tags 729629 + pending
tags 731381 + pending
thanks

Dear maintainer,
I've prepared an NMU for mediawiki (versioned as 1:1.19.8+dfsg-2.2) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer.

Regards.

David
diff -Nru mediawiki-1.19.8+dfsg/debian/changelog mediawiki-1.19.8+dfsg/debian/changelog --- mediawiki-1.19.8+dfsg/debian/changelog 2013-10-23 11:38:02.000000000 -0400 +++ mediawiki-1.19.8+dfsg/debian/changelog 2013-12-08 16:13:51.000000000 -0400 @@ -1,3 +1,19 @@ +mediawiki (1:1.19.8+dfsg-2.2) unstable; urgency=high + + * Non-maintainer upload + * Security fixes (Closes: #729629): + - Kevin Israel (Wikipedia user PleaseStand) identified and reported two + vectors for injecting Javascript in CSS that bypassed MediaWiki's + blacklist [CVE-2013-4567, CVE-2013-4568] + - Internal review while debugging a site issue discovered that MediaWiki + and the CentralNotice extension were incorrectly setting cache headers + when a user was autocreated, causing the user's session cookies to be + cached, and returned to other users [CVE-2013-4572] + * New Polish debconf translation, thanks to Magdalena Z. Kubot + (Closes: #731381) + + -- David Prévot <taf...@debian.org> Sun, 08 Dec 2013 16:13:40 -0400 + mediawiki (1:1.19.8+dfsg-2.1) unstable; urgency=low * Provide includes/libs in mediawiki-classes (Closes: #703837) diff -Nru mediawiki-1.19.8+dfsg/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch mediawiki-1.19.8+dfsg/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch --- mediawiki-1.19.8+dfsg/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch 1969-12-31 20:00:00.000000000 -0400 +++ mediawiki-1.19.8+dfsg/debian/patches/fix_CVE-2013-4567_and_CVE-2013-4568.patch 2013-12-08 16:10:47.000000000 -0400 
@@ -0,0 +1,153 @@ +Description: Sanitizer::checkCss blacklist can be bypassed using vertical tab (ASCII 11) + +Kevin Israel (Wikipedia user PleaseStand) identified and reported two +vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist +(CVE-2013-4567, CVE-2013-4568). + +Author: Chris Steipp, <cste...@wikimedia.org> +Origin: upstream, https://bugzilla.wikimedia.org/attachment.cgi?id=13772&action=difr +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=55332 +Bug-Debian: http://bugs.debian.org/729629 +--- a/includes/Sanitizer.php ++++ b/includes/Sanitizer.php +@@ -882,6 +882,21 @@ + $value = preg_replace_callback( $decodeRegex, + array( __CLASS__, 'cssDecodeCallback' ), $value ); + ++ // Normalize Halfwidth and Fullwidth Unicode block that IE6 might treat as ascii ++ $value = preg_replace_callback( ++ '/[!-z]/u', // U+FF01 to U+FF5A ++ array( __CLASS__, 'cssNormalizeUnicodeWidth' ), ++ $value ++ ); ++ ++ // Convert more characters IE6 might treat as ascii ++ // U+0280, U+0274, U+207F, U+029F, U+026A, U+207D, U+208D ++ $value = str_replace( ++ array( 'ʀ', 'ɴ', 'ⁿ', 'ʟ', 'ɪ', '⁽', '₍' ), ++ array( 'r', 'n', 'n', 'l', 'i', '(', '(' ), ++ $value ++ ); ++ + // Remove any comments; IE gets token splitting wrong + // This must be done AFTER decoding character references and + // escape sequences, because those steps can introduce comments +@@ -897,8 +912,24 @@ + $value = substr( $value, 0, $commentPos ); + } + ++ // S followed by repeat, iteration, or prolonged sound marks, ++ // which IE will treat as "ss" ++ $value = preg_replace( ++ '/s(?: ++ \xE3\x80\xB1 | # U+3031 ++ \xE3\x82\x9D | # U+309D ++ \xE3\x83\xBC | # U+30FC ++ \xE3\x83\xBD | # U+30FD ++ \xEF\xB9\xBC | # U+FE7C ++ \xEF\xB9\xBD | # U+FE7D ++ \xEF\xBD\xB0 # U+FF70 ++ )/ix', ++ 'ss', ++ $value ++ ); ++ + // Reject problematic keywords and control characters +- if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) { ++ if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) { + 
return '/* invalid control char */'; + } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) { + return '/* insecure input */'; +@@ -907,6 +938,19 @@ + } + + /** ++ * Normalize Unicode U+FF01 to U+FF5A ++ * @param character $char ++ * @return character in ASCII range \x21-\x7A ++ */ ++ static function cssNormalizeUnicodeWidth( $matches ) { ++ $cp = utf8ToCodepoint( $matches[0] ); ++ if ( $cp === false ) { ++ return ''; ++ } ++ return chr( $cp - 65248 ); // ASCII range \x21-\x7A ++ } ++ ++ /** + * @param $matches array + * @return String + */ +--- a/tests/parser/parserTests.txt ++++ b/tests/parser/parserTests.txt +@@ -5059,6 +5059,70 @@ + + !! end + ++!! test ++CSS safety test: vertical tab ++!! input ++<p style="font-size: 100px; background-image:url\b(https://www.google.com/images/srpr/logo6w.png)">A</p> ++!! result ++<p style="/* invalid control char */">A</p> ++ ++!! end ++ ++!! test ++MSIE CSS safety test: Fullwidth ++!! input ++<p style="font-size: 100px; color: expression((title='XSSed'),'red')">A</p> ++<div style="top:EXPRESSION(alert())">B</div> ++!! result ++<p style="/* insecure input */">A</p> ++<div style="/* insecure input */">B</div> ++ ++!! end ++ ++!! test ++MSIE CSS safety test: IPA extensions ++!! input ++<div style="background-image:uʀʟ(javascript:alert())">A</div> ++<p style="font-size: 100px; color: expʀessɪoɴ((title='XSSed'),'red')">B</p> ++!! result ++<div style="/* insecure input */">A</div> ++<p style="/* insecure input */">B</p> ++ ++!! end ++ ++!! test ++MSIE CSS safety test: sup/sub script ++!! input ++<div style="background-image:url⁽javascript:alert())">A</div> ++<div style="background-image:url₍javascript:alert())">B</div> ++<p style="font-size: 100px; color: expressioⁿ((title='XSSed'),'red')">C</p> ++!! result ++<div style="/* insecure input */">A</div> ++<div style="/* insecure input */">B</div> ++<p style="/* insecure input */">C</p> ++ ++!! end ++ ++!! 
test ++MSIE CSS safety test: Repetition markers ++!! input ++<p style="font-size: 100px; color: expres〱ion((title='XSSed'),'red')">A</p> ++<p style="font-size: 100px; color: expresゝion((title='XSSed'),'red')">B</p> ++<p style="font-size: 100px; color: expresーion((title='XSSed'),'red')">C</p> ++<p style="font-size: 100px; color: expresヽion((title='XSSed'),'red')">D</p> ++<p style="font-size: 100px; color: expresﹽion((title='XSSed'),'red')">E</p> ++<p style="font-size: 100px; color: expresﹼion((title='XSSed'),'red')">F</p> ++<p style="font-size: 100px; color: expresーion((title='XSSed'),'red')">G</p> ++!! result ++<p style="/* insecure input */">A</p> ++<p style="/* insecure input */">B</p> ++<p style="/* insecure input */">C</p> ++<p style="/* insecure input */">D</p> ++<p style="/* insecure input */">E</p> ++<p style="/* insecure input */">F</p> ++<p style="/* insecure input */">G</p> ++ ++!! end + + !! test + Table attribute legitimate extension diff -Nru mediawiki-1.19.8+dfsg/debian/patches/fix_CVE-2013-4572.patch mediawiki-1.19.8+dfsg/debian/patches/fix_CVE-2013-4572.patch --- mediawiki-1.19.8+dfsg/debian/patches/fix_CVE-2013-4572.patch 1969-12-31 20:00:00.000000000 -0400 +++ mediawiki-1.19.8+dfsg/debian/patches/fix_CVE-2013-4572.patch 2013-12-08 16:04:59.000000000 -0400 
@@ -0,0 +1,36 @@ +Description: Multiple users with the same session ID + +Internal review while debugging a site issue discovered that MediaWiki +and the CentralNotice extension were incorrectly setting cache headers when +a user was autocreated, causing the user's session cookies to be cached, +and returned to other users (CVE-2013-4572). + +Author: Chris Steipp, <cste...@wikimedia.org> +Origin: upstream, https://bugzilla.wikimedia.org/attachment.cgi?id=13779&action=diff +Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=53032 +Bug-Debian: http://bugs.debian.org/729629 +--- a/includes/actions/RawAction.php ++++ b/includes/actions/RawAction.php +@@ -79,6 +79,11 @@ + # Output may contain user-specific data; + # vary generated content for open sessions on private wikis + $privateCache = !$wgGroupPermissions['*']['read'] && ( $smaxage == 0 || session_id() != '' ); ++ // Bug 53032 - make this private if user is logged in, ++ // so we don't accidentally cache cookies ++ if ( !$privateCache ) { ++ $privateCache = $this->getUser()->isLoggedIn(); ++ } + # allow the client to cache this for 24 hours + $mode = $privateCache ? 'private' : 'public'; + $response->header( 'Cache-Control: ' . $mode . ', s-maxage=' . $smaxage . ', max-age=' . $maxage ); +--- a/includes/specials/SpecialUploadStash.php ++++ b/includes/specials/SpecialUploadStash.php +@@ -279,6 +279,8 @@ + header( "Content-Type: $contentType", true ); + header( 'Content-Transfer-Encoding: binary', true ); + header( 'Expires: Sun, 17-Jan-2038 19:14:07 GMT', true ); ++ // Bug 53032 - It shouldn't be a problem here, but let's be safe and not cache ++ header( 'Cache-Control: private' ); + header( "Content-Length: $size", true ); + } + diff -Nru mediawiki-1.19.8+dfsg/debian/patches/series mediawiki-1.19.8+dfsg/debian/patches/series --- mediawiki-1.19.8+dfsg/debian/patches/series 2013-09-08 14:12:26.000000000 -0400 +++ mediawiki-1.19.8+dfsg/debian/patches/series 2013-12-08 16:00:10.000000000 -0400 
@@ -9,3 +9,5 @@ fix_warnings.patch mimetypes.patch suppress_warnings.patch +fix_CVE-2013-4567_and_CVE-2013-4568.patch +fix_CVE-2013-4572.patch diff -Nru mediawiki-1.19.8+dfsg/debian/po/pl.po mediawiki-1.19.8+dfsg/debian/po/pl.po --- mediawiki-1.19.8+dfsg/debian/po/pl.po 1969-12-31 20:00:00.000000000 -0400 +++ mediawiki-1.19.8+dfsg/debian/po/pl.po 2013-12-08 16:11:50.000000000 -0400 @@ -0,0 +1,31 @@ +# Translation of mediawiki debconf templates to Polish +# Copyright (C) 2004 +# This file is distributed under the same license as the mediawiki package. +# +# Magdalena Z. Kubot <magdalena.ku...@gmail.com>, 2013. +msgid "" +msgstr "" +"Project-Id-Version: mediawiki\n" +"Report-Msgid-Bugs-To: pkg-mediawiki-de...@lists.alioth.debian.org\n" +"POT-Creation-Date: 2007-10-22 02:37+0200\n" +"PO-Revision-Date: 2013-12-04 20:50+0100\n" +"Last-Translator: Magdalena Z. Kubot <magdalena.ku...@gmail.com>\n" +"Language-Team: Polish <debian-l10n-pol...@lists.debian.org>\n" +"Language: pl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Type: multiselect +#. Description +#: ../templates:2001 +msgid "Web server(s) to configure automatically:" +msgstr "Serwery WWW do automatycznej konfiguracji:" + +#. Type: multiselect +#. Description +#: ../templates:2001 +msgid "Please select the web server(s) that should be configured automatically for MediaWiki." +msgstr "Proszę wybrać serwery WWW, które mają być skonfigurowane automatycznie dla MediaWiki." +
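Review bot: in the first Sanitizer.php hunk (the `@@ -882,6 +882,21 @@` region) the fullwidth character class is rendered here as `'/[!-z]/u'`, that is plain ASCII `!` through `z`, while the comment beside it says U+FF01 to U+FF5A. If the patch file on disk really contains ASCII there, `cssNormalizeUnicodeWidth` runs on every ordinary letter and punctuation mark in the value and `chr( $cp - 65248 )` turns them into garbage bytes; the "MSIE CSS safety test: Fullwidth" case on this page shows the same ASCII rendering (`expression((title='XSSed'),'red')`), so the folding may be a mail-archive artifact, but please confirm the file carries the real fullwidth code points, is UTF-8 encoded, and survives `quilt push` unchanged. The IPA and superscript `str_replace` table in the same hunk renders correctly (`ʀ`, `ɴ`, `ⁿ`, `ʟ`, `ɪ`, `⁽`, `₍`), which is consistent with only the compatibility-width characters having been normalized in transit.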
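Review bot: the docblock added for `cssNormalizeUnicodeWidth` in Sanitizer.php declares `@param character $char` and `@return character in ASCII range \x21-\x7A`, but the function takes `$matches` (the preg_replace_callback match array) and returns a string; write it as `@param array $matches` / `@return string`, in the same style as the `@param $matches array` / `@return String` docblock of the existing callback immediately below it. The `$cp === false` branch returning `''` silently drops an undecodable match; a short comment saying that is intentional (invalid UTF-8 cannot be a keyword anyway) would help the next reader.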
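Review bot: in the second Sanitizer.php hunk (`@@ -897,8 +912,24 @@`) the change that actually closes the vertical-tab bypass is the single character added to the control-character class, `\013`, and it deserves a sentence in the patch description: the keyword regex that follows, `expression | filter\s*: | accelerator\s*: | url\s*\(`, relies on `\s`, and PCRE's `\s` did not match VT before PCRE 8.34, so `url\x0b(` was never caught by that check. Rejecting VT outright is the right fix rather than widening `\s`, since no legitimate CSS needs it. The repetition-mark replacement above it uses `/ix` without `/u`, which is fine because it matches literal byte sequences, but the `i` flag also lowercases an upper-case `S` (so `S〱` becomes `ss`); harmless for the blacklist, worth noting in the comment.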
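Review bot: the "MSIE CSS safety test: Repetition markers" parser test lists seven inputs A to G, but as rendered here cases C and G use the same character `ー` (U+30FC), while the replacement regex it exercises lists seven distinct code points (U+3031, U+309D, U+30FC, U+30FD, U+FE7C, U+FE7D, U+FF70). Either the halfwidth U+FF70 case is missing from the test, or the mail rendering folded it to U+30FC, exactly as it appears to have folded the fullwidth characters elsewhere in this patch; check the bytes of case G in the file so that every branch of the regex has a test.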
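Review bot: in the RawAction.php hunk the new `isLoggedIn()` fallback only marks the response private once login has completed, while the original condition, `!$wgGroupPermissions['*']['read'] && ( $smaxage == 0 || session_id() != '' )`, still treats a public wiki as cacheable even when a session is open. A response that starts a session and emits Set-Cookie for a user who is not yet logged in therefore still goes out as `Cache-Control: public`, which is the cookie-caching scenario Bug 53032 describes. If the intent is never to cache a response that carries session cookies, condition on the session regardless of the wiki's read permission, for example `$privateCache = $privateCache || session_id() != '' || $this->getUser()->isLoggedIn();`. Note also that `s-maxage=$smaxage` is still emitted in private mode; shared caches must ignore it, but `s-maxage=0` would make the intent explicit.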
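Review bot: the new `header( 'Cache-Control: private' );` in the SpecialUploadStash.php hunk omits the `true` replace argument that every neighbouring `header()` call passes; it is PHP's default, but match the surrounding style. It also sits directly under `Expires: Sun, 17-Jan-2038 19:14:07 GMT`, so browsers will still keep the stashed file for decades; `private` only keeps shared caches out, which is what Bug 53032 needs, so the comment would be more useful saying that than "let's be safe".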
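Review bot: the DEP-3 header of fix_CVE-2013-4567_and_CVE-2013-4568.patch reads `Origin: upstream, https://bugzilla.wikimedia.org/attachment.cgi?id=13772&action=difr`; `difr` should be `diff`, as in the second patch's Origin line. The same patch's `Description:` names only the vertical-tab bypass, while its body, the changelog entry and the parser tests cover two vectors (the VT control character and the IE width/IPA/repetition-mark folding); a Description naming both CVEs makes the series easier to audit. In debian/po/pl.po the header says `# Copyright (C) 2004` for a translation dated 2013 and credited to Magdalena Z. Kubot; fix the year or name the holder so it agrees with the `Last-Translator` line.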