[Pkg-mediawiki-devel] Notes on CVE fixes for squeeze

Dominik George nik at naturalnet.de
Thu Dec 13 11:59:40 UTC 2012

Hash: SHA256


first off, thanks to Thorsten for uploading my changes.

I know that Thorsten will not care the least for stable because it doesn't 
affect him, so here are some notes for the others on my backport of the 
patches to 1.15.5.

The problem while backporting was that Mediawiki introduced a workaround 
for insecure PHP session-id generation somewhere along the way and 
apparently, the Debian packaging team chose to not backport these changes 
to 1.15.5. The fix for CVE-2012-5395 could be used as is (after finding 
the relevant parts of the code and merging with the older source), but the 
patch for CVE-2012-5391 used methods introduced with the change described 
above. I chose to remove the parts that relied on MediaWikis own 
MWCrytRand implementation and, as all other parts of 1.15.5 do, rely on 
PHP's session id generation in all cases.

Thus, the problems described in the CVEs were addressed and 1.15.5 is no 
longer vulnerable to the exploits. Addressing PHP's potentially insecure 
session id generation was not part of the fix (and probably was ignored by 
the team for a good reason in the first place).

I hope that seomeone will upload to squeeze-security for me.


- -- 
* mirabilos is handling my post-1990 smartphone *
<mirabilos> Aaah, it vibrates! Wherefor art thou, daemonic device??

PGP fingerprint: 2086 9A4B E67D 1DCD FFF6  F6C1 59FC 8E1D 6F2A 8001
gpg: Beglaubigung fehlgeschlagen: Dateiende
gpg: [stdin]: clearsign failed: Dateiende

More information about the Pkg-mediawiki-devel mailing list