[Pkg-mediawiki-commits] r271 - in mediawiki/lenny/debian: . patches
Jonathan Wiltshire
jmw at alioth.debian.org
Thu Dec 1 12:34:38 UTC 2011
Author: jmw
Date: 2011-12-01 12:34:38 +0000 (Thu, 01 Dec 2011)
New Revision: 271
Added:
mediawiki/lenny/debian/patches/CVE-2011-0047.patch
Modified:
mediawiki/lenny/debian/changelog
mediawiki/lenny/debian/patches/series
Log:
CVE-2011-0047
Modified: mediawiki/lenny/debian/changelog
===================================================================
--- mediawiki/lenny/debian/changelog 2011-12-01 10:52:50 UTC (rev 270)
+++ mediawiki/lenny/debian/changelog 2011-12-01 12:34:38 UTC (rev 271)
@@ -1,3 +1,11 @@
+mediawiki (1:1.12.0-2lenny8) oldstable; urgency=high
+
+ * Oldstable upload.
+ * CVE-2011-0047: Protect against a CSS injection vulnerability
+ (closes: #611787)
+
+ -- Jonathan Wiltshire <jmw at debian.org> Sun, 06 Feb 2011 16:16:23 +0000
+
mediawiki (1:1.12.0-2lenny7) stable; urgency=high
* Stable upload.
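Review bot: The trailer on the new 1:1.12.0-2lenny8 entry is dated Sun, 06 Feb 2011, about ten months before this commit (2011-12-01), which suggests the stanza was carried over from an earlier changelog and not regenerated. Refresh the trailer timestamp when the oldstable upload is actually prepared, so the entry does not appear to predate the work. The entry would also be easier to audit if it named the files the fix touches (includes/Sanitizer.php and includes/StringUtils.php).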
Copied: mediawiki/lenny/debian/patches/CVE-2011-0047.patch (from rev 241, mediawiki/squeeze/debian/patches/CVE-2011-0047.patch)
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-0047.patch (rev 0)
+++ mediawiki/lenny/debian/patches/CVE-2011-0047.patch 2011-12-01 12:34:38 UTC (rev 271)
@@ -0,0 +1,46 @@
+Description: prevent CSS injection vulnerability
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/81333
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=27093
+Author: Tim Starling, Roan
+Last-Update: 2011-02-06
+
+--- mediawiki-1.15.5.orig/includes/Sanitizer.php
++++ mediawiki-1.15.5/includes/Sanitizer.php
+@@ -659,6 +659,13 @@
+ // Remove any comments; IE gets token splitting wrong
+ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+
++ // Remove anything after a comment-start token, to guard against
++ // incorrect client implementations.
++ $commentPos = strpos( $value, '/*' );
++ if ( $commentPos !== false ) {
++ $value = substr( $value, 0, $commentPos );
++ }
++
+ // Decode escape sequences and line continuation
+ // See the grammar in the CSS 2 spec, appendix D.
+ static $decodeRegex, $reencodeTable;
+--- mediawiki-1.15.5.orig/includes/StringUtils.php
++++ mediawiki-1.15.5/includes/StringUtils.php
+@@ -77,16 +77,20 @@
+ }
+
+ if ( $tokenType == 'start' ) {
+- $inputPos = $tokenOffset + $tokenLength;
+ # Only move the start position if we haven't already found a start
+ # This means that START START END matches outer pair
+ if ( !$foundStart ) {
+ # Found start
++ $inputPos = $tokenOffset + $tokenLength;
+ # Write out the non-matching section
+ $output .= substr( $subject, $outputPos, $tokenOffset - $outputPos );
+ $outputPos = $tokenOffset;
+ $contentPos = $inputPos;
+ $foundStart = true;
++ } else {
++ # Move the input position past the *first character* of START,
++ # to protect against missing END when it overlaps with START
++ $inputPos = $tokenOffset + 1;
+ }
+ } elseif ( $tokenType == 'end' ) {
+ if ( $foundStart ) {
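Review bot: The embedded patch still carries the squeeze paths and offsets (mediawiki-1.15.5.orig/includes/Sanitizer.php at "@@ -659,6 +659,13" and StringUtils.php at "@@ -77,16 +77,20"), while this upload is versioned 1:1.12.0-2lenny8. Confirm that both inner hunks apply to the lenny sources without fuzz, and refresh the patch against that tree so the offsets and paths match what is actually built. The StringUtils.php change only closes the overlapping START/END case if the lenny copy of that loop has the same $foundStart structure, because the new else branch depends on "$inputPos = $tokenOffset + 1;" being reached for a second START token. A short comment in the patch header describing the input that triggers the problem (an unterminated comment-start in a style value) would help the next person who has to rebase it. The Author field also gives only a first name for the second author.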
Modified: mediawiki/lenny/debian/patches/series
===================================================================
--- mediawiki/lenny/debian/patches/series 2011-12-01 10:52:50 UTC (rev 270)
+++ mediawiki/lenny/debian/patches/series 2011-12-01 12:34:38 UTC (rev 271)
@@ -12,3 +12,4 @@
1.15.4-css-security.patch
1.15.5-profileinfo-security.patch
CVE-2011-0003.patch
+CVE-2011-0047.patch