[Pkg-mediawiki-commits] r491 - in mediawiki/branches/nmu-merge/debian: . patches po

Thorsten Glaser tg at moszumanska.debian.org
Tue Dec 31 09:52:28 UTC 2013


Author: tg
Date: 2013-12-31 09:52:27 +0000 (Tue, 31 Dec 2013)
New Revision: 491

Added:
   mediawiki/branches/nmu-merge/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch
   mediawiki/branches/nmu-merge/debian/patches/fix_CVE-2013-4572.patch
   mediawiki/branches/nmu-merge/debian/po/pl.po
Modified:
   mediawiki/branches/nmu-merge/debian/changelog
   mediawiki/branches/nmu-merge/debian/patches/series
Log:
merge mediawiki (1:1.19.8+dfsg-2.2) by David Prévot


Modified: mediawiki/branches/nmu-merge/debian/changelog
===================================================================
--- mediawiki/branches/nmu-merge/debian/changelog	2013-12-31 09:50:30 UTC (rev 490)
+++ mediawiki/branches/nmu-merge/debian/changelog	2013-12-31 09:52:27 UTC (rev 491)
@@ -1,3 +1,19 @@
+mediawiki (1:1.19.8+dfsg-2.2) unstable; urgency=high
+
+  * Non-maintainer upload
+  * Security fixes (Closes: #729629):
+    - Kevin Israel (Wikipedia user PleaseStand) identified and reported two
+      vectors for injecting Javascript in CSS that bypassed MediaWiki's
+      blacklist [CVE-2013-4567, CVE-2013-4568]
+    - Internal review while debugging a site issue discovered that MediaWiki
+      and the CentralNotice extension were incorrectly setting cache headers
+      when a user was autocreated, causing the user's session cookies to be
+      cached, and returned to other users [CVE-2013-4572]
+  * New Polish debconf translation, thanks to Magdalena Z. Kubot
+    (Closes: #731381)
+
+ -- David Prévot <taffit at debian.org>  Sun, 08 Dec 2013 16:13:40 -0400
+
 mediawiki (1:1.19.8+dfsg-2.1) unstable; urgency=low
 
   * Provide includes/libs in mediawiki-classes (Closes: #703837)
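Review bot: the CVE-2013-4572 bullet says the bug affected "MediaWiki and the CentralNotice extension", but the patch this revision adds only touches core files (includes/actions/RawAction.php and includes/specials/SpecialUploadStash.php). If CentralNotice is not shipped by this package, the changelog should say that only the core part is fixed here, so a reader does not assume the extension was patched as well.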

Added: mediawiki/branches/nmu-merge/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch
===================================================================
--- mediawiki/branches/nmu-merge/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch	                        (rev 0)
+++ mediawiki/branches/nmu-merge/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch	2013-12-31 09:52:27 UTC (rev 491)
@@ -0,0 +1,153 @@
+Description: Sanitizer::checkCss blacklist can be bypassed using vertical tab (ASCII 11)
+
+Kevin Israel (Wikipedia user PleaseStand) identified and reported two
+vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist
+(CVE-2013-4567, CVE-2013-4568).
+
+Author: Chris Steipp, <csteipp at wikimedia.org>
+Origin: upstream, https://bugzilla.wikimedia.org/attachment.cgi?id=13772&action=difr
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=55332
+Bug-Debian: http://bugs.debian.org/729629
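Review bot: the `Origin:` URL ends in `action=difr`, which looks like a typo for `action=diff` (compare the `Origin:` line of fix_CVE-2013-4572.patch, which uses `action=diff`); as written the link may not resolve to the upstream diff. Worth correcting in the DEP-3 header before upload.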
+--- a/includes/Sanitizer.php
++++ b/includes/Sanitizer.php
+@@ -882,6 +882,21 @@
+ 		$value = preg_replace_callback( $decodeRegex,
+ 			array( __CLASS__, 'cssDecodeCallback' ), $value );
+ 
++		// Normalize Halfwidth and Fullwidth Unicode block that IE6 might treat as ascii
++		$value = preg_replace_callback(
++			'/[!-z]/u', // U+FF01 to U+FF5A
++			array( __CLASS__, 'cssNormalizeUnicodeWidth' ),
++			$value
++		);
++
++		// Convert more characters IE6 might treat as ascii
++		// U+0280, U+0274, U+207F, U+029F, U+026A, U+207D, U+208D
++		$value = str_replace(
++			array( 'ʀ', 'ɴ', 'ⁿ', 'ʟ', 'ɪ', '⁽', '₍' ),
++			array( 'r', 'n', 'n', 'l', 'i', '(', '(' ),
++			$value
++		);
++
+ 		// Remove any comments; IE gets token splitting wrong
+ 		// This must be done AFTER decoding character references and
+ 		// escape sequences, because those steps can introduce comments
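Review bot: the character class in `'/[!-z]/u'` renders here as plain ASCII `!` and `z`, while the comment beside it says U+FF01 to U+FF5A. If those are fullwidth characters that lost their width in transit, the intent is invisible to a reader of the patch; if they really are ASCII, the class matches every printable character from `!` to `z` and `cssNormalizeUnicodeWidth` would then subtract 65248 from code points far below it. Either way, writing the range as `'/[\x{FF01}-\x{FF5A}]/u'` makes the fullwidth range explicit and immune to encoding damage. The placement is right: both normalisation steps run before the comment-stripping block, which the existing comment says must follow any step that can introduce new characters.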
+@@ -897,8 +912,24 @@
+ 			$value = substr( $value, 0, $commentPos );
+ 		}
+ 
++		// S followed by repeat, iteration, or prolonged sound marks,
++		// which IE will treat as "ss"
++		$value = preg_replace(
++			'/s(?:
++				\xE3\x80\xB1 | # U+3031
++				\xE3\x82\x9D | # U+309D
++				\xE3\x83\xBC | # U+30FC
++				\xE3\x83\xBD | # U+30FD
++				\xEF\xB9\xBC | # U+FE7C
++				\xEF\xB9\xBD | # U+FE7D
++				\xEF\xBD\xB0   # U+FF70
++			)/ix',
++			'ss',
++			$value
++		);
++
+ 		// Reject problematic keywords and control characters
+-		if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
++		if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
+ 			return '/* invalid control char */';
+ 		} elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
+ 			return '/* insecure input */';
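Review bot: the control-character class gains `\013` (vertical tab, ASCII 11, as the Description says), but `\014` (form feed) is now the only C0 character besides tab, LF and CR that the class still lets through; a one-line comment on why `\011`, `\012`, `\014` and `\015` remain permitted would save the next reader from re-asking for FF the question this fix answers for VT. The new `preg_replace` spells the marks as raw UTF-8 byte escapes (`\xE3\x80\xB1` and so on) under `/ix` with deliberately no `u` modifier; a comment saying so would stop someone "fixing" it by adding `u`, under which `\xE3` would be read as the code point U+00E3 rather than a byte. The `i` flag also makes the leading `s` match `S`, which matches the IE behaviour the comment describes.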
+@@ -907,6 +938,19 @@
+ 	}
+ 
+ 	/**
++	 * Normalize Unicode U+FF01 to U+FF5A
++	 * @param character $char
++	 * @return character in ASCII range \x21-\x7A
++	 */
++	static function cssNormalizeUnicodeWidth( $matches ) {
++		$cp = utf8ToCodepoint( $matches[0] );
++		if ( $cp === false ) {
++			return '';
++		}
++		return chr( $cp - 65248 ); // ASCII range \x21-\x7A
++	}
++
++	/**
+ 	 * @param $matches array
+ 	 * @return String
+ 	 */
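Review bot: the docblock for `cssNormalizeUnicodeWidth` does not match its signature: it documents `@param character $char` and a `character` return, but the function receives the `$matches` array from `preg_replace_callback` and returns a string. Suggest `@param array $matches` and `@return string`, and writing the magic number as `0xFEE0` (65248) with a note that U+FF01..U+FF5A minus 0xFEE0 is exactly 0x21..0x7A, which is what the trailing comment asserts.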
+--- a/tests/parser/parserTests.txt
++++ b/tests/parser/parserTests.txt
+@@ -5059,6 +5059,70 @@
+ 
+ !! end
+ 
++!! test
++CSS safety test: vertical tab
++!! input
++<p style="font-size: 100px; background-image:url\b(https://www.google.com/images/srpr/logo6w.png)">A</p>
++!! result
++<p style="/* invalid control char */">A</p>
++
++!! end
++
++!! test
++MSIE CSS safety test: Fullwidth
++!! input
++<p style="font-size: 100px; color: expression((title='XSSed'),'red')">A</p>
++<div style="top:EXPRESSION(alert())">B</div>
++!! result
++<p style="/* insecure input */">A</p>
++<div style="/* insecure input */">B</div>
++
++!! end
++
++!! test
++MSIE CSS safety test: IPA extensions
++!! input
++<div style="background-image:uʀʟ(javascript:alert())">A</div>
++<p style="font-size: 100px; color: expʀessɪoɴ((title='XSSed'),'red')">B</p>
++!! result
++<div style="/* insecure input */">A</div>
++<p style="/* insecure input */">B</p>
++
++!! end
++
++!! test
++MSIE CSS safety test: sup/sub script
++!! input
++<div style="background-image:url⁽javascript:alert())">A</div>
++<div style="background-image:url₍javascript:alert())">B</div>
++<p style="font-size: 100px; color: expressioⁿ((title='XSSed'),'red')">C</p>
++!! result
++<div style="/* insecure input */">A</div>
++<div style="/* insecure input */">B</div>
++<p style="/* insecure input */">C</p>
++
++!! end
++
++!! test
++MSIE CSS safety test: Repetition markers
++!! input
++<p style="font-size: 100px; color: expres〱ion((title='XSSed'),'red')">A</p>
++<p style="font-size: 100px; color: expresゝion((title='XSSed'),'red')">B</p>
++<p style="font-size: 100px; color: expresーion((title='XSSed'),'red')">C</p>
++<p style="font-size: 100px; color: expresヽion((title='XSSed'),'red')">D</p>
++<p style="font-size: 100px; color: expresﹽion((title='XSSed'),'red')">E</p>
++<p style="font-size: 100px; color: expresﹼion((title='XSSed'),'red')">F</p>
++<p style="font-size: 100px; color: expresーion((title='XSSed'),'red')">G</p>
++!! result
++<p style="/* insecure input */">A</p>
++<p style="/* insecure input */">B</p>
++<p style="/* insecure input */">C</p>
++<p style="/* insecure input */">D</p>
++<p style="/* insecure input */">E</p>
++<p style="/* insecure input */">F</p>
++<p style="/* insecure input */">G</p>
++
++!! end
+ 
+ !! test
+ Table attribute legitimate extension
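Review bot: in "MSIE CSS safety test: Repetition markers", rows C and G read as the same character here (`expresーion`), whereas the Sanitizer regex lists seven distinct code points (U+3031, U+309D, U+30FC, U+30FD, U+FE7C, U+FE7D, U+FF70); please confirm that G carries the halfwidth U+FF70 rather than a second U+30FC, otherwise that branch of the alternation has no test. The vertical-tab test uses the CSS escape `\b`, so it exercises the decode-then-check ordering rather than the new `\013` class entry on its own; a second input containing the raw byte would cover the class change directly. The new cases check only `expression` and `url(`; the same keyword check also guards `filter:` and `accelerator:`, and one normalised spelling of each would confirm the fix is not keyword-specific.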

Added: mediawiki/branches/nmu-merge/debian/patches/fix_CVE-2013-4572.patch
===================================================================
--- mediawiki/branches/nmu-merge/debian/patches/fix_CVE-2013-4572.patch	                        (rev 0)
+++ mediawiki/branches/nmu-merge/debian/patches/fix_CVE-2013-4572.patch	2013-12-31 09:52:27 UTC (rev 491)
@@ -0,0 +1,36 @@
+Description: Multiple users with the same session ID
+
+Internal review while debugging a site issue discovered that MediaWiki
+and the CentralNotice extension were incorrectly setting cache headers when
+a user was autocreated, causing the user's session cookies to be cached,
+and returned to other users (CVE-2013-4572).
+
+Author: Chris Steipp, <csteipp at wikimedia.org>
+Origin: upstream, https://bugzilla.wikimedia.org/attachment.cgi?id=13779&action=diff
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=53032
+Bug-Debian: http://bugs.debian.org/729629
+--- a/includes/actions/RawAction.php
++++ b/includes/actions/RawAction.php
+@@ -79,6 +79,11 @@
+ 		# Output may contain user-specific data;
+ 		# vary generated content for open sessions on private wikis
+ 		$privateCache = !$wgGroupPermissions['*']['read'] && ( $smaxage == 0 || session_id() != '' );
++		// Bug 53032 - make this private if user is logged in,
++		// so we don't accidentally cache cookies
++		if ( !$privateCache ) {
++			$privateCache = $this->getUser()->isLoggedIn();
++		}
+ 		# allow the client to cache this for 24 hours
+ 		$mode = $privateCache ? 'private' : 'public';
+ 		$response->header( 'Cache-Control: ' . $mode . ', s-maxage=' . $smaxage . ', max-age=' . $maxage );
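Review bot: the guard `if ( !$privateCache )` around a plain boolean assignment is equivalent to `$privateCache = $privateCache || $this->getUser()->isLoggedIn();`, which reads as a single condition. Logically the hunk broadens the fix beyond the autocreation case named in the Description: every logged-in user now gets `private`, which is the safe direction given that the Description says this is where session cookies were being cached, but the comment should state that the wider scope is intended. Also note that once the mode is `private`, the `s-maxage` value emitted in the same header is ignored by shared caches, so `$smaxage` is harmless but misleading in that branch.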
+--- a/includes/specials/SpecialUploadStash.php
++++ b/includes/specials/SpecialUploadStash.php
+@@ -279,6 +279,8 @@
+ 		header( "Content-Type: $contentType", true );
+ 		header( 'Content-Transfer-Encoding: binary', true );
+ 		header( 'Expires: Sun, 17-Jan-2038 19:14:07 GMT', true );
++		// Bug 53032 - It shouldn't be a problem here, but let's be safe and not cache
++		header( 'Cache-Control: private' );
+ 		header( "Content-Length: $size", true );
+ 	}
+ 
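Review bot: the new `header( 'Cache-Control: private' )` omits the `true` replace argument that every neighbouring `header()` call passes; `true` is PHP's default so behaviour is unchanged, but matching the surrounding calls avoids the question. More substantively, the far-future `Expires: Sun, 17-Jan-2038 19:14:07 GMT` stays in place, so a browser will still keep the stash response indefinitely; `private` only keeps shared caches out. If the "let's be safe and not cache" intent is to avoid caching altogether, that needs `no-store` or the removal of the Expires header; if browser caching is wanted, the comment should say so.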

Modified: mediawiki/branches/nmu-merge/debian/patches/series
===================================================================
--- mediawiki/branches/nmu-merge/debian/patches/series	2013-12-31 09:50:30 UTC (rev 490)
+++ mediawiki/branches/nmu-merge/debian/patches/series	2013-12-31 09:52:27 UTC (rev 491)
@@ -9,3 +9,5 @@
 fix_warnings.patch
 mimetypes.patch
 suppress_warnings.patch
+fix_CVE-2013-4567_and_CVE-2013-4568.patch
+fix_CVE-2013-4572.patch

Added: mediawiki/branches/nmu-merge/debian/po/pl.po
===================================================================
--- mediawiki/branches/nmu-merge/debian/po/pl.po	                        (rev 0)
+++ mediawiki/branches/nmu-merge/debian/po/pl.po	2013-12-31 09:52:27 UTC (rev 491)
@@ -0,0 +1,31 @@
+# Translation of mediawiki debconf templates to Polish
+# Copyright (C) 2004
+# This file is distributed under the same license as the mediawiki package.
+# 
+# Magdalena Z. Kubot <magdalena.kubot at gmail.com>, 2013.
+msgid ""
+msgstr ""
+"Project-Id-Version: mediawiki\n"
+"Report-Msgid-Bugs-To: pkg-mediawiki-devel at lists.alioth.debian.org\n"
+"POT-Creation-Date: 2007-10-22 02:37+0200\n"
+"PO-Revision-Date: 2013-12-04 20:50+0100\n"
+"Last-Translator: Magdalena Z. Kubot <magdalena.kubot at gmail.com>\n"
+"Language-Team: Polish <debian-l10n-polish at lists.debian.org>\n"
+"Language: pl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
+
+#. Type: multiselect
+#. Description
+#: ../templates:2001
+msgid "Web server(s) to configure automatically:"
+msgstr "Serwery WWW do automatycznej konfiguracji:"
+
+#. Type: multiselect
+#. Description
+#: ../templates:2001
+msgid "Please select the web server(s) that should be configured automatically for MediaWiki."
+msgstr "Proszę wybrać serwery WWW, które mają być skonfigurowane automatycznie dla MediaWiki."
+
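Review bot: the header comment `# Copyright (C) 2004` names no copyright holder and predates the 2013 translation credited two lines below; fill in the holder (the translator, following the usual debconf PO convention) or drop the stale year so the licence statement is complete. The `# ` line also carries trailing whitespace.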



