Author: tg
Date: 2012-03-30 08:43:27 +0000 (Fri, 30 Mar 2012)
New Revision: 310

Added:
   mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch
Modified:
   mediawiki/sid-sec/debian/changelog
   mediawiki/sid-sec/debian/patches/series
Log:
first cut at #666269 for sid-security:

• three do not seem to affect us: the code doesn’t
even appear to be in 1.15
• one, I attempted to backport the fix (not yet tested)
• one I cannot access… wait for that to be disclosed


Modified: mediawiki/sid-sec/debian/changelog
===================================================================
--- mediawiki/sid-sec/debian/changelog  2012-03-20 10:15:18 UTC (rev 309)
+++ mediawiki/sid-sec/debian/changelog  2012-03-30 08:43:27 UTC (rev 310)
@@ -1,3 +1,14 @@
+mediawiki (1:1.15.5-9) UNRELEASED; urgency=high
+
+  * Address MW security release 1.18.1-1 (Closes: #666269)
+    - CVE-2012-1578 MW#34212: doesn’t affect 1.15
+    - CVE-2012-1579 MW#34907: doesn’t affect 1.15
+    - CVE-2012-1580 MW#35317: doesn’t affect 1.15
+    - CVE-2012-1581 MW#35078: (can’t access bugreport)
+    - CVE-2012-1582 MW#35315: fix backported
+
+ -- Thorsten Glaser <t...@mirbsd.de>  Fri, 30 Mar 2012 10:41:58 +0200
+
 mediawiki (1:1.15.5-8) unstable; urgency=low
 
   * Fix reversing IPv4 address for SORBS blacklist; patch from

Added: mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch
===================================================================
--- mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch                        
        (rev 0)
+++ mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch        2012-03-30 
08:43:27 UTC (rev 310)
@@ -0,0 +1,150 @@
+Description: Fixed a few "strip tag exposed" bugs.
+Author: Tim Starling (r114231)
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=35315
+
+Index: mediawiki-1.15.5/includes/parser/CoreParserFunctions.php
+===================================================================
+--- mediawiki-1.15.5.orig/includes/parser/CoreParserFunctions.php      
2012-03-30 10:28:12.000000000 +0200
++++ mediawiki-1.15.5/includes/parser/CoreParserFunctions.php   2012-03-30 
10:32:57.000000000 +0200
+@@ -120,7 +120,8 @@
+       }
+ 
+       static function urlencode( $parser, $s = '' ) {
+-              return urlencode( $s );
++              $func = 'urlencode';
++              return $parser->markerSkipCallback( $s, $func );
+       }
+ 
+       static function lcfirst( $parser, $s = '' ) {
+@@ -135,20 +136,12 @@
+ 
+       static function lc( $parser, $s = '' ) {
+               global $wgContLang;
+-              if ( is_callable( array( $parser, 'markerSkipCallback' ) ) ) {
+-                      return $parser->markerSkipCallback( $s, array( 
$wgContLang, 'lc' ) );
+-              } else {
+-                      return $wgContLang->lc( $s );
+-              }
++              return $parser->markerSkipCallback( $s, array( $wgContLang, 
'lc' ) );
+       }
+ 
+       static function uc( $parser, $s = '' ) {
+               global $wgContLang;
+-              if ( is_callable( array( $parser, 'markerSkipCallback' ) ) ) {
+-                      return $parser->markerSkipCallback( $s, array( 
$wgContLang, 'uc' ) );
+-              } else {
+-                      return $wgContLang->uc( $s );
+-              }
++              return $parser->markerSkipCallback( $s, array( $wgContLang, 
'uc' ) );
+       }
+ 
+       static function localurl( $parser, $s = '', $arg = null ) { return 
self::urlFunction( 'getLocalURL', $s, $arg ); }
+@@ -180,15 +173,17 @@
+               }
+       }
+ 
+-      static function formatNum( $parser, $num = '', $raw = null) {
+-              if ( self::israw( $raw ) ) {
+-                      return 
$parser->getFunctionLang()->parseFormattedNumber( $num );
++      static function formatnum( $parser, $num = '', $raw = null) {
++              if ( self::isRaw( $raw ) ) {
++                      $func = array( $parser->getFunctionLang(), 
'parseFormattedNumber' );
+               } else {
+-                      return $parser->getFunctionLang()->formatNum( $num );
++                      $func = array( $parser->getFunctionLang(), 'formatNum' 
);
+               }
++              return $parser->markerSkipCallback( $num, $func );
+       }
+ 
+       static function grammar( $parser, $case = '', $word = '' ) {
++              $word = $parser->killMarkers( $word );
+               return $parser->getFunctionLang()->convertGrammar( $word, $case 
);
+       }
+ 
+@@ -495,7 +490,8 @@
+       /**
+        * Unicode-safe str_pad with the restriction that $length is forced to 
be <= 500
+        */
+-      static function pad( $string, $length, $padding = '0', $direction = 
STR_PAD_RIGHT ) {
++      static function pad( $parser, $string, $length, $padding = '0', 
$direction = STR_PAD_RIGHT ) {
++              $padding = $parser->killMarkers( $padding );
+               $lengthOfPadding = mb_strlen( $padding );               
+               if ( $lengthOfPadding == 0 ) return $string;
+               
+@@ -519,14 +515,15 @@
+       }
+ 
+       static function padleft( $parser, $string = '', $length = 0, $padding = 
'0' ) {
+-              return self::pad( $string, $length, $padding, STR_PAD_LEFT );
++              return self::pad( $parser, $string, $length, $padding, 
STR_PAD_LEFT );
+       }
+ 
+       static function padright( $parser, $string = '', $length = 0, $padding 
= '0' ) {
+-              return self::pad( $string, $length, $padding );
++              return self::pad( $parser, $string, $length, $padding );
+       }
+ 
+       static function anchorencode( $parser, $text ) {
++              $text = $parser->killMarkers( $text );
+               $a = urlencode( $text );
+               $a = strtr( $a, array( '%' => '.', '+' => '_' ) );
+               # leave colons alone, however
+Index: mediawiki-1.15.5/includes/parser/Parser.php
+===================================================================
+--- mediawiki-1.15.5.orig/includes/parser/Parser.php   2012-03-30 
10:21:44.000000000 +0200
++++ mediawiki-1.15.5/includes/parser/Parser.php        2012-03-30 
10:33:57.000000000 +0200
+@@ -3521,14 +3521,17 @@
+                       }
+ 
+                       # The safe header is a version of the header text safe 
to use for links
+-                      # Avoid insertion of weird stuff like <math> by 
expanding the relevant sections
+-                      $safeHeadline = $this->mStripState->unstripBoth( 
$headline );
+ 
+                       # Remove link placeholders by the link text.
+                       #     <!--LINK number-->
+                       # turns into
+                       #     link text with suffix
+-                      $safeHeadline = $this->replaceLinkHoldersText( 
$safeHeadline );
++
++                      # Do this before unstrip since link text can contain 
strip markers
++                      $safeHeadline = $this->replaceLinkHoldersText( 
$headline );
++
++                      # Avoid insertion of weird stuff like <math> by 
expanding the relevant sections
++                      $safeHeadline = $this->mStripState->unstripBoth( 
$safeHeadline );
+ 
+                       # Strip out HTML (other than plain <sup> and <sub>: bug 
8393)
+                       $tocline = preg_replace(
+@@ -4896,6 +4899,16 @@
+               // Should be good to go.
+               return $text;
+       }
++
++      /**
++       * Remove any strip markers found in the given text.
++       *
++       * @param $text Input string
++       * @return string
++       */
++      function killMarkers( $text ) {
++              return $this->mStripState->killMarkers( $text );
++      }
+ }
+ 
+ /**
+@@ -4940,6 +4953,16 @@
+               wfProfileOut( __METHOD__ );
+               return $text;
+       }
++
++      /**
++       * Remove any strip markers found in the given text.
++       *
++       * @param $text Input string
++       * @return string
++       */
++      function killMarkers( $text ) {
++              return preg_replace( $this->regex, '', $text );
++      }
+ }
+ 
+ /**
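Review bot: The second `killMarkers()` added to Parser.php (inner hunk `@@ -4940,6 +4953,16 @@`, in the class that follows `Parser`) runs `preg_replace( $this->regex, '', $text )`, but nothing visible in this backport defines `$this->regex`, and it may exist only in the newer upstream strip-state class. If the 1.15 class lacks it, the pattern is empty and `preg_replace` returns null, so `grammar`, `pad` and `anchorencode` would lose their whole input rather than only the markers. The log says the backport is untested, so confirm this before upload. One option, assuming the 1.15 parser has the prefix and suffix that `markerSkipCallback` uses, is to build the pattern in `Parser::killMarkers()`: `return preg_replace( '/' . preg_quote( $this->mUniqPrefix, '/' ) . '[^\x7f]+' . preg_quote( self::MARKER_SUFFIX, '/' ) . '/', '', $text );`. Separately, `pad()` gains a leading `$parser` parameter and only `padleft` and `padright` are updated here, so any other caller using the old argument order would silently shift its arguments; both classes continue outside the hunks shown.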

Modified: mediawiki/sid-sec/debian/patches/series
===================================================================
--- mediawiki/sid-sec/debian/patches/series     2012-03-20 10:15:18 UTC (rev 
309)
+++ mediawiki/sid-sec/debian/patches/series     2012-03-30 08:43:27 UTC (rev 
310)
@@ -19,3 +19,4 @@
 backport-block-prevent.patch
 fix-blacklist.patch
 php54.patch
+CVE-2012-1582.patch

