Hi, Please consider the attached diff to fix CVE-2011-0047 in stable. jona@lupin:~/debian/packages/mediawiki/build-area$ diffstat squeeze1.diff changelog | 7 +++++ patches/CVE-2011-0047.patch | 58 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 66 insertions(+) Thanks, -- Jonathan Wiltshire jmw@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -Nru mediawiki-1.15.5/debian/changelog mediawiki-1.15.5/debian/changelog
--- mediawiki-1.15.5/debian/changelog 2011-01-04 22:44:14.000000000 +0000
+++ mediawiki-1.15.5/debian/changelog 2011-02-06 14:18:52.000000000 +0000
@@ -1,3 +1,10 @@
+mediawiki (1:1.15.5-2squeeze1) stable; urgency=high
+
+ * CVE-2011-0047: Protect against a CSS injection vulnerability
+ (closes: #611787)
+
+ -- Jonathan Wiltshire <debian@jwiltshire.org.uk> Sun, 06 Feb 2011 13:45:39 +0000
+
 mediawiki (1:1.15.5-2) testing-security; urgency=high
 
 * CVE-2011-0003: Protect against clickjacking by sending the
diff -Nru mediawiki-1.15.5/debian/patches/CVE-2011-0047.patch mediawiki-1.15.5/debian/patches/CVE-2011-0047.patch
--- mediawiki-1.15.5/debian/patches/CVE-2011-0047.patch 1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.15.5/debian/patches/CVE-2011-0047.patch 2011-02-06 14:19:58.000000000 +0000
@@ -0,0 +1,58 @@
+Description: prevent CSS injection vulnerability
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/81333
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=27093
+Author: Tim Starling, Roan
+Last-Update: 2011-02-06
+
+--- mediawiki-1.15.5.orig/RELEASE-NOTES
++++ mediawiki-1.15.5/RELEASE-NOTES
+@@ -3,6 +3,9 @@
+ Security reminder: MediaWiki does not require PHP's register_globals
+ setting since version 1.2.0. If you have it on, turn it *off* if you can.
+
++== Changes since 1.15.5 ==
++* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.
++
+ == MediaWiki 1.15.5 ==
+
+ 2010-07-28
+--- mediawiki-1.15.5.orig/includes/Sanitizer.php
++++ mediawiki-1.15.5/includes/Sanitizer.php
+@@ -659,6 +659,13 @@
+ // Remove any comments; IE gets token splitting wrong
+ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+
++ // Remove anything after a comment-start token, to guard against
++ // incorrect client implementations.
++ $commentPos = strpos( $value, '/*' );
++ if ( $commentPos !== false ) {
++ $value = substr( $value, 0, $commentPos );
++ }
++
+ // Decode escape sequences and line continuation
+ // See the grammar in the CSS 2 spec, appendix D.
+ static $decodeRegex, $reencodeTable;
+--- mediawiki-1.15.5.orig/includes/StringUtils.php
++++ mediawiki-1.15.5/includes/StringUtils.php
+@@ -77,16 +77,20 @@
+ }
+
+ if ( $tokenType == 'start' ) {
+- $inputPos = $tokenOffset + $tokenLength;
+ # Only move the start position if we haven't already found a start
+ # This means that START START END matches outer pair
+ if ( !$foundStart ) {
+ # Found start
++ $inputPos = $tokenOffset + $tokenLength;
+ # Write out the non-matching section
+ $output .= substr( $subject, $outputPos, $tokenOffset - $outputPos );
+ $outputPos = $tokenOffset;
+ $contentPos = $inputPos;
+ $foundStart = true;
++ } else {
++ # Move the input position past the *first character* of START,
++ # to protect against missing END when it overlaps with START
++ $inputPos = $tokenOffset + 1;
+ }
+ } elseif ( $tokenType == 'end' ) {
+ if ( $foundStart ) {
diff -Nru mediawiki-1.15.5/debian/patches/series mediawiki-1.15.5/debian/patches/series
--- mediawiki-1.15.5/debian/patches/series 2011-01-04 22:34:42.000000000 +0000
+++ mediawiki-1.15.5/debian/patches/series 2011-02-06 13:39:36.000000000 +0000
@@ -6,3 +6,4 @@
 backup_documentation.patch
 suppress_warnings.patch
 CVE-2011-0003.patch
+CVE-2011-0047.patch
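Review bot: In the Sanitizer.php section of the added patch, the new `strpos( $value, '/*' )` truncation runs before the "Decode escape sequences and line continuation" step visible in the trailing context, so a comment-start token that only exists after decoding would not be seen by this guard. The decoding code lies outside the hunk, so this is inferred from the statement order alone; if decoding can yield `/*`, either move the comment removal and the truncation below the decode step or repeat the `strpos` check there. Whichever is chosen, a comment such as `// Ordering matters: this check must also hold for the decoded value` would record the dependency for the next maintainer. In the StringUtils.php section, `$inputPos = $tokenOffset + 1;` advances by one byte, which matches the "first character" wording only when the start delimiter begins with a single-byte character; the comment should say so.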