Reedy has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391381 )

Change subject: SECURITY: update.php: Remove eval-stdin.php if necessary
......................................................................

SECURITY: update.php: Remove eval-stdin.php if necessary

If phpunit's eval-stdin.php file exists and is one of the vulnerable
versions, delete it when running update.php as most people should run
that when updating to a new release. If the unlink() call fails, we'll
warn the user but continue with update.php processing and hope they've
mitigated it in some other way.

Bug: T180231
Change-Id: I5b838686ede9764083c52853cc05c52ea72739df
---
M RELEASE-NOTES-1.27
M maintenance/update.php
2 files changed, 19 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/81/391381/1

diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index 9c40e39..ed6b1f6 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -26,6 +26,7 @@
 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
 * (T125163) SECURITY: Make anchor for headlines escape > and <.
 * (T180237) SECURITY: Protect vendor folder with .htaccess.
+* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in 
update.php.
 
 == MediaWiki 1.27.3 ==
 Due to a packaging error, the wrong version of the SyntaxHighlight extension 
was
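Review bot: The added release note reads as if the vulnerable PHPUnit file lives "in update.php"; the sentence should say what the fix does and name the advisory the code cites, e.g. "(T180231) SECURITY: update.php now removes PHPUnit's eval-stdin.php (CVE-2017-9841) if a known vulnerable version is present." Mentioning CVE-2017-9841 here matters because the release notes are the only place most administrators will read about this change.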
diff --git a/maintenance/update.php b/maintenance/update.php
index 775fa7b..8d8a15b 100755
--- a/maintenance/update.php
+++ b/maintenance/update.php
@@ -165,6 +165,24 @@
 
                $time1 = microtime( true );
 
+               $badPhpUnit = dirname( __DIR__ ) . 
'/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php';
+               if ( file_exists( $badPhpUnit ) ) {
+                       // Bad versions of the file are:
+                       // 
https://raw.githubusercontent.com/sebastianbergmann/phpunit/c820f915bfae34e5a836f94967a2a5ea5ef34f21/src/Util/PHP/eval-stdin.php
+                       // 
https://raw.githubusercontent.com/sebastianbergmann/phpunit/3aaddb1c5bd9b9b8d070b4cf120e71c36fd08412/src/Util/PHP/eval-stdin.php
+                       $md5 = md5_file( $badPhpUnit );
+                       if ( $md5 === '120ac49800671dc383b6f3709c25c099'
+                               || $md5 === '28af792cb38fc9a1b236b91c1aad2876'
+                       ) {
+                               $success = unlink( $badPhpUnit );
+                               if ( $success ) {
+                                       $this->output( "Removed PHPUnit 
eval-stdin.php to protect against CVE-2017-9841\n" );
+                               } else {
+                                       $this->error( "Unable to remove 
$badPhpUnit, you should manually. See CVE-2017-9841" );
+                               }
+                       }
+               }
+
                $shared = $this->hasOption( 'doshared' );
 
                $updates = [ 'core', 'extensions' ];
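Review bot: The hash allow-list only catches the two exact upstream versions, so a vulnerable eval-stdin.php whose bytes differ (different line endings after a checkout with autocrlf, a vendor copy with trailing whitespace stripped, or a third vulnerable release) would pass the md5 check silently and stay in place; consider emitting a warning when the file exists but matches neither hash, so the administrator is at least told to inspect it rather than assuming update.php handled it. Two smaller points in the same hunk: the failure message "Unable to remove $badPhpUnit, you should manually." is missing its verb and should read "you should remove it manually"; and unlink() raises a PHP warning of its own on failure, so the run will print that warning alongside the error() call unless the call is wrapped in the codebase's warning-suppression helper.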

-- 
To view, visit https://gerrit.wikimedia.org/r/391381
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5b838686ede9764083c52853cc05c52ea72739df
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_27
Gerrit-Owner: Reedy <re...@wikimedia.org>
Gerrit-Reviewer: Legoktm <lego...@member.fsf.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits