
Bug#773641: marked as done (unblock: mediawiki/1.19.20+dfsg-2.1)



Your message dated Sun, 21 Dec 2014 14:12:18 +0000
with message-id <1419171138.17974.16.camel@adam-barratt.org.uk>
and subject line Re: Bug#773641: unblock: mediawiki/1.19.20+dfsg-2.1
has caused the Debian Bug report #773641,
regarding unblock: mediawiki/1.19.20+dfsg-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773641: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773641
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mediawiki; it fixes CVE-2014-9277, which is a
security issue referenced in #772764. The description of the problem
is as follows (taken from the recently released mediawiki DSA):

  | The <cross-domain-policy> mangling in OutputHandler.php poses a
  | potentially severe security problem for API clients written in
  | PHP, in that format=php is affected.

unblock mediawiki/1.19.20+dfsg-2.1

-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (501, 'stable'), (500, 'oldstable-proposed-updates'), (500, 'oldstable'), (1, 'unstable'), (1, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash


-- Debdiff:

diff -Nru mediawiki-1.19.20+dfsg/debian/changelog mediawiki-1.19.20+dfsg/debian/changelog
--- mediawiki-1.19.20+dfsg/debian/changelog	2014-10-07 20:14:04.000000000 +0200
+++ mediawiki-1.19.20+dfsg/debian/changelog	2014-12-14 18:27:31.000000000 +0100
@@ -1,3 +1,12 @@
+mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2014-9277: The <cross-domain-policy> mangling in OutputHandler.php
+    poses a potentially severe security problem for API clients written in
+    PHP, in that format=php is affected (Closes: #772764).
+
+ -- Sebastien Delafond <seb@debian.org>  Sun, 14 Dec 2014 18:23:47 +0100
+
 mediawiki (1:1.19.20+dfsg-2) unstable; urgency=low
 
   * Team upload.
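Review bot: the changelog entry only repeats the DSA symptom text and does not say what this upload actually changes for administrators: a new configuration setting `$wgMangleFlashPolicy` (default `true`) is added, and the API's format=php now answers with an `internalerror` instead of output when the response contains `<cross-domain-policy>` while the output handler is active. Both are visible in the two patches further down this debdiff and belong in the changelog, e.g. "Add $wgMangleFlashPolicy (default true); make the JSON and PHP API formatters cope with the policy mangling".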
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch
--- mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch	1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch	2014-12-14 18:22:36.000000000 +0100
@@ -0,0 +1,32 @@
+--- a/includes/DefaultSettings.php
++++ b/includes/DefaultSettings.php
+@@ -2688,6 +2688,14 @@
+  */
+ $wgResourceLoaderExperimentalAsyncLoading = false;
+ 
++/**
++ * When OutputHandler is used, mangle any output that contains
++ * <cross-domain-policy>. Without this, an attacker can send their own
++ * cross-domain policy unless it is prevented by the crossdomain.xml file at
++ * the domain root.
++ */
++$wgMangleFlashPolicy = true;
++
+ /** @} */ # End of resource loader settings }
+ 
+ 
+--- a/includes/OutputHandler.php
++++ b/includes/OutputHandler.php
+@@ -13,8 +13,10 @@
+  * @return string
+  */
+ function wfOutputHandler( $s ) {
+-	global $wgDisableOutputCompression, $wgValidateAllHtml;
+-	$s = wfMangleFlashPolicy( $s );
++	global $wgDisableOutputCompression, $wgValidateAllHtml, $wgMangleFlashPolicy;
++	if ( $wgMangleFlashPolicy ) {
++		$s = wfMangleFlashPolicy( $s );
++	}
+ 	if ( $wgValidateAllHtml ) {
+ 		$headers = apache_response_headers();
+ 		$isHTML = true;
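Review bot: the new patch file starts directly with `--- a/includes/DefaultSettings.php` and carries no DEP-3 header (no `Description:`, `Origin:` or `Bug-Debian:` line), so nothing in the file itself ties it to CVE-2014-9277 or to #772764; add those before upload. On the content, `$wgMangleFlashPolicy = true;` keeps the existing mangling switched on, so this patch on its own changes nothing for a wiki that does not edit LocalSettings.php; it only makes the behaviour optional, and the API-side handling lives in the second patch.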
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch
--- mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch	1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch	2014-12-14 18:22:36.000000000 +0100
@@ -0,0 +1,53 @@
+--- a/includes/api/ApiFormatJson.php
++++ b/includes/api/ApiFormatJson.php
+@@ -67,9 +67,21 @@
+ 			$prefix = ( "/**/$prefix" );
+ 			$suffix = ')';
+ 		}
++
++		$json = FormatJson::encode( $this->getResultData(), $this->getIsHtml() );
++
++		// Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
++		// Flash, but what it does isn&#039;t friendly for the API, so we need to
++		// work around it.
++		if ( preg_match( &#039;/\<\s*cross-domain-policy\s*\>/i&#039;, $json ) ) {
++			$json = preg_replace(
++				&#039;/\<(\s*cross-domain-policy\s*)\>/i&#039;, &#039;\\u003C$1\\u003E&#039;, $json
++			);
++		}
++
+ 		$this->printText(
+ 			$prefix .
+-			FormatJson::encode( $this->getResultData(), $this->getIsHtml() ) .
++			$json .
+ 			$suffix
+ 		);
+ 	}
+--- a/includes/api/ApiFormatPhp.php
++++ b/includes/api/ApiFormatPhp.php
+@@ -39,7 +39,24 @@
+ 	}
+ 
+ 	public function execute() {
+-		$this->printText( serialize( $this->getResultData() ) );
++		global $wgMangleFlashPolicy;
++		$text = serialize( $this->getResultData() );
++
++		// Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
++		// Flash, but what it does isn&#039;t friendly for the API. There&#039;s nothing
++		// we can do here that isn&#039;t actively broken in some manner, so let&#039;s
++		// just be broken in a useful manner.
++		if ( $wgMangleFlashPolicy &&
++			in_array( &#039;wfOutputHandler&#039;, ob_list_handlers(), true ) &&
++			preg_match( &#039;/\<\s*cross-domain-policy\s*\>/i&#039;, $text )
++		) {
++			$this->dieUsage(
++				&#039;This response cannot be represented using format=php. See https://bugzilla.wikimedia.org/show_bug.cgi?id=66776&#039;,
++				&#039;internalerror&#039;
++			);
++		}
++
++		$this->printText( $text );
+ 	}
+ 
+ 	public function getDescription() {
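Review bot: the quoted patch body shows `&#039;` where PHP single quotes belong, e.g. `preg_match( &#039;/\<\s*cross-domain-policy\s*\>/i&#039;, $json )`; if that is not merely the list archive's HTML encoding, the patch will not yield valid PHP, so confirm the file in the upload contains literal `'`. On the logic: ApiFormatJson.php escapes the tag unconditionally, while ApiFormatPhp.php refuses only when `$wgMangleFlashPolicy` is set and `wfOutputHandler` is in `ob_list_handlers()`. That asymmetry is correct: `\u003C`/`\u003E` is a legal JSON escape that decodes to the same value, whereas a serialized string cannot be rewritten without invalidating its length prefix, so `dieUsage` is the only safe response there. Like the first file, this patch also lacks a DEP-3 header.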
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/series mediawiki-1.19.20+dfsg/debian/patches/series
--- mediawiki-1.19.20+dfsg/debian/patches/series	2014-08-24 06:52:14.000000000 +0200
+++ mediawiki-1.19.20+dfsg/debian/patches/series	2014-12-14 18:22:55.000000000 +0100
@@ -9,3 +9,5 @@
 fix_warnings.patch
 mimetypes.patch
 suppress_warnings.patch
+CVE-2014-9277_1.patch
+CVE-2014-9277_2.patch
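Review bot: ordering is correct; `CVE-2014-9277_2.patch` reads `$wgMangleFlashPolicy`, which `CVE-2014-9277_1.patch` introduces in DefaultSettings.php, so _1 must be, and is, applied first.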

--- End Message ---
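The DSA text quoted in the report says that format=php is affected but not why. The following PHP script is an added illustration, not code from MediaWiki or from this upload. It models the output-handler rewrite (assumed here to turn `<cross-domain-policy>` into `<NOT-cross-domain-policy>`, since the page does not show the body of wfMangleFlashPolicy; any length-changing rewrite has the same effect), the `\u003C`/`\u003E` escape from ApiFormatJson.php and the refusal from ApiFormatPhp.php, and runs them over a constructed API result to show that the rewrite corrupts a serialized payload (its byte-length prefixes no longer match) while the escaped JSON stays decodable.

```php
<?php
// Added illustration (not MediaWiki code). Models the behaviour described in
// the bug report: an output-buffer handler that rewrites "<cross-domain-policy>"
// in every response corrupts a PHP-serialized API result, because serialize()
// stores byte lengths, while the JSON formatter's "\u003C...\u003E" escape keeps
// the document valid for clients.

// Model of wfMangleFlashPolicy(): the page does not show its body, so the
// "<NOT-$1>" rewrite is an assumption; any change of length has the same effect.
function mangleFlashPolicy(string $s): string
{
    return preg_replace('/\<(\s*cross-domain-policy\s*)\>/i', '<NOT-$1>', $s);
}

// Model of the ApiFormatJson.php change: escape the angle brackets so the
// handler's pattern no longer matches, without changing the decoded value.
function escapeForJson(string $json): string
{
    return preg_replace('/\<(\s*cross-domain-policy\s*)\>/i', '\\u003C$1\\u003E', $json);
}

// Model of the ApiFormatPhp.php change: refuse to emit a serialized payload the
// handler would corrupt (the real code calls dieUsage(..., 'internalerror')).
function formatPhp(array $data, bool $handlerActive): ?string
{
    $text = serialize($data);
    if ($handlerActive && preg_match('/\<\s*cross-domain-policy\s*\>/i', $text)) {
        return null;
    }
    return $text;
}

// Constructed sample result: a page whose text happens to contain the tag.
$result = ['query' => ['pages' => [[
    'title'    => 'Sandbox',
    'wikitext' => 'see <cross-domain-policy> for details',
]]]];

// 1. format=php through the unconditional handler: the string's length prefix
//    (s:37:"...") now disagrees with its content, so the client's unserialize()
//    fails and returns false.
$serialized = serialize($result);
$corrupted  = mangleFlashPolicy($serialized);
printf("serialized payload altered by handler: %s\n", var_export($corrupted !== $serialized, true));
printf("client can unserialize it:             %s\n", var_export(@unserialize($corrupted) !== false, true));

// 2. format=json with the escape: the handler finds nothing to rewrite and the
//    client decodes the original value.
$json = escapeForJson(json_encode($result));
printf("json payload altered by handler:       %s\n", var_export(mangleFlashPolicy($json) !== $json, true));
printf("client decodes original value:         %s\n", var_export(json_decode($json, true) === $result, true));

// 3. format=php with the patch: an error response instead of unparsable bytes.
printf("format=php refused while handler on:   %s\n", var_export(formatPhp($result, true) === null, true));
printf("format=php intact while handler off:   %s\n", var_export(formatPhp($result, false) === $serialized, true));
```

Run it with `php illustrate.php`. The first two lines show the pre-patch failure (payload altered, client cannot unserialize), the middle two show why the JSON workaround is safe, and the last two show the post-patch behaviour of the PHP formatter, including that the refusal is tied to the handler actually being installed.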
--- Begin Message ---
On Sun, 2014-12-21 at 12:38 +0100, Sebastien Delafond wrote:
> Please unblock package mediawiki; it fixes CVE-2014-9277, which is a
> security issue referenced in #772764. THe description of the problem
> is as follows (taken from the recently released mediawiki DSA):
> 
>   | The <cross-domain-policy> mangling in OutputHandler.php poses a
>   | potentially severe security problem for API clients written in
>   | PHP, in that format=php is affected.

Unblocked, thanks.

Regards,

Adam

--- End Message ---
