mediawiki: CVE-2014-9277

Related Vulnerabilities: CVE-2014-9277  

Debian Bug report logs - #772764

Reported by: Sebastien Delafond <seb@debian.org>

Date: Wed, 10 Dec 2014 21:09:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version mediawiki/1:1.19.0-1

Fixed in version mediawiki/1:1.19.20+dfsg-2.1

Done: Sebastien Delafond <seb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#772764; Package mediawiki. (Wed, 10 Dec 2014 21:09:06 GMT)


Acknowledgement sent to Sebastien Delafond <seb@debian.org>:
New Bug report received and forwarded. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Wed, 10 Dec 2014 21:09:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Sebastien Delafond <seb@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mediawiki: CVE-2014-9277
Date: Wed, 10 Dec 2014 22:05:57 +0100
Package: mediawiki
Severity: important
Tags: security upstream

The <cross-domain-policy> mangling in OutputHandler.php poses a
potentially severe security problem for API clients written in PHP, in
that format=php is affected. See the following URL for more details:

  https://phabricator.wikimedia.org/T73478

Cheers,

--Seb



Marked as found in versions mediawiki/1:1.19.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Dec 2014 21:24:12 GMT)


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Dec 2014 21:24:17 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#772764; Package mediawiki. (Mon, 15 Dec 2014 19:36:09 GMT)


Acknowledgement sent to Джонатан Вашингтон <dzhonw@mail.ru>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 15 Dec 2014 19:36:09 GMT)


Message #14 received at 772764@bugs.debian.org:

From: Джонатан Вашингтон <dzhonw@mail.ru>
To: 772764@bugs.debian.org
Subject: breaks API
Date: Mon, 15 Dec 2014 14:33:22 -0500

This patch also appears to break the API.

The following lines

        if ( preg_match( &#039;/\<\s*cross-domain-policy\s*\>/i&#039;,
$json ) ) {
            $json = preg_replace(
                &#039;/\<(\s*cross-domain-policy\s*)\>/i&#039;,
&#039;\03C$1\03E&#039;, $json
            );
        }

should be

        if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $json ) ) {
            $json = preg_replace(
                '/\<(\s*cross-domain-policy\s*)\>/i', '\03C$1\03E', $json
            );
        }

Otherwise the API returns 500 errors and the following appears in the error log:
[error] PHP Fatal error: Call-time pass-by-reference has been removed
in /usr/share/mediawiki/includes/api/ApiFormatJson.php on line 77

Fix was identified by the friendly folks in freenode#mediawiki :)

-- 
Jonathan



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#772764; Package mediawiki. (Mon, 15 Dec 2014 19:39:04 GMT)


Acknowledgement sent to Merlijn van Deen <valhallasw@arctus.nl>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 15 Dec 2014 19:39:04 GMT)


Message #19 received at 772764@bugs.debian.org:

From: Merlijn van Deen <valhallasw@arctus.nl>
To: 772764@bugs.debian.org
Subject: CVE-2014-9277_2.patch breaks includes/api/ApiFormatJson.php / ApiFormatPhp.php
Date: Mon, 15 Dec 2014 20:35:12 +0100

Hello,

CVE-2014-9277_2.patch seems to contain htmlentities for quotes:

+ if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $json ) ) {
+     $json = preg_replace(
+     '/\<(\s*cross-domain-policy\s*)\>/i&#039;,
&#039;\03C$1\03E&#039;, $json
+     );
+ }
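
Review bot: in the preg_replace() call, the closing quote of the pattern argument and both quotes around the replacement string are the HTML entity &#039; rather than a literal single quote, so these arguments are not PHP string literals. Replace each &#039; with ' so the arguments read '/\<(\s*cross-domain-policy\s*)\>/i', '\03C$1\03E', $json, matching the quoting already used on the preg_match() line, and syntax-check the patched PHP files before the upload.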

which breaks both php files. Attached is a version where all &#039;'s
have been replaced by '.

Merlijn
[CVE-2014-9277_2.patch (application/octet-stream, attachment)]
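
A pre-upload check for the failure reported in the two messages above, as an added example that is not part of the original thread or of the Debian package: it walks a unified diff and reports every added line that carries an HTML character reference for a quote. The function name `find_entity_damage` and the sample patch (hunk position and context lines) are constructed for illustration; a hit is a prompt for review, since PHP code that emits HTML can contain such entities legitimately.

```python
import re

# HTML character references for ' and " (decimal, hex and named forms).
ENTITY_RE = re.compile(r"&(?:#0*39|#x0*27|apos|#0*34|#x0*22|quot);", re.IGNORECASE)
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def find_entity_damage(patch_text):
    """Return (file, line number in the patched file, entity) for each hit on an added line."""
    findings = []
    path, new_no, old_left, new_left = None, 0, 0, 0
    for line in patch_text.splitlines():
        if old_left <= 0 and new_left <= 0:      # between hunks: headers only
            if line.startswith("+++ "):
                path = line[4:].split("\t")[0]
            m = HUNK_RE.match(line)
            if m:                                # a missing count means 1
                old_left = int(m.group(1) or 1)
                new_no = int(m.group(2))
                new_left = int(m.group(3) or 1)
            continue
        tag, body = line[:1], line[1:]
        if tag == "+":                           # added line: inspect it
            findings += [(path, new_no, e) for e in ENTITY_RE.findall(body)]
            new_no += 1
            new_left -= 1
        elif tag == "-":                         # removed line: old side only
            old_left -= 1
        elif tag != "\\":                        # context line: both sides
            old_left -= 1
            new_left -= 1
            new_no += 1
    return findings


# Constructed sample: the mangled lines quoted in this thread, placed in a made-up hunk.
SAMPLE_PATCH = r"""--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -10,2 +10,7 @@
 // constructed context line
+        if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $json ) ) {
+            $json = preg_replace(
+                '/\<(\s*cross-domain-policy\s*)\>/i&#039;, &#039;\03C$1\03E&#039;, $json
+            );
+        }
 // constructed context line
"""

if __name__ == "__main__":
    for path, lineno, entity in find_entity_damage(SAMPLE_PATCH):
        print(f"{path}:{lineno}: HTML entity {entity} on an added line")
```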

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#772764; Package mediawiki. (Wed, 17 Dec 2014 09:09:04 GMT)


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Wed, 17 Dec 2014 09:09:04 GMT)


Message #24 received at 772764@bugs.debian.org:

From: Sébastien Delafond <seb@debian.org>
To: 772764@bugs.debian.org
Subject: re: CVE-2014-9277_2.patch
Date: Wed, 17 Dec 2014 10:05:11 +0100

Thanks for the heads-up, this will be fixed shortly.

Cheers,

--Seb



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#772764; Package mediawiki. (Wed, 17 Dec 2014 09:21:10 GMT)


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Wed, 17 Dec 2014 09:21:11 GMT)


Message #29 received at 772764@bugs.debian.org:

From: Sébastien Delafond <seb@debian.org>
To: 772764@bugs.debian.org
Subject: New debdiff
Date: Wed, 17 Dec 2014 10:18:57 +0100

You can find it attached.

Cheers,

--Seb
[mediawiki_CVE-2014-9277.debdiff (text/plain, attachment)]

Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Fri, 19 Dec 2014 09:39:10 GMT)


Notification sent to Sebastien Delafond <seb@debian.org>:
Bug acknowledged by developer. (Fri, 19 Dec 2014 09:39:10 GMT)


Message #34 received at 772764-close@bugs.debian.org:

From: Sebastien Delafond <seb@debian.org>
To: 772764-close@bugs.debian.org
Subject: Bug#772764: fixed in mediawiki 1:1.19.20+dfsg-2.1
Date: Fri, 19 Dec 2014 09:35:03 +0000
Source: mediawiki
Source-Version: 1:1.19.20+dfsg-2.1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772764@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 14 Dec 2014 18:23:47 +0100
Source: mediawiki
Binary: mediawiki mediawiki-classes
Architecture: source all
Version: 1:1.19.20+dfsg-2.1
Distribution: unstable
Urgency: medium
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Sebastien Delafond <seb@debian.org>
Description:
 mediawiki  - website engine for collaborative work
 mediawiki-classes - website engine for collaborative work - standalone classes
Closes: 772764
Changes:
 mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2014-9277: The <cross-domain-policy> mangling in OutputHandler.php
     poses a potentially severe security problem for API clients written in
     PHP, in that format=php is affected (Closes: #772764).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 17 Jan 2015 07:28:52 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:02:33 2019; Machine Name: buxtehude
