Bug#773641: unblock: mediawiki/1.19.20+dfsg-2.1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package mediawiki; it fixes CVE-2014-9277, which is a
security issue referenced in #772764. THe description of the problem
is as follows (taken from the recently released mediawiki DSA):
| The <cross-domain-policy> mangling in OutputHandler.php poses a
| potentially severe security problem for API clients written in
| PHP, in that format=php is affected.
unblock mediawiki/1.19.20+dfsg-2.1
-- System Information:
Debian Release: 7.7
APT prefers stable
APT policy: (501, 'stable'), (500, 'oldstable-proposed-updates'), (500, 'oldstable'), (1, 'unstable'), (1, 'testing')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-- Debdiff:
diff -Nru mediawiki-1.19.20+dfsg/debian/changelog mediawiki-1.19.20+dfsg/debian/changelog
--- mediawiki-1.19.20+dfsg/debian/changelog 2014-10-07 20:14:04.000000000 +0200
+++ mediawiki-1.19.20+dfsg/debian/changelog 2014-12-14 18:27:31.000000000 +0100
@@ -1,3 +1,12 @@
+mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2014-9277: The <cross-domain-policy> mangling in OutputHandler.php
+ poses a potentially severe security problem for API clients written in
+ PHP, in that format=php is affected (Closes: #772764).
+
+ -- Sebastien Delafond <seb@debian.org> Sun, 14 Dec 2014 18:23:47 +0100
+
mediawiki (1:1.19.20+dfsg-2) unstable; urgency=low
* Team upload.
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch
--- mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch 1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch 2014-12-14 18:22:36.000000000 +0100
@@ -0,0 +1,32 @@
+--- a/includes/DefaultSettings.php
++++ b/includes/DefaultSettings.php
+@@ -2688,6 +2688,14 @@
+ */
+ $wgResourceLoaderExperimentalAsyncLoading = false;
+
++/**
++ * When OutputHandler is used, mangle any output that contains
++ * <cross-domain-policy>. Without this, an attacker can send their own
++ * cross-domain policy unless it is prevented by the crossdomain.xml file at
++ * the domain root.
++ */
++$wgMangleFlashPolicy = true;
++
+ /** @} */ # End of resource loader settings }
+
+
+--- a/includes/OutputHandler.php
++++ b/includes/OutputHandler.php
+@@ -13,8 +13,10 @@
+ * @return string
+ */
+ function wfOutputHandler( $s ) {
+- global $wgDisableOutputCompression, $wgValidateAllHtml;
+- $s = wfMangleFlashPolicy( $s );
++ global $wgDisableOutputCompression, $wgValidateAllHtml, $wgMangleFlashPolicy;
++ if ( $wgMangleFlashPolicy ) {
++ $s = wfMangleFlashPolicy( $s );
++ }
+ if ( $wgValidateAllHtml ) {
+ $headers = apache_response_headers();
+ $isHTML = true;
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch
--- mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch 1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch 2014-12-14 18:22:36.000000000 +0100
@@ -0,0 +1,53 @@
+--- a/includes/api/ApiFormatJson.php
++++ b/includes/api/ApiFormatJson.php
+@@ -67,9 +67,21 @@
+ $prefix = ( "/**/$prefix" );
+ $suffix = ')';
+ }
++
++ $json = FormatJson::encode( $this->getResultData(), $this->getIsHtml() );
++
++ // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
++ // Flash, but what it does isn't friendly for the API, so we need to
++ // work around it.
++ if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $json ) ) {
++ $json = preg_replace(
++ '/\<(\s*cross-domain-policy\s*)\>/i', '\\u003C$1\\u003E', $json
++ );
++ }
++
+ $this->printText(
+ $prefix .
+- FormatJson::encode( $this->getResultData(), $this->getIsHtml() ) .
++ $json .
+ $suffix
+ );
+ }
+--- a/includes/api/ApiFormatPhp.php
++++ b/includes/api/ApiFormatPhp.php
+@@ -39,7 +39,24 @@
+ }
+
+ public function execute() {
+- $this->printText( serialize( $this->getResultData() ) );
++ global $wgMangleFlashPolicy;
++ $text = serialize( $this->getResultData() );
++
++ // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
++ // Flash, but what it does isn't friendly for the API. There's nothing
++ // we can do here that isn't actively broken in some manner, so let's
++ // just be broken in a useful manner.
++ if ( $wgMangleFlashPolicy &&
++ in_array( 'wfOutputHandler', ob_list_handlers(), true ) &&
++ preg_match( '/\<\s*cross-domain-policy\s*\>/i', $text )
++ ) {
++ $this->dieUsage(
++ 'This response cannot be represented using format=php. See https://bugzilla.wikimedia.org/show_bug.cgi?id=66776',
++ 'internalerror'
++ );
++ }
++
++ $this->printText( $text );
+ }
+
+ public function getDescription() {
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/series mediawiki-1.19.20+dfsg/debian/patches/series
--- mediawiki-1.19.20+dfsg/debian/patches/series 2014-08-24 06:52:14.000000000 +0200
+++ mediawiki-1.19.20+dfsg/debian/patches/series 2014-12-14 18:22:55.000000000 +0100
@@ -9,3 +9,5 @@
fix_warnings.patch
mimetypes.patch
suppress_warnings.patch
+CVE-2014-9277_1.patch
+CVE-2014-9277_2.patch
Reply to: