On Tue, Nov 29, 2011 at 07:38:46PM +0100, Luciano Bello wrote:
> In the 1.17.1 release announcement, two grave vulnerabilities have been
> fixed:
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html
> Patches are included in the wikimedia bugzilla:
> https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
> https://bugzilla.wikimedia.org/show_bug.cgi?id=32616
> Please consider backporting those patches to stable and oldstable since
> they look affected. Coordinate a DSA release with the security team.
Please find patches attached. The upload to unstable has migrated and these backports have had limited testing from me, as I only have a small wiki to play with. If you approve, please allocate a DSA number and I will write up the text.

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -u mediawiki-1.12.0/debian/changelog mediawiki-1.12.0/debian/changelog --- mediawiki-1.12.0/debian/changelog +++ mediawiki-1.12.0/debian/changelog @@ -1,3 +1,13 @@ +mediawiki (1:1.12.0-2lenny9) oldstable-security; urgency=low + + * Security fixes from upstream (Closes: #650434): + CVE-2011-4360 - page titles on private wikis could be exposed + bypassing different page ids to index.php + CVE-2011-4361 - action=ajax requests were dispatched to the + relevant function without any read permission checks being done + + -- Jonathan Wiltshire <j...@debian.org> Mon, 05 Dec 2011 22:01:20 +0000 + mediawiki (1:1.12.0-2lenny8) oldstable; urgency=high * Oldstable upload. diff -u mediawiki-1.12.0/debian/patches/series mediawiki-1.12.0/debian/patches/series --- mediawiki-1.12.0/debian/patches/series +++ mediawiki-1.12.0/debian/patches/series @@ -15,0 +16,2 @@ +CVE-2011-4360.patch +CVE-2011-4361.patch only in patch2: unchanged: --- mediawiki-1.12.0.orig/debian/patches/CVE-2011-4361.patch +++ mediawiki-1.12.0/debian/patches/CVE-2011-4361.patch 
@@ -0,0 +1,35 @@ +Description: CVE-2011-4361 + Tim Starling discovered that action=ajax requests were dispatched to the + relevant function without any read permission checks being done. + This could have led to data leakage on private wikis. +Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 +Bug-Debian: http://bugs.debian.org/650434 +Forwarded: not-needed +Last-Update: 2011-11-30 + +--- mediawiki-1.12.0.orig/includes/AjaxDispatcher.php ++++ mediawiki-1.12.0/includes/AjaxDispatcher.php +@@ -73,7 +73,7 @@ + * request. + */ + function performAction() { +- global $wgAjaxExportList, $wgOut; ++ global $wgAjaxExportList, $wgOut, $wgUser; + + if ( empty( $this->mode ) ) { + return; +@@ -83,6 +83,13 @@ + if (! in_array( $this->func_name, $wgAjaxExportList ) ) { + wfHttpError( 400, 'Bad Request', + "unknown function " . (string) $this->func_name ); ++ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ++ && !$wgUser->isAllowed( 'read' ) ) ++ { ++ wfHttpError( ++ 403, ++ 'Forbidden', ++ 'You must log in to view pages.' ); + } else { + if ( strpos( $this->func_name, '::' ) !== false ) { + $func = explode( '::', $this->func_name, 2 ); only in patch2: unchanged: --- mediawiki-1.12.0.orig/debian/patches/CVE-2011-4360.patch +++ mediawiki-1.12.0/debian/patches/CVE-2011-4360.patch 
@@ -0,0 +1,31 @@ +Description: CVE-2011-4360 + Alexandre Emsenhuber discovered an issue where page titles on private + wikis could be exposed bypassing different page ids to index.php. In the + case of the user not having correct permissions, they will now be + redirected to Special:BadTitle. +Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 +Bug-Debian: http://bugs.debian.org/650434 +Forwarded: not-needed +Last-Update: 2011-11-30 + + +--- mediawiki-1.12.0.orig/includes/Wiki.php ++++ mediawiki-1.12.0/includes/Wiki.php +@@ -123,6 +123,16 @@ + # the Read array in order for the user to see it. (We have to check here to + # catch special pages etc. We check again in Article::view()) + if ( !is_null( $title ) && !$title->userCanRead() ) { ++ // Bug 32276: allowing the skin to generate output with $wgTitle ++ // set to the input title would allow anonymous users to ++ // determine whether a page exists, potentially leaking private data. In fact, the ++ // curid and oldid request parameters would allow page titles to be enumerated even ++ // when they are not guessable. So we reset the title to Special:Badtitle before the ++ // permissions error is displayed. ++ $badtitle = SpecialPage::getTitleFor( 'Badtitle' ); ++ $output->setTitle( $badtitle ); ++ $wgTitle = $badtitle; ++ + $output->loginToUse(); + $output->output(); + exit;
debian/patches/CVE-2011-4360.patch | 31 +++++++++++++++++++++++++++++ debian/patches/CVE-2011-4361.patch | 35 +++++++++++++++++++++++++++++++++ mediawiki-1.12.0/debian/changelog | 10 +++++++++ mediawiki-1.12.0/debian/patches/series | 2 + 4 files changed, 78 insertions(+)
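Review bot: The debian/changelog hunk at the top of the lenny patch sets urgency=low on the 1:1.12.0-2lenny9 oldstable-security entry, while the immediately preceding 1:1.12.0-2lenny8 entry uses urgency=high; a security upload that is meant to reach oldstable promptly should carry `urgency=high` as well.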
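Review bot: In the CVE-2011-4361.patch header, `Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276` is the same bugzilla id that CVE-2011-4360.patch cites, but the request at the top of the thread lists two upstream bugs, 32276 and 32616; one of the two headers is probably meant to point at 32616, so please check which bug tracks the AjaxDispatcher issue and correct the header. Both patches also cite the same `Origin:` revision 104506, which is fine if upstream fixed both issues in one commit but is worth confirming at the same time.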
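Review bot: The new `elseif` branch in the AjaxDispatcher.php hunk answers 403 with 'You must log in to view pages.' whenever neither the `*` group nor the current user holds `read`; that text is misleading for a user who is already logged in but still lacks the permission (for example when read is restricted to a group). A message that does not assume the caller is anonymous would be clearer. The logic itself is sound: the dispatch happens only in the trailing `else`, so the 403 path skips the function call without needing an explicit return.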
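Review bot: The includes/Wiki.php hunk assigns `$wgTitle = $badtitle;`, but none of the visible context shows a `global $wgTitle;` declaration in the enclosing function; if the function does not already declare it, the assignment only creates a local and the skin still renders with the requested title, leaving the existence check the comment warns about in place. The hunk also calls `$output->setTitle( $badtitle )`, which the 1.12.0 OutputPage may not provide since the upstream change targets a much newer branch. Please confirm both on this branch (the cover mail mentions only limited testing) and that a forbidden request really ends up at Special:Badtitle.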
diff -Nru mediawiki-1.15.5/debian/changelog mediawiki-1.15.5/debian/changelog --- mediawiki-1.15.5/debian/changelog 2011-02-06 14:18:52.000000000 +0000 +++ mediawiki-1.15.5/debian/changelog 2011-12-05 21:40:04.000000000 +0000 @@ -1,3 +1,13 @@ +mediawiki (1:1.15.5-2squeeze2) stable-security; urgency=low + + * Security fixes from upstream (Closes: #650434): + CVE-2011-4360 - page titles on private wikis could be exposed + bypassing different page ids to index.php + CVE-2011-4361 - action=ajax requests were dispatched to the + relevant function without any read permission checks being done + + -- Jonathan Wiltshire <j...@debian.org> Mon, 05 Dec 2011 21:23:40 +0000 + mediawiki (1:1.15.5-2squeeze1) stable; urgency=high * CVE-2011-0047: Protect against a CSS injection vulnerability diff -Nru mediawiki-1.15.5/debian/patches/CVE-2011-4360.patch mediawiki-1.15.5/debian/patches/CVE-2011-4360.patch --- mediawiki-1.15.5/debian/patches/CVE-2011-4360.patch 1970-01-01 01:00:00.000000000 +0100 +++ mediawiki-1.15.5/debian/patches/CVE-2011-4360.patch 2011-12-05 21:24:19.000000000 +0000 
@@ -0,0 +1,31 @@ +Description: CVE-2011-4360 + Alexandre Emsenhuber discovered an issue where page titles on private + wikis could be exposed bypassing different page ids to index.php. In the + case of the user not having correct permissions, they will now be + redirected to Special:BadTitle. +Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 +Bug-Debian: http://bugs.debian.org/650434 +Forwarded: not-needed +Last-Update: 2011-11-30 + + +--- mediawiki-1.15.5.orig/includes/Wiki.php ++++ mediawiki-1.15.5/includes/Wiki.php +@@ -149,6 +149,16 @@ + # the Read array in order for the user to see it. (We have to check here to + # catch special pages etc. We check again in Article::view()) + if( !is_null( $title ) && !$title->userCanRead() ) { ++ // Bug 32276: allowing the skin to generate output with $wgTitle ++ // set to the input title would allow anonymous users to ++ // determine whether a page exists, potentially leaking private data. In fact, the ++ // curid and oldid request parameters would allow page titles to be enumerated even ++ // when they are not guessable. So we reset the title to Special:Badtitle before the ++ // permissions error is displayed. ++ $badtitle = SpecialPage::getTitleFor( 'Badtitle' ); ++ $output->setTitle( $badtitle ); ++ $wgTitle = $badtitle; ++ + $output->loginToUse(); + $output->output(); + $output->disable(); diff -Nru mediawiki-1.15.5/debian/patches/CVE-2011-4361.patch mediawiki-1.15.5/debian/patches/CVE-2011-4361.patch --- mediawiki-1.15.5/debian/patches/CVE-2011-4361.patch 1970-01-01 01:00:00.000000000 +0100 +++ mediawiki-1.15.5/debian/patches/CVE-2011-4361.patch 2011-12-05 21:24:19.000000000 +0000 
@@ -0,0 +1,35 @@ +Description: CVE-2011-4361 + Tim Starling discovered that action=ajax requests were dispatched to the + relevant function without any read permission checks being done. + This could have led to data leakage on private wikis. +Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506 +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 +Bug-Debian: http://bugs.debian.org/650434 +Forwarded: not-needed +Last-Update: 2011-11-30 + +--- mediawiki-1.15.5.orig/includes/AjaxDispatcher.php ++++ mediawiki-1.15.5/includes/AjaxDispatcher.php +@@ -78,7 +78,7 @@ + * request. + */ + function performAction() { +- global $wgAjaxExportList, $wgOut; ++ global $wgAjaxExportList, $wgOut, $wgUser; + + if ( empty( $this->mode ) ) { + return; +@@ -90,6 +90,13 @@ + + wfHttpError( 400, 'Bad Request', + "unknown function " . (string) $this->func_name ); ++ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) ++ && !$wgUser->isAllowed( 'read' ) ) ++ { ++ wfHttpError( ++ 403, ++ 'Forbidden', ++ 'You must log in to view pages.' ); + } else { + wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" ); + diff -Nru mediawiki-1.15.5/debian/patches/series mediawiki-1.15.5/debian/patches/series --- mediawiki-1.15.5/debian/patches/series 2011-02-06 13:39:36.000000000 +0000 +++ mediawiki-1.15.5/debian/patches/series 2011-12-05 21:23:22.000000000 +0000 @@ -7,3 +7,5 @@ suppress_warnings.patch CVE-2011-0003.patch CVE-2011-0047.patch +CVE-2011-4360.patch +CVE-2011-4361.patch
changelog | 10 ++++++++++ patches/CVE-2011-4360.patch | 31 +++++++++++++++++++++++++++++++ patches/CVE-2011-4361.patch | 35 +++++++++++++++++++++++++++++++++++ patches/series | 2 ++ 4 files changed, 78 insertions(+)
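Review bot: The stable-security changelog entry for 1:1.15.5-2squeeze2 also uses urgency=low, while the previous 1:1.15.5-2squeeze1 entry, itself a security fix for CVE-2011-0047, used urgency=high; raise it to high for consistency with DSA uploads.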
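Review bot: The CVE-2011-4361.patch header in this squeeze set carries the same `Bug:` id 32276 as the CVE-2011-4360 patch; as with the lenny set, cross-check against the two upstream bugs cited in the request (32276 and 32616) and correct whichever header is wrong before upload.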
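Review bot: Same check as for the 1.12.0 backport: the includes/Wiki.php hunk at @@ -149,6 +149,16 @@ writes `$wgTitle = $badtitle;` with no `global $wgTitle;` visible in the hunk context, and calls `$output->setTitle( $badtitle )`; confirm that the enclosing function declares the global and that OutputPage::setTitle() exists in 1.15.5, otherwise the title reset is a no-op or a fatal error respectively. The 1.15.5 context ends with `$output->disable();` rather than `exit;`, so the reset must happen before output is generated, which the hunk does.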
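Review bot: The AjaxDispatcher.php hunk here has the same logic as the lenny one and the same 'You must log in to view pages.' message for logged-in users who lack `read`; if that message is reworded in one backport, reword it in both so the two DSA packages behave identically.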