Your message dated Wed, 24 Dec 2014 11:17:11 +0000
with message-id <[email protected]>
and subject line Re: Bug#773866: unblock: mediawiki/1:1.19.20+dfsg-2.2
has caused the Debian Bug report #773866,
regarding unblock: mediawiki/1:1.19.20+dfsg-2.2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
773866: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773866
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear Release Team,
on behalf of the Security Team, could you please unblock the package
mediawiki ? It fixes yet another security vulnerability (CVE
assignment pending), which prompted the issuing of DSA-3110-1 for
wheezy-security. The corresponding Debian bug is 773654.
You can find the debdiff at the end of this email.
unblock mediawiki/1:1.19.20+dfsg-2.2
-- System Information:
Debian Release: 7.7
APT prefers stable
APT policy: (501, 'stable'), (500, 'oldstable-proposed-updates'), (500,
'oldstable'), (1, 'unstable'), (1, 'testing')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru mediawiki-1.19.20+dfsg/debian/changelog
mediawiki-1.19.20+dfsg/debian/changelog
--- mediawiki-1.19.20+dfsg/debian/changelog 2014-12-14 18:27:31.000000000
+0100
+++ mediawiki-1.19.20+dfsg/debian/changelog 2014-12-21 13:11:10.000000000
+0100
@@ -1,3 +1,12 @@
+mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add patch fixing T76686: thumb.php outputs wikitext message as raw
+ HTML, which could lead to xss. Permission to edit MediaWiki namespace
+ is required to exploit this.
+
+ -- Sebastien Delafond <[email protected]> Sun, 21 Dec 2014 13:11:10 +0100
+
mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/series
mediawiki-1.19.20+dfsg/debian/patches/series
--- mediawiki-1.19.20+dfsg/debian/patches/series 2014-12-14
18:22:55.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/series 2014-12-21
13:10:23.000000000 +0100
@@ -11,3 +11,4 @@
suppress_warnings.patch
CVE-2014-9277_1.patch
CVE-2014-9277_2.patch
+T76686.patch
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/T76686.patch
mediawiki-1.19.20+dfsg/debian/patches/T76686.patch
--- mediawiki-1.19.20+dfsg/debian/patches/T76686.patch 1970-01-01
01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/T76686.patch 2014-12-21
13:10:21.000000000 +0100
@@ -0,0 +1,55 @@
+From fdd3f464ef9aa7f3276a2a8dddc85e3769cfda83 Mon Sep 17 00:00:00 2001
+From: Kunal Mehta <[email protected]>
+Date: Thu, 4 Dec 2014 14:06:55 -0800
+Subject: [PATCH] thumb.php: Set proper output formats for messages going into
+ HTML
+
+* Use ->parse() instead of ->text() for wikitext messages that were
+ being treated as HTML
+* Explicitly specify ->parse() if no output format was set
+* Document that wfThumbError() takes HTML
+
+Bug: T76686
+Change-Id: Id6e7548b2e081cfda7803772ed0395a15feb1f84
+---
+ thumb.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/thumb.php b/thumb.php
+index 60a7ffb..a7a09fc 100644
+--- a/thumb.php
++++ b/thumb.php
+@@ -107,13 +107,13 @@ function wfStreamThumb( array $params ) {
+ // Format is <timestamp>!<name>
+ $bits = explode( '!', $fileName, 2 );
+ if ( count( $bits ) != 2 ) {
+- wfThumbError( 404, wfMsg( 'badtitletext' ) );
++ wfThumbError( 404, wfMessage( 'badtitletext' )->parse()
);
+ wfProfileOut( __METHOD__ );
+ return;
+ }
+ $title = Title::makeTitleSafe( NS_FILE, $bits[1] );
+ if ( !$title ) {
+- wfThumbError( 404, wfMsg( 'badtitletext' ) );
++ wfThumbError( 404, wfMessage( 'badtitletext' )->parse()
);
+ wfProfileOut( __METHOD__ );
+ return;
+ }
+@@ -136,7 +136,7 @@ function wfStreamThumb( array $params ) {
+
+ // Check the source file storage path
+ if ( !$img ) {
+- wfThumbError( 404, wfMsg( 'badtitletext' ) );
++ wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
+ wfProfileOut( __METHOD__ );
+ return;
+ }
+@@ -291,7 +291,7 @@ function wfExtractThumbParams( $uri ) {
+ * Output a thumbnail generation error message
+ *
+ * @param $status integer
+- * @param $msg string
++ * @param string $msg HTML
+ * @return void
+ */
+ function wfThumbError( $status, $msg ) {
--- End Message ---
--- Begin Message ---
On 2014-12-24 11:03, Sebastien Delafond wrote:
on behalf of the Security Team, could you please unblock the package
mediawiki ? It fixes yet another security vulnerability (CVE
assignment pending), which prompted the issuing of DSA-3110-1 for
wheezy-security. The corresponding Debian bug is 773654.
Previous unblock for -2.1 updated. Hopefully it'll actually manage to
migrate before -2.3 appears.
Regards,
Adam
--- End Message ---
