Hi, Please consider the attached diff to fix CVE-2011-0047 in oldstable. jona@lupin:~/debian/packages/mediawiki/build-area$ diffstat lenny8.diff debian/patches/CVE-2011-0047.patch | 46 +++++++++++++++++++++++++++++++++ mediawiki-1.12.0/debian/changelog | 8 +++++ mediawiki-1.12.0/debian/patches/series | 1 3 files changed, 55 insertions(+) Thanks, -- Jonathan Wiltshire jmw@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -u mediawiki-1.12.0/debian/changelog mediawiki-1.12.0/debian/changelog
--- mediawiki-1.12.0/debian/changelog
+++ mediawiki-1.12.0/debian/changelog
@@ -1,3 +1,11 @@
+mediawiki (1:1.12.0-2lenny8) oldstable; urgency=high
+
+ * Oldstable upload.
+ * CVE-2011-0047: Protect against a CSS injection vulnerability
+ (closes: #611787)
+
+ -- Jonathan Wiltshire <jmw@debian.org> Sun, 06 Feb 2011 16:16:23 +0000
+
mediawiki (1:1.12.0-2lenny7) stable; urgency=high
* Stable upload.
diff -u mediawiki-1.12.0/debian/patches/series mediawiki-1.12.0/debian/patches/series
--- mediawiki-1.12.0/debian/patches/series
+++ mediawiki-1.12.0/debian/patches/series
@@ -14,0 +15 @@
+CVE-2011-0047.patch
only in patch2:
unchanged:
--- mediawiki-1.12.0.orig/debian/patches/CVE-2011-0047.patch
+++ mediawiki-1.12.0/debian/patches/CVE-2011-0047.patch
@@ -0,0 +1,46 @@
+Description: prevent CSS injection vulnerability
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/81333
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=27093
+Author: Tim Starling, Roan
+Last-Update: 2011-02-06
+
+--- mediawiki-1.15.5.orig/includes/Sanitizer.php
++++ mediawiki-1.15.5/includes/Sanitizer.php
+@@ -659,6 +659,13 @@
+ // Remove any comments; IE gets token splitting wrong
+ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+
++ // Remove anything after a comment-start token, to guard against
++ // incorrect client implementations.
++ $commentPos = strpos( $value, '/*' );
++ if ( $commentPos !== false ) {
++ $value = substr( $value, 0, $commentPos );
++ }
++
+ // Decode escape sequences and line continuation
+ // See the grammar in the CSS 2 spec, appendix D.
+ static $decodeRegex, $reencodeTable;
+--- mediawiki-1.15.5.orig/includes/StringUtils.php
++++ mediawiki-1.15.5/includes/StringUtils.php
+@@ -77,16 +77,20 @@
+ }
+
+ if ( $tokenType == 'start' ) {
+- $inputPos = $tokenOffset + $tokenLength;
+ # Only move the start position if we haven't already found a start
+ # This means that START START END matches outer pair
+ if ( !$foundStart ) {
+ # Found start
++ $inputPos = $tokenOffset + $tokenLength;
+ # Write out the non-matching section
+ $output .= substr( $subject, $outputPos, $tokenOffset - $outputPos );
+ $outputPos = $tokenOffset;
+ $contentPos = $inputPos;
+ $foundStart = true;
++ } else {
++ # Move the input position past the *first character* of START,
++ # to protect against missing END when it overlaps with START
++ $inputPos = $tokenOffset + 1;
+ }
+ } elseif ( $tokenType == 'end' ) {
+ if ( $foundStart ) {
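Review bot: The new truncation at `$commentPos = strpos( $value, '/*' );` in the Sanitizer.php part runs before the "Decode escape sequences and line continuation" step, so it only sees a literal comment-start token; a value in which that token appears only after decoding would not be cut here. Whether the decoded string is checked again lies outside the hunk, so this should be confirmed against the 1.12.0 source, and if it is not rechecked, the same check should be repeated on the decoded value. The embedded patch was also generated against `mediawiki-1.15.5` paths and offsets while this upload is 1.12.0, so please confirm both inner hunks apply without fuzz and consider recording that in the header as `Origin: backport, http://www.mediawiki.org/wiki/Special:Code/MediaWiki/81333`. Both enclosing functions start and end outside the hunk.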