[Pkg-mediawiki-commits] r270 - in mediawiki/squeeze/debian: . patches

Jonathan Wiltshire jmw at alioth.debian.org
Thu Dec 1 10:52:50 UTC 2011 

Author: jmw
Date: 2011-12-01 10:52:50 +0000 (Thu, 01 Dec 2011)
New Revision: 270

Added:
   mediawiki/squeeze/debian/patches/CVE-2011-4360.patch
   mediawiki/squeeze/debian/patches/CVE-2011-4361.patch
Modified:
   mediawiki/squeeze/debian/changelog
   mediawiki/squeeze/debian/patches/series
Log:
Backport security fixes for CVE-2011-4360 and CVE-2011-4361


Modified: mediawiki/squeeze/debian/changelog
===================================================================
--- mediawiki/squeeze/debian/changelog	2011-11-30 22:43:19 UTC (rev 269)
+++ mediawiki/squeeze/debian/changelog	2011-12-01 10:52:50 UTC (rev 270)
@@ -1,3 +1,13 @@
+mediawiki (1:1.15.5-2squeeze2) UNRELEASED; urgency=low
+
+  * Security fixes from upstream (Closes: #650434):
+    CVE-2011-4360 - page titles on private wikis could be exposed
+    bypassing different page ids to index.php
+    CVE-2011-4361 - action=ajax requests were dispatched to the
+    relevant function without any read permission checks being done
+
+ -- Jonathan Wiltshire <jmw at debian.org>  Thu, 01 Dec 2011 10:50:30 +0000
+
 mediawiki (1:1.15.5-2squeeze1) stable; urgency=high
 
   * CVE-2011-0047: Protect against a CSS injection vulnerability

Added: mediawiki/squeeze/debian/patches/CVE-2011-4360.patch
===================================================================
--- mediawiki/squeeze/debian/patches/CVE-2011-4360.patch	                        (rev 0)
+++ mediawiki/squeeze/debian/patches/CVE-2011-4360.patch	2011-12-01 10:52:50 UTC (rev 270)
@@ -0,0 +1,31 @@
+Description: CVE-2011-4360
+ Alexandre Emsenhuber discovered an issue where page titles on private
+ wikis could be exposed bypassing different page ids to index.php. In the
+ case of the user not having correct permissions, they will now be
+ redirected to Special:BadTitle.
+Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
+Bug-Debian: http://bugs.debian.org/650434
+Forwarded: not-needed
+Last-Update: 2011-11-30
+
+
+--- mediawiki-1.15.5.orig/includes/Wiki.php
++++ mediawiki-1.15.5/includes/Wiki.php
+@@ -149,6 +149,16 @@
+ 		# the Read array in order for the user to see it. (We have to check here to
+ 		# catch special pages etc. We check again in Article::view())
+ 		if( !is_null( $title ) && !$title->userCanRead() ) {
++			// Bug 32276: allowing the skin to generate output with $wgTitle
++			// set to the input title would allow anonymous users to
++			// determine whether a page exists, potentially leaking private data. In fact, the
++			// curid and oldid request  parameters would allow page titles to be enumerated even
++			// when they are not guessable. So we reset the title to Special:Badtitle before the
++			// permissions error is displayed.
++			$badtitle = SpecialPage::getTitleFor( 'Badtitle' );
++			$output->setTitle( $badtitle );
++			$wgTitle = $badtitle;
++
+ 			$output->loginToUse();
+ 			$output->output();
+ 			$output->disable();

Added: mediawiki/squeeze/debian/patches/CVE-2011-4361.patch
===================================================================
--- mediawiki/squeeze/debian/patches/CVE-2011-4361.patch	                        (rev 0)
+++ mediawiki/squeeze/debian/patches/CVE-2011-4361.patch	2011-12-01 10:52:50 UTC (rev 270)
@@ -0,0 +1,35 @@
+Description: CVE-2011-4361
+ Tim Starling discovered that action=ajax requests were dispatched to the
+ relevant function without any read permission checks being done.
+ This could have led to data leakage on private wikis.
+Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
+Bug-Debian: http://bugs.debian.org/650434
+Forwarded: not-needed
+Last-Update: 2011-11-30
+
+--- mediawiki-1.15.5.orig/includes/AjaxDispatcher.php
++++ mediawiki-1.15.5/includes/AjaxDispatcher.php
+@@ -78,7 +78,7 @@
+ 	 * request.
+ 	 */
+ 	function performAction() {
+-		global $wgAjaxExportList, $wgOut;
++		global $wgAjaxExportList, $wgOut, $wgUser;
+ 
+ 		if ( empty( $this->mode ) ) {
+ 			return;
+@@ -90,6 +90,13 @@
+ 
+ 			wfHttpError( 400, 'Bad Request',
+ 				"unknown function " . (string) $this->func_name );
++		} elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
++			&& !$wgUser->isAllowed( 'read' ) )
++		{
++			wfHttpError(
++				403,
++				'Forbidden',
++				'You must log in to view pages.' );
+ 		} else {
+ 			wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
+ 

Modified: mediawiki/squeeze/debian/patches/series
===================================================================
--- mediawiki/squeeze/debian/patches/series	2011-11-30 22:43:19 UTC (rev 269)
+++ mediawiki/squeeze/debian/patches/series	2011-12-01 10:52:50 UTC (rev 270)
@@ -7,3 +7,5 @@
 suppress_warnings.patch
 CVE-2011-0003.patch
 CVE-2011-0047.patch
+CVE-2011-4360.patch
+CVE-2011-4361.patch

More information about the Pkg-mediawiki-commits mailing list