[Pkg-mediawiki-commits] r401 - in mediawiki: branches/squeeze/debian branches/squeeze/debian/patches tarballs trunk/debian

Dominik George natureshadow-guest at alioth.debian.org
Thu Dec 13 09:37:17 UTC 2012


Author: natureshadow-guest
Date: 2012-12-13 09:37:17 +0000 (Thu, 13 Dec 2012)
New Revision: 401

Added:
   mediawiki/branches/squeeze/debian/patches/CVE-2012-5391.patch
   mediawiki/branches/squeeze/debian/patches/CVE-2012-5395.patch
   mediawiki/tarballs/mediawiki_1.19.3.orig.tar.gz
Modified:
   mediawiki/branches/squeeze/debian/changelog
   mediawiki/branches/squeeze/debian/patches/series
   mediawiki/trunk/debian/changelog
Log:
New upstream version 1.19.3 to fix security issues CVE-2012-5931 and CVE-2012-5935.
Backport of fixes to 1.15.5 for squeeze-security.


Modified: mediawiki/branches/squeeze/debian/changelog
===================================================================
--- mediawiki/branches/squeeze/debian/changelog	2012-11-29 15:56:33 UTC (rev 400)
+++ mediawiki/branches/squeeze/debian/changelog	2012-12-13 09:37:17 UTC (rev 401)
@@ -1,3 +1,12 @@
+mediawiki (1:1.15.5-2squeeze4.1) squeeze-security; urgency=low
+
+  * Team upload
+  * Security fixes from upstream (Closes: #694998):
+    CVE-2012-5391 - Prevent session fixation in Special:UserLogin
+    CVE-2012-5395 - Prevent linker regex from exceeding backtrack limit
+
+ -- Dominik George <nik at naturalnet.de>  Wed, 12 Dec 2012 11:08:56 +0100
+
 mediawiki (1:1.15.5-2squeeze4) stable; urgency=low
 
   * Disable CVE-2011-4360.patch, it causes ugly error messages in certain
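
Review bot: The new entry header sets urgency=low for an upload to squeeze-security that carries two CVE fixes, while the trunk changelog entry for the same fixes in this commit uses urgency=high. Consider raising the urgency here to match, or stating in the entry why the backport is low.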

Added: mediawiki/branches/squeeze/debian/patches/CVE-2012-5391.patch
===================================================================
--- mediawiki/branches/squeeze/debian/patches/CVE-2012-5391.patch	                        (rev 0)
+++ mediawiki/branches/squeeze/debian/patches/CVE-2012-5391.patch	2012-12-13 09:37:17 UTC (rev 401)
@@ -0,0 +1,33 @@
+Description: Prevent session fixation in Special:UserLogin (CVE-2012-5391)
+ Sessions id's in the default MediaWiki authentication are not refreshed on
+ login or logout. An attacker can use this to impersonate a user.
+Author: Chris Steipp <csteipp at wikimedia.org>
+Origin: upstream, https://gerrit.wikimedia.org/r/#/c/36079/
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=40995
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694998
+Reviewed-by: Dominik George <nik at naturalnet.de>
+--- a/includes/specials/SpecialUserlogin.php
++++ b/includes/specials/SpecialUserlogin.php
+@@ -591,6 +591,8 @@
+ 					global $wgLang, $wgRequest;
+ 					$code = $wgRequest->getVal( 'uselang', $wgUser->getOption( 'language' ) );
+ 					$wgLang = Language::factory( $code );
++                                        // Reset SessionID on Successful login (bug 40995)
++                                        $this->renewSessionId();
+ 					return $this->successfulLogin();
+ 				} else {
+ 					return $this->cookieRedirectCheck( 'login' );
+@@ -1062,6 +1064,13 @@
+ 		$wgRequest->setSessionData( 'wsCreateaccountToken', null );
+ 	}
+ 
++        /**
++         * Renew the user's session id
++         */
++        private function renewSessionId() {
++                session_regenerate_id( false );
++        }
++
+ 	/**
+ 	 * @private
+ 	 */
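
Review bot: In the first inner hunk (@@ -591,6 +591,8 @@), renewSessionId() is called only on the branch that returns successfulLogin(); the else branch returning cookieRedirectCheck( 'login' ) gets no regeneration, and nothing in the patch touches logout although the Description says ids are not refreshed "on login or logout". Please confirm the redirect path cannot finish a login on the pre-login id, and either cover logout or narrow the Description to login. In renewSessionId(), session_regenerate_id( false ) leaves the old session's stored data in place under the old id; a one-line comment on why false was chosen over true would help the next reader. The added lines are also indented with spaces where the surrounding code uses tabs.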

Added: mediawiki/branches/squeeze/debian/patches/CVE-2012-5395.patch
===================================================================
--- mediawiki/branches/squeeze/debian/patches/CVE-2012-5395.patch	                        (rev 0)
+++ mediawiki/branches/squeeze/debian/patches/CVE-2012-5395.patch	2012-12-13 09:37:17 UTC (rev 401)
@@ -0,0 +1,50 @@
+Description: Prevent linker regex from exceeding PCRE backtrack limit
+ Sessions id's in the default MediaWiki authentication are not refreshed on
+ login or logout. An attacker can use this to impersonate a user.
+Author: Chris Steipp <csteipp at wikimedia.org>
+Origin: upstream
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=41400
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694998
+Reviewed-by: Dominik George <nik at naturalnet.de>
+--- a/includes/Linker.php
++++ b/includes/Linker.php
+@@ -1297,7 +1297,18 @@
+ 	 */
+ 	public function formatLinksInComment( $comment ) {
+ 		return preg_replace_callback(
+-			'/\[\[:?(.*?)(\|(.*?))*\]\]([^[]*)/',
++                        '/
++                                \[\[
++                                :? # ignore optional leading colon
++                                ([^\]|]+) # 1. link target; page names cannot include ] or |
++                                (?:\|
++                                        # 2. a pipe-separated substring; only the last is captured
++                                        # Stop matching at | and ]] without relying on backtracking.
++                                        ((?:]?[^\]|])*+)
++                                )*
++                                \]\]
++                                ([^[]*) # 3. link trail (the text up until the next link)
++                        /x',
+ 			array( $this, 'formatLinksInCommentCallback' ),
+ 			$comment );
+ 	}
+@@ -1316,8 +1327,8 @@
+ 		}
+ 
+ 		# Handle link renaming [[foo|text]] will show link as "text"
+-		if( "" != $match[3] ) {
+-			$text = $match[3];
++		if( "" != $match[2] ) {
++			$text = $match[2];
+ 		} else {
+ 			$text = $match[1];
+ 		}
+@@ -1328,7 +1339,7 @@
+ 			$thelink = $this->makeMediaLink( $submatch[1], "", $text );
+ 		} else {
+ 			# Other kind of link
+-			if( preg_match( $wgContLang->linkTrail(), $match[4], $submatch ) ) {
++			if( preg_match( $wgContLang->linkTrail(), $match[3], $submatch ) ) {
+ 				$trail = $submatch[1];
+ 			} else {
+ 				$trail = "";
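
Review bot: The long description in this patch header (the two lines under "Description:") is copied from CVE-2012-5391.patch and talks about session ids; it should describe the regex in formatLinksInComment() exceeding the PCRE backtrack limit. The Description title also omits the CVE id that the sibling patch header carries, and "Origin: upstream" gives no change URL. In the code, the pipe alternative is now a non-capturing group with a single inner capture, so the renumbering from $match[3] to $match[2] and from $match[4] to $match[3] is consistent with the new pattern; please check formatLinksInCommentCallback() for any other $match index outside the lines shown here. The new regex lines are indented with spaces where the file uses tabs.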

Modified: mediawiki/branches/squeeze/debian/patches/series
===================================================================
--- mediawiki/branches/squeeze/debian/patches/series	2012-11-29 15:56:33 UTC (rev 400)
+++ mediawiki/branches/squeeze/debian/patches/series	2012-12-13 09:37:17 UTC (rev 401)
@@ -13,3 +13,5 @@
 CVE-2011-1587.patch
 CVE-2011-4361.patch
 CVE-2012-0046.patch
+CVE-2012-5391.patch
+CVE-2012-5395.patch

Added: mediawiki/tarballs/mediawiki_1.19.3.orig.tar.gz
===================================================================
(Binary files differ)


Property changes on: mediawiki/tarballs/mediawiki_1.19.3.orig.tar.gz
___________________________________________________________________
Added: svn:mime-type
   + application/octet-stream

Modified: mediawiki/trunk/debian/changelog
===================================================================
--- mediawiki/trunk/debian/changelog	2012-11-29 15:56:33 UTC (rev 400)
+++ mediawiki/trunk/debian/changelog	2012-12-13 09:37:17 UTC (rev 401)
@@ -1,3 +1,14 @@
+mediawiki (1:1.19.3-1) unstable; urgency=high
+
+  * Team upload
+  * New upstream version fixes security issues (Closes: 694998).
+    + Prevent session fixation in Special:UserLogin (CVE-2012-5391)
+      https://bugzilla.wikimedia.org/show_bug.cgi?id=40995
+    + Prevent linker regex from exceeding PCRE backtrack limit
+      https://bugzilla.wikimedia.org/show_bug.cgi?id=41400
+
+ -- Dominik George <nik at naturalnet.de>  Wed, 12 Dec 2012 09:44:08 +0100
+
 mediawiki (1:1.19.2-2) unstable; urgency=low
 
   * debian/watch: mangle the epoch away so DDPO is green again
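
Review bot: The second fix item in the new entry ("Prevent linker regex from exceeding PCRE backtrack limit") names no CVE, while the first item carries (CVE-2012-5391) and the squeeze changelog in this same commit lists the regex fix as CVE-2012-5395. Add the id so both items can be matched to their CVEs. "Closes: 694998" is also written without the "#" used in the squeeze entry; making the two consistent would be tidier.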



