Hi,

Please consider the attached diff to fix CVE-2011-0047 in oldstable.

jona@lupin:~/debian/packages/mediawiki/build-area$ diffstat lenny8.diff
 debian/patches/CVE-2011-0047.patch     | 46 +++++++++++++++++++++++++++++++++
 mediawiki-1.12.0/debian/changelog      | 8 +++++
 mediawiki-1.12.0/debian/patches/series | 1
 3 files changed, 55 insertions(+)

Thanks,

--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

diff -u mediawiki-1.12.0/debian/changelog mediawiki-1.12.0/debian/changelog --- mediawiki-1.12.0/debian/changelog +++ mediawiki-1.12.0/debian/changelog @@ -1,3 +1,11 @@ +mediawiki (1:1.12.0-2lenny8) oldstable; urgency=high + + * Oldstable upload. + * CVE-2011-0047: Protect against a CSS injection vulnerability + (closes: #611787) + + -- Jonathan Wiltshire <jmw@debian.org> Sun, 06 Feb 2011 16:16:23 +0000 + mediawiki (1:1.12.0-2lenny7) stable; urgency=high * Stable upload. diff -u mediawiki-1.12.0/debian/patches/series mediawiki-1.12.0/debian/patches/series --- mediawiki-1.12.0/debian/patches/series +++ mediawiki-1.12.0/debian/patches/series @@ -14,0 +15 @@ +CVE-2011-0047.patch only in patch2: unchanged: --- mediawiki-1.12.0.orig/debian/patches/CVE-2011-0047.patch +++ mediawiki-1.12.0/debian/patches/CVE-2011-0047.patch 
@@ -0,0 +1,46 @@ +Description: prevent CSS injection vulnerability +Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/81333 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=27093 +Author: Tim Starling, Roan +Last-Update: 2011-02-06 + +--- mediawiki-1.15.5.orig/includes/Sanitizer.php ++++ mediawiki-1.15.5/includes/Sanitizer.php +@@ -659,6 +659,13 @@ + // Remove any comments; IE gets token splitting wrong + $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value ); + ++ // Remove anything after a comment-start token, to guard against ++ // incorrect client implementations. ++ $commentPos = strpos( $value, '/*' ); ++ if ( $commentPos !== false ) { ++ $value = substr( $value, 0, $commentPos ); ++ } ++ + // Decode escape sequences and line continuation + // See the grammar in the CSS 2 spec, appendix D. + static $decodeRegex, $reencodeTable; +--- mediawiki-1.15.5.orig/includes/StringUtils.php ++++ mediawiki-1.15.5/includes/StringUtils.php +@@ -77,16 +77,20 @@ + } + + if ( $tokenType == 'start' ) { +- $inputPos = $tokenOffset + $tokenLength; + # Only move the start position if we haven't already found a start + # This means that START START END matches outer pair + if ( !$foundStart ) { + # Found start ++ $inputPos = $tokenOffset + $tokenLength; + # Write out the non-matching section + $output .= substr( $subject, $outputPos, $tokenOffset - $outputPos ); + $outputPos = $tokenOffset; + $contentPos = $inputPos; + $foundStart = true; ++ } else { ++ # Move the input position past the *first character* of START, ++ # to protect against missing END when it overlaps with START ++ $inputPos = $tokenOffset + 1; + } + } elseif ( $tokenType == 'end' ) { + if ( $foundStart ) {
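
Review bot: The file headers and hunk offsets inside debian/patches/CVE-2011-0047.patch are taken from mediawiki-1.15.5 ("--- mediawiki-1.15.5.orig/includes/Sanitizer.php", "@@ -659,6 +659,13 @@", "@@ -77,16 +77,20 @@"), while this upload is 1:1.12.0-2lenny8. Please confirm that both embedded hunks apply to the 1.12.0 sources without fuzz and that the surrounding context is the same code, then refresh the patch against the 1.12.0 tree so the paths and offsets describe what is actually being patched. The Author field also gives only "Roan" for the second author; a full name would make the attribution unambiguous.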
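
Review bot: In the Sanitizer.php hunk, the new strpos( $value, '/*' ) truncation runs before the "Decode escape sequences and line continuation" step shown in the trailing context, so it only sees a comment-start token that is present in the value before decoding. Please confirm that the code following the decode step cannot be left holding a '/*' that this check never saw, or repeat the check after decoding. A regression test covering an unterminated comment in a style value would also be worth carrying with the upload, since the fix depends on the ordering of these steps.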
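
Review bot: In the StringUtils.php hunk, the new else branch ("$inputPos = $tokenOffset + 1;") changes how scanning advances after a second START token in shared StringUtils code, so it affects any other caller in 1.12.0 as well as the Sanitizer call patched above. Please check that those callers still get the behaviour the existing comment promises ("START START END matches outer pair"), and add a test for the case the new comment describes, where END overlaps with START, so the one-character advance is pinned down.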