[Pkg-mediawiki-devel] Bug #772764

Sébastien Delafond seb at debian.org
Mon Dec 15 10:52:35 UTC 2014


On Dec/12, Sébastien Delafond wrote:
> a fix for CVE-2014-9277 (bug #772764) is about to be uploaded to
> wheezy-security. Does anyone in your team plan to package a recent 1.19,
> and upload it to sid, to fix it ?

I've uploaded 1.19.20+dfsg-2.1, fixing this issue, to
delayed/2. Attached is the debdiff, if you'd like to re-integrate it in
your SVN repository.

Cheers,

--Seb
-------------- next part --------------
diff -Nru mediawiki-1.19.20+dfsg/debian/changelog mediawiki-1.19.20+dfsg/debian/changelog
--- mediawiki-1.19.20+dfsg/debian/changelog	2014-10-07 20:14:04.000000000 +0200
+++ mediawiki-1.19.20+dfsg/debian/changelog	2014-12-14 18:27:31.000000000 +0100
@@ -1,3 +1,12 @@
+mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2014-9277: The <cross-domain-policy> mangling in OutputHandler.php
+    poses a potentially severe security problem for API clients written in
+    PHP, in that format=php is affected (Closes: #772764).
+
+ -- Sebastien Delafond <seb at debian.org>  Sun, 14 Dec 2014 18:23:47 +0100
+
 mediawiki (1:1.19.20+dfsg-2) unstable; urgency=low
 
   * Team upload.
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch
--- mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch	1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_1.patch	2014-12-14 18:22:36.000000000 +0100
@@ -0,0 +1,32 @@
+--- a/includes/DefaultSettings.php
++++ b/includes/DefaultSettings.php
+@@ -2688,6 +2688,14 @@
+  */
+ $wgResourceLoaderExperimentalAsyncLoading = false;
+ 
++/**
++ * When OutputHandler is used, mangle any output that contains
++ * <cross-domain-policy>. Without this, an attacker can send their own
++ * cross-domain policy unless it is prevented by the crossdomain.xml file at
++ * the domain root.
++ */
++$wgMangleFlashPolicy = true;
++
+ /** @} */ # End of resource loader settings }
+ 
+ 
+--- a/includes/OutputHandler.php
++++ b/includes/OutputHandler.php
+@@ -13,8 +13,10 @@
+  * @return string
+  */
+ function wfOutputHandler( $s ) {
+-	global $wgDisableOutputCompression, $wgValidateAllHtml;
+-	$s = wfMangleFlashPolicy( $s );
++	global $wgDisableOutputCompression, $wgValidateAllHtml, $wgMangleFlashPolicy;
++	if ( $wgMangleFlashPolicy ) {
++		$s = wfMangleFlashPolicy( $s );
++	}
+ 	if ( $wgValidateAllHtml ) {
+ 		$headers = apache_response_headers();
+ 		$isHTML = true;
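Review bot: The `$wgMangleFlashPolicy` docblock added to DefaultSettings.php describes the attack the mangling prevents but says nothing about what turning the new setting off costs, which is the one thing an administrator reading it needs; I would extend it with `* Setting this to false re-enables the attack described above; leave it on unless a crossdomain.xml at the domain root already forbids policy files elsewhere.` The wfOutputHandler() docblock in the same hunk (ending at `@return string`) could likewise mention that the flash-policy mangling is now conditional on this global. The body of wfOutputHandler() continues past the end of the hunk.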
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch
--- mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch	1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/CVE-2014-9277_2.patch	2014-12-14 18:22:36.000000000 +0100
@@ -0,0 +1,53 @@
+--- a/includes/api/ApiFormatJson.php
++++ b/includes/api/ApiFormatJson.php
+@@ -67,9 +67,21 @@
+ 			$prefix = ( "/**/$prefix" );
+ 			$suffix = ')';
+ 		}
++
++		$json = FormatJson::encode( $this->getResultData(), $this->getIsHtml() );
++
++		// Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
++		// Flash, but what it does isn't friendly for the API, so we need to
++		// work around it.
++		if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $json ) ) {
++			$json = preg_replace(
++				'/\<(\s*cross-domain-policy\s*)\>/i', '\\u003C$1\\u003E', $json
++			);
++		}
++
+ 		$this->printText(
+ 			$prefix .
+-			FormatJson::encode( $this->getResultData(), $this->getIsHtml() ) .
++			$json .
+ 			$suffix
+ 		);
+ 	}
+--- a/includes/api/ApiFormatPhp.php
++++ b/includes/api/ApiFormatPhp.php
+@@ -39,7 +39,24 @@
+ 	}
+ 
+ 	public function execute() {
+-		$this->printText( serialize( $this->getResultData() ) );
++		global $wgMangleFlashPolicy;
++		$text = serialize( $this->getResultData() );
++
++		// Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
++		// Flash, but what it does isn't friendly for the API. There's nothing
++		// we can do here that isn't actively broken in some manner, so let's
++		// just be broken in a useful manner.
++		if ( $wgMangleFlashPolicy &&
++			in_array( 'wfOutputHandler', ob_list_handlers(), true ) &&
++			preg_match( '/\<\s*cross-domain-policy\s*\>/i', $text )
++		) {
++			$this->dieUsage(
++				'This response cannot be represented using format=php. See https://bugzilla.wikimedia.org/show_bug.cgi?id=66776',
++				'internalerror'
++			);
++		}
++
++		$this->printText( $text );
+ 	}
+ 
+ 	public function getDescription() {
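Review bot: In ApiFormatJson.php the result of preg_replace() is assigned straight back to `$json`, and preg_replace() returns null on a PCRE error, so in that case the printed body collapses to `$prefix . $suffix` with no error reported. Keeping the unescaped string on failure appears safe here, since with `$wgMangleFlashPolicy` on the output handler still mangles whatever is printed; I would write `$escaped = preg_replace( '/\<(\s*cross-domain-policy\s*)\>/i', '\\u003C$1\\u003E', $json );` followed by `if ( $escaped !== null ) { $json = $escaped; }`. The preceding preg_match() guard is redundant because preg_replace() leaves a non-matching string untouched, though it is harmless. The JSON path escapes unconditionally while the ApiFormatPhp path is gated on `$wgMangleFlashPolicy` and an active wfOutputHandler; that is fine for JSON because `\u003C` is a valid escape, but a one-line comment stating that the escaping is intentionally unconditional would save the next reader the comparison. ApiFormatJson::execute() starts outside the hunk.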
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/series mediawiki-1.19.20+dfsg/debian/patches/series
--- mediawiki-1.19.20+dfsg/debian/patches/series	2014-08-24 06:52:14.000000000 +0200
+++ mediawiki-1.19.20+dfsg/debian/patches/series	2014-12-14 18:22:55.000000000 +0100
@@ -9,3 +9,5 @@
 fix_warnings.patch
 mimetypes.patch
 suppress_warnings.patch
+CVE-2014-9277_1.patch
+CVE-2014-9277_2.patch

