[Pkg-mediawiki-commits] r272 - in mediawiki/lenny/debian: . patches

Jonathan Wiltshire jmw at alioth.debian.org
Thu Dec 1 12:38:41 UTC 2011


Author: jmw
Date: 2011-12-01 12:38:40 +0000 (Thu, 01 Dec 2011)
New Revision: 272

Added:
   mediawiki/lenny/debian/patches/CVE-2011-4360.patch
   mediawiki/lenny/debian/patches/CVE-2011-4361.patch
Modified:
   mediawiki/lenny/debian/changelog
   mediawiki/lenny/debian/patches/series
Log:
Backport security fixes for CVE-2011-4360 and CVE-2011-4361

Modified: mediawiki/lenny/debian/changelog
===================================================================
--- mediawiki/lenny/debian/changelog	2011-12-01 12:34:38 UTC (rev 271)
+++ mediawiki/lenny/debian/changelog	2011-12-01 12:38:40 UTC (rev 272)
@@ -1,3 +1,13 @@
+mediawiki (1:1.12.0-2lenny9) UNRELEASED; urgency=low
+
+  * Security fixes from upstream (Closes: #650434):
+    CVE-2011-4360 - page titles on private wikis could be exposed
+    bypassing different page ids to index.php
+    CVE-2011-4361 - action=ajax requests were dispatched to the
+    relevant function without any read permission checks being done
+
+ -- Jonathan Wiltshire <jmw at debian.org>  Thu, 01 Dec 2011 12:37:28 +0000
+
 mediawiki (1:1.12.0-2lenny8) oldstable; urgency=high
 
   * Oldstable upload.
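
Review bot: In the CVE-2011-4360 entry, "could be exposed bypassing different page ids to index.php" reads as if something is being bypassed; the sentence needs "by passing", so add the missing space. The same wording is repeated in the Description field of CVE-2011-4360.patch and should be fixed there too. The entry also sets urgency=low for an upload that closes two information-disclosure CVEs on private wikis, while the preceding 1:1.12.0-2lenny8 entry used urgency=high; consider raising it before UNRELEASED is replaced with the target suite.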

Added: mediawiki/lenny/debian/patches/CVE-2011-4360.patch
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-4360.patch	                        (rev 0)
+++ mediawiki/lenny/debian/patches/CVE-2011-4360.patch	2011-12-01 12:38:40 UTC (rev 272)
@@ -0,0 +1,31 @@
+Description: CVE-2011-4360
+ Alexandre Emsenhuber discovered an issue where page titles on private
+ wikis could be exposed bypassing different page ids to index.php. In the
+ case of the user not having correct permissions, they will now be
+ redirected to Special:BadTitle.
+Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
+Bug-Debian: http://bugs.debian.org/650434
+Forwarded: not-needed
+Last-Update: 2011-11-30
+
+
+--- mediawiki-1.15.5.orig/includes/Wiki.php
++++ mediawiki-1.15.5/includes/Wiki.php
+@@ -149,6 +149,16 @@
+ 		# the Read array in order for the user to see it. (We have to check here to
+ 		# catch special pages etc. We check again in Article::view())
+ 		if( !is_null( $title ) && !$title->userCanRead() ) {
++			// Bug 32276: allowing the skin to generate output with $wgTitle
++			// set to the input title would allow anonymous users to
++			// determine whether a page exists, potentially leaking private data. In fact, the
++			// curid and oldid request  parameters would allow page titles to be enumerated even
++			// when they are not guessable. So we reset the title to Special:Badtitle before the
++			// permissions error is displayed.
++			$badtitle = SpecialPage::getTitleFor( 'Badtitle' );
++			$output->setTitle( $badtitle );
++			$wgTitle = $badtitle;
++
+ 			$output->loginToUse();
+ 			$output->output();
+ 			$output->disable();
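
Review bot: The added line "$wgTitle = $badtitle;" only changes the global if the enclosing function declares "global $wgTitle", and no such declaration is visible in this hunk's context; without it the assignment creates a local variable and the skin would still see the requested title. Please confirm the declaration exists in the target file or add it in this patch. The inner diff headers also name mediawiki-1.15.5 while the changelog entry is for 1:1.12.0-2lenny9, so check that the hunk at line 149 of includes/Wiki.php applies without fuzz to the 1.12.0 tree and that $output->setTitle() is available there.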

Added: mediawiki/lenny/debian/patches/CVE-2011-4361.patch
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-4361.patch	                        (rev 0)
+++ mediawiki/lenny/debian/patches/CVE-2011-4361.patch	2011-12-01 12:38:40 UTC (rev 272)
@@ -0,0 +1,35 @@
+Description: CVE-2011-4361
+ Tim Starling discovered that action=ajax requests were dispatched to the
+ relevant function without any read permission checks being done.
+ This could have led to data leakage on private wikis.
+Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
+Bug-Debian: http://bugs.debian.org/650434
+Forwarded: not-needed
+Last-Update: 2011-11-30
+
+--- mediawiki-1.15.5.orig/includes/AjaxDispatcher.php
++++ mediawiki-1.15.5/includes/AjaxDispatcher.php
+@@ -78,7 +78,7 @@
+ 	 * request.
+ 	 */
+ 	function performAction() {
+-		global $wgAjaxExportList, $wgOut;
++		global $wgAjaxExportList, $wgOut, $wgUser;
+ 
+ 		if ( empty( $this->mode ) ) {
+ 			return;
+@@ -90,6 +90,13 @@
+ 
+ 			wfHttpError( 400, 'Bad Request',
+ 				"unknown function " . (string) $this->func_name );
++		} elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
++			&& !$wgUser->isAllowed( 'read' ) )
++		{
++			wfHttpError(
++				403,
++				'Forbidden',
++				'You must log in to view pages.' );
+ 		} else {
+ 			wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
+ 
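
Review bot: The read-permission test in the second hunk is attached as an elseif after the "unknown function" branch, so a client without read access still gets 400 for names that hit that branch and 403 for the rest, which lets it tell exported AJAX function names from unknown ones. Moving the permission check ahead of the function lookup in performAction() would return 403 in both cases. It is also worth confirming that User::getGroupPermissions( array( '*' ) ) and $wgUser->isAllowed( 'read' ) behave the same in the 1.12.0 tree, since the diff headers name mediawiki-1.15.5.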

Modified: mediawiki/lenny/debian/patches/series
===================================================================
--- mediawiki/lenny/debian/patches/series	2011-12-01 12:34:38 UTC (rev 271)
+++ mediawiki/lenny/debian/patches/series	2011-12-01 12:38:40 UTC (rev 272)
@@ -13,3 +13,5 @@
 1.15.5-profileinfo-security.patch
 CVE-2011-0003.patch
 CVE-2011-0047.patch
+CVE-2011-4360.patch
+CVE-2011-4361.patch



