[Pkg-mediawiki-commits] r270 - in mediawiki/squeeze/debian: . patches
Jonathan Wiltshire
jmw at alioth.debian.org
Thu Dec 1 10:52:50 UTC 2011
Author: jmw
Date: 2011-12-01 10:52:50 +0000 (Thu, 01 Dec 2011)
New Revision: 270
Added:
mediawiki/squeeze/debian/patches/CVE-2011-4360.patch
mediawiki/squeeze/debian/patches/CVE-2011-4361.patch
Modified:
mediawiki/squeeze/debian/changelog
mediawiki/squeeze/debian/patches/series
Log:
Backport security fixes for CVE-2011-4360 and CVE-2011-4361
Modified: mediawiki/squeeze/debian/changelog
===================================================================
--- mediawiki/squeeze/debian/changelog 2011-11-30 22:43:19 UTC (rev 269)
+++ mediawiki/squeeze/debian/changelog 2011-12-01 10:52:50 UTC (rev 270)
@@ -1,3 +1,13 @@
+mediawiki (1:1.15.5-2squeeze2) UNRELEASED; urgency=low
+
+ * Security fixes from upstream (Closes: #650434):
+ CVE-2011-4360 - page titles on private wikis could be exposed
+ bypassing different page ids to index.php
+ CVE-2011-4361 - action=ajax requests were dispatched to the
+ relevant function without any read permission checks being done
+
+ -- Jonathan Wiltshire <jmw at debian.org> Thu, 01 Dec 2011 10:50:30 +0000
+
mediawiki (1:1.15.5-2squeeze1) stable; urgency=high
* CVE-2011-0047: Protect against a CSS injection vulnerability
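Review bot: In the new changelog entry, "could be exposed bypassing different page ids" reads as if a control were being bypassed; the intended wording is "by passing different page ids to index.php". The entry is also marked urgency=low, while the previous security upload shown directly below it used urgency=high. For a disclosure fix on private wikis, consider matching that before UNRELEASED is replaced with the target suite.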
Added: mediawiki/squeeze/debian/patches/CVE-2011-4360.patch
===================================================================
--- mediawiki/squeeze/debian/patches/CVE-2011-4360.patch (rev 0)
+++ mediawiki/squeeze/debian/patches/CVE-2011-4360.patch 2011-12-01 10:52:50 UTC (rev 270)
@@ -0,0 +1,31 @@
+Description: CVE-2011-4360
+ Alexandre Emsenhuber discovered an issue where page titles on private
+ wikis could be exposed bypassing different page ids to index.php. In the
+ case of the user not having correct permissions, they will now be
+ redirected to Special:BadTitle.
+Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
+Bug-Debian: http://bugs.debian.org/650434
+Forwarded: not-needed
+Last-Update: 2011-11-30
+
+
+--- mediawiki-1.15.5.orig/includes/Wiki.php
++++ mediawiki-1.15.5/includes/Wiki.php
+@@ -149,6 +149,16 @@
+ # the Read array in order for the user to see it. (We have to check here to
+ # catch special pages etc. We check again in Article::view())
+ if( !is_null( $title ) && !$title->userCanRead() ) {
++ // Bug 32276: allowing the skin to generate output with $wgTitle
++ // set to the input title would allow anonymous users to
++ // determine whether a page exists, potentially leaking private data. In fact, the
++ // curid and oldid request parameters would allow page titles to be enumerated even
++ // when they are not guessable. So we reset the title to Special:Badtitle before the
++ // permissions error is displayed.
++ $badtitle = SpecialPage::getTitleFor( 'Badtitle' );
++ $output->setTitle( $badtitle );
++ $wgTitle = $badtitle;
++
+ $output->loginToUse();
+ $output->output();
+ $output->disable();
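Review bot: The added `$wgTitle = $badtitle;` resets the global only if the enclosing function declares `global $wgTitle`, and no such declaration is visible in this hunk's context. Without it, the assignment creates a local variable and the skin still sees the requested title. Please confirm the declaration exists in the 1.15.5 function or add it in this patch. The Description header repeats the "bypassing different page ids" wording and should read "by passing different page ids".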
Added: mediawiki/squeeze/debian/patches/CVE-2011-4361.patch
===================================================================
--- mediawiki/squeeze/debian/patches/CVE-2011-4361.patch (rev 0)
+++ mediawiki/squeeze/debian/patches/CVE-2011-4361.patch 2011-12-01 10:52:50 UTC (rev 270)
@@ -0,0 +1,35 @@
+Description: CVE-2011-4361
+ Tim Starling discovered that action=ajax requests were dispatched to the
+ relevant function without any read permission checks being done.
+ This could have led to data leakage on private wikis.
+Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
+Bug-Debian: http://bugs.debian.org/650434
+Forwarded: not-needed
+Last-Update: 2011-11-30
+
+--- mediawiki-1.15.5.orig/includes/AjaxDispatcher.php
++++ mediawiki-1.15.5/includes/AjaxDispatcher.php
+@@ -78,7 +78,7 @@
+ * request.
+ */
+ function performAction() {
+- global $wgAjaxExportList, $wgOut;
++ global $wgAjaxExportList, $wgOut, $wgUser;
+
+ if ( empty( $this->mode ) ) {
+ return;
+@@ -90,6 +90,13 @@
+
+ wfHttpError( 400, 'Bad Request',
+ "unknown function " . (string) $this->func_name );
++ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
++ && !$wgUser->isAllowed( 'read' ) )
++ {
++ wfHttpError(
++ 403,
++ 'Forbidden',
++ 'You must log in to view pages.' );
+ } else {
+ wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
+
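Review bot: The new read check in performAction() is an elseif placed after the "unknown function" branch, so a caller without read rights still receives a 400 with the function name echoed back for unregistered names and a 403 only for exported ones, which lets the two cases be told apart. Consider moving the permission test ahead of the function-name check so every request from a user without read access gets the same 403. The Description should also state that the gate tests only the global 'read' right through `$wgUser->isAllowed( 'read' )` and not access to any particular title.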
Modified: mediawiki/squeeze/debian/patches/series
===================================================================
--- mediawiki/squeeze/debian/patches/series 2011-11-30 22:43:19 UTC (rev 269)
+++ mediawiki/squeeze/debian/patches/series 2011-12-01 10:52:50 UTC (rev 270)
@@ -7,3 +7,5 @@
suppress_warnings.patch
CVE-2011-0003.patch
CVE-2011-0047.patch
+CVE-2011-4360.patch
+CVE-2011-4361.patch