Your message dated Sun, 21 Dec 2014 14:12:18 +0000
with message-id <[email protected]>
and subject line Re: Bug#773641: unblock: mediawiki/1.19.20+dfsg-2.1
has caused the Debian Bug report #773641,
regarding unblock: mediawiki/1.19.20+dfsg-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
773641: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773641
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package mediawiki; it fixes CVE-2014-9277, which is a
security issue referenced in #772764. The description of the problem
is as follows (taken from the recently released mediawiki DSA):

  | The <cross-domain-policy> mangling in OutputHandler.php poses a
  | potentially severe security problem for API clients written in
  | PHP, in that format=php is affected.

unblock mediawiki/1.19.20+dfsg-2.1

-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (501, 'stable'), (500, 'oldstable-proposed-updates'), (500, 
'oldstable'), (1, 'unstable'), (1, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash


-- Debdiff:

diff -Nru mediawiki-1.19.20+dfsg/debian/changelog 
mediawiki-1.19.20+dfsg/debian/changelog
--- mediawiki-1.19.20+dfsg/debian/changelog     2014-10-07 20:14:04.000000000 
+0200
+++ mediawiki-1.19.20+dfsg/debian/changelog     2014-12-14 18:27:31.000000000 
+0100
@@ -1,3 +1,12 @@
+mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2014-9277: The <cross-domain-policy> mangling in OutputHandler.php
+    poses a potentially severe security problem for API clients written in
+    PHP, in that format=php is affected (Closes: #772764).
+
+ -- Sebastien Delafond <[email protected]>  Sun, 14 Dec 2014 18:23:47 +0100
+
 mediawiki (1:1.19.20+dfsg-2) unstable; urgency=low
 
   * Team upload.
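
Review bot: The 1:1.19.20+dfsg-2.1 entry restates the CVE description but does not say what the upload changes. It should name the two patch files added to debian/patches/series, and note that a new setting, $wgMangleFlashPolicy, is introduced and that format=php can now answer with an error, so that the behavioural change is visible without opening the debdiff.
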
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch 
mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch
--- mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch 1970-01-01 
01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch 2014-12-14 
18:22:36.000000000 +0100
@@ -0,0 +1,32 @@
+--- a/includes/DefaultSettings.php
++++ b/includes/DefaultSettings.php
+@@ -2688,6 +2688,14 @@
+  */
+ $wgResourceLoaderExperimentalAsyncLoading = false;
+ 
++/**
++ * When OutputHandler is used, mangle any output that contains
++ * <cross-domain-policy>. Without this, an attacker can send their own
++ * cross-domain policy unless it is prevented by the crossdomain.xml file at
++ * the domain root.
++ */
++$wgMangleFlashPolicy = true;
++
+ /** @} */ # End of resource loader settings }
+ 
+ 
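
Review bot: CVE-2014-9277_1.patch starts directly at `--- a/includes/DefaultSettings.php` with no patch header, so the file itself records neither its origin nor the bug it addresses. Add a short header giving a description, the upstream bug (the second patch cites Bug 66776) and the Debian bug #772764. In the DefaultSettings.php hunk, `$wgMangleFlashPolicy = true;` is placed just above the `End of resource loader settings` marker, which puts it inside the resource loader group although it governs OutputHandler; moving it below that marker avoids the misgrouping. The doc comment could also say outright that setting the value to false is only appropriate when the crossdomain.xml file at the domain root is in place.
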
+--- a/includes/OutputHandler.php
++++ b/includes/OutputHandler.php
+@@ -13,8 +13,10 @@
+  * @return string
+  */
+ function wfOutputHandler( $s ) {
+-      global $wgDisableOutputCompression, $wgValidateAllHtml;
+-      $s = wfMangleFlashPolicy( $s );
++      global $wgDisableOutputCompression, $wgValidateAllHtml, 
$wgMangleFlashPolicy;
++      if ( $wgMangleFlashPolicy ) {
++              $s = wfMangleFlashPolicy( $s );
++      }
+       if ( $wgValidateAllHtml ) {
+               $headers = apache_response_headers();
+               $isHTML = true;
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch 
mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch
--- mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch 1970-01-01 
01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch 2014-12-14 
18:22:36.000000000 +0100
@@ -0,0 +1,53 @@
+--- a/includes/api/ApiFormatJson.php
++++ b/includes/api/ApiFormatJson.php
+@@ -67,9 +67,21 @@
+                       $prefix = ( "/**/$prefix" );
+                       $suffix = ')';
+               }
++
++              $json = FormatJson::encode( $this->getResultData(), 
$this->getIsHtml() );
++
++              // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty 
bug in
++              // Flash, but what it does isn&#039;t friendly for the API, so 
we need to
++              // work around it.
++              if ( preg_match( &#039;/\<\s*cross-domain-policy\s*\>/i&#039;, 
$json ) ) {
++                      $json = preg_replace(
++                              &#039;/\<(\s*cross-domain-policy\s*)\>/i&#039;, 
&#039;\\u003C$1\\u003E&#039;, $json
++                      );
++              }
++
+               $this->printText(
+                       $prefix .
+-                      FormatJson::encode( $this->getResultData(), 
$this->getIsHtml() ) .
++                      $json .
+                       $suffix
+               );
+       }
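
Review bot: The added PHP lines show `&#039;` where single quotes belong, for example around the `preg_match` pattern in this hunk and again in the ApiFormatPhp.php lines. Confirm that the patch file in the package carries literal quotes, since PHP would not parse the lines as shown here. Separately, the `preg_match` guard in front of `preg_replace` is redundant: `preg_replace` returns its input unchanged when nothing matches, so the `if` wrapper can be dropped. The replacement with `\u003C` and `\u003E` leaves the decoded JSON value identical for any conforming parser, which is worth stating in the comment as the reason this format can be fixed in place.
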
+--- a/includes/api/ApiFormatPhp.php
++++ b/includes/api/ApiFormatPhp.php
+@@ -39,7 +39,24 @@
+       }
+ 
+       public function execute() {
+-              $this->printText( serialize( $this->getResultData() ) );
++              global $wgMangleFlashPolicy;
++              $text = serialize( $this->getResultData() );
++
++              // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty 
bug in
++              // Flash, but what it does isn&#039;t friendly for the API. 
There&#039;s nothing
++              // we can do here that isn&#039;t actively broken in some 
manner, so let&#039;s
++              // just be broken in a useful manner.
++              if ( $wgMangleFlashPolicy &&
++                      in_array( &#039;wfOutputHandler&#039;, 
ob_list_handlers(), true ) &&
++                      preg_match( 
&#039;/\<\s*cross-domain-policy\s*\>/i&#039;, $text )
++              ) {
++                      $this->dieUsage(
++                              &#039;This response cannot be represented using 
format=php. See https://bugzilla.wikimedia.org/show_bug.cgi?id=66776&#039;,
++                              &#039;internalerror&#039;
++                      );
++              }
++
++              $this->printText( $text );
+       }
+ 
+       public function getDescription() {
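
Review bot: The refusal in `execute()` is raised under the generic code `internalerror`, so a client cannot distinguish this case from any other internal failure. A dedicated error code, plus a message that points to format=json (which the ApiFormatJson.php change escapes rather than refuses), would let callers detect the condition and fall back. The `ob_list_handlers()` test also ties this check to the function name wfOutputHandler by string, while the matching `$wgMangleFlashPolicy` gate lives in OutputHandler.php; a comment in both places noting the dependency would keep the two conditions from drifting apart.
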
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/series 
mediawiki-1.19.20+dfsg/debian/patches/series
--- mediawiki-1.19.20+dfsg/debian/patches/series        2014-08-24 
06:52:14.000000000 +0200
+++ mediawiki-1.19.20+dfsg/debian/patches/series        2014-12-14 
18:22:55.000000000 +0100
@@ -9,3 +9,5 @@
 fix_warnings.patch
 mimetypes.patch
 suppress_warnings.patch
+CVE-2014-9277_1.patch
+CVE-2014-9277_2.patch

--- End Message ---
--- Begin Message ---
On Sun, 2014-12-21 at 12:38 +0100, Sebastien Delafond wrote:
> Please unblock package mediawiki; it fixes CVE-2014-9277, which is a
> security issue referenced in #772764. The description of the problem
> is as follows (taken from the recently released mediawiki DSA):
> 
>   | The <cross-domain-policy> mangling in OutputHandler.php poses a
>   | potentially severe security problem for API clients written in
>   | PHP, in that format=php is affected.

Unblocked, thanks.

Regards,

Adam

--- End Message ---
