[Pkg-mediawiki-devel] Bug#689156: unblock: mediawiki/1:1.19.2-1

Thorsten Glaser tg at mirbsd.de
Sat Sep 29 15:38:21 UTC 2012


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package mediawiki

This upload follows on both the threads for better MW 1.19 support
http://article.gmane.org/gmane.linux.debian.devel.release/56559
and the multiple security issues (Debian #686330) part:
http://thread.gmane.org/gmane.linux.debian.devel.secure-testing.general/5325

The changes can be split into multiple parts. The security issues
were fixed by the new upstream version, which I’ll detail below.
First are the changes inside debian/ which I’ll show as diffs
between the _patched_ sources again (like with mksh) because
diffs between "3.0 (quilt)" diffs are harder to read, except:

The file debian/patches/texvc_location.patch was removed, but it
was already not used in 1.19.1-1. The following patches were added
and have been attached to this message and removed from the diff:
fix_invalid_xhtml.patch, fix_warnings.patch

First, the packaging changes: add myself to Uploaders; do not
replace the jquery-tablesorter shipped with MW by the one in
Debian again because the MW one is a different/patched codebase
(fixes #687519); update Breaks wrt. the isochronal uploads of
src:fusionforge and src:mediawiki-extensions (for which I’ll also
file an unblock request); and Jonathan had added two Recommends.
I added a few “chmod +x” to quieten lintian and removed a COPYING
file from the .deb file after verifying its contents were already
in debian/copyright (which they were).

--- mediawiki-1.19.2-0/debian/changelog	2012-06-18 17:17:26.000000000 +0200
+++ mediawiki-1.19.2-1/debian/changelog	2012-09-20 13:45:26.000000000 +0200
@@ -1,3 +1,26 @@
+mediawiki (1:1.19.2-1) unstable; urgency=low
+
+  [ Thorsten Glaser ]
+  * New upstream: security fixes for CVE-2012-4377, CVE-2012-4378,
+    CVE-2012-4379, CVE-2012-4380, CVE-2012-4381, CVE-2012-4382
+    (Closes: #686330)
+  * Prevent <table></table> without any <tr /> inside, globally
+  * Fix more cases of not checking $wgHtml5
+  * MW’s ID (XML) sanitiser is there for a reason, use it!
+  * Prevent <ul></ul> without any <li /> inside in MonoBook
+  * Fix invalid XHTML caused by code not honouring $wgHtml5
+  * Quell some PHP warnings from sloppy code
+  * Do the wfSuppressWarnings patch used with FusionForge right
+  * Add myself to Uploaders and quieten lintian a bit
+  * Do not replace patched jquery-tablesorter with unpatched one;
+    unbreaks sortable tables (Closes: #687519)
+  * Update versioned Breaks against fusionforge and mw-extensions
+
+  [ Jonathan Wiltshire ]
+  * Add Recommends on mediawiki-extensions-base and php-wikidiff2
+
+ -- Thorsten Glaser <tg at mirbsd.de>  Thu, 20 Sep 2012 13:40:12 +0200
+
 mediawiki (1:1.19.1-1) unstable; urgency=low
 
   * New upstream bug fix release
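Review bot: the entry "Do the wfSuppressWarnings patch used with FusionForge right" does not name the interface it introduces; since FusionForge (and, per the mail, possibly others) will read the new `$wf__warnings_suppressed` global, spell it out in the changelog so that anyone grepping for the variable finds where and why it appeared.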
--- mediawiki-1.19.2-0/debian/control	2012-06-18 16:31:31.000000000 +0200
+++ mediawiki-1.19.2-1/debian/control	2012-09-20 13:45:26.000000000 +0200
@@ -2,7 +2,7 @@ Source: mediawiki
 Section: web
 Priority: optional
 Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel at lists.alioth.debian.org>
-Uploaders: Romain Beauxis <toots at rastageeks.org>, Jonathan Wiltshire <jmw at debian.org>
+Uploaders: Romain Beauxis <toots at rastageeks.org>, Jonathan Wiltshire <jmw at debian.org>, Thorsten Glaser <tg at mirbsd.de>
 Build-Depends: debhelper (>= 9),
  dh-buildinfo,
  ocaml-nox | ocaml, xsltproc, docbook-xml, docbook-xsl, po-debconf
@@ -13,10 +13,19 @@ Vcs-Browser: http://svn.debian.org/views
 
 Package: mediawiki
 Architecture: all
-Depends: apache2 | httpd, php5, php5-mysql | php5-pgsql | php5-sqlite, mime-support, libjs-jquery, libjs-jquery-tipsy, libjs-jquery-cookie, libjs-jquery-form, libjs-jquery-tablesorter, ${misc:Depends} 
-Recommends: mysql-server | postgresql-contrib, php5-cli, python
+Depends: apache2 | httpd, php5, php5-mysql | php5-pgsql | php5-sqlite, mime-support, libjs-jquery, libjs-jquery-tipsy, libjs-jquery-cookie, libjs-jquery-form, ${misc:Depends}
+Recommends: mysql-server | postgresql-contrib, php5-cli, python, php-wikidiff2,  mediawiki-extensions-base
 Suggests: imagemagick | php5-gd, mediawiki-math, memcached, clamav
-Breaks: fusionforge-plugin-mediawiki (<< 5.2~rc1-4~)
+Breaks: fusionforge-plugin-mediawiki (<< 5.2~rc1+1~),
+ mediawiki-extensions-base (<< 2.8~),
+ mediawiki-extensions-geshi (<< 2.8~),
+ mediawiki-extensions-ldapauth (<< 2.8~),
+ mediawiki-extensions-openid (<< 2.8~),
+ mediawiki-extensions-confirmedit (<< 2.8~),
+ mediawiki-extensions-fckeditor (<< 2.8~),
+ mediawiki-extensions-collection (<< 2.8~),
+ mediawiki-extensions-graphviz (<< 2.8~),
+ mediawiki-extensions (<< 2.8~)
 Description: website engine for collaborative work
  MediaWiki is a wiki engine (a program for creating a collaboratively
  edited website). It is designed to handle heavy websites containing
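Review bot: the new Recommends line has a double space before `mediawiki-extensions-base`; trim it. Also, the Breaks stanza pins every mediawiki-extensions-* package to `(<< 2.8~)` while the new `Recommends: mediawiki-extensions-base` is unversioned; a matching `mediawiki-extensions-base (>= 2.8~)` would make the intended pairing explicit rather than relying on Breaks alone to keep the old extensions out.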
--- mediawiki-1.19.2-0/debian/rules	2012-06-18 16:51:36.000000000 +0200
+++ mediawiki-1.19.2-1/debian/rules	2012-09-20 13:45:26.000000000 +0200
@@ -6,9 +6,14 @@ DEB_UPSTREAM_VERSION ?= $(shell echo $(D
 
 override_dh_install:
 	dh_install
+	# Ugh. This is easier than patching, though.
+	chmod a+x debian/mediawiki/usr/share/mediawiki/includes/normal/UtfNormalTest2.php
 	# Now some tidying up is required
 	chmod a+x debian/mediawiki/usr/share/mediawiki/maintenance/postgres/compare_schemas.pl
 	chmod a+x debian/mediawiki/usr/share/mediawiki/maintenance/postgres/mediawiki_mysql2postgres.pl
+	chmod a+x debian/mediawiki/var/lib/mediawiki/extensions/ConfirmEdit/captcha.py
+	chmod a-x debian/mediawiki/usr/share/mediawiki/resources/jquery/images/marker.png
+	chmod a-x debian/mediawiki/var/lib/mediawiki/extensions/WikiEditor/modules/jquery.wikiEditor.toolbar.config.js
 	find debian/mediawiki/usr/share/mediawiki -maxdepth 1 -mindepth 1 | grep -v "\(LocalSettings.php\|AdminSettings.php\|debian-scripts\|images\|extensions\|config\)" | \
 	while read i; do \
 		dh_link "`echo "$$i" | sed -e s#debian/mediawiki/##`" \
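Review bot: `chmod a+x` on `includes/normal/UtfNormalTest2.php` makes a test script executable purely to satisfy lintian, as the "Ugh" comment admits; since the rules file already deletes files the package has no use for (the COPYING/LICENSE removals later in the same target), dropping the test script with `rm -f` is the cleaner fix. Note also that every one of these hard-coded chmod lines aborts the build if upstream moves or removes the file, which is acceptable fail-loud behaviour but worth a comment so the next uploader knows it is deliberate.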
@@ -19,7 +24,7 @@ override_dh_install:
 	rm debian/mediawiki/usr/share/mediawiki/resources/jquery.tipsy/jquery.tipsy.js
 	dh_link usr/share/javascript/jquery/jquery.min.js usr/share/mediawiki/resources/jquery/jquery.js
 	dh_link usr/share/javascript/jquery-tipsy/jquery.tipsy.min.js usr/share/mediawiki/resources/jquery.tipsy/jquery.tipsy.js; \
-	for lib in cookie form tablesorter; do \
+	for lib in cookie form; do \
 		rm debian/mediawiki/usr/share/mediawiki/resources/jquery/jquery.$$lib.js; \
 		dh_link usr/share/javascript/jquery-$$lib/jquery.$$lib.min.js usr/share/mediawiki/resources/jquery/jquery.$$lib.js; \
 		echo $$lib; \
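Review bot: taking `tablesorter` out of this loop means the package now ships MediaWiki's own copy of jquery.tablesorter.js instead of linking to libjs-jquery-tablesorter, i.e. an embedded code copy that will no longer receive fixes through the library package. Add a comment at the loop saying the exception is deliberate (different/patched codebase, #687519) and make sure the embedded copy is recorded where the security team tracks such copies, so future advisories for jquery-tablesorter reach this package too.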
@@ -33,6 +38,7 @@ override_dh_install:
 	rm -f debian/mediawiki/usr/share/mediawiki/maintenance/cssjanus/COPYING
 	rm -f debian/mediawiki/usr/share/mediawiki/maintenance/cssjanus/LICENSE
 	rm -f debian/mediawiki/var/lib/mediawiki/extensions/ParserFunctions/COPYING
+	rm -f debian/mediawiki/var/lib/mediawiki/extensions/Nuke/COPYING
 	# Put debian version for mediawiki version..
 	sed -e "s#$(DEB_UPSTREAM_VERSION)#$(DEB_NOEPOCH_VERSION)#" \
 			-i debian/mediawiki/usr/share/mediawiki/includes/DefaultSettings.php
--- mediawiki-1.19.2-0/debian/watch	2012-01-15 00:44:13.000000000 +0100
+++ mediawiki-1.19.2-1/debian/watch	2012-09-20 13:45:26.000000000 +0200
@@ -1,8 +1,3 @@
-# Example watch control file for uscan
-# Rename this file to "watch" and then you can run the "uscan" command
-# to check for upstream updates and more.
-# See uscan(1) for format
-
 # Compulsory line, this is a version 3 file
 version=3
 

This change lets FusionForge, which has a “developer mode” in which
it does things to error reporting so a developer knows when they make
a mistake, know whether we are in a “sloppy” section of MW code: the
MediaWiki way of doing things is to temporarily disable warnings when
they know they do something that produces one, and these clutter the
FF debug mode enormously. While FusionForge was removed from testing,
I hereby ask that this change still be considered, so we can use all
“other” packages straight from the then-to-be release, including its
security fixes. (This can also be used by others…)
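The following is an added example of the consumer side of this change; it is not FusionForge or MediaWiki code. It assumes MediaWiki's includes/GlobalFunctions.php with the patch above has been loaded, so `wfSuppressWarnings()` and `$wf__warnings_suppressed` exist; when they do not (running the file on its own), a simplified stand-in is defined that only toggles the flag and does not touch error_reporting(). The handler name `ffDevModeErrorHandler` and the `$reported` list are hypothetical.

```php
<?php
// Added example, not part of the Debian upload or of FusionForge.
// A "developer mode" error handler that reports every PHP warning it sees,
// except while MediaWiki has deliberately suppressed warnings around code it
// knows is sloppy. That is exactly what the $wf__warnings_suppressed global
// added to wfSuppressWarnings() exposes.

if ( !function_exists( 'wfSuppressWarnings' ) ) {
	// Stand-in for stand-alone runs only (hypothetical, simplified): the real
	// function in includes/GlobalFunctions.php also lowers error_reporting().
	$wf__warnings_suppressed = false;
	function wfSuppressWarnings( $end = false ) {
		global $wf__warnings_suppressed;
		static $suppressCount = 0;
		if ( $end ) {
			if ( $suppressCount > 0 && !--$suppressCount ) {
				$wf__warnings_suppressed = false; // outermost section closed
			}
		} else {
			++$suppressCount;
			$wf__warnings_suppressed = true;
		}
	}
}

$reported = array(); // hypothetical: what the developer console would show

function ffDevModeErrorHandler( $errno, $errstr, $errfile, $errline ) {
	global $reported;
	// A custom handler is invoked regardless of error_reporting(), so a
	// "report everything" developer mode would otherwise be flooded by the
	// warnings MediaWiki already knows about. Consult MW's flag first.
	if ( !empty( $GLOBALS['wf__warnings_suppressed'] ) ) {
		return true; // inside a wfSuppressWarnings() section: stay quiet
	}
	$reported[] = sprintf( '%s in %s:%d', $errstr, $errfile, $errline );
	return true; // handled; do not fall through to PHP's default handler
}

set_error_handler( 'ffDevModeErrorHandler' );

// Constructed sample run: one warning MW expects, one genuine mistake.
wfSuppressWarnings();
trigger_error( 'expected noise from sloppy MW code', E_USER_WARNING );
wfSuppressWarnings( true );
trigger_error( 'genuine mistake in extension code', E_USER_WARNING );

restore_error_handler();

// Only the second warning is reported.
foreach ( $reported as $line ) {
	echo $line, "\n";
}
```

Because the flag is only set by the outermost wfSuppressWarnings() call and only cleared when the matching end call brings the nesting count back to zero, the handler can treat it as a plain boolean without tracking nesting itself; it should never write to the variable.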

--- mediawiki-1.19.2-0/includes/GlobalFunctions.php	2012-09-29 17:19:21.000000000 +0200
+++ mediawiki-1.19.2-1/includes/GlobalFunctions.php	2012-09-29 17:21:13.000000000 +0200
@@ -2199,7 +2199,9 @@ function wfNegotiateType( $cprefs, $spre
  *
  * @param $end Bool
  */
+$wf__warnings_suppressed = false;
 function wfSuppressWarnings( $end = false ) {
+	global $wf__warnings_suppressed;
 	static $suppressCount = 0;
 	static $originalLevel = false;
 
@@ -2208,6 +2210,7 @@ function wfSuppressWarnings( $end = fals
 			--$suppressCount;
 			if ( !$suppressCount ) {
 				error_reporting( $originalLevel );
+				$wf__warnings_suppressed = false;
 			}
 		}
 	} else {
@@ -2217,6 +2220,7 @@ function wfSuppressWarnings( $end = fals
 				define( 'E_DEPRECATED', 8192 );
 			}
 			$originalLevel = error_reporting( E_ALL & ~( E_WARNING | E_NOTICE | E_USER_WARNING | E_USER_NOTICE | E_DEPRECATED ) );
+			$wf__warnings_suppressed = true;
 		}
 		++$suppressCount;
 	}
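Review bot: the set and clear are correctly tied to the outermost call (set next to the `$originalLevel = error_reporting(...)` that only runs when `$suppressCount` was zero, cleared only when the count returns to zero), so nested suppression is handled. That invariant only holds if nobody else assigns to `$wf__warnings_suppressed`; state in the docblock that the variable is read-only for consumers, because a write from outside would desynchronise it from `$suppressCount` with no way to recover until the next outermost call.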

fix_invalid_xhtml.patch mostly fixes some sloppy coding on the
MediaWiki side as well as places where they forgot to check
whether HTML5 or XHTML was requested. fix_warnings.patch comes
in similar spirit to the $wf__warnings_suppressed change.

Now, the changes between upstream 1.19.1 and 1.19.2 can also
be separated in translation and other changes. The translation
changes are all in languages/messages/ but the diff between
them is 10.2 MB, which is a tad large for this message, so I
politely ask that you look at that part yourselves or trust in
upstream they really only included translation changes.

All other changes boil down to upstream removing the .gitignore
files from the .orig.tar.gz and the file mw-1-19-2.diff attached,
which are release notes and what I hope are only the fixes for
the security issues mentioned (the changes look okay-ish to me,
but I’m not capable of analysing them fully, since I normally
don’t hang that deep inside MW source code).

unblock mediawiki/1:1.19.2-1

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-3-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh-static
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_invalid_xhtml.patch
Type: text/x-diff
Size: 5978 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mediawiki-devel/attachments/20120929/565f90c9/attachment-0002.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_warnings.patch
Type: text/x-diff
Size: 828 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mediawiki-devel/attachments/20120929/565f90c9/attachment-0003.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mw-1-19-2.diff
Type: text/x-diff
Size: 19614 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mediawiki-devel/attachments/20120929/565f90c9/attachment-0001.diff>

