[evolvis-commits] r18319: Security fixes for CVE-2011-4360 and CVE-2011-4361

mirabilos at evolvis.org
Wed Apr 11 11:16:48 CEST 2012


Author: mirabilos
Date: 2012-04-11 11:16:48 +0200 (Wed, 11 Apr 2012)
New Revision: 18319

Added:
   trunk/mediawiki/debian/patches/CVE-2011-4360.patch
   trunk/mediawiki/debian/patches/CVE-2011-4361.patch
Modified:
   trunk/mediawiki/debian/changelog
   trunk/mediawiki/debian/patches/series
Log:
Security fixes for CVE-2011-4360 and CVE-2011-4361

Modified: trunk/mediawiki/debian/changelog
===================================================================
--- trunk/mediawiki/debian/changelog	2012-04-11 09:16:46 UTC (rev 18318)
+++ trunk/mediawiki/debian/changelog	2012-04-11 09:16:48 UTC (rev 18319)
@@ -3,8 +3,15 @@
   [ Thorsten Glaser ]
   * debian/patches/fix_invalid_sql.patch: new (Closes: #615983)
 
- -- Thorsten Glaser <tg at mirbsd.de>  Wed, 06 Jul 2011 12:21:31 +0200
+  [ Jonathan Wiltshire ]
+  * Security fixes from upstream (Closes: #650434):
+    CVE-2011-4360 - page titles on private wikis could be exposed
+	bypassing different page ids to index.php
+    CVE-2011-4361 - action=ajax requests were dispatched to the
+	relevant function without any read permission checks being done
 
+ -- Jonathan Wiltshire <jmw at debian.org>  Wed, 30 Nov 2011 22:36:51 +0000
+
 mediawiki (1:1.15.5-3) unstable; urgency=high
 
   [ Thorsten Glaser ]
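Review bot: the continuation lines under each CVE entry (`	bypassing different page ids to index.php` and `	relevant function without any read permission checks being done`) are indented with a literal tab while every other line of the entry uses spaces; debian/changelog entries should use space indentation throughout so the lines stay aligned in rendered changelogs. Also, "could be exposed bypassing different page ids" reads as a typo for "could be exposed by passing different page ids", which is what the rest of the sentence describes.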

Added: trunk/mediawiki/debian/patches/CVE-2011-4360.patch
===================================================================
--- trunk/mediawiki/debian/patches/CVE-2011-4360.patch	                        (rev 0)
+++ trunk/mediawiki/debian/patches/CVE-2011-4360.patch	2012-04-11 09:16:48 UTC (rev 18319)
@@ -0,0 +1,31 @@
+Description: CVE-2011-4360
+ Alexandre Emsenhuber discovered an issue where page titles on private
+ wikis could be exposed bypassing different page ids to index.php. In the
+ case of the user not having correct permissions, they will now be
+ redirected to Special:BadTitle.
+Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
+Bug-Debian: http://bugs.debian.org/650434
+Forwarded: not-needed
+Last-Update: 2011-11-30
+
+
+--- mediawiki-1.15.5.orig/includes/Wiki.php
++++ mediawiki-1.15.5/includes/Wiki.php
+@@ -149,6 +149,16 @@
+ 		# the Read array in order for the user to see it. (We have to check here to
+ 		# catch special pages etc. We check again in Article::view())
+ 		if( !is_null( $title ) && !$title->userCanRead() ) {
++			// Bug 32276: allowing the skin to generate output with $wgTitle
++			// set to the input title would allow anonymous users to
++			// determine whether a page exists, potentially leaking private data. In fact, the
++			// curid and oldid request  parameters would allow page titles to be enumerated even
++			// when they are not guessable. So we reset the title to Special:Badtitle before the
++			// permissions error is displayed.
++			$badtitle = SpecialPage::getTitleFor( 'Badtitle' );
++			$output->setTitle( $badtitle );
++			$wgTitle = $badtitle;
++
+ 			$output->loginToUse();
+ 			$output->output();
+ 			$output->disable();
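Review bot: `$wgTitle = $badtitle;` is assigned but no `global $wgTitle;` declaration is visible in this hunk's context; unless the enclosing function already declares it global, the assignment only sets a function-local variable and the skin keeps rendering with the real title, which is exactly the leak the fix is meant to close. Please widen the context (or include the `global` line in the hunk) so the reviewer can verify that the assignment reaches the global. Minor: the Description says users are redirected to Special:BadTitle while the code uses `SpecialPage::getTitleFor( 'Badtitle' )`, and the DEP-3 header has two blank lines before the `---` line where one is expected.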

Added: trunk/mediawiki/debian/patches/CVE-2011-4361.patch
===================================================================
--- trunk/mediawiki/debian/patches/CVE-2011-4361.patch	                        (rev 0)
+++ trunk/mediawiki/debian/patches/CVE-2011-4361.patch	2012-04-11 09:16:48 UTC (rev 18319)
@@ -0,0 +1,35 @@
+Description: CVE-2011-4361
+ Tim Starling discovered that action=ajax requests were dispatched to the
+ relevant function without any read permission checks being done.
+ This could have led to data leakage on private wikis.
+Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
+Bug-Debian: http://bugs.debian.org/650434
+Forwarded: not-needed
+Last-Update: 2011-11-30
+
+--- mediawiki-1.15.5.orig/includes/AjaxDispatcher.php
++++ mediawiki-1.15.5/includes/AjaxDispatcher.php
+@@ -78,7 +78,7 @@
+ 	 * request.
+ 	 */
+ 	function performAction() {
+-		global $wgAjaxExportList, $wgOut;
++		global $wgAjaxExportList, $wgOut, $wgUser;
+ 
+ 		if ( empty( $this->mode ) ) {
+ 			return;
+@@ -90,6 +90,13 @@
+ 
+ 			wfHttpError( 400, 'Bad Request',
+ 				"unknown function " . (string) $this->func_name );
++		} elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
++			&& !$wgUser->isAllowed( 'read' ) )
++		{
++			wfHttpError(
++				403,
++				'Forbidden',
++				'You must log in to view pages.' );
+ 		} else {
+ 			wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
+ 
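Review bot: the `Bug:` and `Origin:` headers duplicate those of CVE-2011-4360.patch (bug 32276, r104506) even though the Description credits a different finder and a different issue (action=ajax dispatch without a read check); confirm the upstream bug id for this issue or drop the `Bug:` line rather than pointing at the title-leak bug. On the logic: the new read check sits after the unknown-function branch, so on a private wiki an anonymous client still receives the 400 "unknown function" response before the 403 is considered; moving the `elseif` ahead of the unknown-function test would apply the permission check uniformly to every request.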

Modified: trunk/mediawiki/debian/patches/series
===================================================================
--- trunk/mediawiki/debian/patches/series	2012-04-11 09:16:46 UTC (rev 18318)
+++ trunk/mediawiki/debian/patches/series	2012-04-11 09:16:48 UTC (rev 18319)
@@ -9,3 +9,5 @@
 fix_datetime.patch
 CVE-2011-0047.patch
 fix_invalid_sql.patch
+CVE-2011-4360.patch
+CVE-2011-4361.patch
