[Pkg-mediawiki-commits] r401 - in mediawiki: branches/squeeze/debian branches/squeeze/debian/patches tarballs trunk/debian
Dominik George
natureshadow-guest at alioth.debian.org
Thu Dec 13 09:37:17 UTC 2012
Author: natureshadow-guest
Date: 2012-12-13 09:37:17 +0000 (Thu, 13 Dec 2012)
New Revision: 401
Added:
mediawiki/branches/squeeze/debian/patches/CVE-2012-5391.patch
mediawiki/branches/squeeze/debian/patches/CVE-2012-5395.patch
mediawiki/tarballs/mediawiki_1.19.3.orig.tar.gz
Modified:
mediawiki/branches/squeeze/debian/changelog
mediawiki/branches/squeeze/debian/patches/series
mediawiki/trunk/debian/changelog
Log:
New upstream version 1.19.3 to fix security issues CVE-2012-5931 and CVE-2012-5935.
Backport of fixes to 1.15.5 for squeeze-security.
Modified: mediawiki/branches/squeeze/debian/changelog
===================================================================
--- mediawiki/branches/squeeze/debian/changelog 2012-11-29 15:56:33 UTC (rev 400)
+++ mediawiki/branches/squeeze/debian/changelog 2012-12-13 09:37:17 UTC (rev 401)
@@ -1,3 +1,12 @@
+mediawiki (1:1.15.5-2squeeze4.1) squeeze-security; urgency=low
+
+ * Team upload
+ * Security fixes from upstream (Closes: #694998):
+ CVE-2012-5391 - Prevent session fixation in Special:UserLogin
+ CVE-2012-5395 - Prevent linker regex from exceeding backtrack limit
+
+ -- Dominik George <nik at naturalnet.de> Wed, 12 Dec 2012 11:08:56 +0100
+
mediawiki (1:1.15.5-2squeeze4) stable; urgency=low
* Disable CVE-2011-4360.patch, it causes ugly error messages in certain
Added: mediawiki/branches/squeeze/debian/patches/CVE-2012-5391.patch
===================================================================
--- mediawiki/branches/squeeze/debian/patches/CVE-2012-5391.patch (rev 0)
+++ mediawiki/branches/squeeze/debian/patches/CVE-2012-5391.patch 2012-12-13 09:37:17 UTC (rev 401)
@@ -0,0 +1,33 @@
+Description: Prevent session fixation in Special:UserLogin (CVE-2012-5391)
+ Sessions id's in the default MediaWiki authentication are not refreshed on
+ login or logout. An attacker can use this to impersonate a user.
+Author: Chris Steipp <csteipp at wikimedia.org>
+Origin: upstream, https://gerrit.wikimedia.org/r/#/c/36079/
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=40995
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694998
+Reviewed-by: Dominik George <nik at naturalnet.de>
+--- a/includes/specials/SpecialUserlogin.php
++++ b/includes/specials/SpecialUserlogin.php
+@@ -591,6 +591,8 @@
+ global $wgLang, $wgRequest;
+ $code = $wgRequest->getVal( 'uselang', $wgUser->getOption( 'language' ) );
+ $wgLang = Language::factory( $code );
++ // Reset SessionID on Successful login (bug 40995)
++ $this->renewSessionId();
+ return $this->successfulLogin();
+ } else {
+ return $this->cookieRedirectCheck( 'login' );
+@@ -1062,6 +1064,13 @@
+ $wgRequest->setSessionData( 'wsCreateaccountToken', null );
+ }
+
++ /**
++ * Renew the user's session id
++ */
++ private function renewSessionId() {
++ session_regenerate_id( false );
++ }
++
+ /**
+ * @private
+ */
Added: mediawiki/branches/squeeze/debian/patches/CVE-2012-5395.patch
===================================================================
--- mediawiki/branches/squeeze/debian/patches/CVE-2012-5395.patch (rev 0)
+++ mediawiki/branches/squeeze/debian/patches/CVE-2012-5395.patch 2012-12-13 09:37:17 UTC (rev 401)
@@ -0,0 +1,50 @@
+Description: Prevent linker regex from exceeding PCRE backtrack limit
+ Sessions id's in the default MediaWiki authentication are not refreshed on
+ login or logout. An attacker can use this to impersonate a user.
