.12.0/debian/po/pt.po                 |    1 
 mediawiki-1.12.0/debian/po/pt_BR.po              |    1 
 mediawiki-1.12.0/debian/po/ru.po                 |    1 
 mediawiki-1.12.0/debian/po/sk.po                 |    1 
 mediawiki-1.12.0/debian/po/sv.po                 |    1 
 mediawiki-1.12.0/debian/po/ta.po                 |    1 
 mediawiki-1.12.0/debian/po/vi.po                 |    3 
 25 files changed, 397 insertions(+), 6 deletions(-)

The full diff is attached.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
diff -u mediawiki-1.12.0/debian/changelog mediawiki-1.12.0/debian/changelog
--- mediawiki-1.12.0/debian/changelog
+++ mediawiki-1.12.0/debian/changelog
@@ -1,3 +1,16 @@
+mediawiki (1:1.12.0-2lenny6) stable; urgency=high
+
+  * Stable upload. Closes: #591382
+  * Fixed CSRF vulnerability in "e-mail me my password",
+    "create account" and "create by e-mail" features of
+    [[Special:Userlogin]]. CVE-2010-1648
+  * Fixed XSS vulnerability affecting IE clients only, due to a CSS
+    validation issue. CVE-2010-1647 (Closes: #585918)
+  * Fixed an XSS vulnerability in profileinfo.php for installations
+    with $wgEnableProfileInfo = true (false by default) (Closes: #590669)
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Fri, 17 Dec 2010 23:32:46 +0000
+
 mediawiki (1:1.12.0-2lenny5) stable-security; urgency=high
 
   * Security upload. Fixes the following issue (CVE-2010-1150):
diff -u mediawiki-1.12.0/debian/po/ar.po mediawiki-1.12.0/debian/po/ar.po
--- mediawiki-1.12.0/debian/po/ar.po
+++ mediawiki-1.12.0/debian/po/ar.po
@@ -24,6 +24,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: ar\n"
 "X-Generator: KBabel 1.11.4\n"
 "Plural-Forms: nplurals=6; plural=n==1 ? 0 : n==0 ? 1 : n==2 ? 2: n%100>=3 && "
 "n%100<=10 ? 3 : n%100>=11 && n%100<=99 ? 4 : 5\n"
diff -u mediawiki-1.12.0/debian/po/ca.po mediawiki-1.12.0/debian/po/ca.po
--- mediawiki-1.12.0/debian/po/ca.po
+++ mediawiki-1.12.0/debian/po/ca.po
@@ -17,6 +17,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: ca\n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/de.po mediawiki-1.12.0/debian/po/de.po
--- mediawiki-1.12.0/debian/po/de.po
+++ mediawiki-1.12.0/debian/po/de.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=ISO-8859-15\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: de\n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/cs.po mediawiki-1.12.0/debian/po/cs.po
--- mediawiki-1.12.0/debian/po/cs.po
+++ mediawiki-1.12.0/debian/po/cs.po
@@ -22,6 +22,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: cs\n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/es.po mediawiki-1.12.0/debian/po/es.po
--- mediawiki-1.12.0/debian/po/es.po
+++ mediawiki-1.12.0/debian/po/es.po
@@ -43,6 +43,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "com>\n"
 
 #. Type: multiselect
@@ -169,2 +170 @@
-#~ "por si acaso esto fallara, que también está disponible en «/etc/"
-#~ "mediawiki»."
+#~ "por si acaso esto fallara, que también está disponible en «/etc/mediawiki»."
diff -u mediawiki-1.12.0/debian/po/fi.po mediawiki-1.12.0/debian/po/fi.po
--- mediawiki-1.12.0/debian/po/fi.po
+++ mediawiki-1.12.0/debian/po/fi.po
@@ -9,6 +9,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: fi\n"
 "X-Poedit-Language: Finnish\n"
 "X-Poedit-Country: Finland\n"
 
@@ -24,3 +25,6 @@
-msgid "Please select the web server(s) that should be configured automatically for MediaWiki."
-msgstr "Valitse verkkopalvelimet, joille tulisi automaattisesti tehdä asetukset MediaWikiä varten."
-
+msgid ""
+"Please select the web server(s) that should be configured automatically for "
+"MediaWiki."
+msgstr ""
+"Valitse verkkopalvelimet, joille tulisi automaattisesti tehdä asetukset "
+"MediaWikiä varten."
diff -u mediawiki-1.12.0/debian/po/eu.po mediawiki-1.12.0/debian/po/eu.po
--- mediawiki-1.12.0/debian/po/eu.po
+++ mediawiki-1.12.0/debian/po/eu.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/fr.po mediawiki-1.12.0/debian/po/fr.po
--- mediawiki-1.12.0/debian/po/fr.po
+++ mediawiki-1.12.0/debian/po/fr.po
@@ -13,6 +13,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/gl.po mediawiki-1.12.0/debian/po/gl.po
--- mediawiki-1.12.0/debian/po/gl.po
+++ mediawiki-1.12.0/debian/po/gl.po
@@ -13,6 +13,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: gl\n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/ja.po mediawiki-1.12.0/debian/po/ja.po
--- mediawiki-1.12.0/debian/po/ja.po
+++ mediawiki-1.12.0/debian/po/ja.po
@@ -13,6 +13,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: ja\n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/it.po mediawiki-1.12.0/debian/po/it.po
--- mediawiki-1.12.0/debian/po/it.po
+++ mediawiki-1.12.0/debian/po/it.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: it\n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/ml.po mediawiki-1.12.0/debian/po/ml.po
--- mediawiki-1.12.0/debian/po/ml.po
+++ mediawiki-1.12.0/debian/po/ml.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/nl.po mediawiki-1.12.0/debian/po/nl.po
--- mediawiki-1.12.0/debian/po/nl.po
+++ mediawiki-1.12.0/debian/po/nl.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "X-Poedit-Language: Dutch\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/pt.po mediawiki-1.12.0/debian/po/pt.po
--- mediawiki-1.12.0/debian/po/pt.po
+++ mediawiki-1.12.0/debian/po/pt.po
@@ -13,6 +13,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/ru.po mediawiki-1.12.0/debian/po/ru.po
--- mediawiki-1.12.0/debian/po/ru.po
+++ mediawiki-1.12.0/debian/po/ru.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: ru\n"
 "X-Generator: KBabel 1.11.4\n"
 "Plural-Forms:  nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%"
 "10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
diff -u mediawiki-1.12.0/debian/po/sk.po mediawiki-1.12.0/debian/po/sk.po
--- mediawiki-1.12.0/debian/po/sk.po
+++ mediawiki-1.12.0/debian/po/sk.po
@@ -9,6 +9,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: sk\n"
 "X-Poedit-Language: Slovak\n"
 "X-Poedit-Country: SLOVAKIA\n"
 
diff -u mediawiki-1.12.0/debian/po/ta.po mediawiki-1.12.0/debian/po/ta.po
--- mediawiki-1.12.0/debian/po/ta.po
+++ mediawiki-1.12.0/debian/po/ta.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "X-Generator: KBabel 1.11.4\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/po/sv.po mediawiki-1.12.0/debian/po/sv.po
--- mediawiki-1.12.0/debian/po/sv.po
+++ mediawiki-1.12.0/debian/po/sv.po
@@ -21,6 +21,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=iso-8859-1\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: sv\n"
 
 #. Type: multiselect
 #. Description
diff -u mediawiki-1.12.0/debian/po/vi.po mediawiki-1.12.0/debian/po/vi.po
--- mediawiki-1.12.0/debian/po/vi.po
+++ mediawiki-1.12.0/debian/po/vi.po
@@ -1,7 +1,7 @@
 # Vietnamese translation for MediaWiki.
 # Copyright © 2007 Free Software Foundation, Inc.
 # Clytie Siddall <clytie@riverland.net.au>, 2007
-# 
+#
 msgid ""
 msgstr ""
 "Project-Id-Version: mediawiki\n"
@@ -13,6 +13,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: vi\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
 "X-Generator: LocFactoryEditor 1.6.3b1\n"
 
diff -u mediawiki-1.12.0/debian/po/pt_BR.po mediawiki-1.12.0/debian/po/pt_BR.po
--- mediawiki-1.12.0/debian/po/pt_BR.po
+++ mediawiki-1.12.0/debian/po/pt_BR.po
@@ -14,6 +14,7 @@
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: \n"
 "pt_BR utf-8\n"
 
 #. Type: multiselect
diff -u mediawiki-1.12.0/debian/patches/series mediawiki-1.12.0/debian/patches/series
--- mediawiki-1.12.0/debian/patches/series
+++ mediawiki-1.12.0/debian/patches/series
@@ -10,0 +11,3 @@
+1.15.4-userlogin-security.patch
+1.15.4-css-security.patch
+1.15.5-profileinfo-security.patch
only in patch2:
unchanged:
--- mediawiki-1.12.0.orig/debian/patches/1.15.4-userlogin-security.patch
+++ mediawiki-1.12.0/debian/patches/1.15.4-userlogin-security.patch
@@ -0,0 +1,193 @@
+Description: Fixed CSRF vulnerability in "e-mail me my password",
+ "create account" and "create by e-mail" features of [[Special:Userlogin]]
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66991
+Author: Tim Starling
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
+Last-Update: 2010-12-17
+
+
+--- mediawiki-1.12.0.orig/includes/SpecialUserlogin.php
++++ mediawiki-1.12.0/includes/SpecialUserlogin.php
+@@ -66,7 +66,7 @@
+ 		$this->mAction = $request->getVal( 'action' );
+ 		$this->mRemember = $request->getCheck( 'wpRemember' );
+ 		$this->mLanguage = $request->getText( 'uselang' );
+-		$this->mToken = $request->getVal( 'wpLoginToken' );
++		$this->mToken = ($this->mType == 'signup' ) ? $request->getVal( 'wpCreateaccountToken' ) : $request->getVal( 'wpLoginToken' );
+ 
+ 		if( $wgEnableEmail ) {
+ 			$this->mEmail = $request->getText( 'wpEmail' );
+@@ -234,6 +234,25 @@
+ 			return false;
+ 		}
+ 
++		# Request forgery checks.
++		if ( !self::getCreateaccountToken() ) {
++			self::setCreateaccountToken();
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return false;
++		}
++		
++		# The user didn't pass a createaccount token
++		if ( !$this->mToken ) {
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return false;
++		}
++		
++		# Validate the createaccount token
++		if ( $this->mToken !== self::getCreateaccountToken() ) {
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return false;
++		}
++
+ 		# Check permissions
+ 		if ( !$wgUser->isAllowed( 'createaccount' ) ) {
+ 			$this->userNotPrivilegedMessage();
+@@ -248,7 +267,7 @@
+ 		  $wgUser->inSorbsBlacklist( $ip ) )
+ 		{
+ 			$this->mainLoginForm( wfMsg( 'sorbs_create_account_reason' ) . ' (' . htmlspecialchars( $ip ) . ')' );
+-			return;
++			return false;
+ 		}
+ 
+ 		# Now create a dummy user ($u) and check if it is valid
+@@ -322,6 +341,7 @@
+ 			return false;
+ 		}
+ 
++		self::clearCreateaccountToken();		
+ 		return $this->initUser( $u, false );
+ 	}
+ 
+@@ -540,13 +560,26 @@
+ 			return;
+ 		}
+ 
+-		# Check against blocked IPs
+-		# fixme -- should we not?
++		# Check against blocked IPs so blocked users can't flood admins 
++		# with password resets
+ 		if( $wgUser->isBlocked() ) {
+ 			$this->mainLoginForm( wfMsg( 'blocked-mailpassword' ) );
+ 			return;
+ 		}
+ 
++		# If the user doesn't have a login token yet, set one.
++		if ( !self::getLoginToken() ) {
++			self::setLoginToken();
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return;
++		}
++
++		# If the user didn't pass a login token, tell them we need one
++		if ( !$this->mToken ) {
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return;
++		}
++		
+ 		# Check against the rate limiter
+ 		if( $wgUser->pingLimiter( 'mailpassword' ) ) {
+ 			$wgOut->rateLimited();
+@@ -567,6 +600,12 @@
+ 			return;
+ 		}
+ 
++		# Validate the login token
++		if ( $this->mToken !== self::getLoginToken() ) {
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return;
++		}
++
+ 		# Check against password throttle
+ 		if ( $u->isPasswordReminderThrottled() ) {
+ 			global $wgPasswordReminderResendTime;
+@@ -581,6 +620,7 @@
+ 			$this->mainLoginForm( wfMsg( 'mailerror', $result->getMessage() ) );
+ 		} else {
+ 			$this->mainLoginForm( wfMsg( 'passwordsent', $u->getName() ), 'success' );
++			self::clearLoginToken();
+ 		}
+ 	}
+ 
+@@ -757,11 +797,18 @@
+ 		$template->set( 'canreset', $wgAuth->allowPasswordChange() );
+ 		$template->set( 'remember', $wgUser->getOption( 'rememberpassword' ) or $this->mRemember  );
+ 
+-		if ( !self::getLoginToken() ) {
+-			self::setLoginToken();
++		if ( $this->mType == 'signup' ) {
++			if ( !self::getCreateaccountToken() ) {
++				self::setCreateaccountToken();
++			}
++			$template->set( 'token', self::getCreateaccountToken() );
++		} else {
++			if ( !self::getLoginToken() ) {
++				self::setLoginToken();
++			}
++			$template->set( 'token', self::getLoginToken() );
+ 		}
+-		$template->set( 'token', self::getLoginToken() );
+-
++		
+ 		# Prepare language selection links as needed
+ 		if( $wgLoginLanguageSelector ) {
+ 			$template->set( 'languages', $this->makeLanguageSelector() );
+@@ -820,7 +867,7 @@
+ 	}
+ 	
+ 	/**
+-	 * Generate a new login token and attach it to the current session
++	 * Randomly generate a new login token and attach it to the current session
+ 	 */
+ 	public static function setLoginToken() {
+ 		global $wgRequest;
+@@ -832,12 +879,36 @@
+ 	/**
+ 	 * Remove any login token attached to the current session
+ 	 */
+-	public static  function clearLoginToken() {
++	public static function clearLoginToken() {
+ 		global $wgRequest;
+ 		$wgRequest->setSessionData( 'wsLoginToken', null );
+ 	}
+ 
+ 	/**
++	 * Get the createaccount token from the current session
++	 */
++	public static function getCreateaccountToken() {
++		global $wgRequest;
++		return $wgRequest->getSessionData( 'wsCreateaccountToken' );
++	}
++	
++	/**
++	 * Randomly generate a new createaccount token and attach it to the current session
++	 */
++	public static function setCreateaccountToken() {
++		global $wgRequest;
++		$wgRequest->setSessionData( 'wsCreateaccountToken', User::generateToken() );
++	}
++	
++	/**
++	 * Remove any createaccount token attached to the current session
++	 */
++	public static function clearCreateaccountToken() {
++		global $wgRequest;
++		$wgRequest->setSessionData( 'wsCreateaccountToken', null );
++	}
++
++	/**
+ 	 * @private
+ 	 */
+ 	function cookieRedirectCheck( $type ) {
+--- mediawiki-1.12.0.orig/includes/templates/Userlogin.php
++++ mediawiki-1.12.0/includes/templates/Userlogin.php
+@@ -214,6 +214,7 @@
+ 		</tr>
+ 	</table>
+ <?php if( @$this->haveData( 'uselang' ) ) { ?><input type="hidden" name="uselang" value="<?php $this->text( 'uselang' ); ?>" /><?php } ?>
++<?php if( @$this->haveData( 'token' ) ) { ?><input type="hidden" name="wpCreateaccountToken" value="<?php $this->text( 'token' ); ?>" /><?php } ?>
+ </form>
+ </div>
+ <div id="signupend"><?php $this->msgWiki( 'signupend' ); ?></div>
+ 
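Review bot: In the mailpassword path the login token's presence is checked directly after the blocked-user test (`if ( !$this->mToken )` in the `@@ -540,13 +560,26 @@` hunk), but its value is only compared to the session token in the next hunk (`if ( $this->mToken !== self::getLoginToken() )`), which sits after `$wgUser->pingLimiter( 'mailpassword' )` and whatever lookup lies between the two hunks; a forged request carrying a bogus token therefore still reaches the rate limiter and that lookup before it is rejected. Moving the `!==` comparison up to immediately follow the presence check keeps every CSRF rejection ahead of any side effect, which is how the signup path in the `@@ -234,6 +234,25 @@` hunk is already written. Several added lines consist only of indentation whitespace or end in trailing whitespace (the blank separator lines and `self::clearCreateaccountToken();`), which a quilt refresh would normally strip before upload. The PHP methods these inner hunks touch start and end outside the hunk, so the ordering of the intervening checks is inferred from the hunk headers rather than seen.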
only in patch2:
unchanged:
--- mediawiki-1.12.0.orig/debian/patches/1.15.4-css-security.patch
+++ mediawiki-1.12.0/debian/patches/1.15.4-css-security.patch
@@ -0,0 +1,84 @@
+Description: Fixed XSS vulnerability affecting IE clients only, due to a CSS
+ validation issue.
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66992
+Author: Tim Starling
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
+Last-Update: 2010-12-17
+
+--- mediawiki-1.12.0.orig/includes/Sanitizer.php
++++ mediawiki-1.12.0/includes/Sanitizer.php
+@@ -609,10 +609,6 @@
+ 			# http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
+ 			if( $attribute == 'style' ) {
+ 				$value = Sanitizer::checkCss( $value );
+-				if( $value === false ) {
+-					# haxx0r
+-					continue;
+-				}
+ 			}
+ 
+ 			if ( $attribute === 'id' )
+@@ -668,10 +664,8 @@
+ 		$value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+ 
+ 		// Decode escape sequences and line continuation
+-		// See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately.
+- 		// IE 8 doesn't implement it at all, but there's no way to introduce url() into
+-		// IE that doesn't hit Mozilla also.
+-		static $decodeRegex;
++		// See the grammar in the CSS 2 spec, appendix D.
++		static $decodeRegex, $reencodeTable;
+ 		if ( !$decodeRegex ) {
+ 			$space = '[\\x20\\t\\r\\n\\f]';
+ 			$nl = '(?:\\n|\\r\\n|\\r|\\f)';
+@@ -680,29 +674,39 @@
+ 				(?:
+ 					($nl) |  # 1. Line continuation
+ 					([0-9A-Fa-f]{1,6})$space? |  # 2. character number
+-					(.) # 3. backslash cancelling special meaning
++					(.) | # 3. backslash cancelling special meaning
++					() | # 4. backslash at end of string
+ 				)/xu";
+ 		}
+-		$decoded = preg_replace_callback( $decodeRegex,
++		$value = preg_replace_callback( $decodeRegex,
+ 			array( __CLASS__, 'cssDecodeCallback' ), $value );
+-		if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) {
+-			// Not allowed	
+-			return false;
+-		} else {
+-			// Allowed, return CSS with comments stripped
+-			return $value;
++		// Reject problematic keywords and control characters
++		if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
++			return '/* invalid control char */';
++		} elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
++			return '/* insecure input */';
+ 		}
++		return $value;
+ 	}
+ 
+ 	static function cssDecodeCallback( $matches ) {
+ 		if ( $matches[1] !== '' ) {
++			// Line continuation
+ 			return '';
+ 		} elseif ( $matches[2] !== '' ) {
+-			return codepointToUtf8( hexdec( $matches[2] ) );
++			$char = codepointToUtf8( hexdec( $matches[2] ) );
+ 		} elseif ( $matches[3] !== '' ) {
+-			return $matches[3];
++			$char = $matches[3];
++		} else {
++			$char = '\\';
++		}
++		if ( $char == "\n" || $char == '"' || $char == "'" || $char == '\\' ) {
++			// These characters need to be escaped in strings
++			// Clean up the escape sequence to avoid parsing errors by clients
++			return '\\' . dechex( ord( $char ) ) . ' ';
+ 		} else {
+-			throw new MWException( __METHOD__.': invalid match' );
++			// Decode unnecessary escape
++			return $char;
+ 		}
+ 	}
+ 
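Review bot: `checkCss()` changes its rejection contract from returning `false` to returning a CSS comment string (`/* insecure input */`, `/* invalid control char */`), and the patch only updates the `style` attribute caller that used `continue` on `false`; any other call site in the 1.12 tree that still tests `=== false` would now treat the marker string as valid CSS, so it is worth grepping for `checkCss(` before upload. The new keyword regex also drops the old `https?://` rejection in favour of `url\s*\(`; that follows the upstream revision named in the Origin line, but because the backport targets a much older tree, confirm nothing in 1.12 relied on the scheme check. In the decode regex the `|` after `() | # 4. backslash at end of string` leaves a trailing empty alternative that can never be reached, since group 4 already matches the empty string; harmless, but `() # 4. backslash at end of string` reads cleaner. Both `checkCss` and the enclosing attribute-fixing method start and end outside the inner hunks; `cssDecodeCallback` is shown in full.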
only in patch2:
unchanged:
--- mediawiki-1.12.0.orig/debian/patches/1.15.5-profileinfo-security.patch
+++ mediawiki-1.12.0/debian/patches/1.15.5-profileinfo-security.patch
@@ -0,0 +1,76 @@
+Descripto: Fixed an XSS vulnerability in profileinfo.php for installations
+ with $wgEnableProfileInfo = true (false by default)
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66989
+Author: Tim Starling
+Last-Update: 2010-12-17
+
+--- mediawiki-1.12.0.orig/profileinfo.php
++++ mediawiki-1.12.0/profileinfo.php
+@@ -52,7 +52,8 @@
+ require_once( './includes/GlobalFunctions.php' );
+ 
+ if (!$wgEnableProfileInfo) {
+-	echo "disabled\n";
++	echo "<p>Disabled</p>\n";
++	echo "</body></html>";
+ 	exit( 1 );
+ }
+ 
+@@ -95,7 +96,7 @@
+ 		else	$ex = false;
+ 		if (!$ex) {
+ 			if (count($this->children)) {
+-				$url = makeurl(false, false, $expand + array($this->name() => true));
++				$url = getEscapedProfileUrl(false, false, $expand + array($this->name() => true));
+ 				$extet = " <a href=\"$url\">[+]</a>";
+ 			} else $extet = '';
+ 		} else {
+@@ -104,7 +105,7 @@
+ 				if ($name != $this->name())
+ 					$e += array($name => $ep);
+ 
+-			$extet = " <a href=\"" . makeurl(false, false, $e) . "\">[&ndash;]</a>";
++			$extet = " <a href=\"" . getEscapedProfileUrl(false, false, $e) . "\">[&ndash;]</a>";
+ 		}
+ 		?>
+ 		<tr>
+@@ -181,26 +182,30 @@
+ 
+ <table cellspacing="0">
+ <tr id="top">
+-<th><a href="<?php echo makeurl(false, "time") ?>">Time</a></th>
++<th><a href="<?php echo getEscapedProfileUrl(false, "time") ?>">Time</a></th>
+ <th>Time (%)</th>
+-<th><a href="<?php echo makeurl(false, "count") ?>">Count</a></th>
++<th><a href="<?php echo getEscapedProfileUrl(false, "count") ?>">Count</a></th>
+ <th>Avg calls per request</th>
+-<th><a href="<?php echo makeurl(false, "name") ?>">Name</a></th>
++<th><a href="<?php echo getEscapedProfileUrl(false, "name") ?>">Name</a></th>
+ </tr>
+ <?php
+ $totaltime = 0.0;
+ $totalcount = 0;
+ 
+-function makeurl($_filter = false, $_sort = false, $_expand = false) {
++function getEscapedProfileUrl( $_filter = false, $_sort = false, $_expand = false ) {
+ 	global $filter, $sort, $expand;
+ 
+-	if ($_expand === false)
++	if ( $_expand === false )
+ 		$_expand = $expand;
+ 
+-	$nfilter = $_filter ? $_filter : $filter;
+-	$nsort = $_sort ? $_sort : $sort;
+-	$exp = urlencode(implode(',', array_keys($_expand)));
+-	return "?filter=$nfilter&amp;sort=$nsort&amp;expand=$exp";
++	return htmlspecialchars(
++		'?' .
++		wfArrayToCGI( array(
++			'filter' => $_filter ? $_filter : $filter,
++			'sort' => $_sort ? $_sort : $sort,
++			'expand' => implode( ',', array_keys( $_expand ) )
++		) )
++	);
+ }
+ 
+ $points = array();
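Review bot: The DEP-3 header of the new patch file is misspelled on its first line, `Descripto:`; tools and people that read `debian/patches` headers expect `Description:`, so change it to `Description: Fixed an XSS vulnerability in profileinfo.php for installations` before upload. The fix builds the links through `wfArrayToCGI()` wrapped in `htmlspecialchars()`, and the context shows `require_once( './includes/GlobalFunctions.php' )`, but since the patch was written against 1.15.5 please confirm `wfArrayToCGI` exists in the 1.12.0 GlobalFunctions.php, as a missing function would turn the page into a fatal error rather than a safely escaped one. `$filter`, `$sort` and `$expand` are globals presumably populated from the request outside these hunks; the patch escapes them only where they are embedded in generated hrefs, so any other place the page echoes them is outside the scope of this backport. The method containing the `[+]`/`[&ndash;]` link hunks starts and ends outside the hunk; `getEscapedProfileUrl()` is shown in full.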


