
Bug#773866: marked as done (unblock: mediawiki/1:1.19.20+dfsg-2.2)



Your message dated Wed, 24 Dec 2014 11:17:11 +0000
with message-id <788300eb63164ce3bfb2eab7f3eeebd1@mail.adsl.funky-badger.org>
and subject line Re: Bug#773866: unblock: mediawiki/1:1.19.20+dfsg-2.2
has caused the Debian Bug report #773866,
regarding unblock: mediawiki/1:1.19.20+dfsg-2.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773866: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773866
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

on behalf of the Security Team, could you please unblock the package
mediawiki? It fixes yet another security vulnerability (CVE
assignment pending), which prompted the issuing of DSA-3110-1 for
wheezy-security. The corresponding Debian bug is 773654.

You can find the debdiff at the end of this email.

unblock mediawiki/1:1.19.20+dfsg-2.2

-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (501, 'stable'), (500, 'oldstable-proposed-updates'), (500, 'oldstable'), (1, 'unstable'), (1, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -Nru mediawiki-1.19.20+dfsg/debian/changelog mediawiki-1.19.20+dfsg/debian/changelog
--- mediawiki-1.19.20+dfsg/debian/changelog	2014-12-14 18:27:31.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/changelog	2014-12-21 13:11:10.000000000 +0100
@@ -1,3 +1,12 @@
+mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add patch fixing T76686: thumb.php outputs wikitext message as raw
+    HTML, which could lead to xss. Permission to edit MediaWiki namespace
+    is required to exploit this.
+
+ -- Sebastien Delafond <seb@debian.org>  Sun, 21 Dec 2014 13:11:10 +0100
+
 mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
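Review bot: the new T76686 bullet in the 1:1.19.20+dfsg-2.2 entry carries no "Closes: #773654" tag, although the request names 773654 as the corresponding Debian bug, so the upload will not close that report on its own. Consider appending "(Closes: #773654)" to the bullet and writing "xss" as "XSS".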
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/series mediawiki-1.19.20+dfsg/debian/patches/series
--- mediawiki-1.19.20+dfsg/debian/patches/series	2014-12-14 18:22:55.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/series	2014-12-21 13:10:23.000000000 +0100
@@ -11,3 +11,4 @@
 suppress_warnings.patch
 CVE-2014-9277_1.patch
 CVE-2014-9277_2.patch
+T76686.patch
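Review bot: T76686.patch is listed under its upstream task id while the two entries above it are named by CVE id. With the CVE assignment still pending, plan to either rename the file or record the id in the patch header once it is issued, so the series stays searchable by CVE.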
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/T76686.patch mediawiki-1.19.20+dfsg/debian/patches/T76686.patch
--- mediawiki-1.19.20+dfsg/debian/patches/T76686.patch	1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/T76686.patch	2014-12-21 13:10:21.000000000 +0100
@@ -0,0 +1,55 @@
+From fdd3f464ef9aa7f3276a2a8dddc85e3769cfda83 Mon Sep 17 00:00:00 2001
+From: Kunal Mehta <legoktm@gmail.com>
+Date: Thu, 4 Dec 2014 14:06:55 -0800
+Subject: [PATCH] thumb.php: Set proper output formats for messages going into
+ HTML
+
+* Use ->parse() instead of ->text() for wikitext messages that were
+  being treated as HTML
+* Explicitly specify ->parse() if no output format was set
+* Document that wfThumbError() takes HTML
+
+Bug: T76686
+Change-Id: Id6e7548b2e081cfda7803772ed0395a15feb1f84
+---
+ thumb.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/thumb.php b/thumb.php
+index 60a7ffb..a7a09fc 100644
+--- a/thumb.php
++++ b/thumb.php
+@@ -107,13 +107,13 @@ function wfStreamThumb( array $params ) {
+ 		// Format is <timestamp>!<name>
+ 		$bits = explode( '!', $fileName, 2 );
+ 		if ( count( $bits ) != 2 ) {
+-			wfThumbError( 404, wfMsg( 'badtitletext' ) );
++			wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
+ 			wfProfileOut( __METHOD__ );
+ 			return;
+ 		}
+ 		$title = Title::makeTitleSafe( NS_FILE, $bits[1] );
+ 		if ( !$title ) {
+-			wfThumbError( 404, wfMsg( 'badtitletext' ) );
++			wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
+ 			wfProfileOut( __METHOD__ );
+ 			return;
+ 		}
+@@ -136,7 +136,7 @@ function wfStreamThumb( array $params ) {
+ 
+ 	// Check the source file storage path
+ 	if ( !$img ) {
+-		wfThumbError( 404, wfMsg( 'badtitletext' ) );
++		wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
+ 		wfProfileOut( __METHOD__ );
+ 		return;
+ 	}
+@@ -291,7 +291,7 @@ function wfExtractThumbParams( $uri ) {
+  * Output a thumbnail generation error message
+  *
+  * @param $status integer
+- * @param $msg string
++ * @param string $msg HTML
+  * @return void
+  */
+ function wfThumbError( $status, $msg ) {
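Review bot: the docblock change on wfThumbError() declares $msg as HTML, but the hunks shown convert only the three 'badtitletext' call sites in wfStreamThumb(), and nothing in the function signature enforces the contract. Any other caller of wfThumbError() in thumb.php that is not visible here should be checked before upload: a caller passing plain text or request-derived values (file names, parameters) has to escape them, for example with htmlspecialchars(), or the same raw-HTML output problem remains on that path. The patch file also has only the upstream git header; a "Bug-Debian: https://bugs.debian.org/773654" line would tie it to the Debian report named in the request.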

--- End Message ---
--- Begin Message ---
On 2014-12-24 11:03, Sebastien Delafond wrote:
> on behalf of the Security Team, could you please unblock the package
> mediawiki? It fixes yet another security vulnerability (CVE
> assignment pending), which prompted the issuing of DSA-3110-1 for
> wheezy-security. The corresponding Debian bug is 773654.

Previous unblock for -2.1 updated. Hopefully it'll actually manage to migrate before -2.3 appears.

Regards,

Adam

--- End Message ---
