[Pkg-mediawiki-commits] r492 - in mediawiki: branches trunk/debian trunk/debian/patches trunk/debian/po

Thorsten Glaser tg at moszumanska.debian.org
Tue Dec 31 10:04:43 UTC 2013


Author: tg
Date: 2013-12-31 10:04:43 +0000 (Tue, 31 Dec 2013)
New Revision: 492

Added:
   mediawiki/trunk/debian/mediawiki-classes.install
   mediawiki/trunk/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch
   mediawiki/trunk/debian/patches/fix_CVE-2013-4572.patch
   mediawiki/trunk/debian/po/pl.po
Removed:
   mediawiki/branches/nmu-merge/
Modified:
   mediawiki/trunk/debian/changelog
   mediawiki/trunk/debian/control
   mediawiki/trunk/debian/patches/series
   mediawiki/trunk/debian/rules
Log:
merge what happened between my last commit


Modified: mediawiki/trunk/debian/changelog
===================================================================
--- mediawiki/trunk/debian/changelog	2013-12-31 09:52:27 UTC (rev 491)
+++ mediawiki/trunk/debian/changelog	2013-12-31 10:04:43 UTC (rev 492)
@@ -9,6 +9,28 @@
 
  -- Jonathan Wiltshire <jmw at debian.org>  Sat, 28 Sep 2013 21:30:15 +0100
 
+mediawiki (1:1.19.8+dfsg-2.2) unstable; urgency=high
+
+  * Non-maintainer upload
+  * Security fixes (Closes: #729629):
+    - Kevin Israel (Wikipedia user PleaseStand) identified and reported two
+      vectors for injecting Javascript in CSS that bypassed MediaWiki's
+      blacklist [CVE-2013-4567, CVE-2013-4568]
+    - Internal review while debugging a site issue discovered that MediaWiki
+      and the CentralNotice extension were incorrectly setting cache headers
+      when a user was autocreated, causing the user's session cookies to be
+      cached, and returned to other users [CVE-2013-4572]
+  * New Polish debconf translation, thanks to Magdalena Z. Kubot
+    (Closes: #731381)
+
+ -- David Prévot <taffit at debian.org>  Sun, 08 Dec 2013 16:13:40 -0400
+
+mediawiki (1:1.19.8+dfsg-2.1) unstable; urgency=low
+
+  * Provide includes/libs in mediawiki-classes (Closes: #703837)
+
+ -- David Prévot <taffit at debian.org>  Wed, 23 Oct 2013 11:29:27 -0400
+
 mediawiki (1:1.19.8+dfsg-2) unstable; urgency=low
 
   [ Thorsten Glaser ]
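Review bot: the two NMU entries (1:1.19.8+dfsg-2.1 dated 23 Oct 2013 and 1:1.19.8+dfsg-2.2 dated 8 Dec 2013) land below the existing top entry signed 28 Sep 2013, so the entry that supersedes them is currently dated earlier than the uploads it supersedes; when that top entry is finalized it should acknowledge both NMUs and carry a release date after 8 Dec 2013 so the changelog stays chronologically consistent.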

Modified: mediawiki/trunk/debian/control
===================================================================
--- mediawiki/trunk/debian/control	2013-12-31 09:52:27 UTC (rev 491)
+++ mediawiki/trunk/debian/control	2013-12-31 10:04:43 UTC (rev 492)
@@ -13,7 +13,7 @@
 
 Package: mediawiki
 Architecture: all
-Depends: apache2 | httpd, php5, php5-mysql | php5-pgsql | php5-sqlite | php5-mysqlnd, mime-support, libjs-jquery, libjs-jquery-tipsy, libjs-jquery-cookie, libjs-jquery-form, ${misc:Depends}
+Depends: apache2 | httpd, php5, php5-mysql | php5-pgsql | php5-sqlite | php5-mysqlnd, mime-support, libjs-jquery, libjs-jquery-tipsy, libjs-jquery-cookie, libjs-jquery-form, mediawiki-classes, ${misc:Depends}
 Recommends: mysql-server | postgresql-contrib, php5-cli, python, php-wikidiff2, mediawiki-extensions-base
 Suggests: imagemagick | php5-gd, mediawiki-extensions-math, memcached, clamav
 Breaks: fusionforge-plugin-mediawiki (<< 5.2~rc1+1~),
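Review bot: the new `mediawiki-classes` entry on the Depends: line is unversioned, while the files it carries are moved out of `mediawiki` via Breaks/Replaces on the other package; make it `mediawiki-classes (= ${source:Version})` (or at least `(>= 1:1.19.8+dfsg-2.1~)`) so a partially upgraded system cannot pair a `mediawiki` that expects `includes/libs` with a `mediawiki-classes` built from a different upstream version.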
@@ -36,3 +36,24 @@
  Moreover, it keeps track of changes, so users can receive
  notifications, view diffs and revert edits. This system has many
  other features and can easily be extended.
+
+Package: mediawiki-classes
+Architecture: all
+Depends: ${misc:Depends}
+Breaks: mediawiki (<< 1:1.19.8+dfsg-2.1~)
+Replaces: mediawiki (<< 1:1.19.8+dfsg-2.1~)
+Description: website engine for collaborative work - standalone classes
+ This package provides standalone classes from the remainder of the
+ MediaWiki codebase. They do not call on any other portions of MediaWiki
+ code, and can be used in portions of MediaWiki code, and can be used in
+ other projects without dependency issues.
+ .
+ MediaWiki is a wiki engine (a program for creating a collaboratively
+ edited website). It is designed to handle heavy websites containing
+ library-like document collections, and supports user uploads of
+ images/sounds, multilingual content, TOC autogeneration, ISBN links,
+ etc.
+ .
+ Moreover, it keeps track of changes, so users can receive
+ notifications, view diffs and revert edits. This system has many
+ other features and can easily be extended.
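Review bot: the long description of mediawiki-classes contains a duplicated clause, "They do not call on any other portions of MediaWiki code, and can be used in portions of MediaWiki code, and can be used in other projects without dependency issues."; drop the second "and can be used in portions of MediaWiki code," so it reads "They do not call on any other portions of MediaWiki code, and can be used in other projects without dependency issues." The Breaks/Replaces on `mediawiki (<< 1:1.19.8+dfsg-2.1~)` correctly covers the move of includes/libs between the packages.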

Copied: mediawiki/trunk/debian/mediawiki-classes.install (from rev 491, mediawiki/branches/nmu-merge/debian/mediawiki-classes.install)
===================================================================
--- mediawiki/trunk/debian/mediawiki-classes.install	                        (rev 0)
+++ mediawiki/trunk/debian/mediawiki-classes.install	2013-12-31 10:04:43 UTC (rev 492)
@@ -0,0 +1 @@
+includes/libs/*.php usr/share/mediawiki/includes/libs
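Review bot: the install glob `includes/libs/*.php` only picks up files directly inside includes/libs, while debian/rules deletes the whole `includes/libs` tree from the mediawiki package, so any file in a subdirectory or any non-.php file there would be shipped by neither package. Consider installing the directory (`includes/libs usr/share/mediawiki/includes`) or verify with `dh_install --list-missing` that the two packages together still ship everything upstream puts under includes/libs.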

Copied: mediawiki/trunk/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch (from rev 491, mediawiki/branches/nmu-merge/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch)
===================================================================
--- mediawiki/trunk/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch	                        (rev 0)
+++ mediawiki/trunk/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch	2013-12-31 10:04:43 UTC (rev 492)
@@ -0,0 +1,153 @@
+Description: Sanitizer::checkCss blacklist can be bypassed using vertical tab (ASCII 11)
+ .
+ Kevin Israel (Wikipedia user PleaseStand) identified and reported two
+ vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist
+ (CVE-2013-4567, CVE-2013-4568).
+Author: Chris Steipp, <csteipp at wikimedia.org>
+Origin: upstream, https://bugzilla.wikimedia.org/attachment.cgi?id=13772&action=difr
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=55332
+Bug-Debian: http://bugs.debian.org/729629
+
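Review bot: the Origin: URL in this DEP-3 header ends in `&action=difr`, a typo for `&action=diff` (compare the Origin: line of fix_CVE-2013-4572.patch below), so the link does not resolve to the upstream diff view as intended.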
+--- a/includes/Sanitizer.php
++++ b/includes/Sanitizer.php
+@@ -882,6 +882,21 @@
+ 		$value = preg_replace_callback( $decodeRegex,
+ 			array( __CLASS__, 'cssDecodeCallback' ), $value );
+ 
++		// Normalize Halfwidth and Fullwidth Unicode block that IE6 might treat as ascii
++		$value = preg_replace_callback(
++			'/[!-z]/u', // U+FF01 to U+FF5A
++			array( __CLASS__, 'cssNormalizeUnicodeWidth' ),
++			$value
++		);
++
++		// Convert more characters IE6 might treat as ascii
++		// U+0280, U+0274, U+207F, U+029F, U+026A, U+207D, U+208D
++		$value = str_replace(
++			array( 'ʀ', 'ɴ', 'ⁿ', 'ʟ', 'ɪ', '⁽', '₍' ),
++			array( 'r', 'n', 'n', 'l', 'i', '(', '(' ),
++			$value
++		);
++
+ 		// Remove any comments; IE gets token splitting wrong
+ 		// This must be done AFTER decoding character references and
+ 		// escape sequences, because those steps can introduce comments
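Review bot: the character class in `'/[!-z]/u'` reads here as plain ASCII `!` to `z`, although the comment says U+FF01 to U+FF5A; if the fullwidth characters were normalized to ASCII somewhere between upstream and this patch file, every printable ASCII character would be routed through cssNormalizeUnicodeWidth and `chr( $cp - 65248 )` would be called with a negative argument, corrupting ordinary style values. The IPA and superscript literals in the `str_replace` just below survived as UTF-8, which makes the mismatch suspicious; check the bytes in the committed file and prefer `'/[\x{FF01}-\x{FF5A}]/u'`, which is unambiguous in any encoding.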
+@@ -897,8 +912,24 @@
+ 			$value = substr( $value, 0, $commentPos );
+ 		}
+ 
++		// S followed by repeat, iteration, or prolonged sound marks,
++		// which IE will treat as "ss"
++		$value = preg_replace(
++			'/s(?:
++				\xE3\x80\xB1 | # U+3031
++				\xE3\x82\x9D | # U+309D
++				\xE3\x83\xBC | # U+30FC
++				\xE3\x83\xBD | # U+30FD
++				\xEF\xB9\xBC | # U+FE7C
++				\xEF\xB9\xBD | # U+FE7D
++				\xEF\xBD\xB0   # U+FF70
++			)/ix',
++			'ss',
++			$value
++		);
++
+ 		// Reject problematic keywords and control characters
+-		if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
++		if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
+ 			return '/* invalid control char */';
+ 		} elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
+ 			return '/* insecure input */';
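Review bot: the control-character class now rejects \013 (vertical tab), which is the reported bypass, but \014 (form feed) remains permitted alongside tab, LF and CR; confirm that form feed is tolerated deliberately because it is CSS whitespace rather than by omission, since the same token-splitting argument applies to any byte the browser treats as whitespace and the keyword regex does not expect. The repetition-mark fold to `ss` is correctly placed after comment stripping and before the keyword check, so keywords reassembled from `s` plus a mark are caught by the existing `/ix` match.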
+@@ -907,6 +938,19 @@
+ 	}
+ 
+ 	/**
++	 * Normalize Unicode U+FF01 to U+FF5A
++	 * @param character $char
++	 * @return character in ASCII range \x21-\x7A
++	 */
++	static function cssNormalizeUnicodeWidth( $matches ) {
++		$cp = utf8ToCodepoint( $matches[0] );
++		if ( $cp === false ) {
++			return '';
++		}
++		return chr( $cp - 65248 ); // ASCII range \x21-\x7A
++	}
++
++	/**
+ 	 * @param $matches array
+ 	 * @return String
+ 	 */
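Review bot: the docblock for cssNormalizeUnicodeWidth does not match its signature: it documents `@param character $char` and `@return character`, but the function receives the `$matches` array from preg_replace_callback and returns a string. Use `@param array $matches` and `@return string`, as the docblock immediately below it does. The `=== false` guard on utf8ToCodepoint() is right; given that the regex only matches U+FF01 to U+FF5A, `$cp - 65248` always lands in \x21-\x7A as the comment states.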
+--- a/tests/parser/parserTests.txt
++++ b/tests/parser/parserTests.txt
+@@ -5059,6 +5059,70 @@
+ 
+ !! end
+ 
++!! test
++CSS safety test: vertical tab
++!! input
++<p style="font-size: 100px; background-image:url\b(https://www.google.com/images/srpr/logo6w.png)">A</p>
++!! result
++<p style="/* invalid control char */">A</p>
++
++!! end
++
++!! test
++MSIE CSS safety test: Fullwidth
++!! input
++<p style="font-size: 100px; color: expression((title='XSSed'),'red')">A</p>
++<div style="top:EXPRESSION(alert())">B</div>
++!! result
++<p style="/* insecure input */">A</p>
++<div style="/* insecure input */">B</div>
++
++!! end
++
++!! test
++MSIE CSS safety test: IPA extensions
++!! input
++<div style="background-image:uʀʟ(javascript:alert())">A</div>
++<p style="font-size: 100px; color: expʀessɪoɴ((title='XSSed'),'red')">B</p>
++!! result
++<div style="/* insecure input */">A</div>
++<p style="/* insecure input */">B</p>
++
++!! end
++
++!! test
++MSIE CSS safety test: sup/sub script
++!! input
++<div style="background-image:url⁽javascript:alert())">A</div>
++<div style="background-image:url₍javascript:alert())">B</div>
++<p style="font-size: 100px; color: expressioⁿ((title='XSSed'),'red')">C</p>
++!! result
++<div style="/* insecure input */">A</div>
++<div style="/* insecure input */">B</div>
++<p style="/* insecure input */">C</p>
++
++!! end
++
++!! test
++MSIE CSS safety test: Repetition markers
++!! input
++<p style="font-size: 100px; color: expres〱ion((title='XSSed'),'red')">A</p>
++<p style="font-size: 100px; color: expresゝion((title='XSSed'),'red')">B</p>
++<p style="font-size: 100px; color: expresーion((title='XSSed'),'red')">C</p>
++<p style="font-size: 100px; color: expresヽion((title='XSSed'),'red')">D</p>
++<p style="font-size: 100px; color: expresﹽion((title='XSSed'),'red')">E</p>
++<p style="font-size: 100px; color: expresﹼion((title='XSSed'),'red')">F</p>
++<p style="font-size: 100px; color: expresーion((title='XSSed'),'red')">G</p>
++!! result
++<p style="/* insecure input */">A</p>
++<p style="/* insecure input */">B</p>
++<p style="/* insecure input */">C</p>
++<p style="/* insecure input */">D</p>
++<p style="/* insecure input */">E</p>
++<p style="/* insecure input */">F</p>
++<p style="/* insecure input */">G</p>
++
++!! end
+ 
+ !! test
+ Table attribute legitimate extension
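Review bot: the vertical tab test input shows `url\b(`, which is either the two literal characters `\` and `b` or, if the file is escape-processed, a backspace (ASCII 8); backspace was already rejected by the old `[\000-\010...]` range, so as written this case may not exercise the new \013 entry at all. Use an explicit vertical tab character (or whatever parserTests.txt supports for a literal 0x0B) and confirm the test fails without the Sanitizer change. In the repetition-marker test, cases C and G render identically here (`expresーion`); verify that G really contains the halfwidth U+FF70 so that all seven marks in the new regex are covered by a test.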

Copied: mediawiki/trunk/debian/patches/fix_CVE-2013-4572.patch (from rev 491, mediawiki/branches/nmu-merge/debian/patches/fix_CVE-2013-4572.patch)
===================================================================
--- mediawiki/trunk/debian/patches/fix_CVE-2013-4572.patch	                        (rev 0)
+++ mediawiki/trunk/debian/patches/fix_CVE-2013-4572.patch	2013-12-31 10:04:43 UTC (rev 492)
@@ -0,0 +1,36 @@
+Description: Multiple users with the same session ID
+ .
+ Internal review while debugging a site issue discovered that MediaWiki
+ and the CentralNotice extension were incorrectly setting cache headers when
+ a user was autocreated, causing the user's session cookies to be cached,
+ and returned to other users (CVE-2013-4572).
+Author: Chris Steipp, <csteipp at wikimedia.org>
+Origin: upstream, https://bugzilla.wikimedia.org/attachment.cgi?id=13779&action=diff
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=53032
+Bug-Debian: http://bugs.debian.org/729629
+
+--- a/includes/actions/RawAction.php
++++ b/includes/actions/RawAction.php
+@@ -79,6 +79,11 @@
+ 		# Output may contain user-specific data;
+ 		# vary generated content for open sessions on private wikis
+ 		$privateCache = !$wgGroupPermissions['*']['read'] && ( $smaxage == 0 || session_id() != '' );
++		// Bug 53032 - make this private if user is logged in,
++		// so we don't accidentally cache cookies
++		if ( !$privateCache ) {
++			$privateCache = $this->getUser()->isLoggedIn();
++		}
+ 		# allow the client to cache this for 24 hours
+ 		$mode = $privateCache ? 'private' : 'public';
+ 		$response->header( 'Cache-Control: ' . $mode . ', s-maxage=' . $smaxage . ', max-age=' . $maxage );
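Review bot: the added `isLoggedIn()` check only runs when `$privateCache` is already false, i.e. on wikis where `*` has read permission; on such a public wiki an anonymous request that nevertheless has an open session (`session_id() != ''`) is still marked `public`, which is the state in which a Set-Cookie header can end up in a shared cache. Consider `$privateCache = $privateCache || $this->getUser()->isLoggedIn() || session_id() != '';` so that any response that may carry a session cookie is never shared-cacheable regardless of the read permission. The new lines also use `//` where the surrounding block uses `#`; match the surrounding style.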
+--- a/includes/specials/SpecialUploadStash.php
++++ b/includes/specials/SpecialUploadStash.php
+@@ -279,6 +279,8 @@
+ 		header( "Content-Type: $contentType", true );
+ 		header( 'Content-Transfer-Encoding: binary', true );
+ 		header( 'Expires: Sun, 17-Jan-2038 19:14:07 GMT', true );
++		// Bug 53032 - It shouldn't be a problem here, but let's be safe and not cache
++		header( 'Cache-Control: private' );
+ 		header( "Content-Length: $size", true );
+ 	}
+ 
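Review bot: the new `header( 'Cache-Control: private' )` omits the `true` replace argument that every neighbouring `header()` call passes, and it sits next to an `Expires:` of 17 Jan 2038, so the user's own browser will still cache the response for decades; `private` only keeps it out of shared caches. If that is the intent (per-user stash content cached only by that user's browser), say so in the comment; if the response should not be cached at all, `Cache-Control: private, no-store` together with a past `Expires:` is what the "let's be safe" comment suggests.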

Modified: mediawiki/trunk/debian/patches/series
===================================================================
--- mediawiki/trunk/debian/patches/series	2013-12-31 09:52:27 UTC (rev 491)
+++ mediawiki/trunk/debian/patches/series	2013-12-31 10:04:43 UTC (rev 492)
@@ -9,3 +9,5 @@
 fix_warnings.patch
 mimetypes.patch
 suppress_warnings.patch
+fix_CVE-2013-4567_and_CVE-2013-4568.patch
+fix_CVE-2013-4572.patch

Copied: mediawiki/trunk/debian/po/pl.po (from rev 491, mediawiki/branches/nmu-merge/debian/po/pl.po)
===================================================================
--- mediawiki/trunk/debian/po/pl.po	                        (rev 0)
+++ mediawiki/trunk/debian/po/pl.po	2013-12-31 10:04:43 UTC (rev 492)
@@ -0,0 +1,30 @@
+# Translation of mediawiki debconf templates to Polish
+# Copyright (C) 2004
+# This file is distributed under the same license as the mediawiki package.
+# 
+# Magdalena Z. Kubot <magdalena.kubot at gmail.com>, 2013.
+msgid ""
+msgstr ""
+"Project-Id-Version: mediawiki\n"
+"Report-Msgid-Bugs-To: pkg-mediawiki-devel at lists.alioth.debian.org\n"
+"POT-Creation-Date: 2007-10-22 02:37+0200\n"
+"PO-Revision-Date: 2013-12-04 20:50+0100\n"
+"Last-Translator: Magdalena Z. Kubot <magdalena.kubot at gmail.com>\n"
+"Language-Team: Polish <debian-l10n-polish at lists.debian.org>\n"
+"Language: pl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
+
+#. Type: multiselect
+#. Description
+#: ../templates:2001
+msgid "Web server(s) to configure automatically:"
+msgstr "Serwery WWW do automatycznej konfiguracji:"
+
+#. Type: multiselect
+#. Description
+#: ../templates:2001
+msgid "Please select the web server(s) that should be configured automatically for MediaWiki."
+msgstr "Proszę wybrać serwery WWW, które mają być skonfigurowane automatycznie dla MediaWiki."
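Review bot: the header line `# Copyright (C) 2004` predates the translation it covers (the translator line and PO-Revision-Date both say 2013) and names no holder; either credit the translator with the correct year or drop the line so the license statement that follows it is attributable. The two msgstr strings themselves are correct Polish for the English msgids.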

Modified: mediawiki/trunk/debian/rules
===================================================================
--- mediawiki/trunk/debian/rules	2013-12-31 09:52:27 UTC (rev 491)
+++ mediawiki/trunk/debian/rules	2013-12-31 10:04:43 UTC (rev 492)
@@ -42,14 +42,31 @@
 	# Put debian version for mediawiki version..
 	sed -e "s#$(DEB_UPSTREAM_VERSION)#$(DEB_NOEPOCH_VERSION)#" \
 			-i debian/mediawiki/usr/share/mediawiki/includes/DefaultSettings.php
+	# includes/libs is provided by mediawiki-classes
+	rm -rf debian/mediawiki/usr/share/mediawiki/includes/libs
 
 override_dh_installdeb:
 	find debian/mediawiki -depth \( -name ".cvsignore" -o -name ".gitignore" -o -name ".arch-ids" \) -exec rm -rf {} \;
 	dh_installdeb
 
 # DevRef §6.7.8.2.
-.PHONY: get-orig-source
-get-orig-source:
+.PHONY: get-orig-source-tg
+get-orig-source-tg:
+	mksh -o pipefail -e -x -c 'DEB_UPSTREAM_VERSION=${DEB_UPSTREAM_VERSION}; \
+		rm -rf debian/tmp; mkdir debian/tmp; cd debian/tmp; \
+		[[ -s ../../../mediawiki-${DEB_UPSTREAM_VERSION}.tar.gz ]] && \
+		    ln -s ../../../mediawiki-${DEB_UPSTREAM_VERSION}.tar.gz || \
+		    wget http://dumps.wikimedia.org/mediawiki/$${DEB_UPSTREAM_VERSION%.*}/mediawiki-${DEB_UPSTREAM_VERSION}.tar.gz; \
+		paxtar xzf mediawiki-${DEB_UPSTREAM_VERSION}.tar.gz; \
+		rm -f mediawiki-${DEB_UPSTREAM_VERSION}/skins/common/images/cc-*; \
+		mv mediawiki-${DEB_UPSTREAM_VERSION} mediawiki-${DEB_UPSTREAM_VERSION}.orig; \
+		find mediawiki-${DEB_UPSTREAM_VERSION}.orig -type f | \
+		    sort | paxcpio -oC512 -Hustar -Mdist | \
+		    xz -6e >../../mediawiki_${DEB_UPSTREAM_VERSION}+dfsg.orig.tar.xz; \
+		cd ..; rm -rf tmp'
+	@ls -l mediawiki_${DEB_UPSTREAM_VERSION}+dfsg.orig.tar.xz
+.PHONY: get-orig-source-jmw
+get-orig-source-jmw:
 	$(eval TMPDIR=$(shell mktemp -d))
 	$(eval MWTAR=mediawiki_${DEB_UPSTREAM_VERSION}.orig.tar.gz)
 	$(eval DFSGTAR=mediawiki_${DEB_UPSTREAM_VERSION}+dfsg.orig.tar.xz)
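Review bot: renaming `get-orig-source` to `get-orig-source-tg` and `get-orig-source-jmw` leaves no target with the standard name that the `DevRef §6.7.8.2` comment refers to; keep `get-orig-source:` as an alias (e.g. `get-orig-source: get-orig-source-tg`) so `debian/rules get-orig-source` keeps working. In the -tg variant the upstream tarball is fetched with `wget http://dumps.wikimedia.org/...` and repacked with no integrity check; switch to https and compare the download against a checksum or signature published for the release before unpacking, otherwise the .orig.tar.xz inherits whatever a network intermediary served. The `rm -rf debian/mediawiki/usr/share/mediawiki/includes/libs` step assumes mediawiki-classes ships the whole tree, but its .install file only globs `includes/libs/*.php`.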