Author: tg Date: 2012-03-30 08:43:27 +0000 (Fri, 30 Mar 2012) New Revision: 310
Added: mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch Modified: mediawiki/sid-sec/debian/changelog mediawiki/sid-sec/debian/patches/series Log: first cut at #666269 for sid-security: ?\226?\128?\162 three do not seem to affect us: the code doesn?\226?\128?\153t even appear to be in 1.15 ?\226?\128?\162 one, I attempted to backport the fix (not yet tested) ?\226?\128?\162 one I cannot access?\226?\128?\166 wait for that to be disclosed
Modified: mediawiki/sid-sec/debian/changelog
===================================================================
--- mediawiki/sid-sec/debian/changelog 2012-03-20 10:15:18 UTC (rev 309)
+++ mediawiki/sid-sec/debian/changelog 2012-03-30 08:43:27 UTC (rev 310)
@@ -1,3 +1,14 @@
+mediawiki (1:1.15.5-9) UNRELEASED; urgency=high
+
+ * Address MW security release 1.18.1-1 (Closes: #666269)
+ - CVE-2012-1578 MW#34212: doesn’t affect 1.15
+ - CVE-2012-1579 MW#34907: doesn’t affect 1.15
+ - CVE-2012-1580 MW#35317: doesn’t affect 1.15
+ - CVE-2012-1581 MW#35078: (can’t access bugreport)
+ - CVE-2012-1582 MW#35315: fix backported
+
+ -- Thorsten Glaser <t...@mirbsd.de> Fri, 30 Mar 2012 10:41:58 +0200
+
 mediawiki (1:1.15.5-8) unstable; urgency=low

 * Fix reversing IPv4 address for SORBS blacklist; patch from
Added: mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch
===================================================================
--- mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch (rev 0)
+++ mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch 2012-03-30 08:43:27 UTC (rev 310)
@@ -0,0 +1,150 @@
+Description: Fixed a few "strip tag exposed" bugs.
+Author: Tim Starling (r114231)
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=35315
+
+Index: mediawiki-1.15.5/includes/parser/CoreParserFunctions.php
+===================================================================
+--- mediawiki-1.15.5.orig/includes/parser/CoreParserFunctions.php 2012-03-30 10:28:12.000000000 +0200
++++ mediawiki-1.15.5/includes/parser/CoreParserFunctions.php 2012-03-30 10:32:57.000000000 +0200
+@@ -120,7 +120,8 @@
+ }
+
+ static function urlencode( $parser, $s = '' ) {
+- return urlencode( $s );
++ $func = 'urlencode';
++ return $parser->markerSkipCallback( $s, $func );
+ }
+
+ static function lcfirst( $parser, $s = '' ) {
+@@ -135,20 +136,12 @@
+
+ static function lc( $parser, $s = '' ) {
+ global $wgContLang;
+- if ( is_callable( array( $parser, 'markerSkipCallback' ) ) ) {
+- return $parser->markerSkipCallback( $s, array( $wgContLang, 'lc' ) );
+- } else {
+- return $wgContLang->lc( $s );
+- }
++ return $parser->markerSkipCallback( $s, array( $wgContLang, 'lc' ) );
+ }
+
+ static function uc( $parser, $s = '' ) {
+ global $wgContLang;
+- if ( is_callable( array( $parser, 'markerSkipCallback' ) ) ) {
+- return $parser->markerSkipCallback( $s, array( $wgContLang, 'uc' ) );
+- } else {
+- return $wgContLang->uc( $s );
+- }
++ return $parser->markerSkipCallback( $s, array( $wgContLang, 'uc' ) );
+ }
+
+ static function localurl( $parser, $s = '', $arg = null ) { return self::urlFunction( 'getLocalURL', $s, $arg ); }
+@@ -180,15 +173,17 @@
+ }
+ }
+
+- static function formatNum( $parser, $num = '', $raw = null) {
+- if ( self::israw( $raw ) ) {
+- return $parser->getFunctionLang()->parseFormattedNumber( $num );
++ static function formatnum( $parser, $num = '', $raw = null) {
++ if ( self::isRaw( $raw ) ) {
++ $func = array( $parser->getFunctionLang(), 'parseFormattedNumber' );
+ } else {
+- return $parser->getFunctionLang()->formatNum( $num );
++ $func = array( $parser->getFunctionLang(), 'formatNum' );
+ }
++ return $parser->markerSkipCallback( $num, $func );
+ }
+
+ static function grammar( $parser, $case = '', $word = '' ) {
++ $word = $parser->killMarkers( $word );
+ return $parser->getFunctionLang()->convertGrammar( $word, $case );
+ }
+
+@@ -495,7 +490,8 @@
+ /**
+ * Unicode-safe str_pad with the restriction that $length is forced to be <= 500
+ */
+- static function pad( $string, $length, $padding = '0', $direction = STR_PAD_RIGHT ) {
++ static function pad( $parser, $string, $length, $padding = '0', $direction = STR_PAD_RIGHT ) {
++ $padding = $parser->killMarkers( $padding );
+ $lengthOfPadding = mb_strlen( $padding );
+ if ( $lengthOfPadding == 0 ) return $string;
+
+@@ -519,14 +515,15 @@
+ }
+
+ static function padleft( $parser, $string = '', $length = 0, $padding = '0' ) {
+- return self::pad( $string, $length, $padding, STR_PAD_LEFT );
++ return self::pad( $parser, $string, $length, $padding, STR_PAD_LEFT );
+ }
+
+ static function padright( $parser, $string = '', $length = 0, $padding = '0' ) {
+- return self::pad( $string, $length, $padding );
++ return self::pad( $parser, $string, $length, $padding );
+ }
+
+ static function anchorencode( $parser, $text ) {
++ $text = $parser->killMarkers( $text );
+ $a = urlencode( $text );
+ $a = strtr( $a, array( '%' => '.', '+' => '_' ) );
+ # leave colons alone, however
+Index: mediawiki-1.15.5/includes/parser/Parser.php
+===================================================================
+--- mediawiki-1.15.5.orig/includes/parser/Parser.php 2012-03-30 10:21:44.000000000 +0200
++++ mediawiki-1.15.5/includes/parser/Parser.php 2012-03-30 10:33:57.000000000 +0200
+@@ -3521,14 +3521,17 @@
+ }
+
+ # The safe header is a version of the header text safe to use for links
+- # Avoid insertion of weird stuff like <math> by expanding the relevant sections
+- $safeHeadline = $this->mStripState->unstripBoth( $headline );
+
+ # Remove link placeholders by the link text.
+ # <!--LINK number-->
+ # turns into
+ # link text with suffix
+- $safeHeadline = $this->replaceLinkHoldersText( $safeHeadline );
++
++ # Do this before unstrip since link text can contain strip markers
++ $safeHeadline = $this->replaceLinkHoldersText( $headline );
++
++ # Avoid insertion of weird stuff like <math> by expanding the relevant sections
++ $safeHeadline = $this->mStripState->unstripBoth( $safeHeadline );
+
+ # Strip out HTML (other than plain <sup> and <sub>: bug 8393)
+ $tocline = preg_replace(
+@@ -4896,6 +4899,16 @@
+ // Should be good to go.
+ return $text;
+ }
++
++ /**
++ * Remove any strip markers found in the given text.
++ *
++ * @param $text Input string
++ * @return string
++ */
++ function killMarkers( $text ) {
++ return $this->mStripState->killMarkers( $text );
++ }
+ }
+
+ /**
+@@ -4940,6 +4953,16 @@
+ wfProfileOut( __METHOD__ );
+ return $text;
+ }
++
++ /**
++ * Remove any strip markers found in the given text.
++ *
++ * @param $text Input string
++ * @return string
++ */
++ function killMarkers( $text ) {
++ return preg_replace( $this->regex, '', $text );
++ }
+ }
+
+ /**
Modified: mediawiki/sid-sec/debian/patches/series
===================================================================
--- mediawiki/sid-sec/debian/patches/series 2012-03-20 10:15:18 UTC (rev 309)
+++ mediawiki/sid-sec/debian/patches/series 2012-03-30 08:43:27 UTC (rev 310)
@@ -19,3 +19,4 @@
 backport-block-prevent.patch
 fix-blacklist.patch
 php54.patch
+CVE-2012-1582.patch
_______________________________________________ Pkg-mediawiki-commits mailing list pkg-mediawiki-comm...@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mediawiki-commits
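Review bot: The second `killMarkers()` added at `@@ -4940,6 +4953,16 @@` in Parser.php calls `preg_replace( $this->regex, '', $text )`, but nothing in this patch defines or initialises `$this->regex`, and the class it lands in starts outside the hunk. If the 1.15.5 class has no such property (the changelog says the fix comes from the 1.18.1 security release), `preg_replace()` is handed an empty pattern, warns and returns null, so `grammar`, `pad` and `anchorencode` would silently lose their input rather than have the markers stripped. Since the commit log marks the backport as not yet tested, confirm the property exists in this tree or set it in the same patch, and make the method fail loudly instead of returning null, e.g. `if ( !isset( $this->regex ) ) { throw new MWException( __METHOD__ . ': marker regex not set' ); }`. The same availability check applies to the now-unconditional `$parser->markerSkipCallback(...)` calls in `lc`, `uc`, `urlencode` and `formatnum`, whose `is_callable` guards this patch removes.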