mediawiki: security release CVE-2012-1578/CVE-2012-1579/CVE-2012-1580/CVE-2012-1581/CVE-2012-1582

Related Vulnerabilities: CVE-2012-1578   CVE-2012-1579   CVE-2012-1580   CVE-2012-1581   CVE-2012-1582  

Debian Bug report logs - #666269

Reported by: Henri Salo <henri@nerv.fi>

Date: Fri, 30 Mar 2012 07:24:01 UTC

Severity: critical

Tags: security

Found in version 1.18.1-1

Fixed in version mediawiki/1:1.15.5-9

Done: Thorsten Glaser <tg@mirbsd.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#666269; Package mediawiki. (Fri, 30 Mar 2012 07:24:04 GMT).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 30 Mar 2012 07:24:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: mediawiki: security release CVE-2012-1578/CVE-2012-1579/CVE-2012-1580/CVE-2012-1581/CVE-2012-1582
Date: Fri, 30 Mar 2012 10:21:04 +0300
Package: mediawiki
Version: 1.18.1-1
Severity: critical
Tags: security

Release announcement: http://lists.wikimedia.org/pipermail/wikitech-l/2012-March/059230.html
Requested CVE-identifiers in here: http://seclists.org/oss-sec/2012/q1/728
CVE-identifiers assigned in here: http://seclists.org/oss-sec/2012/q1/745

CVE-2012-1578 https://bugzilla.wikimedia.org/show_bug.cgi?id=34212
CVE-2012-1579 https://bugzilla.wikimedia.org/show_bug.cgi?id=34907
CVE-2012-1580 https://bugzilla.wikimedia.org/show_bug.cgi?id=35317
CVE-2012-1581 https://bugzilla.wikimedia.org/show_bug.cgi?id=35078
CVE-2012-1582 https://bugzilla.wikimedia.org/show_bug.cgi?id=35315

- Henri Salo




Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#666269; Package mediawiki. (Fri, 30 Mar 2012 08:54:03 GMT).


Message #8 received at 666269@bugs.debian.org:

From: Thorsten Glaser <tg@alioth.debian.org>
To: pkg-mediawiki-commits@lists.alioth.debian.org
Subject: [Pkg-mediawiki-commits] r310 - in mediawiki/sid-sec/debian: . patches
Date: Fri, 30 Mar 2012 08:43:27 +0000
Author: tg
Date: 2012-03-30 08:43:27 +0000 (Fri, 30 Mar 2012)
New Revision: 310

Added:
   mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch
Modified:
   mediawiki/sid-sec/debian/changelog
   mediawiki/sid-sec/debian/patches/series
Log:
first cut at #666269 for sid-security:

• three do not seem to affect us: the code doesn’t even appear to be in 1.15
• one, I attempted to backport the fix (not yet tested)
• one I cannot access… wait for that to be disclosed


Modified: mediawiki/sid-sec/debian/changelog
===================================================================
--- mediawiki/sid-sec/debian/changelog	2012-03-20 10:15:18 UTC (rev 309)
+++ mediawiki/sid-sec/debian/changelog	2012-03-30 08:43:27 UTC (rev 310)
@@ -1,3 +1,14 @@
+mediawiki (1:1.15.5-9) UNRELEASED; urgency=high
+
+  * Address MW security release 1.18.1-1 (Closes: #666269)
+    - CVE-2012-1578 MW#34212: doesn’t affect 1.15
+    - CVE-2012-1579 MW#34907: doesn’t affect 1.15
+    - CVE-2012-1580 MW#35317: doesn’t affect 1.15
+    - CVE-2012-1581 MW#35078: (can’t access bugreport)
+    - CVE-2012-1582 MW#35315: fix backported
+
+ -- Thorsten Glaser <tg@mirbsd.de>  Fri, 30 Mar 2012 10:41:58 +0200
+
 mediawiki (1:1.15.5-8) unstable; urgency=low
 
   * Fix reversing IPv4 address for SORBS blacklist; patch from
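
Review bot: The new entry carries "Closes: #666269" while its CVE-2012-1581 line still reads "(can’t access bugreport)", so uploading this entry as written would close the bug with one of the five CVEs unassessed. Either hold the Closes: until MW#35078 has been looked at, or word the entry so that the bug stays open for CVE-2012-1581. The distribution is still UNRELEASED, so this can be settled before the entry is finalised.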

Added: mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch
===================================================================
--- mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch	                        (rev 0)
+++ mediawiki/sid-sec/debian/patches/CVE-2012-1582.patch	2012-03-30 08:43:27 UTC (rev 310)
@@ -0,0 +1,150 @@
+Description: Fixed a few "strip tag exposed" bugs.
+Author: Tim Starling (r114231)
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=35315
+
+Index: mediawiki-1.15.5/includes/parser/CoreParserFunctions.php
+===================================================================
+--- mediawiki-1.15.5.orig/includes/parser/CoreParserFunctions.php	2012-03-30 10:28:12.000000000 +0200
++++ mediawiki-1.15.5/includes/parser/CoreParserFunctions.php	2012-03-30 10:32:57.000000000 +0200
+@@ -120,7 +120,8 @@
+ 	}
+ 
+ 	static function urlencode( $parser, $s = '' ) {
+-		return urlencode( $s );
++		$func = 'urlencode';
++		return $parser->markerSkipCallback( $s, $func );
+ 	}
+ 
+ 	static function lcfirst( $parser, $s = '' ) {
+@@ -135,20 +136,12 @@
+ 
+ 	static function lc( $parser, $s = '' ) {
+ 		global $wgContLang;
+-		if ( is_callable( array( $parser, 'markerSkipCallback' ) ) ) {
+-			return $parser->markerSkipCallback( $s, array( $wgContLang, 'lc' ) );
+-		} else {
+-			return $wgContLang->lc( $s );
+-		}
++		return $parser->markerSkipCallback( $s, array( $wgContLang, 'lc' ) );
+ 	}
+ 
+ 	static function uc( $parser, $s = '' ) {
+ 		global $wgContLang;
+-		if ( is_callable( array( $parser, 'markerSkipCallback' ) ) ) {
+-			return $parser->markerSkipCallback( $s, array( $wgContLang, 'uc' ) );
+-		} else {
+-			return $wgContLang->uc( $s );
+-		}
++		return $parser->markerSkipCallback( $s, array( $wgContLang, 'uc' ) );
+ 	}
+ 
+ 	static function localurl( $parser, $s = '', $arg = null ) { return self::urlFunction( 'getLocalURL', $s, $arg ); }
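
Review bot: In lc and uc the is_callable( array( $parser, 'markerSkipCallback' ) ) guard is removed, and the new urlencode body above calls the method unguarded as well. The guard suggests that a parser object reaching these functions might not implement markerSkipCallback; for this 1.15.5 backport, confirm that every parser class that can be passed in provides it before dropping the check, otherwise these functions end in a fatal error instead of a plain conversion.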
+@@ -180,15 +173,17 @@
+ 		}
+ 	}
+ 
+-	static function formatNum( $parser, $num = '', $raw = null) {
+-		if ( self::israw( $raw ) ) {
+-			return $parser->getFunctionLang()->parseFormattedNumber( $num );
++	static function formatnum( $parser, $num = '', $raw = null) {
++		if ( self::isRaw( $raw ) ) {
++			$func = array( $parser->getFunctionLang(), 'parseFormattedNumber' );
+ 		} else {
+-			return $parser->getFunctionLang()->formatNum( $num );
++			$func = array( $parser->getFunctionLang(), 'formatNum' );
+ 		}
++		return $parser->markerSkipCallback( $num, $func );
+ 	}
+ 
+ 	static function grammar( $parser, $case = '', $word = '' ) {
++		$word = $parser->killMarkers( $word );
+ 		return $parser->getFunctionLang()->convertGrammar( $word, $case );
+ 	}
+ 
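
Review bot: The rename of formatNum to formatnum and of self::israw to self::isRaw at the top of this hunk is unrelated to the marker handling and makes the backport harder to compare against the 1.15.5 original. PHP resolves method names case-insensitively, so behaviour does not change, but for a security upload I would keep the original spelling and limit the hunk to the markerSkipCallback and killMarkers changes. In grammar only $word goes through killMarkers; a short comment saying that $case is deliberately left untouched would help the next reader.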
+@@ -495,7 +490,8 @@
+ 	/**
+ 	 * Unicode-safe str_pad with the restriction that $length is forced to be <= 500
+  	 */
+-	static function pad( $string, $length, $padding = '0', $direction = STR_PAD_RIGHT ) {
++	static function pad( $parser, $string, $length, $padding = '0', $direction = STR_PAD_RIGHT ) {
++		$padding = $parser->killMarkers( $padding );
+ 		$lengthOfPadding = mb_strlen( $padding );		
+ 		if ( $lengthOfPadding == 0 ) return $string;
+ 		
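
Review bot: pad gains $parser as a new first parameter, which shifts every positional argument for existing callers. padleft and padright are updated further down in this patch, but pad is declared without a visibility restriction, so any other caller still using pad( $string, $length, ... ) would now hand its string in as the parser and fail at $parser->killMarkers( $padding ). Check the tree and the shipped extensions for other callers, and mention the new parameter in the docblock above, which still describes only the str_pad behaviour.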
+@@ -519,14 +515,15 @@
+ 	}
+ 
+ 	static function padleft( $parser, $string = '', $length = 0, $padding = '0' ) {
+-		return self::pad( $string, $length, $padding, STR_PAD_LEFT );
++		return self::pad( $parser, $string, $length, $padding, STR_PAD_LEFT );
+ 	}
+ 
+ 	static function padright( $parser, $string = '', $length = 0, $padding = '0' ) {
+-		return self::pad( $string, $length, $padding );
++		return self::pad( $parser, $string, $length, $padding );
+ 	}
+ 
+ 	static function anchorencode( $parser, $text ) {
++		$text = $parser->killMarkers( $text );
+ 		$a = urlencode( $text );
+ 		$a = strtr( $a, array( '%' => '.', '+' => '_' ) );
+ 		# leave colons alone, however
+Index: mediawiki-1.15.5/includes/parser/Parser.php
+===================================================================
+--- mediawiki-1.15.5.orig/includes/parser/Parser.php	2012-03-30 10:21:44.000000000 +0200
++++ mediawiki-1.15.5/includes/parser/Parser.php	2012-03-30 10:33:57.000000000 +0200
+@@ -3521,14 +3521,17 @@
+ 			}
+ 
+ 			# The safe header is a version of the header text safe to use for links
+-			# Avoid insertion of weird stuff like <math> by expanding the relevant sections
+-			$safeHeadline = $this->mStripState->unstripBoth( $headline );
+ 
+ 			# Remove link placeholders by the link text.
+ 			#     <!--LINK number-->
+ 			# turns into
+ 			#     link text with suffix
+-			$safeHeadline = $this->replaceLinkHoldersText( $safeHeadline );
++
++			# Do this before unstrip since link text can contain strip markers
++			$safeHeadline = $this->replaceLinkHoldersText( $headline );
++
++			# Avoid insertion of weird stuff like <math> by expanding the relevant sections
++			$safeHeadline = $this->mStripState->unstripBoth( $safeHeadline );
+ 
+ 			# Strip out HTML (other than plain <sup> and <sub>: bug 8393)
+ 			$tocline = preg_replace(
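
Review bot: The swap of replaceLinkHoldersText and unstripBoth comes without a test, and the commit log marks the backport as not yet tested; a heading whose link text contains a strip marker should be run through this path before upload, since that is the case the new "Do this before unstrip" comment names. Minor: the comment "# The safe header is a version of the header text safe to use for links" is now followed by a blank line and no longer sits on the code it describes; attach it to the replaceLinkHoldersText call.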
+@@ -4896,6 +4899,16 @@
+ 		// Should be good to go.
+ 		return $text;
+ 	}
++
++	/**
++	 * Remove any strip markers found in the given text.
++	 *
++	 * @param $text Input string
++	 * @return string
++	 */
++	function killMarkers( $text ) {
++		return $this->mStripState->killMarkers( $text );
++	}
+ }
+ 
+ /**
+@@ -4940,6 +4953,16 @@
+ 		wfProfileOut( __METHOD__ );
+ 		return $text;
+ 	}
++
++	/**
++	 * Remove any strip markers found in the given text.
++	 *
++	 * @param $text Input string
++	 * @return string
++	 */
++	function killMarkers( $text ) {
++		return preg_replace( $this->regex, '', $text );
++	}
+ }
+ 
+ /**
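
Review bot: The second killMarkers, the one Parser::killMarkers delegates to through $this->mStripState, returns the result of preg_replace( $this->regex, '', $text ) directly, and preg_replace returns NULL when the regex engine reports an error. Callers such as anchorencode and pad would then carry on with an empty value instead of the input text; consider checking for NULL and deciding explicitly what to return. Both new docblocks also give "@param $text Input string" without a type.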

Modified: mediawiki/sid-sec/debian/patches/series
===================================================================
--- mediawiki/sid-sec/debian/patches/series	2012-03-20 10:15:18 UTC (rev 309)
+++ mediawiki/sid-sec/debian/patches/series	2012-03-30 08:43:27 UTC (rev 310)
@@ -19,3 +19,4 @@
 backport-block-prevent.patch
 fix-blacklist.patch
 php54.patch
+CVE-2012-1582.patch


_______________________________________________
Pkg-mediawiki-commits mailing list
Pkg-mediawiki-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mediawiki-commits

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#666269; Package mediawiki. (Fri, 04 May 2012 09:54:12 GMT).


Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 04 May 2012 09:54:19 GMT).


Message #13 received at 666269@bugs.debian.org:

From: Thorsten Glaser <t.glaser@tarent.de>
To: 666269@bugs.debian.org
Subject: update
Date: Fri, 4 May 2012 11:52:39 +0200 (CEST)
Hi,

just looked at this again, and I *still* do not have the
permissions to access the bug
https://bugzilla.wikimedia.org/show_bug.cgi?id=35078
which is kinda hindering…

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese




Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#666269; Package mediawiki. (Fri, 04 May 2012 10:06:03 GMT).


Acknowledgement sent to snowolf@snowolf.eu:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 04 May 2012 10:06:15 GMT).


Message #18 received at 666269@bugs.debian.org:

From: Snowolf <mtazio@gmail.com>
To: t.glaser@tarent.de, 666269@bugs.debian.org
Subject: Re: Bug#666269: update
Date: Fri, 04 May 2012 12:02:31 +0200
[Message part 1 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#666269; Package mediawiki. (Fri, 04 May 2012 12:33:29 GMT).


Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 04 May 2012 12:33:33 GMT).


Message #23 received at 666269@bugs.debian.org:

From: Thorsten Glaser <t.glaser@tarent.de>
To: snowolf@snowolf.eu
Cc: 666269@bugs.debian.org
Subject: Re: Bug#666269: update
Date: Fri, 4 May 2012 14:28:45 +0200 (CEST)
On Fri, 4 May 2012, Snowolf wrote:

> have you tried asking about it on #mediawiki on freenode?

Thanks, that helped. Tim Starling told me which patches
to apply/backport, will do so.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese




Added tag(s) pending. Request was from Thorsten Glaser <t.glaser@tarent.de> to control@bugs.debian.org. (Wed, 16 May 2012 11:00:08 GMT).


Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Wed, 16 May 2012 13:21:15 GMT).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Wed, 16 May 2012 13:21:18 GMT).


Message #30 received at 666269-close@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: 666269-close@bugs.debian.org
Subject: Bug#666269: fixed in mediawiki 1:1.15.5-9
Date: Wed, 16 May 2012 13:20:47 +0000
Source: mediawiki
Source-Version: 1:1.15.5-9

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive:

mediawiki_1.15.5-9.debian.tar.gz
  to main/m/mediawiki/mediawiki_1.15.5-9.debian.tar.gz
mediawiki_1.15.5-9.dsc
  to main/m/mediawiki/mediawiki_1.15.5-9.dsc
mediawiki_1.15.5-9_all.deb
  to main/m/mediawiki/mediawiki_1.15.5-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 666269@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Wed, 16 May 2012 15:01:06 +0200
Source: mediawiki
Binary: mediawiki mediawiki-math
Architecture: source all
Version: 1:1.15.5-9
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-math - math rendering plugin for MediaWiki
Closes: 666269
Changes: 
 mediawiki (1:1.15.5-9) unstable; urgency=high
 .
   * Team upload.
   * Address MW security release 1.18.1-1 (Closes: #666269)
     - CVE-2012-1578 MW#34212: doesn’t affect 1.15
     - CVE-2012-1579 MW#34907: doesn’t affect 1.15
     - CVE-2012-1580 MW#35317: doesn’t affect 1.15
     - CVE-2012-1581 MW#35078: fix backported
     - CVE-2012-1582 MW#35315: fix backported
   * Apply some lintian cleanup

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MirBSD)

-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Jun 2012 07:43:42 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:14:14 2019; Machine Name: buxtehude
