[Pkg-mediawiki-devel] Please comment on DSA for mediawiki
Jonathan Wiltshire
jmw at debian.org
Sun Dec 16 20:40:05 UTC 2012
Hi,
Please speak now if the attached debdiff for security problems should be a
DSA. I'm happy to prepare and write one if so, otherwise it will go via
proposed-updates as the current changelog indicates.
Thanks,
--
Jonathan Wiltshire jmw at debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
<directhex> i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits
-------------- next part --------------
diff -Nru mediawiki-1.15.5/debian/changelog mediawiki-1.15.5/debian/changelog
--- mediawiki-1.15.5/debian/changelog 2012-01-21 21:08:01.000000000 +0000
+++ mediawiki-1.15.5/debian/changelog 2012-12-16 17:54:27.000000000 +0000
@@ -1,3 +1,12 @@
+mediawiki (1:1.15.5-2squeeze5) stable; urgency=low
+
+ [ Dominik George ]
+ * Security fixes from upstream (Closes: #694998):
+ - CVE-2012-5391 - Prevent session fixation in Special:UserLogin
+ - Prevent linker regex from exceeding backtrack limit
+
+ -- Jonathan Wiltshire <jmw at debian.org> Sun, 16 Dec 2012 17:53:38 +0000
+
mediawiki (1:1.15.5-2squeeze4) stable; urgency=low
* Disable CVE-2011-4360.patch, it causes ugly error messages in certain
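Review bot: the second bullet of the new changelog entry ("Prevent linker regex from exceeding backtrack limit") carries no identifier, while the corresponding patch header cites Wikimedia bug 41400; add that bug reference (and a CVE id if one gets assigned) so the entry can be matched to an advisory. If this goes out as a DSA rather than through proposed-updates, `urgency=low` should also become `urgency=high`, as is customary for security uploads.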
diff -Nru mediawiki-1.15.5/debian/patches/CVE-2012-5391.patch mediawiki-1.15.5/debian/patches/CVE-2012-5391.patch
--- mediawiki-1.15.5/debian/patches/CVE-2012-5391.patch 1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.15.5/debian/patches/CVE-2012-5391.patch 2012-12-16 15:34:48.000000000 +0000
@@ -0,0 +1,33 @@
+Description: Prevent session fixation in Special:UserLogin (CVE-2012-5391)
+ Sessions id's in the default MediaWiki authentication are not refreshed on
+ login or logout. An attacker can use this to impersonate a user.
+Author: Chris Steipp <csteipp at wikimedia.org>
+Origin: upstream, https://gerrit.wikimedia.org/r/#/c/36079/
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=40995
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694998
+Reviewed-by: Dominik George <nik at naturalnet.de>
+--- a/includes/specials/SpecialUserlogin.php
++++ b/includes/specials/SpecialUserlogin.php
+@@ -591,6 +591,8 @@
+ global $wgLang, $wgRequest;
+ $code = $wgRequest->getVal( 'uselang', $wgUser->getOption( 'language' ) );
+ $wgLang = Language::factory( $code );
++ // Reset SessionID on Successful login (bug 40995)
++ $this->renewSessionId();
+ return $this->successfulLogin();
+ } else {
+ return $this->cookieRedirectCheck( 'login' );
+@@ -1062,6 +1064,13 @@
+ $wgRequest->setSessionData( 'wsCreateaccountToken', null );
+ }
+
++ /**
++ * Renew the user's session id
++ */
++ private function renewSessionId() {
++ session_regenerate_id( false );
++ }
++
+ /**
+ * @private
+ */
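Review bot: `session_regenerate_id( false )` in the new `renewSessionId()` tells PHP to keep the old session on the server, so if the logged-in state was already written to the session before the call added in the first SpecialUserlogin.php hunk, the pre-login session ID still resolves to an authenticated session until garbage collection; passing `true` (delete the old session) closes that window. The Description also says IDs are not refreshed on login or logout, yet the hunk only adds the call on the successful-login path; if the logout path is deliberately left alone in this backport, say so in the header, otherwise add a matching renewal there. Minor: "Sessions id's" in the Description should read "Session IDs".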
diff -Nru mediawiki-1.15.5/debian/patches/pcre-linker-backtrack.patch mediawiki-1.15.5/debian/patches/pcre-linker-backtrack.patch
--- mediawiki-1.15.5/debian/patches/pcre-linker-backtrack.patch 1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.15.5/debian/patches/pcre-linker-backtrack.patch 2012-12-16 16:40:44.000000000 +0000
@@ -0,0 +1,48 @@
+Description: Prevent linker regex from exceeding PCRE backtrack limit
+Author: Chris Steipp <csteipp at wikimedia.org>
+Origin: upstream
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=41400
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694998
+Reviewed-by: Dominik George <nik at naturalnet.de>
+--- a/includes/Linker.php
++++ b/includes/Linker.php
+@@ -1297,7 +1297,18 @@
+ */
+ public function formatLinksInComment( $comment ) {
+ return preg_replace_callback(
+- '/\[\[:?(.*?)(\|(.*?))*\]\]([^[]*)/',
++ '/
++ \[\[
++ :? # ignore optional leading colon
++ ([^\]|]+) # 1. link target; page names cannot include ] or |
++ (?:\|
++ # 2. a pipe-separated substring; only the last is captured
++ # Stop matching at | and ]] without relying on backtracking.
++ ((?:]?[^\]|])*+)
++ )*
++ \]\]
++ ([^[]*) # 3. link trail (the text up until the next link)
++ /x',
+ array( $this, 'formatLinksInCommentCallback' ),
+ $comment );
+ }
+@@ -1316,8 +1327,8 @@
+ }
+
+ # Handle link renaming [[foo|text]] will show link as "text"
+- if( "" != $match[3] ) {
+- $text = $match[3];
++ if( "" != $match[2] ) {
++ $text = $match[2];
+ } else {
+ $text = $match[1];
+ }
+@@ -1328,7 +1339,7 @@
+ $thelink = $this->makeMediaLink( $submatch[1], "", $text );
+ } else {
+ # Other kind of link
+- if( preg_match( $wgContLang->linkTrail(), $match[4], $submatch ) ) {
++ if( preg_match( $wgContLang->linkTrail(), $match[3], $submatch ) ) {
+ $trail = $submatch[1];
+ } else {
+ $trail = "";
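Review bot: the header has `Origin: upstream` with no URL, unlike CVE-2012-5391.patch which links its gerrit change; DEP-3 wants the upstream commit or change URL here so the backport can be checked against what upstream shipped (the `Bug:` line for Wikimedia bug 41400 should lead to it). Note also that the new pattern changes what matches, not only how: the target group `([^\]|]+)` requires at least one character and excludes `]` and `|`, so a comment such as `[[|text]]` that the old `(.*?)` accepted no longer reaches the callback; worth confirming this is the behaviour of the upstream release the fix was taken from. The renumbering of `$match[3]`/`$match[4]` to `$match[2]`/`$match[3]` in the callback hunks is consistent with the pipe group becoming non-capturing `(?:\|`.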
diff -Nru mediawiki-1.15.5/debian/patches/series mediawiki-1.15.5/debian/patches/series
--- mediawiki-1.15.5/debian/patches/series 2012-01-21 20:57:43.000000000 +0000
+++ mediawiki-1.15.5/debian/patches/series 2012-12-16 16:41:00.000000000 +0000
@@ -13,3 +13,5 @@
CVE-2011-1587.patch
CVE-2011-4361.patch
CVE-2012-0046.patch
+CVE-2012-5391.patch
+pcre-linker-backtrack.patch