Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Dear Release Team,

on behalf of the Security Team, could you please unblock the package
mediawiki? It fixes yet another security vulnerability (CVE
assignment pending), which prompted the issuing of DSA-3110-1 for
wheezy-security. The corresponding Debian bug is 773654.

You can find the debdiff at the end of this email.

unblock mediawiki/1:1.19.20+dfsg-2.2

-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (501, 'stable'), (500, 'oldstable-proposed-updates'), (500, 'oldstable'), (1, 'unstable'), (1, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -Nru mediawiki-1.19.20+dfsg/debian/changelog 
mediawiki-1.19.20+dfsg/debian/changelog
--- mediawiki-1.19.20+dfsg/debian/changelog     2014-12-14 18:27:31.000000000 
+0100
+++ mediawiki-1.19.20+dfsg/debian/changelog     2014-12-21 13:11:10.000000000 
+0100
@@ -1,3 +1,12 @@
+mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add patch fixing T76686: thumb.php outputs wikitext message as raw
+    HTML, which could lead to xss. Permission to edit MediaWiki namespace
+    is required to exploit this.
+
+ -- Sebastien Delafond <s...@debian.org>  Sun, 21 Dec 2014 13:11:10 +0100
+
 mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
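Review bot: the new changelog entry does not reference the Debian bug that the cover mail names (773654); adding `(Closes: #773654)` to the "Add patch fixing T76686" bullet lets the upload close it in the BTS automatically. Minor style point in the same bullet: "xss" would normally be written "XSS", and since the changelog is user-facing it is worth saying that the raw HTML is emitted by thumb.php error responses, which is what the patch body actually touches.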
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/series 
mediawiki-1.19.20+dfsg/debian/patches/series
--- mediawiki-1.19.20+dfsg/debian/patches/series        2014-12-14 
18:22:55.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/series        2014-12-21 
13:10:23.000000000 +0100
@@ -11,3 +11,4 @@
 suppress_warnings.patch
 CVE-2014-9277_1.patch
 CVE-2014-9277_2.patch
+T76686.patch
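Review bot: nothing to flag in the series change itself; the new patch is named after the Phabricator task (T76686) rather than a CVE, which is consistent with "CVE assignment pending" in the cover mail, but the two preceding entries follow a `CVE-2014-9277_N.patch` convention, so a rename once the identifier is assigned would keep the series uniform.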
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/T76686.patch 
mediawiki-1.19.20+dfsg/debian/patches/T76686.patch
--- mediawiki-1.19.20+dfsg/debian/patches/T76686.patch  1970-01-01 
01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/T76686.patch  2014-12-21 
13:10:21.000000000 +0100
@@ -0,0 +1,55 @@
+From fdd3f464ef9aa7f3276a2a8dddc85e3769cfda83 Mon Sep 17 00:00:00 2001
+From: Kunal Mehta <lego...@gmail.com>
+Date: Thu, 4 Dec 2014 14:06:55 -0800
+Subject: [PATCH] thumb.php: Set proper output formats for messages going into
+ HTML
+
+* Use ->parse() instead of ->text() for wikitext messages that were
+  being treated as HTML
+* Explicitly specify ->parse() if no output format was set
+* Document that wfThumbError() takes HTML
+
+Bug: T76686
+Change-Id: Id6e7548b2e081cfda7803772ed0395a15feb1f84
+---
+ thumb.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/thumb.php b/thumb.php
+index 60a7ffb..a7a09fc 100644
+--- a/thumb.php
++++ b/thumb.php
+@@ -107,13 +107,13 @@ function wfStreamThumb( array $params ) {
+               // Format is <timestamp>!<name>
+               $bits = explode( '!', $fileName, 2 );
+               if ( count( $bits ) != 2 ) {
+-                      wfThumbError( 404, wfMsg( 'badtitletext' ) );
++                      wfThumbError( 404, wfMessage( 'badtitletext' )->parse() 
);
+                       wfProfileOut( __METHOD__ );
+                       return;
+               }
+               $title = Title::makeTitleSafe( NS_FILE, $bits[1] );
+               if ( !$title ) {
+-                      wfThumbError( 404, wfMsg( 'badtitletext' ) );
++                      wfThumbError( 404, wfMessage( 'badtitletext' )->parse() 
);
+                       wfProfileOut( __METHOD__ );
+                       return;
+               }
+@@ -136,7 +136,7 @@ function wfStreamThumb( array $params ) {
+ 
+       // Check the source file storage path
+       if ( !$img ) {
+-              wfThumbError( 404, wfMsg( 'badtitletext' ) );
++              wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
+               wfProfileOut( __METHOD__ );
+               return;
+       }
+@@ -291,7 +291,7 @@ function wfExtractThumbParams( $uri ) {
+  * Output a thumbnail generation error message
+  *
+  * @param $status integer
+- * @param $msg string
++ * @param string $msg HTML
+  * @return void
+  */
+ function wfThumbError( $status, $msg ) {
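Review bot: two of the added lines look wrapped by the mail client: at both `@@ -107` sites the text reads `wfMessage( 'badtitletext' )->parse()` with the closing `);` on a separate line, while the `@@ -136` site keeps `);` on the same line. This is presumably only an artifact of the email, but the patch in the actual upload should be confirmed to apply cleanly with quilt before the unblock. Separately, the commit message describes the upstream change ("Use ->parse() instead of ->text()" and "Explicitly specify ->parse() if no output format was set"), whereas the body here replaces `wfMsg()` calls and contains no hunk corresponding to the third bullet; either that change is not needed in 1.19 or it was dropped during backporting, and a DEP-3 `Origin: backport, ...` header noting the adaptation would make that explicit for the next reviewer.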

