[Pkg-mediawiki-commits] r279 - in mediawiki/lenny/debian: . patches

Jonathan Wiltshire jmw at alioth.debian.org
Sat Dec 17 23:34:59 UTC 2011


Author: jmw
Date: 2011-12-17 23:34:59 +0000 (Sat, 17 Dec 2011)
New Revision: 279

Added:
   mediawiki/lenny/debian/patches/CVE-2011-1579.patch
Modified:
   mediawiki/lenny/debian/changelog
   mediawiki/lenny/debian/patches/series
Log:
CVE-2011-1579 - CSS validation error in wikitext parser

Modified: mediawiki/lenny/debian/changelog
===================================================================
--- mediawiki/lenny/debian/changelog	2011-12-17 23:33:56 UTC (rev 278)
+++ mediawiki/lenny/debian/changelog	2011-12-17 23:34:59 UTC (rev 279)
@@ -6,8 +6,9 @@
     CVE-2011-4361 - action=ajax requests were dispatched to the
     relevant function without any read permission checks being done
     CVE-2011-1578 - XSS for IE <= 6
+    CVE-2011-1579 - CSS validation error in wikitext parser
 
- -- Jonathan Wiltshire <jmw at debian.org>  Sat, 17 Dec 2011 23:32:21 +0000
+ -- Jonathan Wiltshire <jmw at debian.org>  Sat, 17 Dec 2011 23:34:25 +0000
 
 mediawiki (1:1.12.0-2lenny8) oldstable; urgency=high
 
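Review bot: the new changelog line "CSS validation error in wikitext parser" understates the impact that the patch header itself states (an XSS for Internet Explorer clients and embedding of arbitrary remote images for other clients); since the neighbouring entries for CVE-2011-4361 and CVE-2011-1578 do spell out the consequence, consider wording this one as "CVE-2011-1579 - CSS validation error in wikitext parser (XSS for IE, remote image embedding)" so the security tracker and users reading the changelog see the severity without opening the patch.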

Added: mediawiki/lenny/debian/patches/CVE-2011-1579.patch
===================================================================
--- mediawiki/lenny/debian/patches/CVE-2011-1579.patch	                        (rev 0)
+++ mediawiki/lenny/debian/patches/CVE-2011-1579.patch	2011-12-17 23:34:59 UTC (rev 279)
@@ -0,0 +1,80 @@
+Description: CSS validation error in wikitext parser
+ Wikipedia user Suffusion of Yellow discovered a CSS validation error
+ in the wikitext parser. This is an XSS issue for Internet Explorer
+ clients, and a privacy loss issue for other clients since it allows
+ the embedding of arbitrary remote images.
+Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85856
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28450
+Last-Update: 2011-12-17
+
+--- mediawiki-1.15.5.orig/includes/Sanitizer.php
++++ mediawiki-1.15.5/includes/Sanitizer.php
+@@ -646,28 +646,34 @@
+ 
+ 	/**
+ 	 * Pick apart some CSS and check it for forbidden or unsafe structures.
+-	 * Returns a sanitized string, or false if it was just too evil.
++	 * Returns a sanitized string. This sanitized string will have
++	 * character references and escape sequences decoded, and comments
++	 * stripped. If the input is just too evil, only a comment complaining
++	 * about evilness will be returned.
+ 	 *
+ 	 * Currently URL references, 'expression', 'tps' are forbidden.
+ 	 *
++	 * NOTE: Despite the fact that character references are decoded, the
++	 * returned string may contain character references given certain
++	 * clever input strings. These character references must
++	 * be escaped before the return value is embedded in HTML.
++	 *
+ 	 * @param string $value
+-	 * @return mixed
++	 * @return string
+ 	 */
+ 	static function checkCss( $value ) {
++		// Decode character references like {
+ 		$value = Sanitizer::decodeCharReferences( $value );
+ 
+-		// Remove any comments; IE gets token splitting wrong
+-		$value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+-
+-		// Remove anything after a comment-start token, to guard against
+-		// incorrect client implementations.
+-		$commentPos = strpos( $value, '/*' );
+-		if ( $commentPos !== false ) {
+-			$value = substr( $value, 0, $commentPos );
+-		}
+-
+ 		// Decode escape sequences and line continuation
+ 		// See the grammar in the CSS 2 spec, appendix D.
++		// This has to be done AFTER decoding character references.
++		// This means it isn't possible for this function to return
++		// unsanitized escape sequences. It is possible to manufacture
++		// input that contains character references that decode to
++		// escape sequences that decode to character references, but
++		// it's OK for the return value to contain character references
++		// because the caller is supposed to escape those anyway.
+ 		static $decodeRegex, $reencodeTable;
+ 		if ( !$decodeRegex ) {
+ 			$space = '[\\x20\\t\\r\\n\\f]';
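Review bot: the return contract of checkCss() changes here from `@return mixed` (false "if it was just too evil") to `@return string` (a `/* ... */` comment on bad input), so any caller in this tree that tests `checkCss( ... ) === false` would now silently accept the comment string as valid CSS; the hunk does not show the callers, so please confirm that the callers in includes/Sanitizer.php were updated or never relied on false. The new NOTE block also pushes responsibility onto the caller to escape character references in the return value before it is embedded in HTML; that is the right place to document it, but it means the callers need to be reviewed as part of this backport, not just this function.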
+@@ -684,6 +690,21 @@
+ 		$value = preg_replace_callback( $decodeRegex,
+ 			array( __CLASS__, 'cssDecodeCallback' ), $value );
+ 
++		// Remove any comments; IE gets token splitting wrong
++		// This must be done AFTER decoding character references and
++		// escape sequences, because those steps can introduce comments
++		// This step cannot introduce character references or escape
++		// sequences, because it replaces comments with spaces rather
++		// than removing them completely.
++		$value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
++
++		// Remove anything after a comment-start token, to guard against
++		// incorrect client implementations.
++		$commentPos = strpos( $value, '/*' );
++		if ( $commentPos !== false ) {
++			$value = substr( $value, 0, $commentPos );
++		}
++
+ 		// Reject problematic keywords and control characters
+ 		if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
+ 			return '/* invalid control char */';
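Review bot: the backport ordering (decode character references, then decode escape sequences, then strip `/* */` comments and truncate at any remaining `/*`, then reject control characters) matches the rationale in the added comments, but the hunk headers (`@@ -646,28 +646,34 @@`, `@@ -684,6 +690,21 @@`) and the file paths `mediawiki-1.15.5.orig/includes/Sanitizer.php` come from a 1.15.5 tree while the lenny package is 1.12.0-based (the changelog context shows `mediawiki (1:1.12.0-2lenny8)`); please confirm the patch applies without rejects to the 1.12.0 Sanitizer.php and that the moved block still lands after the `preg_replace_callback( $decodeRegex, ... )` call there, since applying it with fuzz at the wrong spot would reintroduce the original bug of stripping comments before the decoding steps that can create them.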

Modified: mediawiki/lenny/debian/patches/series
===================================================================
--- mediawiki/lenny/debian/patches/series	2011-12-17 23:33:56 UTC (rev 278)
+++ mediawiki/lenny/debian/patches/series	2011-12-17 23:34:59 UTC (rev 279)
@@ -14,5 +14,6 @@
 CVE-2011-0003.patch
 CVE-2011-0047.patch
 CVE-2011-1578.patch
+CVE-2011-1579.patch
 CVE-2011-4360.patch
 CVE-2011-4361.patch
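Review bot: the series entry is inserted in CVE-number order between CVE-2011-1578.patch and CVE-2011-4360.patch, which is consistent with the rest of the file; because quilt applies patches in this order, please verify with a full `quilt push -a` that CVE-2011-1579.patch still applies on top of the patches listed before it, in particular CVE-2011-1578.patch, if that one also touches includes/Sanitizer.php.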
