[Pkg-mediawiki-devel] Bug#666269: [Pkg-mediawiki-commits] r310 - in mediawiki/sid-sec/debian: . patches

Thorsten Glaser tg at alioth.debian.org
Fri Mar 30 08:43:27 UTC 2012


Author: tg
Date: 2012-03-30 08:43:27 +0000 (Fri, 30 Mar 2012)
New Revision: 310

Added:
   mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch
Modified:
   mediawiki/sid-sec/debian/changelog
   mediawiki/sid-sec/debian/patches/series
Log:
first cut at #666269 for sid-security:

• three do not seem to affect us: the code doesn’t even appear to be in 1.15
• one, I attempted to backport the fix (not yet tested)
• one I cannot access… wait for that to be disclosed


Modified: mediawiki/sid-sec/debian/changelog
===================================================================
--- mediawiki/sid-sec/debian/changelog	2012-03-20 10:15:18 UTC (rev 309)
+++ mediawiki/sid-sec/debian/changelog	2012-03-30 08:43:27 UTC (rev 310)
@@ -1,3 +1,14 @@
+mediawiki (1:1.15.5-9) UNRELEASED; urgency=high
+
+  * Address MW security release 1.18.1-1 (Closes: #666269)
+    - CVE-2012-1578 MW#34212: doesn’t affect 1.15
+    - CVE-2012-1579 MW#34907: doesn’t affect 1.15
+    - CVE-2012-1580 MW#35317: doesn’t affect 1.15
+    - CVE-2012-1581 MW#35078: (can’t access bugreport)
+    - CVE-2012-1582 MW#35315: fix backported
+
+ -- Thorsten Glaser <tg at mirbsd.de>  Fri, 30 Mar 2012 10:41:58 +0200
+
 mediawiki (1:1.15.5-8) unstable; urgency=low
 
   * Fix reversing IPv4 address for SORBS blacklist; patch from

Added: mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch
===================================================================
--- mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch	                        (rev 0)
+++ mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch	2012-03-30 08:43:27 UTC (rev 310)
@@ -0,0 +1,150 @@
+Description: Fixed a few "strip tag exposed" bugs.
+Author: Tim Starling (r114231)
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=35315
+
+Index: mediawiki-1.15.5/includes/parser/CoreParserFunctions.php
+===================================================================
+--- mediawiki-1.15.5.orig/includes/parser/CoreParserFunctions.php	2012-03-30 10:28:12.000000000 +0200
++++ mediawiki-1.15.5/includes/parser/CoreParserFunctions.php	2012-03-30 10:32:57.000000000 +0200
+@@ -120,7 +120,8 @@
+ 	}
+ 
+ 	static function urlencode( $parser, $s = '' ) {
+-		return urlencode( $s );
++		$func = 'urlencode';
++		return $parser->markerSkipCallback( $s, $func );
+ 	}
+ 
+ 	static function lcfirst( $parser, $s = '' ) {
+@@ -135,20 +136,12 @@
+ 
+ 	static function lc( $parser, $s = '' ) {
+ 		global $wgContLang;
+-		if ( is_callable( array( $parser, 'markerSkipCallback' ) ) ) {
+-			return $parser->markerSkipCallback( $s, array( $wgContLang, 'lc' ) );
+-		} else {
+-			return $wgContLang->lc( $s );
+-		}
++		return $parser->markerSkipCallback( $s, array( $wgContLang, 'lc' ) );
+ 	}
+ 
+ 	static function uc( $parser, $s = '' ) {
+ 		global $wgContLang;
+-		if ( is_callable( array( $parser, 'markerSkipCallback' ) ) ) {
+-			return $parser->markerSkipCallback( $s, array( $wgContLang, 'uc' ) );
+-		} else {
+-			return $wgContLang->uc( $s );
+-		}
++		return $parser->markerSkipCallback( $s, array( $wgContLang, 'uc' ) );
+ 	}
+ 
+ 	static function localurl( $parser, $s = '', $arg = null ) { return self::urlFunction( 'getLocalURL', $s, $arg ); }
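Review bot: With the `is_callable( array( $parser, 'markerSkipCallback' ) )` fallback removed from `lc` and `uc`, every parser object passed to these functions must now implement `markerSkipCallback`. The same holds for the new unconditional calls in `urlencode` and `formatnum`, and for `killMarkers` in `grammar`, `pad` and `anchorencode`. The guard was present in the 1.15 code being patched, so please confirm that no parser class on this branch lacks these methods; if one does, these functions now end in a fatal error. If such a class exists, keep the guard and make the fallback path strip markers as well, rather than dropping the check.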
+@@ -180,15 +173,17 @@
+ 		}
+ 	}
+ 
+-	static function formatNum( $parser, $num = '', $raw = null) {
+-		if ( self::israw( $raw ) ) {
+-			return $parser->getFunctionLang()->parseFormattedNumber( $num );
++	static function formatnum( $parser, $num = '', $raw = null) {
++		if ( self::isRaw( $raw ) ) {
++			$func = array( $parser->getFunctionLang(), 'parseFormattedNumber' );
+ 		} else {
+-			return $parser->getFunctionLang()->formatNum( $num );
++			$func = array( $parser->getFunctionLang(), 'formatNum' );
+ 		}
++		return $parser->markerSkipCallback( $num, $func );
+ 	}
+ 
+ 	static function grammar( $parser, $case = '', $word = '' ) {
++		$word = $parser->killMarkers( $word );
+ 		return $parser->getFunctionLang()->convertGrammar( $word, $case );
+ 	}
+ 
+@@ -495,7 +490,8 @@
+ 	/**
+ 	 * Unicode-safe str_pad with the restriction that $length is forced to be <= 500
+  	 */
+-	static function pad( $string, $length, $padding = '0', $direction = STR_PAD_RIGHT ) {
++	static function pad( $parser, $string, $length, $padding = '0', $direction = STR_PAD_RIGHT ) {
++		$padding = $parser->killMarkers( $padding );
+ 		$lengthOfPadding = mb_strlen( $padding );		
+ 		if ( $lengthOfPadding == 0 ) return $string;
+ 		
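Review bot: `pad` gains `$parser` as a new first parameter, which shifts every existing argument by one for any caller not updated in this patch. `padleft` and `padright` are adjusted in the next hunk, but `pad` is a static method with no visibility keyword, so callers elsewhere in the tree or in packaged extensions cannot be ruled out from what is visible. A stale call would pass the string as `$parser` and fail at `$parser->killMarkers( $padding )`. Only `$padding` is cleaned while `$string` is returned with its markers intact, so a one-line comment saying why the two are treated differently would help the next backporter. The rest of the function body lies outside the hunk.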
+@@ -519,14 +515,15 @@
+ 	}
+ 
+ 	static function padleft( $parser, $string = '', $length = 0, $padding = '0' ) {
+-		return self::pad( $string, $length, $padding, STR_PAD_LEFT );
++		return self::pad( $parser, $string, $length, $padding, STR_PAD_LEFT );
+ 	}
+ 
+ 	static function padright( $parser, $string = '', $length = 0, $padding = '0' ) {
+-		return self::pad( $string, $length, $padding );
++		return self::pad( $parser, $string, $length, $padding );
+ 	}
+ 
+ 	static function anchorencode( $parser, $text ) {
++		$text = $parser->killMarkers( $text );
+ 		$a = urlencode( $text );
+ 		$a = strtr( $a, array( '%' => '.', '+' => '_' ) );
+ 		# leave colons alone, however
+Index: mediawiki-1.15.5/includes/parser/Parser.php
+===================================================================
+--- mediawiki-1.15.5.orig/includes/parser/Parser.php	2012-03-30 10:21:44.000000000 +0200
++++ mediawiki-1.15.5/includes/parser/Parser.php	2012-03-30 10:33:57.000000000 +0200
+@@ -3521,14 +3521,17 @@
+ 			}
+ 
+ 			# The safe header is a version of the header text safe to use for links
+-			# Avoid insertion of weird stuff like <math> by expanding the relevant sections
+-			$safeHeadline = $this->mStripState->unstripBoth( $headline );
+ 
+ 			# Remove link placeholders by the link text.
+ 			#     <!--LINK number-->
+ 			# turns into
+ 			#     link text with suffix
+-			$safeHeadline = $this->replaceLinkHoldersText( $safeHeadline );
++
++			# Do this before unstrip since link text can contain strip markers
++			$safeHeadline = $this->replaceLinkHoldersText( $headline );
++
++			# Avoid insertion of weird stuff like <math> by expanding the relevant sections
++			$safeHeadline = $this->mStripState->unstripBoth( $safeHeadline );
+ 
+ 			# Strip out HTML (other than plain <sup> and <sub>: bug 8393)
+ 			$tocline = preg_replace(
+@@ -4896,6 +4899,16 @@
+ 		// Should be good to go.
+ 		return $text;
+ 	}
++
++	/**
++	 * Remove any strip markers found in the given text.
++	 *
++	 * @param $text Input string
++	 * @return string
++	 */
++	function killMarkers( $text ) {
++		return $this->mStripState->killMarkers( $text );
++	}
+ }
+ 
+ /**
+@@ -4940,6 +4953,16 @@
+ 		wfProfileOut( __METHOD__ );
+ 		return $text;
+ 	}
++
++	/**
++	 * Remove any strip markers found in the given text.
++	 *
++	 * @param $text Input string
++	 * @return string
++	 */
++	function killMarkers( $text ) {
++		return preg_replace( $this->regex, '', $text );
++	}
+ }
+ 
+ /**
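Review bot: The second `killMarkers` relies on `$this->regex`, and nothing in this patch defines that property on the class it is added to. The upstream fix was written against a newer tree; if the 1.15.5 class does not already set `$this->regex` to the strip-marker pattern, `preg_replace` gets an empty pattern, emits a warning and does not return the input text. In that case `grammar`, `pad` and `anchorencode` would silently work on an empty value instead of the cleaned string. The log says the backport is not yet tested, so please confirm the property exists on this branch, or have this method build the marker pattern itself. The class body starts outside the hunk, so this is inferred from the patch alone.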

Modified: mediawiki/sid-sec/debian/patches/series
===================================================================
--- mediawiki/sid-sec/debian/patches/series	2012-03-20 10:15:18 UTC (rev 309)
+++ mediawiki/sid-sec/debian/patches/series	2012-03-30 08:43:27 UTC (rev 310)
@@ -19,3 +19,4 @@
 backport-block-prevent.patch
 fix-blacklist.patch
 php54.patch
+CVE-2012-1582.patch

