[Pkg-mediawiki-devel] Bug#705535: unblock: mediawiki/1:1.19.5-1

Thorsten Glaser tg at mirbsd.de
Tue Apr 16 09:25:21 UTC 2013


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package mediawiki

Please consider allowing the new security bugfix release of
mediawiki’s long-term support branch into wheezy. The upload
to sid also contains a documentation change and a code change,
both related to correcting the installation/setup process.

The Debian changes, except patch-context-linenumber changes,
are as follows:

--- debian/changelog	(revision 430)
+++ debian/changelog	(working copy)
@@ -1,3 +1,21 @@
+mediawiki (1:1.19.5-1) unstable; urgency=high
+
+  [ Platonides ]
+  * Update config URL in README.Debian (Closes: #703804)
+
+  [ Thorsten Glaser ]
+  * Re-add LocalSettings creation snippet for support of the
+    mediawiki-extensions Debian packaging (Closes: #703852)
+  * New upstream security-only release:
+    - (bug 47251) SECURITY: Disable external entities in Import
+    - (bug 46859) SECURITY: Disable external entities in XMLReader
+    - (bug 46084) SECURITY: Sanitize $limitReport before outputting
+    - (bug 43594) Fix notices displayed on PHP 5.4
+    - (bug 40585) Don't drop 'step="any"' in HTML input fields.
+  * Refresh patches against new upstream code
+
+ -- Thorsten Glaser <tg at mirbsd.de>  Tue, 16 Apr 2013 11:04:05 +0200
+
 mediawiki (1:1.19.4-1) unstable; urgency=high
 
   * Urgency high for security fix
--- debian/patches/debian_specific_config.patch	(revision 0)
+++ debian/patches/debian_specific_config.patch	(revision 434)
@@ -0,0 +1,18 @@
+$Id$
+
+Support mediawiki-extensions Debian packaging (see #703852).
+
+--- a/includes/installer/LocalSettingsGenerator.php
++++ b/includes/installer/LocalSettingsGenerator.php
+@@ -333,6 +333,11 @@ if ( !defined( 'MEDIAWIKI' ) ) {
+ # Path to the GNU diff3 utility. Used for conflict resolution.
+ \$wgDiff3 = \"{$this->values['wgDiff3']}\";
+ 
++# debian-specific include:
++if (is_file(\"/etc/mediawiki-extensions/extensions.php\")) {
++	include(\"/etc/mediawiki-extensions/extensions.php\");
++}
++
+ # Query string length limit for ResourceLoader. You should only set this if
+ # your web server has a query string length limit (then set it to that limit),
+ # or if you have suhosin.get.max_value_length set in php.ini (then set it to
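Review bot: The comment `# debian-specific include:` on the first added line says nothing about what the included file is or who writes it; since these lines are emitted into every generated LocalSettings.php (note the `\$`/`\"` escaping, so they sit inside a PHP string in LocalSettingsGenerator), the generated file should explain itself to the wiki admin, e.g. `# Debian-specific: load the extensions enabled through the mediawiki-extensions package (Debian #703852).`. The added `is_file()` guard only checks existence, so whatever ends up in /etc/mediawiki-extensions/extensions.php runs with the web server's privileges on every request; the packaging side presumably keeps that file root-owned and not web-writable, which is worth stating in the patch header. The enclosing generator method starts and ends outside this hunk.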

--- debian/patches/series	(revision 430)
+++ debian/patches/series	(working copy)
@@ -6,3 +6,4 @@
 bz29635.patch
 bz40889.patch
 bz39635.patch
+debian_specific_config.patch
--- debian/README.Debian	(revision 430)
+++ debian/README.Debian	(working copy)
@@ -14,14 +14,14 @@
 
 Configuration:
 	The configuration uses an easy web-based system ; just go to this URL :
-		http://www.myserver.org/mediawiki/config/index.php
+		http://www.myserver.org/mediawiki/mw-config/index.php
 		(replace by your own servername)
 	  You may of course configure your webserver to serve this URL. A default
 	  configuration can be found in /etc/mediawiki/. Apache and cherokee users
 	  may have linked this in their configuration automatically if they asked
 	  the installer to do so.
 	Then just copy the generated config to the real system location :
-		mv /var/lib/mediawiki/config/LocalSettings.php \
+		mv /var/lib/mediawiki/mw-config/LocalSettings.php \
 		 /etc/mediawiki
 	You should change file permissions for LocalSettings.php as required to
 	prevent other users on the server from reading passwords and

The upstream changes are as follows:

--- mediawiki-1.19.4/RELEASE-NOTES-1.19	2013-03-04 19:11:51.000000000 +0100
+++ mediawiki-1.19.5/RELEASE-NOTES-1.19	2013-04-15 18:23:52.000000000 +0200
@@ -3,6 +3,17 @@
 Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
 
+== MediaWiki 1.19.5 ==
+
+This is a security and maintenance release of the MediaWiki 1.19 branch
+
+=== Changes since 1.19.4 ===
+* (bug 47251) SECURITY: Disable external entities in Import
+* (bug 46859) SECURITY: Disable external entities in XMLReader
+* (bug 46084) SECURITY: Sanitize $limitReport before outputting
+* (bug 43594) Fix notices displayed on PHP 5.4
+* (bug 40585) Don't drop 'step="any"' in HTML input fields.
+
 == MediaWiki 1.19.4 ==
 
 This is a maintenance release of the MediaWiki 1.19 branch
--- mediawiki-1.19.4/includes/DefaultSettings.php	2013-03-04 19:11:51.000000000 +0100
+++ mediawiki-1.19.5/includes/DefaultSettings.php	2013-04-15 18:23:52.000000000 +0200
@@ -33,7 +33,7 @@ $wgConf = new SiteConfiguration;
 /** @endcond */
 
 /** MediaWiki version number */
-$wgVersion = '1.19.4';
+$wgVersion = '1.19.5';
 
 /** Name of the site. It must be changed in LocalSettings.php */
 $wgSitename = 'MediaWiki';
--- mediawiki-1.19.4/includes/GlobalFunctions.php	2013-03-04 19:11:51.000000000 +0100
+++ mediawiki-1.19.5/includes/GlobalFunctions.php	2013-04-15 18:23:52.000000000 +0200
@@ -2216,7 +2216,7 @@ function wfSuppressWarnings( $end = fals
 			if( !defined( 'E_DEPRECATED' ) ) {
 				define( 'E_DEPRECATED', 8192 );
 			}
-			$originalLevel = error_reporting( E_ALL & ~( E_WARNING | E_NOTICE | E_USER_WARNING | E_USER_NOTICE | E_DEPRECATED ) );
+			$originalLevel = error_reporting( E_ALL & ~( E_WARNING | E_NOTICE | E_USER_WARNING | E_USER_NOTICE | E_DEPRECATED | E_USER_DEPRECATED | E_STRICT ) );
 		}
 		++$suppressCount;
 	}
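Review bot: The `E_USER_DEPRECATED` added to the error_reporting mask is not guarded the way `E_DEPRECATED` is three lines above it; both constants appeared in PHP 5.3, so if the `defined( 'E_DEPRECATED' )` fallback is still needed for older PHP, an undefined `E_USER_DEPRECATED` would be read as a bare string and raise a notice inside the very function meant to suppress notices. Either add the matching guard, `if( !defined( 'E_USER_DEPRECATED' ) ) { define( 'E_USER_DEPRECATED', 16384 ); }`, or, if PHP < 5.3 is no longer supported, drop the `E_DEPRECATED` guard as dead code. wfSuppressWarnings begins before and ends after this hunk.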
--- mediawiki-1.19.4/includes/Html.php	2013-03-04 19:11:51.000000000 +0100
+++ mediawiki-1.19.5/includes/Html.php	2013-04-15 18:23:52.000000000 +0200
@@ -434,7 +434,13 @@ class Html {
 			# server-side validation.  Opera is the only other implementation at
 			# this time, and has ugly UI, so just kill the feature entirely until
 			# we have at least one good implementation.
-			if ( in_array( $key, array( 'max', 'min', 'pattern', 'required', 'step' ) ) ) {
+
+			# As the default value of "1" for "step" rejects decimal
+			# numbers to be entered in 'type="number"' fields, allow
+			# the special case 'step="any"'.
+
+			if ( in_array( $key, array( 'max', 'min', 'pattern', 'required' ) ) ||
+				 $key === 'step' && $value !== 'any' ) {
 				continue;
 			}
 
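Review bot: The new condition mixes `||` and `&&` on one expression without parentheses; PHP binds `&&` tighter so it behaves as intended, but the reader has to recall the precedence table to see that `step` is only skipped when its value is not `'any'`. Writing it as `in_array( $key, array( 'max', 'min', 'pattern', 'required' ) ) || ( $key === 'step' && $value !== 'any' )` makes the intent explicit. The blank lines around the added comment also separate it from the `if` it explains; keeping the comment directly above the condition matches the surrounding block. The enclosing loop and method continue outside this hunk.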
--- mediawiki-1.19.4/includes/Import.php	2013-03-04 19:11:51.000000000 +0100
+++ mediawiki-1.19.5/includes/Import.php	2013-04-15 18:23:52.000000000 +0200
@@ -396,9 +396,15 @@ class WikiImporter {
 	 * Primary entry point
 	 */
 	public function doImport() {
+
+		// Calls to reader->read need to be wrapped in calls to
+		// libxml_disable_entity_loader() to avoid local file
+		// inclusion attacks (bug 46932).
+		$oldDisable = libxml_disable_entity_loader( true );
 		$this->reader->read();
 
 		if ( $this->reader->name != 'mediawiki' ) {
+			libxml_disable_entity_loader( $oldDisable );
 			throw new MWException( "Expected <mediawiki> tag, got ".
 				$this->reader->name );
 		}
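Review bot: The `libxml_disable_entity_loader( $oldDisable )` restore is only done on the `!= 'mediawiki'` throw path here and at the normal return in the second Import.php hunk (the `return true;` hunk); any exception raised in the read loop between the two hunks, which is not visible here, leaves entity loading disabled for the rest of the request, a process-global change that can break unrelated XML consumers later in the same request. Since this branch targets PHP without `finally`, the SVGMetadataExtractor change in this same upload shows the pattern to copy: wrap the loop in `try { … } catch ( Exception $e ) { libxml_disable_entity_loader( $oldDisable ); throw $e; }` and keep the single restore after it. The comment on the added lines cites bug 46932 while the release notes cite bug 47251 for this fix; presumably the same issue, but worth aligning. doImport starts in this hunk and ends in the second hunk.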
@@ -437,6 +443,7 @@ class WikiImporter {
 			}
 		}
 
+		libxml_disable_entity_loader( $oldDisable );
 		return true;
 	}
 
--- mediawiki-1.19.4/includes/cache/FileCacheBase.php	2013-03-04 19:11:51.000000000 +0100
+++ mediawiki-1.19.5/includes/cache/FileCacheBase.php	2013-04-15 18:23:52.000000000 +0200
@@ -116,9 +116,12 @@ abstract class FileCacheBase {
 	 * @return string
 	 */
 	public function fetchText() {
-		// gzopen can transparently read from gziped or plain text
-		$fh = gzopen( $this->cachePath(), 'rb' );
-		return stream_get_contents( $fh );
+		if( $this->useGzip() ) {
+			$fh = gzopen( $this->cachePath(), 'rb' );
+			return stream_get_contents( $fh );
+		} else {
+			return file_get_contents( $this->cachePath() );
+		}
 	}
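Review bot: Neither branch of the rewritten fetchText checks for failure, and the gzip branch still never closes the handle it opens, which the change did not address: `gzopen()` returns `false` when the cache file cannot be opened and `stream_get_contents( false )` then emits a warning and returns `false`, while the handle in the success case lives until garbage collection. The gzip branch should become `$text = stream_get_contents( $fh ); gzclose( $fh ); return $text;` after a `$fh === false` check, and the plain branch should check `file_get_contents()` for `false` rather than returning it as if it were cache text, since the docblock above promises a string. The `if( ... )` spacing also differs from the `if ( ... )` style used elsewhere in this patch set.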
 
 	/**
--- mediawiki-1.19.4/includes/media/SVGMetadataExtractor.php	2013-03-04 19:11:51.000000000 +0100
+++ mediawiki-1.19.5/includes/media/SVGMetadataExtractor.php	2013-04-15 18:23:52.000000000 +0200
@@ -71,7 +71,12 @@ class SVGReader {
 		// Expand entities, since Adobe Illustrator uses them for xmlns 
 		// attributes (bug 31719). Note that libxml2 has some protection 
 		// against large recursive entity expansions so this is not as 
-		// insecure as it might appear to be.
+		// insecure as it might appear to be. However, it is still extremely
+		// insecure. It's necessary to wrap any read() calls with
+		// libxml_disable_entity_loader() to avoid arbitrary local file
+		// inclusion, or even arbitrary code execution if the expect
+		// extension is installed (bug 46859).
+		$oldDisable = libxml_disable_entity_loader( true );
 		$this->reader->setParserProperty( XMLReader::SUBST_ENTITIES, true );
 
 		$this->metadata['width'] = self::DEFAULT_WIDTH;
@@ -85,9 +90,11 @@ class SVGReader {
 			$this->read();
 		} catch( Exception $e ) {
 			wfRestoreWarnings();
+			libxml_disable_entity_loader( $oldDisable );
 			throw $e;
 		}
 		wfRestoreWarnings();
+		libxml_disable_entity_loader( $oldDisable );
 	}
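Review bot: The try/catch here restores the entity-loader setting only around `$this->read()`, but `$oldDisable` is captured in the first SVGMetadataExtractor hunk several lines earlier, before `setParserProperty()` and whatever runs in the lines between the two hunks; any exception thrown in that stretch skips the restore and leaves entity loading disabled for the rest of the request, a process-global side effect. Moving the `libxml_disable_entity_loader( true )` call down to immediately precede the `try`, or widening the `try` to start right after it, closes that window. The exact contents of the gap are not visible in this diff, so this is inferred from the two hunks' line ranges.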
 
 	/**
@@ -100,7 +107,7 @@ class SVGReader {
 	/**
 	 * Read the SVG
 	 */
-	public function read() {
+	protected function read() {
 		$keepReading = $this->reader->read();
 
 		/* Skip until first element */
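Review bot: Tightening `read()` from `public` to `protected` changes the class's API without the docblock saying why, and `Read the SVG` gives a future maintainer no reason not to make it public again. The docblock should record the contract the previous hunks establish, e.g. `Read the SVG. Must only be called from the constructor, which wraps it in libxml_disable_entity_loader() so that external entities are never resolved (bug 46859).` A `@throws` line for the exceptions the constructor rethrows would also help. read()'s body continues past this hunk.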
--- mediawiki-1.19.4/includes/parser/Parser.php	2013-03-04 19:11:51.000000000 +0100
+++ mediawiki-1.19.5/includes/parser/Parser.php	2013-04-15 18:23:52.000000000 +0200
@@ -460,6 +460,11 @@ class Parser {
 				"Template argument size: {$this->mIncludeSizes['arg']}/$max bytes\n".
 				$PFreport;
 			wfRunHooks( 'ParserLimitReport', array( $this, &$limitReport ) );
+
+			// Sanitize for comment. Note '‐' in the replacement is U+2010,
+			// which looks much like the problematic '-'.
+			$limitReport = str_replace( array( '-', '&' ), array( '‐', '&' ), $limitReport );
+
 			$text .= "\n<!-- \n$limitReport-->\n";
 		}
 		$this->mOutput->setText( $text );
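Review bot: As rendered here the second replacement pair maps `'&'` to `'&'`, which is a no-op; either the mailing-list archive decoded an HTML entity in the replacement string, in which case the upstream source should be checked for what the intended replacement actually is, or the pair is dead code and should be removed. The comment on the added lines explains the look-alike character but not the threat: `$limitReport` is emitted inside an HTML comment on the following line and includes hook-supplied text, and a `--` or `-->` sequence in it would close the comment early and inject markup into the page, which is why `-` must not survive. Suggested wording: `// $limitReport is emitted inside an HTML comment below; a literal '-' (and so '-->') would let hook-supplied text break out of it. Replace with U+2010 HYPHEN, which renders alike but is not a comment terminator.` The enclosing method starts and ends outside this hunk.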
--- mediawiki-1.19.4/tests/phpunit/includes/HtmlTest.php	2013-03-04 19:11:51.000000000 +0100
+++ mediawiki-1.19.5/tests/phpunit/includes/HtmlTest.php	2013-04-15 18:23:52.000000000 +0200
@@ -330,4 +330,16 @@ class HtmlTest extends MediaWikiTestCase
 		);
 	}
 
+	public function testFormValidationBlacklist() {
+		$this->assertEmpty(
+			Html::expandAttributes( array( 'min' => 1, 'max' => 100, 'pattern' => 'abc', 'required' => true, 'step' => 2 ) ),
+			'Blacklist form validation attributes.'
+		);
+		$this->assertEquals(
+			' step="any"',
+			Html::expandAttributes( array( 'min' => 1, 'max' => 100, 'pattern' => 'abc', 'required' => true, 'step' => 'any' ) ),
+			"Allow special case 'step=\"any\"'."
+		);
+	}
+
 }
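Review bot: The first assertion uses `assertEmpty()` on the string returned by `Html::expandAttributes`, so it would also pass for `'0'` or `false`, neither of which is the intended result; `$this->assertSame( '', Html::expandAttributes( ... ), 'Blacklist form validation attributes.' )` pins the exact contract. The second case only checks `step="any"`; adding a case with a numeric string such as `'step' => '2'` alongside the integer `2` would document that the new `$value !== 'any'` check is strict on value, not on type. The test method is complete within this hunk.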

unblock mediawiki/1:1.19.5-1

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh-static