+Author: Chris Steipp <csteipp at wikimedia.org>
+Origin: upstream
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=41400
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694998
+Reviewed-by: Dominik George <nik at naturalnet.de>
+--- a/includes/Linker.php
++++ b/includes/Linker.php
+@@ -1297,7 +1297,18 @@
+ */
+ public function formatLinksInComment( $comment ) {
+ return preg_replace_callback(
+- '/\[\[:?(.*?)(\|(.*?))*\]\]([^[]*)/',
++ '/
++ \[\[
++ :? # ignore optional leading colon
++ ([^\]|]+) # 1. link target; page names cannot include ] or |
++ (?:\|
++ # 2. a pipe-separated substring; only the last is captured
++ # Stop matching at | and ]] without relying on backtracking.
++ ((?:]?[^\]|])*+)
++ )*
++ \]\]
++ ([^[]*) # 3. link trail (the text up until the next link)
++ /x',
+ array( $this, 'formatLinksInCommentCallback' ),
+ $comment );
+ }
+@@ -1316,8 +1327,8 @@
+ }
+
+ # Handle link renaming [[foo|text]] will show link as "text"
+- if( "" != $match[3] ) {
+- $text = $match[3];
++ if( "" != $match[2] ) {
++ $text = $match[2];
+ } else {
+ $text = $match[1];
+ }
+@@ -1328,7 +1339,7 @@
+ $thelink = $this->makeMediaLink( $submatch[1], "", $text );
+ } else {
+ # Other kind of link
+- if( preg_match( $wgContLang->linkTrail(), $match[4], $submatch ) ) {
++ if( preg_match( $wgContLang->linkTrail(), $match[3], $submatch ) ) {
+ $trail = $submatch[1];
+ } else {
+ $trail = "";
Modified: mediawiki/branches/squeeze/debian/patches/series
===================================================================
--- mediawiki/branches/squeeze/debian/patches/series 2012-11-29 15:56:33 UTC (rev 400)
+++ mediawiki/branches/squeeze/debian/patches/series 2012-12-13 09:37:17 UTC (rev 401)
@@ -13,3 +13,5 @@
CVE-2011-1587.patch
CVE-2011-4361.patch
CVE-2012-0046.patch
+CVE-2012-5391.patch
+CVE-2012-5395.patch
Added: mediawiki/tarballs/mediawiki_1.19.3.orig.tar.gz
===================================================================
(Binary files differ)
Property changes on: mediawiki/tarballs/mediawiki_1.19.3.orig.tar.gz
___________________________________________________________________
Added: svn:mime-type
+ application/octet-stream
Modified: mediawiki/trunk/debian/changelog
===================================================================
--- mediawiki/trunk/debian/changelog 2012-11-29 15:56:33 UTC (rev 400)
+++ mediawiki/trunk/debian/changelog 2012-12-13 09:37:17 UTC (rev 401)
@@ -1,3 +1,14 @@
+mediawiki (1:1.19.3-1) unstable; urgency=high
+
+ * Team upload
+ * New upstream version fixes security issues (Closes: 694998).
+ + Prevent session fixation in Special:UserLogin (CVE-2012-5391)
+ https://bugzilla.wikimedia.org/show_bug.cgi?id=40995
+ + Prevent linker regex from exceeding PCRE backtrack limit
+ https://bugzilla.wikimedia.org/show_bug.cgi?id=41400
+
+ -- Dominik George <nik at naturalnet.de> Wed, 12 Dec 2012 09:44:08 +0100
+
mediawiki (1:1.19.2-2) unstable; urgency=low
* debian/watch: mangle the epoch away so DDPO is green again
More information about the Pkg-mediawiki-commits
mailing list