[evolvis-commits] r18313: Patch for CVE-2011-0047

mirabilos at evolvis.org mirabilos at evolvis.org
Wed Apr 11 11:16:37 CEST 2012


Author: mirabilos
Date: 2012-04-11 11:16:36 +0200 (Wed, 11 Apr 2012)
New Revision: 18313

Added:
   trunk/mediawiki/debian/patches/CVE-2011-0047.patch
Modified:
   trunk/mediawiki/debian/changelog
   trunk/mediawiki/debian/patches/series
Log:
Patch for CVE-2011-0047

Modified: trunk/mediawiki/debian/changelog
===================================================================
--- trunk/mediawiki/debian/changelog	2012-04-11 09:16:30 UTC (rev 18312)
+++ trunk/mediawiki/debian/changelog	2012-04-11 09:16:36 UTC (rev 18313)
@@ -1,11 +1,16 @@
 mediawiki (1:1.15.5-3) UNRELEASED; urgency=low
 
+  [ Thorsten Glaser ]
   * debian/patches/fix_datetime.patch: new, convert argument into
     the format expected by other methods, fixes date/time output
     in e.g. the News/RSS extensions
 
- -- Thorsten Glaser <tg at mirbsd.de>  Tue, 07 Sep 2010 11:04:26 +0200
+  [ Jonathan Wiltshire ]
+  * CVE-2011-0047: Protect against a CSS injection vulnerability
+    (closes: #611787)
 
+ -- Jonathan Wiltshire <debian at jwiltshire.org.uk>  Sun, 06 Feb 2011 13:45:39 +0000
+
 mediawiki (1:1.15.5-2) testing-security; urgency=high
 
   * CVE-2011-0003: Protect against clickjacking by sending the
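
Review bot: the trailer line of the 1:1.15.5-3 entry now names Jonathan Wiltshire with the date Sun, 06 Feb 2011, but the entry is still UNRELEASED, its first section belongs to Thorsten Glaser, and this revision was committed on 2012-04-11. The trailer should carry the name and timestamp of whoever last edited the entry, so that the [ name ] sections stay meaningful. The entry also keeps urgency=low while gaining a CVE fix, whereas the 1:1.15.5-2 entry below used urgency=high for CVE-2011-0003; consider raising it to match.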

Added: trunk/mediawiki/debian/patches/CVE-2011-0047.patch
===================================================================
--- trunk/mediawiki/debian/patches/CVE-2011-0047.patch	                        (rev 0)
+++ trunk/mediawiki/debian/patches/CVE-2011-0047.patch	2012-04-11 09:16:36 UTC (rev 18313)
@@ -0,0 +1,58 @@
+Description: prevent CSS injection vulnerability
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/81333
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=27093
+Author: Tim Starling, Roan
+Last-Update: 2011-02-06
+
+--- mediawiki-1.15.5.orig/RELEASE-NOTES
++++ mediawiki-1.15.5/RELEASE-NOTES
+@@ -3,6 +3,9 @@
+ Security reminder: MediaWiki does not require PHP's register_globals
+ setting since version 1.2.0. If you have it on, turn it *off* if you can.
+ 
++== Changes since 1.15.5 ==
++* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.
++
+ == MediaWiki 1.15.5 ==
+ 
+ 2010-07-28
+--- mediawiki-1.15.5.orig/includes/Sanitizer.php
++++ mediawiki-1.15.5/includes/Sanitizer.php
+@@ -659,6 +659,13 @@
+ 		// Remove any comments; IE gets token splitting wrong
+ 		$value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+ 
++		// Remove anything after a comment-start token, to guard against
++		// incorrect client implementations.
++		$commentPos = strpos( $value, '/*' );
++		if ( $commentPos !== false ) {
++			$value = substr( $value, 0, $commentPos );
++		}
++
+ 		// Decode escape sequences and line continuation
+ 		// See the grammar in the CSS 2 spec, appendix D.
+ 		static $decodeRegex, $reencodeTable;
+--- mediawiki-1.15.5.orig/includes/StringUtils.php
++++ mediawiki-1.15.5/includes/StringUtils.php
+@@ -77,16 +77,20 @@
+ 			}
+ 
+ 			if ( $tokenType == 'start' ) {
+-				$inputPos = $tokenOffset + $tokenLength;
+ 				# Only move the start position if we haven't already found a start
+ 				# This means that START START END matches outer pair
+ 				if ( !$foundStart ) {
+ 					# Found start
++					$inputPos = $tokenOffset + $tokenLength;
+ 					# Write out the non-matching section
+ 					$output .= substr( $subject, $outputPos, $tokenOffset - $outputPos );
+ 					$outputPos = $tokenOffset;
+ 					$contentPos = $inputPos;
+ 					$foundStart = true;
++				} else {
++					# Move the input position past the *first character* of START,
++					# to protect against missing END when it overlaps with START
++					$inputPos = $tokenOffset + 1;
+ 				}
+ 			} elseif ( $tokenType == 'end' ) {
+ 				if ( $foundStart ) {
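
Review bot: in the Sanitizer.php part, the new truncation at an unmatched '/*' runs before the step labelled "Decode escape sequences and line continuation" in the trailing context, so it only ever sees a literal comment-start token. Please confirm that the value is checked for comment tokens again after decoding, or move this check below the decode step. The StringUtils.php change alters how nested START tokens advance $inputPos and comes without a test; a regression test for delimiterReplace() with overlapping start and end delimiters would pin that behaviour down. In the patch header, "Author: Tim Starling, Roan" leaves the second name incomplete, and there is no Bug-Debian field although the changelog closes #611787.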

Modified: trunk/mediawiki/debian/patches/series
===================================================================
--- trunk/mediawiki/debian/patches/series	2012-04-11 09:16:30 UTC (rev 18312)
+++ trunk/mediawiki/debian/patches/series	2012-04-11 09:16:36 UTC (rev 18313)
@@ -7,3 +7,4 @@
 suppress_warnings.patch
 CVE-2011-0003.patch
 fix_datetime.patch
+CVE-2011-0047.patch


