[Pkg-mediawiki-commits] r287 - in mediawiki/sid-sec/debian: . patches
Jonathan Wiltshire
jmw at alioth.debian.org
Sun Dec 18 23:49:21 UTC 2011
Author: jmw
Date: 2011-12-18 23:49:21 +0000 (Sun, 18 Dec 2011)
New Revision: 287
Added:
mediawiki/sid-sec/debian/patches/CVE-2011-1578.patch
mediawiki/sid-sec/debian/patches/CVE-2011-1579.patch
mediawiki/sid-sec/debian/patches/CVE-2011-1580.patch
mediawiki/sid-sec/debian/patches/CVE-2011-1587.patch
Modified:
mediawiki/sid-sec/debian/changelog
mediawiki/sid-sec/debian/patches/series
Log:
April 2011 security patches
Modified: mediawiki/sid-sec/debian/changelog
===================================================================
--- mediawiki/sid-sec/debian/changelog 2011-12-18 23:44:13 UTC (rev 286)
+++ mediawiki/sid-sec/debian/changelog 2011-12-18 23:49:21 UTC (rev 287)
@@ -1,3 +1,13 @@
+mediawiki (1:1.15.5-5) unstable; urgency=high
+
+ * Security fixes from upstream:
+ CVE-2011-1578 - XSS for IE <= 6
+ CVE-2011-1579 - CSS validation error in wikitext parser
+ CVE-2011-1580 - access control checks on transwiki import feature
+ CVE-2011-1587 - fix incomplete patch for CVE-2011-1578
+
+ -- Jonathan Wiltshire <jmw at debian.org> Sun, 18 Dec 2011 23:48:18 +0000
+
mediawiki (1:1.15.5-4) unstable; urgency=low
[ Thorsten Glaser ]
Added: mediawiki/sid-sec/debian/patches/CVE-2011-1578.patch
===================================================================
--- mediawiki/sid-sec/debian/patches/CVE-2011-1578.patch (rev 0)
+++ mediawiki/sid-sec/debian/patches/CVE-2011-1578.patch 2011-12-18 23:49:21 UTC (rev 287)
@@ -0,0 +1,134 @@
+Description: cross-site scripting problem in IE <= 6 clients
+ Due to the diversity of uploaded files that we allow, MediaWiki does
+ not guarantee that uploaded files will be safe if they are interpreted
+ by the client as some arbitrary file type, such as HTML. We rely on
+ the web server to send the correct Content-Type header, and we rely on
+ the web browser to respect it. This XSS issue arises due to IE 6
+ looking for a file extension in the query string of the URL (i.e.
+ after the "?"), if no extension is found in path part of the URL.
+ Masato Kinugawa discovered that the file extension in the path part
+ can be hidden from IE 6 by substituting the "." with "%2E".
+Origin: upstream,r85844/r85849
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28235
+Last-Update: 2011-12-17
+
+--- /dev/null
++++ mediawiki-1.15.5/images/.htaccess
+@@ -0,0 +1,6 @@
++# Protect against bug 28235
++<IfModule rewrite_module>
++ RewriteEngine On
++ RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
++ RewriteRule . - [forbidden]
++</IfModule>
+--- mediawiki-1.15.5.orig/img_auth.php
++++ mediawiki-1.15.5/img_auth.php
+@@ -25,6 +25,13 @@
+ wfPublicError();
+ }
+
++// Check for bug 28235: QUERY_STRING overriding the correct extension
++if ( isset( $_SERVER['QUERY_STRING'] )
++ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++{
++ wfForbidden();
++}
++
+ // Extract path and image information
+ if( !isset( $_SERVER['PATH_INFO'] ) ) {
+ wfDebugLog( 'img_auth', 'Missing PATH_INFO' );
+--- mediawiki-1.15.5.orig/includes/RawPage.php
++++ mediawiki-1.15.5/includes/RawPage.php
+@@ -109,7 +109,7 @@
+ }
+
+ function view() {
+- global $wgOut, $wgScript;
++ global $wgOut, $wgScript, $wgRequest;
+
+ if( isset( $_SERVER['SCRIPT_URL'] ) ) {
+ # Normally we use PHP_SELF to get the URL to the script
+@@ -136,7 +136,7 @@
+ return;
+ }
+
+- if( strcmp( $wgScript, $url ) ) {
++ if( $wgRequest->isPathInfoBad() ) {
+ # Internet Explorer will ignore the Content-Type header if it
+ # thinks it sees a file extension it recognizes. Make sure that
+ # all raw requests are done through the script node, which will
+@@ -150,6 +150,7 @@
+ #
+ # Just return a 403 Forbidden and get it over with.
+ wfHttpError( 403, 'Forbidden',
++ 'Invalid file extension found in PATH_INFO or QUERY_STRING. ' .
+ 'Raw pages must be accessed through the primary script entry point.' );
+ return;
+ }
+--- mediawiki-1.15.5.orig/includes/WebRequest.php
++++ mediawiki-1.15.5/includes/WebRequest.php
+@@ -662,6 +662,50 @@
+ function setSessionData( $key, $data ) {
+ $_SESSION[$key] = $data;
+ }
++
++ /**
++ * Returns true if the PATH_INFO ends with an extension other than a script
++ * extension. This could confuse IE for scripts that send arbitrary data which
++ * is not HTML but may be detected as such.
++ *
++ * Various past attempts to use the URL to make this check have generally
++ * run up against the fact that CGI does not provide a standard method to
++ * determine the URL. PATH_INFO may be mangled (e.g. if cgi.fix_pathinfo=0),
++ * but only by prefixing it with the script name and maybe some other stuff,
++ * the extension is not mangled. So this should be a reasonably portable
++ * way to perform this security check.
++ *
++ * Also checks for anything that looks like a file extension at the end of
++ * QUERY_STRING, since IE 6 and earlier will use this to get the file type
++ * if there was no dot before the question mark (bug 28235).
++ */
++ public function isPathInfoBad() {
++ global $wgScriptExtension;
++
++ if ( isset( $_SERVER['QUERY_STRING'] )
++ && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++ {
++ // Bug 28235
++ // Block only Internet Explorer, and requests with missing UA
++ // headers that could be IE users behind a privacy proxy.
++ if ( !isset( $_SERVER['HTTP_USER_AGENT'] )
++ || preg_match( '/; *MSIE/', $_SERVER['HTTP_USER_AGENT'] ) )
++ {
++ return true;
++ }
++ }
++
++ if ( !isset( $_SERVER['PATH_INFO'] ) ) {
++ return false;
++ }
++ $pi = $_SERVER['PATH_INFO'];
++ $dotPos = strrpos( $pi, '.' );
++ if ( $dotPos === false ) {
++ return false;
++ }
++ $ext = substr( $pi, $dotPos );
++ return !in_array( $ext, array( $wgScriptExtension, '.php', '.php5' ) );
++ }
+ }
+
+ /**
+--- mediawiki-1.15.5.orig/api.php
++++ mediawiki-1.15.5/api.php
+@@ -56,9 +56,9 @@
+ } else {
+ $url = $_SERVER['PHP_SELF'];
+ }
+-if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
++if ( $wgRequest->isPathInfoBad() ) {
+ wfHttpError( 403, 'Forbidden',
+- 'API must be accessed through the primary script entry point.' );
++ 'Invalid file extension found in PATH_INFO or QUERY_STRING.' );
+ return;
+ }
+
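Review bot: The QUERY_STRING extension regex added to img_auth.php (`preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] )`) is a copy of the one inside the new WebRequest::isPathInfoBad(), with a third copy in images/.htaccess; the CVE-2011-1587 hunk later in this commit has to patch all three separately, which is exactly the drift this duplication invites. The two PHP copies already behave differently: img_auth.php calls wfForbidden() for every client, while isPathInfoBad() only returns true for an MSIE or missing User-Agent header. Either have img_auth.php call `$wgRequest->isPathInfoBad()` if the request object is available that early in the script (not visible here), or add a comment above the img_auth.php block such as `// Deliberately stricter than WebRequest::isPathInfoBad(): uploaded files get no User-Agent gating` so the difference reads as intentional rather than accidental.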
Added: mediawiki/sid-sec/debian/patches/CVE-2011-1579.patch
===================================================================
--- mediawiki/sid-sec/debian/patches/CVE-2011-1579.patch (rev 0)
+++ mediawiki/sid-sec/debian/patches/CVE-2011-1579.patch 2011-12-18 23:49:21 UTC (rev 287)
@@ -0,0 +1,80 @@
+Description: CSS validation error in wikitext parser
+ Wikipedia user Suffusion of Yellow discovered a CSS validation error
+ in the wikitext parser. This is an XSS issue for Internet Explorer
+ clients, and a privacy loss issue for other clients since it allows
+ the embedding of arbitrary remote images.
+Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85856
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28450
+Last-Update: 2011-12-17
+
+--- mediawiki-1.15.5.orig/includes/Sanitizer.php
++++ mediawiki-1.15.5/includes/Sanitizer.php
+@@ -646,28 +646,34 @@
+
+ /**
+ * Pick apart some CSS and check it for forbidden or unsafe structures.
+- * Returns a sanitized string, or false if it was just too evil.
++ * Returns a sanitized string. This sanitized string will have
++ * character references and escape sequences decoded, and comments
++ * stripped. If the input is just too evil, only a comment complaining
++ * about evilness will be returned.
+ *
+ * Currently URL references, 'expression', 'tps' are forbidden.
+ *
++ * NOTE: Despite the fact that character references are decoded, the
++ * returned string may contain character references given certain
++ * clever input strings. These character references must
++ * be escaped before the return value is embedded in HTML.
++ *
+ * @param string $value
+- * @return mixed
++ * @return string
+ */
+ static function checkCss( $value ) {
++ // Decode character references like {
+ $value = Sanitizer::decodeCharReferences( $value );
+
+- // Remove any comments; IE gets token splitting wrong
+- $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+-
+- // Remove anything after a comment-start token, to guard against
+- // incorrect client implementations.
+- $commentPos = strpos( $value, '/*' );
+- if ( $commentPos !== false ) {
+- $value = substr( $value, 0, $commentPos );
+- }
+-
+ // Decode escape sequences and line continuation
+ // See the grammar in the CSS 2 spec, appendix D.
++ // This has to be done AFTER decoding character references.
++ // This means it isn't possible for this function to return
++ // unsanitized escape sequences. It is possible to manufacture
++ // input that contains character references that decode to
++ // escape sequences that decode to character references, but
++ // it's OK for the return value to contain character references
++ // because the caller is supposed to escape those anyway.
+ static $decodeRegex, $reencodeTable;
+ if ( !$decodeRegex ) {
+ $space = '[\\x20\\t\\r\\n\\f]';
+@@ -684,6 +690,21 @@
+ $value = preg_replace_callback( $decodeRegex,
+ array( __CLASS__, 'cssDecodeCallback' ), $value );
+
++ // Remove any comments; IE gets token splitting wrong
++ // This must be done AFTER decoding character references and
++ // escape sequences, because those steps can introduce comments
++ // This step cannot introduce character references or escape
++ // sequences, because it replaces comments with spaces rather
++ // than removing them completely.
++ $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
++
++ // Remove anything after a comment-start token, to guard against
++ // incorrect client implementations.
++ $commentPos = strpos( $value, '/*' );
++ if ( $commentPos !== false ) {
++ $value = substr( $value, 0, $commentPos );
++ }
++
+ // Reject problematic keywords and control characters
+ if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
+ return '/* invalid control char */';
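Review bot: The docblock change from `@return mixed` to `@return string`, together with the new NOTE that the result may still contain character references, changes checkCss()'s contract for its callers, yet no caller is touched in this patch: a call site that tests the result with `=== false` will now never reject, and a site that embeds the result in HTML without escaping would not meet the requirement the NOTE paragraph now states. That is inferred from the docblock rather than visible here, so it is worth grepping callers of Sanitizer::checkCss in the 1.15.5 tree before shipping, since the backport may predate upstream's caller adjustments. checkCss() continues past the end of the hunk.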
Added: mediawiki/sid-sec/debian/patches/CVE-2011-1580.patch
===================================================================
--- mediawiki/sid-sec/debian/patches/CVE-2011-1580.patch (rev 0)
+++ mediawiki/sid-sec/debian/patches/CVE-2011-1580.patch 2011-12-18 23:49:21 UTC (rev 287)
@@ -0,0 +1,68 @@
+Description: access control check on transwiki import feature
+ The transwiki import feature is disabled by default. If it is enabled,
+ it allows wiki pages to be copied from a remote wiki listed in
+ $wgImportSources. The issue means that any user can trigger such an
+ import to occur.
+Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=85099
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28449
+Last-Update: 2011-12-17
+
+--- mediawiki-1.15.5.orig/includes/Title.php
++++ mediawiki-1.15.5/includes/Title.php
+@@ -1090,8 +1090,14 @@
+ $errors[] = array( 'confirmedittext' );
+ }
+
+- // Edit blocks should not affect reading. Account creation blocks handled at userlogin.
+- if ( $action != 'read' && $action != 'createaccount' && $user->isBlockedFrom( $this ) ) {
++ if ( in_array( $action, array( 'read', 'createaccount', 'unblock' ) ) ){
++ // Edit blocks should not affect reading.
++ // Account creation blocks handled at userlogin.
++ // Unblocking handled in SpecialUnblock
++ } elseif( ( $action == 'edit' || $action == 'create' ) && !$user->isBlockedFrom( $this ) ){
++ // Don't block the user from editing their own talk page unless they've been
++ // explicitly blocked from that too.
++ } elseif( $user->isBlocked() && $user->mBlock->prevents( $action ) !== false ) {
+ $block = $user->mBlock;
+
+ // This is from OutputPage::blockedPage
+--- mediawiki-1.15.5.orig/includes/specials/SpecialImport.php
++++ mediawiki-1.15.5/includes/specials/SpecialImport.php
+@@ -45,7 +45,7 @@
+ * Execute
+ */
+ function execute( $par ) {
+- global $wgRequest;
++ global $wgRequest, $wgUser, $wgOut;
+
+ $this->setHeaders();
+ $this->outputHeader();
+@@ -55,7 +55,18 @@
+ $wgOut->readOnlyPage();
+ return;
+ }
+-
++
++ if( !$wgUser->isAllowedAny( 'import', 'importupload' ) ) {
++ return $wgOut->permissionRequired( 'import' );
++ }
++
++ # TODO: allow Title::getUserPermissionsErrors() to take an array
++ # FIXME: Title::checkSpecialsAndNSPermissions() has a very wierd expectation of what
++ # getUserPermissionsErrors() might actually be used for, hence the 'ns-specialprotected'
++ $errors = wfMergeErrorArrays(
++ $this->getTitle()->getUserPermissionsErrors( 'import', $wgUser, true, array( 'ns-specialprotected' ) ),
++ $this->getTitle()->getUserPermissionsErrors( 'importupload', $wgUser, true, array( 'ns-specialprotected' ) )
++ );
+ if ( $wgRequest->wasPosted() && $wgRequest->getVal( 'action' ) == 'submit' ) {
+ $this->doImport();
+ }
+@@ -133,8 +144,6 @@
+
+ private function showForm() {
+ global $wgUser, $wgOut, $wgRequest, $wgTitle, $wgImportSources, $wgExportMaxLinkDepth;
+- if( !$wgUser->isAllowed( 'import' ) && !$wgUser->isAllowed( 'importupload' ) )
+- return $wgOut->permissionRequired( 'import' );
+
+ $action = $wgTitle->getLocalUrl( 'action=submit' );
+
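Review bot: In SpecialImport::execute() the `$errors` array built from the two getUserPermissionsErrors() calls is never consulted: control falls straight through to the `wasPosted()` check and doImport(), so the block handling added to Title.php in the same patch (the `$user->mBlock->prevents( $action )` branch) has no effect on imports and only the isAllowedAny() right check actually gates the action. Add, directly after the wfMergeErrorArrays() call, `if ( $errors ) { $wgOut->showPermissionsErrorPage( $errors ); return; }`. Separately, the removed showForm() lines used two isAllowed() calls where the new code uses isAllowedAny(), and Title.php now calls Block::prevents(); please confirm both methods exist in the 1.15.5 tree this is applied to, because a missing method here would be a fatal error on every Special:Import request (the class bodies are not visible from this diff). execute() continues past the end of the hunk.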
Added: mediawiki/sid-sec/debian/patches/CVE-2011-1587.patch
===================================================================
--- mediawiki/sid-sec/debian/patches/CVE-2011-1587.patch (rev 0)
+++ mediawiki/sid-sec/debian/patches/CVE-2011-1587.patch 2011-12-18 23:49:21 UTC (rev 287)
@@ -0,0 +1,37 @@
+Description: fix insufficient patch for CVE-2011-1578
+Origin: upstream,http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=86027
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=28507
+Last-Update: 2011-12-17
+
+--- mediawiki-1.15.5.orig/images/.htaccess
++++ mediawiki-1.15.5/images/.htaccess
+@@ -1,6 +1,6 @@
+ # Protect against bug 28235
+ <IfModule rewrite_module>
+ RewriteEngine On
+- RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
++ RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
+ RewriteRule . - [forbidden]
+ </IfModule>
+--- mediawiki-1.15.5.orig/img_auth.php
++++ mediawiki-1.15.5/img_auth.php
+@@ -27,7 +27,7 @@
+
+ // Check for bug 28235: QUERY_STRING overriding the correct extension
+ if ( isset( $_SERVER['QUERY_STRING'] )
+- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+ {
+ wfForbidden();
+ }
+--- mediawiki-1.15.5.orig/includes/WebRequest.php
++++ mediawiki-1.15.5/includes/WebRequest.php
+@@ -683,7 +683,7 @@
+ global $wgScriptExtension;
+
+ if ( isset( $_SERVER['QUERY_STRING'] )
+- && preg_match( '/\.[a-z]{1,4}$/i', $_SERVER['QUERY_STRING'] ) )
++ && preg_match( '/\.[a-z0-9]{1,4}(#|\?|$)/i', $_SERVER['QUERY_STRING'] ) )
+ {
+ // Bug 28235
+ // Block only Internet Explorer, and requests with missing UA
Modified: mediawiki/sid-sec/debian/patches/series
===================================================================
--- mediawiki/sid-sec/debian/patches/series 2011-12-18 23:44:13 UTC (rev 286)
+++ mediawiki/sid-sec/debian/patches/series 2011-12-18 23:49:21 UTC (rev 287)
@@ -9,5 +9,9 @@
fix_datetime.patch
CVE-2011-0047.patch
fix_invalid_sql.patch
+CVE-2011-1578.patch
+CVE-2011-1579.patch
+CVE-2011-1580.patch
+CVE-2011-1587.patch
CVE-2011-4360.patch
CVE-2011-4361.patch