Giuseppe Iuculano
2009-Jan-18 11:17 UTC
[Secure-testing-team] mediawiki: NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
Hi,

the attached debdiff is for a proposed NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252 in lenny. (Backported from mediawiki 1.12.3)

mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high

  * Security update, NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
  * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
    - Fixed output escaping for reporting of non-MediaWiki exceptions.
      Potential XSS if an extension throws one of these with user input.
    - Avoid fatal error in profileinfo.php when not configured.
    - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
      transwiki import feature.
    - Add a .htaccess to deleted images directory for additional protection
      against exposure of deleted files with known SHA-1 hashes on default
      installations.
    - Fixed XSS vulnerability for Internet Explorer clients, via file
      uploads which are interpreted by IE as HTML.
    - Fixed XSS vulnerability for clients with SVG scripting, on wikis
      where SVG uploads are enabled. Firefox 1.5+ is affected.
    - Avoid streaming uploaded files to the user via index.php. This allows
      security-conscious users to serve uploaded files via a different
      domain, and thus client-side scripts executed from that domain cannot
      access the login cookies. Affects Special:Undelete, img_auth.php and
      thumb.php.
    - When streaming files via index.php, use the MIME type detected from
      the file extension, not from the data. This reduces the XSS attack
      surface.
    - Blacklist redirects via Special:Filepath. Such redirects exacerbate
      any XSS vulnerabilities involving uploads of files containing scripts.
    Closes: #508869, #508870

 -- Giuseppe Iuculano <giuseppe at iuculano.it>  Sun, 18 Jan 2009 11:54:02 +0100

Cheers,
Giuseppe

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mediawiki_1.12.0-2lenny2.debdiff.gz
Type: application/x-gzip
Size: 15052 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090118/aedb3107/attachment-0001.bin
Nico Golde
2009-Jan-18 14:24 UTC
[Secure-testing-team] mediawiki: NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
Hi,

* Giuseppe Iuculano <giuseppe at iuculano.it> [2009-01-18 13:19]:
> the attached debdiff is for a proposed NMU to fix CVE-2008-5249, CVE-2008-5250,
> CVE-2008-5252 in lenny. (Backported from mediawiki 1.12.3)
[...]

Thanks for the work! I will check the patches during the next week. How much testing did this patch receive so far? I am somehow unhappy to get such a huge patch as NMU without maintainer input.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Giuseppe Iuculano
2009-Jan-18 16:17 UTC
[Secure-testing-team] mediawiki: NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
Nico Golde wrote:
> Thanks for the work! I will check the patches during the
> next week. How much testing did this patch receive so far?

I'm testing this version (not in production), and for the moment I didn't find any evident problems, but sure it requires more testing.

> I
> am somehow unhappy to get such a huge patch as NMU without
> maintainer input.

I agree with you, patch is huge but substantially this is the upstream backported security patch[1] to mediawiki 1.12 branch. Maintainer wrote[2] he is too busy and help from contributors is welcome.

P.S. CVE-2008-4408: not affected in etch

[1] http://svn.wikimedia.org/viewvc/mediawiki?view=rev&revision=44599
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508869#21

Cheers,
Giuseppe
Romain Beauxis
2009-Jan-18 20:55 UTC
[Secure-testing-team] [Pkg-mediawiki-devel] Bug#508870: mediawiki: NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
On Sunday 18 January 2009 12:17:01 Giuseppe Iuculano, you wrote:
> Hi,

Hi!

> the attached debdiff is for a proposed NMU to fix CVE-2008-5249,
> CVE-2008-5250, CVE-2008-5252 in lenny. (Backported from mediawiki 1.12.3)

Many thanks for this patch and your work! I have built a fixed package and tested it, it works ok. Also, the changes look clean from the packaging point.

However, I won't comment on the content of the patch, I don't have enough time for that. I hope someone else can help reviewing it.

Romain

> mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high
>
>   * Security update, NMU to fix CVE-2008-5249, CVE-2008-5250,
>     CVE-2008-5252
>   * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
>     - Fixed output escaping for reporting of non-MediaWiki exceptions.
>       Potential XSS if an extension throws one of these with user input.
>     - Avoid fatal error in profileinfo.php when not configured.
>     - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
>       transwiki import feature.
>     - Add a .htaccess to deleted images directory for additional protection
>       against exposure of deleted files with known SHA-1 hashes on default
>       installations.
>     - Fixed XSS vulnerability for Internet Explorer clients, via file
>       uploads which are interpreted by IE as HTML.
>     - Fixed XSS vulnerability for clients with SVG scripting, on wikis
>       where SVG uploads are enabled. Firefox 1.5+ is affected.
>     - Avoid streaming uploaded files to the user via index.php. This allows
>       security-conscious users to serve uploaded files via a different
>       domain, and thus client-side scripts executed from that domain cannot
>       access the login cookies. Affects Special:Undelete, img_auth.php and
>       thumb.php.
>     - When streaming files via index.php, use the MIME type detected
>       from the file extension, not from the data. This reduces the XSS
>       attack surface.
>     - Blacklist redirects via Special:Filepath. Such redirects
>       exacerbate any XSS vulnerabilities involving uploads of files
>       containing scripts.
>     Closes: #508869, #508870
>
>  -- Giuseppe Iuculano <giuseppe at iuculano.it>  Sun, 18 Jan 2009 11:54:02 +0100
>
> Cheers,
> Giuseppe
Nico Golde
2009-Jan-24 14:31 UTC
[Secure-testing-team] mediawiki: NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
Hi,

* Nico Golde <debian-secure-testing+ml at ngolde.de> [2009-01-18 16:03]:
> * Giuseppe Iuculano <giuseppe at iuculano.it> [2009-01-18 13:19]:
> > the attached debdiff is for a proposed NMU to fix CVE-2008-5249, CVE-2008-5250,
> > CVE-2008-5252 in lenny. (Backported from mediawiki 1.12.3)
> [...]
> Thanks for the work! I will check the patches during the
> next week. How much testing did this patch receive so far? I
> am somehow unhappy to get such a huge patch as NMU without
> maintainer input.

As far as I can judge, the patch looks fine to me. Please upload to testing-security as described on:
http://testing-security.debian.net/uploading.html

Cheers and thanks for the work!
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Giuseppe Iuculano
2009-Jan-24 14:46 UTC
[Secure-testing-team] mediawiki: NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252
Hi Nico,

Nico Golde wrote:
> As far as I can judge, the patch looks fine to me.
> Please upload to testing-security as described on:
> http://testing-security.debian.net/uploading.html

Sorry but I'm not a DD, only a DM :) , so I can't upload it. Can you sponsor this upload? Otherwise I can ask the debian-mentors@ mailing list.

Cheers,
Giuseppe.