Reedy has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391381 )
Change subject: SECURITY: update.php: Remove eval-stdin.php if necessary ...................................................................... SECURITY: update.php: Remove eval-stdin.php if necessary If phpunit's eval-stdin.php file exists and is one of the vulnerable versions, delete it when running update.php as most people should run that when updating to a new release. If the unlink() call fails, we'll warn the user but continue with update.php processing and hope they've mitigated it in some other way. Bug: T180231 Change-Id: I5b838686ede9764083c52853cc05c52ea72739df --- M RELEASE-NOTES-1.27 M maintenance/update.php 2 files changed, 19 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/81/391381/1 diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index 9c40e39..ed6b1f6 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -26,6 +26,7 @@ * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. * (T125163) SECURITY: Make anchor for headlines escape > and <. * (T180237) SECURITY: Protect vendor folder with .htaccess. +* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php. == MediaWiki 1.27.3 == Due to a packaging error, the wrong version of the SyntaxHighlight extension was diff --git a/maintenance/update.php b/maintenance/update.php index 775fa7b..8d8a15b 100755 --- a/maintenance/update.php +++ b/maintenance/update.php 
@@ -165,6 +165,24 @@ $time1 = microtime( true ); + $badPhpUnit = dirname( __DIR__ ) . '/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'; + if ( file_exists( $badPhpUnit ) ) { + // Bad versions of the file are: + // https://raw.githubusercontent.com/sebastianbergmann/phpunit/c820f915bfae34e5a836f94967a2a5ea5ef34f21/src/Util/PHP/eval-stdin.php + // https://raw.githubusercontent.com/sebastianbergmann/phpunit/3aaddb1c5bd9b9b8d070b4cf120e71c36fd08412/src/Util/PHP/eval-stdin.php + $md5 = md5_file( $badPhpUnit ); + if ( $md5 === '120ac49800671dc383b6f3709c25c099' + || $md5 === '28af792cb38fc9a1b236b91c1aad2876' + ) { + $success = unlink( $badPhpUnit ); + if ( $success ) { + $this->output( "Removed PHPUnit eval-stdin.php to protect against CVE-2017-9841\n" ); + } else { + $this->error( "Unable to remove $badPhpUnit, you should manually. See CVE-2017-9841" ); + } + } + } + $shared = $this->hasOption( 'doshared' ); $updates = [ 'core', 'extensions' ]; -- To view, visit https://gerrit.wikimedia.org/r/391381 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I5b838686ede9764083c52853cc05c52ea72739df Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_27 Gerrit-Owner: Reedy <re...@wikimedia.org> Gerrit-Reviewer: Legoktm <lego...@member.fsf.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
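Review bot: The release note line for T180231 reads awkwardly ("Remove PHPUnit file with known RCE if exists in update.php") and, unlike the commit message and the code, never names the CVE. Suggest wording it as "(T180231) SECURITY: update.php removes the PHPUnit eval-stdin.php file (CVE-2017-9841) if a known-vulnerable version is present." so that an administrator scanning RELEASE-NOTES-1.27 can match it against an advisory.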
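Review bot: In the update.php hunk the failure message is missing its verb: "Unable to remove $badPhpUnit, you should manually. See CVE-2017-9841" should read "Unable to remove $badPhpUnit, you should remove it manually. See CVE-2017-9841". Two further points on the same block: the md5 comparison only matches the two exact upstream revisions listed in the comment, so any other copy of eval-stdin.php (different line endings, a rebuilt vendor tree, another affected PHPUnit release) passes through silently and should at least trigger a warning that the file exists and was not verified; and a failing `unlink()` also emits a PHP warning of its own, so the `$this->error()` branch will print the problem twice unless the warning is suppressed around the call.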