[Pkg-mediawiki-devel] Notes on CVE fixes for squeeze
Dominik George
nik at naturalnet.de
Thu Dec 13 11:59:40 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
first off, thanks to Thorsten for uploading my changes.
I know that Thorsten will not care the least for stable because it doesn't
affect him, so here are some notes for the others on my backport of the
patches to 1.15.5.
The problem while backporting was that Mediawiki introduced a workaround
for insecure PHP session-id generation somewhere along the way and
apparently, the Debian packaging team chose to not backport these changes
to 1.15.5. The fix for CVE-2012-5395 could be used as is (after finding
the relevant parts of the code and merging with the older source), but the
patch for CVE-2012-5391 used methods introduced with the change described
above. I chose to remove the parts that relied on MediaWiki's own
MWCryptRand implementation and, as all other parts of 1.15.5 do, rely on
PHP's session id generation in all cases.
Thus, the problems described in the CVEs were addressed and 1.15.5 is no
longer vulnerable to the exploits. Addressing PHP's potentially insecure
session id generation was not part of the fix (and probably was ignored by
the team for a good reason in the first place).
I hope that someone will upload to squeeze-security for me.
Cheers,
Nik
- --
* mirabilos is handling my post-1990 smartphone *
<mirabilos> Aaah, it vibrates! Wherefor art thou, daemonic device??
PGP fingerprint: 2086 9A4B E67D 1DCD FFF6 F6C1 59FC 8E1D 6F2A 8001
gpg: Beglaubigung fehlgeschlagen: Dateiende
gpg: [stdin]: clearsign failed: Dateiende