Debian Bug report logs - #696179
mediawiki-extensions-base: RSS_Reader Javascript injection


Package: mediawiki-extensions-base; Maintainer for mediawiki-extensions-base is Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>; Source for mediawiki-extensions-base is src:mediawiki-extensions.

Reported by: Thorsten Glaser <tg@mirbsd.de>

Date: Mon, 17 Dec 2012 16:24:02 UTC

Severity: grave

Tags: security, squeeze, upstream

Found in version mediawiki-extensions/2.9

Fixed in versions mediawiki-extensions/2.11, mediawiki-extensions/3.1, mediawiki-extensions/3.2, mediawiki-extensions/2.10, mediawiki-extensions/2.3squeeze2

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, tg@mirbsd.de, joeyh@debian.org, fusionforge-general@lists.fusionforge.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 16:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
New Bug report received and forwarded. Copy sent to tg@mirbsd.de, joeyh@debian.org, fusionforge-general@lists.fusionforge.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 17 Dec 2012 16:24:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <tg@mirbsd.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 17:21:15 +0100
Package: mediawiki-extensions-base
Version: 2.9
Severity: grave
Justification: user security hole

Thanks to Joey Hess, who put
	<title>&lt;/yurt&gt;</title>
into his feed, and our FusionForge “pink popup”
which displays invalid XHTML immediately, a user
security hole could be identified today during
MediaWiki validation at tarent solutions GmbH
in mediawiki-extensions-base (RSS_Reader) and
gforge-base (Codendi RSS widget).

In mediawiki-extensions-base, this is an actual
user security hole: JavaScript placed, properly
escaped, into an RSS feed item’s title is executed
on the page. (In FusionForge, <script> tags are
stripped, but the invalid </yurt> is still emitted.
I will not file a security bug against FusionForge
because I do not believe it a user security hole
there, but still commit a fix into FF’s git repo.)

I will upload a fixed src:mediawiki-extensions ASAP.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh-static

mediawiki-extensions-base depends on no packages.

Versions of packages mediawiki-extensions-base recommends:
ii  mediawiki  1:1.19.3-1tarent1

mediawiki-extensions-base suggests no packages.

-- no debconf information
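The defect the report describes, modelled in Python (an added example; the real extension is PHP and this is not code from RSS_Reader or the Debian package): the XML parser decodes `&lt;/yurt&gt;` in an item title back into the literal text `</yurt>`, and a reader that concatenates that text into the page without escaping it once more turns whatever the feed author wrote into live markup. The feed, URLs and function names are constructed for the example.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real feed): the first title is the
# "</yurt>" probe from the report, the second an entity-escaped <script>
# element. Both are well-formed RSS, because the markup is escaped in the XML.
SAMPLE_FEED = """<rss version="2.0"><channel><title>probe feed</title>
<item><title>&lt;/yurt&gt;</title><link>http://feed.example.invalid/1</link></item>
<item><title>&lt;script&gt;probe()&lt;/script&gt;</title><link>http://feed.example.invalid/2</link></item>
<item><title>Plain headline &amp; nothing else</title><link>http://feed.example.invalid/3</link></item>
</channel></rss>"""


def feed_titles(xml_text):
    """Parse the feed. The XML parser decodes &lt; and &gt; back into
    literal angle brackets, so titles come out as plain text that may
    legitimately contain '<' and '>'."""
    root = ET.fromstring(xml_text)
    return [item.findtext("title", "") for item in root.iter("item")]


def render_vulnerable(titles):
    """Models the unfixed reader: the decoded title is concatenated into
    the page's HTML as-is, so any tag in it becomes part of the page."""
    return "".join(f"<li>{t}</li>" for t in titles)


def render_fixed(titles):
    """Escape each title exactly once, at the HTML output boundary."""
    return "".join(f"<li>{html.escape(t, quote=True)}</li>" for t in titles)


def leaks_markup(rendered, titles):
    """Check: does any title containing '<' or '>' appear verbatim
    (unescaped) in the rendered fragment?"""
    return any(("<" in t or ">" in t) and t in rendered for t in titles)


if __name__ == "__main__":
    titles = feed_titles(SAMPLE_FEED)
    for name, out in (("vulnerable", render_vulnerable(titles)),
                      ("fixed", render_fixed(titles))):
        print(f"{name}: leaks markup = {leaks_markup(out, titles)}")
        print("   ", out)
```

The escaping has to happen at the HTML boundary and nowhere else: escaping earlier (in the feed, as Planet Debian does) shows readers a literal `&lt;/yurt&gt;`, and escaping never (as the unfixed reader does) executes the script.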



Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Mon, 17 Dec 2012 16:36:06 GMT) Full text and rfc822 format available.

Notification sent to Thorsten Glaser <tg@mirbsd.de>:
Bug acknowledged by developer. (Mon, 17 Dec 2012 16:36:06 GMT) Full text and rfc822 format available.

Message #10 received at 696179-close@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <tg@mirbsd.de>
To: 696179-close@bugs.debian.org
Subject: Bug#696179: fixed in mediawiki-extensions 2.10
Date: Mon, 17 Dec 2012 16:32:33 +0000
Source: mediawiki-extensions
Source-Version: 2.10

We believe that the bug you reported is fixed in the latest version of
mediawiki-extensions, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated mediawiki-extensions package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Mon, 17 Dec 2012 17:21:32 +0100
Source: mediawiki-extensions
Binary: mediawiki-extensions-base mediawiki-extensions-geshi mediawiki-extensions-ldapauth mediawiki-extensions-openid mediawiki-extensions-confirmedit mediawiki-extensions-collection mediawiki-extensions-graphviz mediawiki-extensions
Architecture: source all
Version: 2.10
Distribution: unstable
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 mediawiki-extensions - Extensions for MediaWiki -- Meta package
 mediawiki-extensions-base - Extensions for MediaWiki -- Base package
 mediawiki-extensions-collection - Extensions for MediaWiki -- Collection extension
 mediawiki-extensions-confirmedit - Extensions for MediaWiki -- ConfirmEdit extension
 mediawiki-extensions-geshi - Extensions for MediaWiki -- SyntaxHighlight_GeSHi extension
 mediawiki-extensions-graphviz - Extensions for MediaWiki -- GraphViz extension
 mediawiki-extensions-ldapauth - Extensions for MediaWiki -- LdapAuthentication extension
 mediawiki-extensions-openid - Extensions for MediaWiki -- OpenID extension
Closes: 696179
Changes: 
 mediawiki-extensions (2.10) unstable; urgency=high
 .
   * RSS_Reader: fix Javascript injection (Closes: #696179)
Checksums-Sha1: 
 072465ffc517acba5cf2ad42c44d1de92013bba4 2329 mediawiki-extensions_2.10.dsc
 f1dd4fbddfeb589f6bf75ed7321b2875efc44c85 1642214 mediawiki-extensions_2.10.tar.gz
 1b1fc5066363f9fe55df38aedf0c068446e601fe 828994 mediawiki-extensions-base_2.10_all.deb
 e28badcca6dd7a0e2fdad0d52f5d57f3069b982b 33532 mediawiki-extensions-geshi_2.10_all.deb
 d7343a7a09e7e442fa4d020cf21dd2689576653b 26494 mediawiki-extensions-ldapauth_2.10_all.deb
 a4ebc02c5e5cbd71e0ab04efba2a7a1d6b01e318 196954 mediawiki-extensions-openid_2.10_all.deb
 a3f0a1b7027f11ff50104e0bac3c587afac524d2 246306 mediawiki-extensions-confirmedit_2.10_all.deb
 62b809b505079fbcfdb87d03f5f920ec8428053b 332422 mediawiki-extensions-collection_2.10_all.deb
 38b77a607c9ccd0bf813d89ee29b9124a7cb7e64 16654 mediawiki-extensions-graphviz_2.10_all.deb
 edb8fd4b92956fbcb46d56ee0c7f4ac865d63954 7092 mediawiki-extensions_2.10_all.deb
Checksums-Sha256: 
 019ead48b2ff5d3e6f689c6e1ae9f4ad048a8ffbb3aba08d85454147256da4f5 2329 mediawiki-extensions_2.10.dsc
 de290d16ab31557bc0042ab1eccca02982a0cab5bb509586faa5d5fb34cf451b 1642214 mediawiki-extensions_2.10.tar.gz
 1f5cff2d00165bd8266aafe13b5c30af9fd7d984ef2b8d078073e31b8ec362af 828994 mediawiki-extensions-base_2.10_all.deb
 b91e7b8fc437838071bcb6ad9abed590c57d6af23e92994ecae38ebb156ae4ba 33532 mediawiki-extensions-geshi_2.10_all.deb
 68b3962cd8a3338fc691e4c9a2b47933b40538ab00d2daf55ec9b04f0c265d0b 26494 mediawiki-extensions-ldapauth_2.10_all.deb
 2a0c80ed98b86ed9c73249b8930d16a6f14d39f8cfb2ab71783baf8cb0c204e5 196954 mediawiki-extensions-openid_2.10_all.deb
 67611cd97c9e1d640b01bfb42365681d55131e023f19e7aa03b4bd28bbac4dbd 246306 mediawiki-extensions-confirmedit_2.10_all.deb
 3a9613d19b8f64670582e0e11a79830ec05ab6b6cd4e9efaca33f1fd6bc35049 332422 mediawiki-extensions-collection_2.10_all.deb
 710f2aede654e0a02bf032d3ee22788db642c66bac3bfebbd4e99ad609acb8d7 16654 mediawiki-extensions-graphviz_2.10_all.deb
 1db4e30dccb248836c71967cf0cfdb044be17d39c84a373082d46c9df267b69f 7092 mediawiki-extensions_2.10_all.deb
Files: 
 798e4ef3f3ab4ee56945bc29dd508147 2329 web optional mediawiki-extensions_2.10.dsc
 4e777394327eae5bb77155c15498c68f 1642214 web optional mediawiki-extensions_2.10.tar.gz
 7747bdd4a9d8d2267403cea8bc957cb5 828994 web optional mediawiki-extensions-base_2.10_all.deb
 e887dfbcaf9ec01c1599ea0126cf3b5b 33532 web optional mediawiki-extensions-geshi_2.10_all.deb
 0834c6d2a9609c21556ab3ffd980cbc9 26494 web optional mediawiki-extensions-ldapauth_2.10_all.deb
 f489fca06ffcc7aab65c128563434e8a 196954 web optional mediawiki-extensions-openid_2.10_all.deb
 a4ffa55e48ab5f10df68414b99d660a4 246306 web optional mediawiki-extensions-confirmedit_2.10_all.deb
 cd3715c154714dc3a0988527377fdd3d 332422 web optional mediawiki-extensions-collection_2.10_all.deb
 28e44deea628ae7ddd5cce34f558fac2 16654 web optional mediawiki-extensions-graphviz_2.10_all.deb
 bb418b134a54770cdb6e415892e73a28 7092 web optional mediawiki-extensions_2.10_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MirBSD)
-----END PGP SIGNATURE-----




Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Mon, 17 Dec 2012 16:51:08 GMT) Full text and rfc822 format available.

Notification sent to Thorsten Glaser <tg@mirbsd.de>:
Bug acknowledged by developer. (Mon, 17 Dec 2012 16:51:08 GMT) Full text and rfc822 format available.

Message #15 received at 696179-close@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <tg@mirbsd.de>
To: 696179-close@bugs.debian.org
Subject: Bug#696179: fixed in mediawiki-extensions 3.1
Date: Mon, 17 Dec 2012 16:47:42 +0000
Source: mediawiki-extensions
Source-Version: 3.1

We believe that the bug you reported is fixed in the latest version of
mediawiki-extensions, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated mediawiki-extensions package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Mon, 17 Dec 2012 17:30:00 +0100
Source: mediawiki-extensions
Binary: mediawiki-extensions-base mediawiki-extensions-geshi mediawiki-extensions-ldapauth mediawiki-extensions-openid mediawiki-extensions-confirmedit mediawiki-extensions-collection mediawiki-extensions-graphviz mediawiki-extensions
Architecture: source all
Version: 3.1
Distribution: experimental
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 mediawiki-extensions - Extensions for MediaWiki -- Meta package
 mediawiki-extensions-base - Extensions for MediaWiki -- Base package
 mediawiki-extensions-collection - Extensions for MediaWiki -- Collection extension
 mediawiki-extensions-confirmedit - Extensions for MediaWiki -- ConfirmEdit extension
 mediawiki-extensions-geshi - Extensions for MediaWiki -- SyntaxHighlight_GeSHi extension
 mediawiki-extensions-graphviz - Extensions for MediaWiki -- GraphViz extension
 mediawiki-extensions-ldapauth - Extensions for MediaWiki -- LdapAuthentication extension
 mediawiki-extensions-openid - Extensions for MediaWiki -- OpenID extension
Closes: 696179
Changes: 
 mediawiki-extensions (3.1) experimental; urgency=high
 .
   * RSS_Reader: fix Javascript injection (Closes: #696179)
Checksums-Sha1: 
 656b5f7b00d7d53e5abdbfacf4bae17203de23b5 2325 mediawiki-extensions_3.1.dsc
 7db85d74325132c9f1a0e23980c9c368f47003f4 1643168 mediawiki-extensions_3.1.tar.gz
 2c5f02641f5a32dbe1030f2d5a885d54c748f0a9 829062 mediawiki-extensions-base_3.1_all.deb
 a8b1a98ae2d6ae19dd5b8291741a4717dab59b99 33606 mediawiki-extensions-geshi_3.1_all.deb
 aec845e46de64588f5e46b110834aeb47ae58607 26570 mediawiki-extensions-ldapauth_3.1_all.deb
 be0370903f349699d5e730ef4ab7e5ad235f5075 197050 mediawiki-extensions-openid_3.1_all.deb
 856845ec193c5908c0fc2e5f5832d23d4ca2d58e 246382 mediawiki-extensions-confirmedit_3.1_all.deb
 8c5389680fbfda2cef71bb8c96a6fecabc264cb3 332506 mediawiki-extensions-collection_3.1_all.deb
 55e64018e7a4177d6d3385bbc8753129d1e83ff6 16752 mediawiki-extensions-graphviz_3.1_all.deb
 853d9d296efd497d0dd111437ae5a492b6b4b36d 7180 mediawiki-extensions_3.1_all.deb
Checksums-Sha256: 
 2cc370a888c2d1ab4630222b2b0dbb31901a8d191d3712f023c24a3cddef834f 2325 mediawiki-extensions_3.1.dsc
 b12cf4a14f82b9e9a43bff7abf657b8e19bc9c7499d0d64fccf06caf8b15c42b 1643168 mediawiki-extensions_3.1.tar.gz
 f2411702e06058ac0e42d4d73ae0684be2c9905cbcb43ff04e81dd99ddac3f76 829062 mediawiki-extensions-base_3.1_all.deb
 50c685ff7964041c175f90ba99056a14f924148e9b9b218e6a0fd66650b84416 33606 mediawiki-extensions-geshi_3.1_all.deb
 7239a22a56b68ec99a9f40e1aa222a416ef00fb4eb36e3c2b8f66e1c7eb69cfc 26570 mediawiki-extensions-ldapauth_3.1_all.deb
 85a6e7effa41e14e5869425abc01a11b9cde4b9a554737c5103e89256d5b6a28 197050 mediawiki-extensions-openid_3.1_all.deb
 cd6f90db782db7fc1b29ac60004e82fa41ab8234444b17808efe155f12088a6e 246382 mediawiki-extensions-confirmedit_3.1_all.deb
 c24c1330f6739569787938ed59b6473aa121c9e4d8d1c5ba2da85ddaee0f5b70 332506 mediawiki-extensions-collection_3.1_all.deb
 71ae7446392224aeba2760c4d4bd65e6072b82b180adcb95f1b1ddc8dc6132d1 16752 mediawiki-extensions-graphviz_3.1_all.deb
 910b6297c45be666e007fbba5447e78d051fbdf85f9630f3cc405fa7cd578fb4 7180 mediawiki-extensions_3.1_all.deb
Files: 
 a7edc81f8d0849c8c2e202485cf20946 2325 web optional mediawiki-extensions_3.1.dsc
 d1e721315467e2803c544568c0f7abed 1643168 web optional mediawiki-extensions_3.1.tar.gz
 34433d00730e17265ce115ced50f88e7 829062 web optional mediawiki-extensions-base_3.1_all.deb
 9357e5acbd079191eab533e280f58cea 33606 web optional mediawiki-extensions-geshi_3.1_all.deb
 68bb961f45a460c394ea3e92d8626598 26570 web optional mediawiki-extensions-ldapauth_3.1_all.deb
 27e3f6e050f0d41495c7bab8c1c88c3e 197050 web optional mediawiki-extensions-openid_3.1_all.deb
 e749ecfe8a10ebd74fc58728f4f46150 246382 web optional mediawiki-extensions-confirmedit_3.1_all.deb
 f51b00c6a67eb9329773d421fb536d25 332506 web optional mediawiki-extensions-collection_3.1_all.deb
 2f003f63f0531a988634effde1e64198 16752 web optional mediawiki-extensions-graphviz_3.1_all.deb
 189486a9ad726bd88aff2fc3a208599b 7180 web optional mediawiki-extensions_3.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MirBSD)
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 16:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 17 Dec 2012 16:54:04 GMT) Full text and rfc822 format available.

Message #20 received at 696179@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: Thorsten Glaser <tg@mirbsd.de>, <696179@bugs.debian.org>, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 16:50:52 +0000
Control: tag -1 + upstream security

On 2012-12-17 16:21, Thorsten Glaser wrote:
> Package: mediawiki-extensions-base
> Version: 2.9
> Severity: grave
> Justification: user security hole
>
> Thanks to Joey Hess, who put
> 	<title>&lt;/yurt&gt;</title>
> into his feed, and our FusionForge “pink popup”
> which displays invalid XHTML immediately, a user
> security hole could be identified today during
> MediaWiki validation at tarent solutions GmbH
> in mediawiki-extensions-base (RSS_Reader) and
> gforge-base (Codendi RSS widget).
>
> In mediawiki-extensions-base, this is an actual
> user security hole: JavaScript placed, properly
> escaped, into an RSS feed item’s title is executed
> on the page. (In FusionForge, <script> tags are
> stripped, but the invalid </yurt> is still emitted.
> I will not file a security bug against FusionForge
> because I do not believe it a user security hole
> there, but still commit a fix into FF’s git repo.)

At a quick glance this appears to affect upstream [1, as far as I'm 
able to find out]. Can you confirm this and have you sought out a CVE 
number?

The window of opportunity is small but the impact could be significant 
(drive-by downloads, session theft, XSS etc).

1: http://www.mediawiki.org/wiki/Extension:RSS_Reader

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
            layered on top of bonghits



Added tag(s) upstream and security. Request was from Jonathan Wiltshire <jmw@debian.org> to 696179-submit@bugs.debian.org. (Mon, 17 Dec 2012 16:54:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 17:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 17 Dec 2012 17:03:03 GMT) Full text and rfc822 format available.

Message #27 received at 696179@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <t.glaser@tarent.de>
To: Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Cc: 696179@bugs.debian.org
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 18:00:10 +0100 (CET)
On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:

> At a quick glance this appears to affect upstream
> Can you confirm this

Yes, it does.

> have you sought out a CVE 
> number?

No, I’ve got no idea how all this CVE stuff works.

Do you volunteer, or one of the Mediawiki guys lurking here?
Otherwise I’d just open an entry in the MW bugtracker now,
if extensions are tracked there, that is.

> The window of opportunity is small but the impact could be significant 
> (drive-by downloads, session theft, XSS etc).

Actually, it’s not small. I’ve got Planet Debian in a
test project, both as Codendi Widget on the Group Summary
page of FusionForge and on a Wiki page demonstrating this
extension. I got invalid XHTML on both. I then added a test
feed – http://www.mirbsd.org/tag_event.rss hand-edited to
add a check for this vulnerability, will *not* stay having
this content – to a new page and got a Javascript popup in
the Wiki, none (but still an xmlstarlet error on <yurt/>)
on the Forge.

Planet Debian is somewhat trusted but has hundreds of feeds
it aggregates. The situation elsewhere could be much worse,
therefore I believe the impact is not low. I’ve got no idea
what other feeds people have on their sites. And _then_ most
feeds are served using http not https… (in fact, I haven’t
even tried https myself… why?) MITM fun, especially when the
Wiki is then served using https, to a browser that may have
been configured to trust https more than http.

I guess stealing Mediawiki credentials is even easy with it.

I bet joeyh is amusing himself that the Yurt is good for
something even after its dismantling ☺

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Boris Esser, Sebastian Mancke



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 17:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 17 Dec 2012 17:15:05 GMT) Full text and rfc822 format available.

Message #32 received at 696179@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <t.glaser@tarent.de>
To: Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Cc: 696179@bugs.debian.org, fusionforge-general@lists.fusionforge.org, discussions@planetforge.org
Subject: Re: Codendi and mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 18:13:56 +0100 (CET)
I said that…

> On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:

> > have you sought out a CVE 
> > number?
> 
> No, I’ve got no idea how all this CVE stuff works.
> 
> Do you volunteer, or one of the Mediawiki guys lurking here?
> Otherwise I’d just open an entry in the MW bugtracker now,
> if extensions are tracked there, that is.

For CVE tracking, here’s a list of vulnerable software:

• FusionForge 5.1, 5.2 and trunk, but not 5.0 or below;
  commit f7b371af6f7576058971fd248a93dd864d5b1ce1 fix on
  Branch_5_1 confirmed to close this hole; will be merged
  into 5.2 and trunk later
  ⇒ Impact: low (<script> filtered)

• Tuleap, tested with version 5.7.99.9, possibly “all”,
  and possibly also Codendi (which is where Tuleap and
  FusionForge both have this widget from)
  ⇒ Impact: low (<script> filtered)

• MediaWiki RSS_Reader extension (fix tested, works)
  ⇒ Impact: high (<script> *not* filtered)

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Boris Esser, Sebastian Mancke



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 17:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Platonides <platonides@gmail.com>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 17 Dec 2012 17:21:05 GMT) Full text and rfc822 format available.

Message #37 received at 696179@bugs.debian.org (full text, mbox):

From: Platonides <platonides@gmail.com>
To: Thorsten Glaser <t.glaser@tarent.de>, 696179@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 18:16:55 +0100
http://www.mediawiki.org/wiki/Extension:RSS_Reader seems to live
exclusively at the wiki page, instead of being at a repository.

Injection vulnerabilities are quite common in this kind of extension.
At a quick glance, it fails to escape the output everywhere.

Just edit the page when fixing the bug.

I don't think it is actively maintained, but you can contact the author
http://www.mediawiki.org/wiki/User:DFRussia



Information stored :
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 17:21:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and filed, but not forwarded. (Mon, 17 Dec 2012 17:21:07 GMT) Full text and rfc822 format available.

Message #42 received at 696179-quiet@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <t.glaser@tarent.de>
To: Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Cc: 696179-quiet@bugs.debian.org, joeyh@debian.org
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 18:18:51 +0100 (CET)
I said that…

> I bet joeyh is amusing himself that the Yurt is good for
> something even after its dismantling ☺

And the most insulting of all is actually Planet Debian,
the indirectly-guilty party: it displays the blogpost as
	&lt;/yurt&gt;
so it escapes “too much” into the o̲t̲h̲e̲r̲ direction…

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Boris Esser, Sebastian Mancke



Information stored :
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 17:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and filed, but not forwarded. (Mon, 17 Dec 2012 17:24:03 GMT) Full text and rfc822 format available.

Message #47 received at 696179-quiet@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Cc: <696179-quiet@bugs.debian.org>, <team@security.debian.org>
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 17:21:01 +0000
Added security team to CC.

On 2012-12-17 17:00, Thorsten Glaser wrote:
> On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:
>
>> At a quick glance this appears to affect upstream
>> Can you confirm this
>
> Yes, it does.
>
>> have you sought out a CVE
>> number?
>
> No, I’ve got no idea how all this CVE stuff works.
>
> Do you volunteer, or one of the Mediawiki guys lurking here?
> Otherwise I’d just open an entry in the MW bugtracker now,
> if extensions are tracked there, that is.

Security team: is it too late to get a CVE through you now that a 
public bug has been filed? And should a DSA be prepared, as I have not 
looked but can be fairly sure this will affect stable.

(for those following at home: Debian can only issue CVEs for non-public 
issues AIUI, which is why it's a shame you didn't bring them into the 
loop before opening a bug.)

>> The window of opportunity is small but the impact could be 
>> significant
>> (drive-by downloads, session theft, XSS etc).
>
> Actually, it’s not small.

Ok, what I really meant was that you'd have to know someone is using 
Mediawiki to read your feed, which is probably feasible but I can't 
imagine there are thousands of people doing so. We don't really know 
either way, we should probably play it cautious.


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
            layered on top of bonghits



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 17:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 17 Dec 2012 17:39:06 GMT) Full text and rfc822 format available.

Message #52 received at 696179@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <t.glaser@tarent.de>
To: Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Cc: 696179@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 18:37:21 +0100 (CET)
On Mon, 17 Dec 2012, Platonides wrote:

> http://www.mediawiki.org/wiki/Extension:RSS_Reader seems to live
> exclusively at the wiki page, instead of being at a repository.
[…]
> Just edit the page when fixing the bug.

Oh, okay. I just did so.


On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:

> (for those following at home: Debian can only issue CVEs for non-public 
> issues AIUI, which is why it's a shame you didn't bring them into the 
> loop before opening a bug.)

Oh, I didn’t know that. I’ve got about zero experience dealing
with security issues. This might show. I’ll listen and learn ☺

(Why? I mean, I’d make all issues public immediately, no?)

> Ok, what I really meant was that you'd have to know someone is using 
> Mediawiki to read your feed, which is probably feasible but I can't 
> imagine there are thousands of people doing so. We don't really know 
> either way, we should probably play it cautious.

Hrm.

tg@eurynome:~ $ fgrep tag_event.rss /var/www/logs/access_log
[…]
fb-n15-11.unbelievable-machine.net - - [17/Dec/2012:16:08:25 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.0" 200 66185 "-" "-"
fb-n15-11.unbelievable-machine.net - - [17/Dec/2012:17:07:49 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.1" 200 66185 "http://www.mirbsd.org/tag_event.rss" "SimplePie/1.1.3 (Feed Parser; http://simplepie.org; Allow like Gecko) Build/20081219"

SimplePie is used by FusionForge (that’s the thing which
actually does strip <script> but not <yurt> or </yurt>;
maybe I should clone the bug, with lower severity, against
it to ask they should validate that titles don’t contain
HTML?), and the other is probably Mediawiki (there’s only
a third UA in my access_log, and that’s Google’s feed
fetcher, so it has to be this one, and the IPv4 matches).

So when you get requests without a referer or UA, which
are *not* periodic, from some site, you can assume with
a not-low chance that it’s Mediawiki. (Feeds are read
upon first access and then cached for a while.)

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Boris Esser, Sebastian Mancke



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 18:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 17 Dec 2012 18:48:03 GMT) Full text and rfc822 format available.

Message #57 received at 696179@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <t.glaser@tarent.de>
To: Platonides <platonides@gmail.com>
Cc: 696179@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 19:44:55 +0100 (CET)
On Mon, 17 Dec 2012, Platonides wrote:

> At a quick glance, it fails to escape the output everywhere.

Right, when enabling text mode, it probably (not yet
tested, I’m about to head home) will execute scripts
as well. The content is a bit harder to fix though,
as, in contrast to the title, it _is_ supposed to
contain HTML of some sort.

Does Mediawiki have an API which you can pass some
string of HTML which will throw out all unknown or
“unsafe” (whatever that means) tags, tidy it up to
produce valid XHTML, and return that? Otherwise,
I guess Suggests: php-htmlpurifier and using that
if existent, saying “I don’t wanna” if not and the
text mode (as opposed to the default just-the-headlines
mode) is enabled is the way forward.

bye,
//mirabilos



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 19:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Platonides <platonides@gmail.com>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 17 Dec 2012 19:30:03 GMT) Full text and rfc822 format available.

Message #62 received at 696179@bugs.debian.org (full text, mbox):

From: Platonides <platonides@gmail.com>
To: Thorsten Glaser <t.glaser@tarent.de>
Cc: 696179@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 20:24:50 +0100
Thorsten Glaser wrote:
> Does Mediawiki have an API which you can pass some
> string of HTML which will throw out all unknown or
> “unsafe” (whatever that means) tags, tidy it up to
> produce valid XHTML, and return that? Otherwise,
> I guess Suggests: php-htmlpurifier and using that
> if existent, saying “I don’t wanna” if not and the
> text mode (as opposed to the default just-the-headlines
> mode) is enabled is the way forward.

Yep. Take a look at includes/Sanitizer.php



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 19:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas TERRAY <nicolas.terray@enalean.com>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 17 Dec 2012 19:51:05 GMT) Full text and rfc822 format available.

Message #67 received at 696179@bugs.debian.org (full text, mbox):

From: Nicolas TERRAY <nicolas.terray@enalean.com>
To: Thorsten Glaser <t.glaser@tarent.de>
Cc: 696179@bugs.debian.org, fusionforge-general@lists.fusionforge.org, discussions@planetforge.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Subject: Re: [Discussions] Codendi and mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 20:40:01 +0100 (CET)
Thanks for reporting. Do you have any reproducible scenario?

Regards,
Nicolas Terray

----- Mail original -----
> De: "Thorsten Glaser" <t.glaser@tarent.de>
> À: "Maintenance team for the mediawiki package" <pkg-mediawiki-devel@lists.alioth.debian.org>
> Cc: 696179@bugs.debian.org, fusionforge-general@lists.fusionforge.org, discussions@planetforge.org
> Envoyé: Lundi 17 Décembre 2012 18:13:56
> Objet: Re: [Discussions] Codendi and mediawiki-extensions-base: RSS_Reader Javascript injection
>
> Dixi quod…
>
> > On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:
>
> > > have you sought out a CVE
> > > number?
> >
> > No, I’ve got no idea how all this CVE stuff works.
> >
> > Do you volunteer, or one of the Mediawiki guys lurking here?
> > Otherwise I’d just open an entry in the MW bugtracker now,
> > if extensions are tracked there, that is.
>
> For CVE tracking, here’s a list of vulnerable software:
>
> • FusionForge 5.1, 5.2 and trunk, but not 5.0 or below;
>   commit f7b371af6f7576058971fd248a93dd864d5b1ce1 fix on
>   Branch_5_1 confirmed to close this hole; will be merged
>   into 5.2 and trunk later
>   ⇒ Impact: low (<script> filtered)
>
> • Tuleap, tested with version 5.7.99.9, possibly “all”,
>   and possibly also Codendi (which is where Tuleap and
>   FusionForge both have this widget from)
>   ⇒ Impact: low (<script> filtered)
>
> • MediaWiki RSS_Reader extension (fix tested, works)
>   ⇒ Impact: high (<script> *not* filtered)
>
> bye,
> //mirabilos
> --
> tarent solutions GmbH
> Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
> Tel: +49 228 54881-393 • Fax: +49 228 54881-314
> HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
> Geschäftsführer: Boris Esser, Sebastian Mancke
>
> _______________________________________________
> Discussions mailing list
> Discussions@planetforge.org
> http://lists.planetforge.org/cgi-bin/mailman/listinfo/discussions
>



Information stored :
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 20:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and filed, but not forwarded. (Mon, 17 Dec 2012 20:18:03 GMT) Full text and rfc822 format available.

Message #72 received at 696179-quiet@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <t.glaser@tarent.de>
To: Nicolas TERRAY <nicolas.terray@enalean.com>, 696179-quiet@bugs.debian.org
Cc: fusionforge-general@lists.fusionforge.org, discussions@planetforge.org
Subject: Re: Bug#696179: [Discussions] Codendi and mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 21:15:29 +0100 (CET)
On Mon, 17 Dec 2012, Nicolas TERRAY wrote:

> Thanks for reporting. Do you have any reproducible scenario?

Sure. I guess I’ll copy it to the side…

Go to the Group Summary page of any group (I did it on the test system
to /projects/codendi/) and add a widget of type RSS with the URL:
http://www.mirbsd.org/b696179.rss

Then look at the text shown, and at the HTML of the page.

The correct titles for the first *two* items are:
• Vulnerability <yurt>test</yurt>: <script type="text/javascript">alert("title is vulnerable");</script>
• ’M &back.

Any fix that changes the second one to “’M &amp;back.” is broken.
Anything that shows less than the above text may or may not be
broken. Anything that lets <yurt>test</yurt> through into the HTML
is broken, script or not. (This is what the Codendi widget does.
You can see that best by going to the page with a browser that
doesn’t do Javascript, then go to the widget’s IFRAME, then look
at its HTML source code.)

> ----- Mail original -----

http://www.afaik.de/usenet/faq/zitieren/ (it has an English link)

bye,
//mirabilos
-- 
«MyISAM tables -will- get corrupted eventually. This is a fact of life. »
“mysql is about as much database as ms access” – “MSSQL at least descends
from a database” “it's a rebranded SyBase” “MySQL however was born from a
flatfile and went downhill from there” – “at least jetDB doesn’t claim to
be a database”	(#nosec)    ‣‣‣ Please let MySQL and MariaDB finally die!



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Mon, 17 Dec 2012 20:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 17 Dec 2012 20:27:03 GMT) Full text and rfc822 format available.

Message #77 received at 696179@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <t.glaser@tarent.de>
To: Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Cc: 696179@bugs.debian.org
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 17 Dec 2012 21:22:49 +0100 (CET)
Dixi quod…

> extension. I got invalid XHTML on both. I then added a test
> feed – http://www.mirbsd.org/tag_event.rss hand-edited to
> add a check for this vulnerability, will *not* stay having

I put it up here now: http://www.mirbsd.org/b696179.rss
I expect this to stay there for a while.

The correct titles (as shown by the browser) for the first
*two* items are:
• Vulnerability <yurt>test</yurt>: <script type="text/javascript">alert("title is vulnerable");</script>
• ’M &back.

Any fix that changes the second one to “’M &amp;back.” is broken.
Anything that shows less than the above text may or may not be
broken. Anything that lets <yurt>test</yurt> through into the HTML
is broken, script or not. (This is what the Codendi widget does.)

The method to render a feed’s <title>foo</title> is basically:
① take “foo”
② convert any entities (only &lt; &gt; &amp; and numeric are
  allowed by the spec) back to text
③ sanitise that
④ output the result

Sanitising here means that the one-time-entity-decoded foo is
supposed to be plaintext, not HTML. I use the following sequence
for sanitising such strings in FusionForge/PHP:
ⓐ run through html_entity_decode which will decode it if it was
  valid entities, and is a nop otherwise
ⓑ run through htmlspecialchars, which will encode everything that
  must be encoded again; if the previous step decoded, the result
  of the two operations in a row will be a nop (save for things
  like “"” which do not need encoding); otherwise, it will have
  been secured
In FusionForge, this is util_html_secure().

Of course, this will not work on the message body. I’ll look at
the MW sanitiser later. (I remembered I’m off work tomorrow and
may not have time to do so before Wednesday thus. I’m supposed
to do *all* household chores tomorrow… that have queued up…)

bye,
//mirabilos
-- 
15:41⎜<Lo-lan-do:#fusionforge> Somebody write a testsuite for helloworld :-)
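
The title-sanitising sequence above, together with the acceptance criteria for the b696179.rss test feed given in this message and in message #72, as an added example in PHP. This is not code from the RSS_Reader extension or from FusionForge: the function names are this example's own, secure_feed_title() plays the role of FusionForge's util_html_secure(), and the two still-entity-encoded inputs are constructed here to exercise the decode step.

```php
<?php
// Added example; not code from the RSS_Reader extension or from FusionForge.
// It implements the title-rendering sequence described in the message above
// (html_entity_decode() once, then htmlspecialchars()) and checks three
// candidate renderers against the two test titles from
// http://www.mirbsd.org/b696179.rss.  Function names are this example's own;
// FusionForge's equivalent of secure_feed_title() is util_html_secure().

// Steps (a)+(b): undo one level of valid entities (a no-op on plain text),
// then encode everything that must be encoded.  Already-escaped input comes
// out unchanged, raw markup comes out as harmless text, and nothing is
// encoded twice.
function secure_feed_title(string $title): string
{
    $decoded = html_entity_decode($title, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    return htmlspecialchars($decoded, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// What the vulnerable extension did: emit the parsed <title> text verbatim.
function vulnerable_feed_title(string $title): string
{
    return $title;
}

// Escaping without the decode step: safe against injection, but input that
// arrives still entity-encoded gets encoded a second time.
function escape_only_feed_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// The thread's acceptance criteria for the test feed, as a check on the
// produced HTML source (a heuristic for these titles, not a validator):
//  1. no raw tag may reach the HTML (<yurt>, <script>, ...);
//  2. no bare "&" may remain (invalid XHTML, the FusionForge "pink popup");
//  3. nothing may be encoded twice: "&amp;amp;" shows as "&amp;" on screen.
function title_html_is_acceptable(string $html): bool
{
    if (preg_match('~<[a-z/!?]~i', $html)) {
        return false;
    }
    if (preg_match('~&(?!(?:[a-z]+|#[0-9]+|#x[0-9a-f]+);)~i', $html)) {
        return false;
    }
    if (preg_match('~&amp;(?:lt|gt|amp|quot|#[0-9]+);~', $html)) {
        return false;
    }
    return true;
}

// Constructed inputs: the feed's first two titles as an XML parser delivers
// them (the feed's own &lt; &gt; &amp; escaping already decoded once), plus
// the same two titles as a sloppier parser or a CDATA-wrapped feed might
// deliver them, still entity-encoded.
$inputs = [
    'Vulnerability <yurt>test</yurt>: <script type="text/javascript">alert("title is vulnerable");</script>',
    '’M &back.',
    'Vulnerability &lt;yurt&gt;test&lt;/yurt&gt;: &lt;script type=&quot;text/javascript&quot;&gt;alert(&quot;title is vulnerable&quot;);&lt;/script&gt;',
    '’M &amp;back.',
];
$renderers = [
    'vulnerable'  => 'vulnerable_feed_title',
    'escape-only' => 'escape_only_feed_title',
    'secure'      => 'secure_feed_title',
];

foreach ($inputs as $input) {
    foreach ($renderers as $name => $fn) {
        $html = $fn($input);
        printf("%-12s %s  %s\n", $name, title_html_is_acceptable($html) ? 'ok ' : 'BAD', $html);
    }
    echo "\n";
}
// Only "secure" is ok for all four inputs: "vulnerable" leaks the tags and
// emits a bare "&" on the raw inputs, "escape-only" double-encodes the
// pre-encoded ones.
```

Run it with the php command-line interpreter; only the secure renderer passes all four inputs. The check function encodes just the criteria stated in the thread for this feed and is not a general HTML validator. As the message says, the same two calls must not be applied to the item body in text mode: the description is HTML by design, and htmlspecialchars() would turn its links into visible text, so the body needs a tag whitelist rather than escaping.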



Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Wed, 19 Dec 2012 10:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Wed, 19 Dec 2012 10:51:03 GMT) Full text and rfc822 format available.

Message #82 received at 696179@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <t.glaser@tarent.de>
To: Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Cc: 696179@bugs.debian.org
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Wed, 19 Dec 2012 11:48:24 +0100 (CET)
Dixi quod…

> Of course, this will not work on the message body. I’ll look at

Ok, it’s worse than I expected: when using “text” mode
with desc=on, the body is also vulnerable but on the
other hand, proper HTML is broken:
‣ <p>Will drive to <a href=&#34;http://www.google.com/webhp?hl=la&amp;q=Chemnitzer+Linuxtage&#34;>Chemnitz</a>

> the MW sanitiser later.

Lunchbreak, then that, I guess.

bye,
//mirabilos



Information stored :
Bug#696179; Package mediawiki-extensions-base. (Wed, 19 Dec 2012 13:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and filed, but not forwarded. (Wed, 19 Dec 2012 13:03:03 GMT) Full text and rfc822 format available.

Message #87 received at 696179-quiet@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <t.glaser@tarent.de>
To: Platonides <platonides@gmail.com>
Cc: 696179-quiet@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Wed, 19 Dec 2012 14:00:38 +0100 (CET)
On Mon, 17 Dec 2012, Platonides wrote:

> Yep. Take a look at includes/Sanitizer.php

That’s almost perfect but excludes hyperlinks and possibly
(depending on a global setting) images.

Is it safe to add them to the $extratags argument of removeHTMLtags?

Thanks,
//mirabilos



Information stored :
Bug#696179; Package mediawiki-extensions-base. (Wed, 19 Dec 2012 13:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and filed, but not forwarded. (Wed, 19 Dec 2012 13:39:03 GMT) Full text and rfc822 format available.

Message #92 received at 696179-quiet@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <t.glaser@tarent.de>
To: 696179-quiet@bugs.debian.org
Cc: Platonides <platonides@gmail.com>, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Subject: Re: Bug#696179: [Pkg-mediawiki-devel] Bug#696179: Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Wed, 19 Dec 2012 14:34:48 +0100 (CET)
Dixi quod…

> On Mon, 17 Dec 2012, Platonides wrote:
> 
> > Yep. Take a look at includes/Sanitizer.php
> 
> That’s almost perfect but excludes hyperlinks and possibly
> (depending on a global setting) images.

The global setting appears to be disabled by default.

> Is it safe to add them to the $extratags argument of removeHTMLtags?

This works for <a> but actually does _not_ work for <img> due to
the order of checks and extratags being added to tagpairs…
(not an answer on the question of safety though).

I’ve done a draft commit, but I’m not 100% happy with it at
the moment. On the other hand, people could always follow
the head link…

I’ll update the code on the Wiki page again once we found
a solution (and re-exclude the Debian specific disabling
caching by default due to the code location not being
writable). I guess I should bump the version then ;-)

bye,
//mirabilos



Information stored :
Bug#696179; Package mediawiki-extensions-base. (Wed, 19 Dec 2012 19:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and filed, but not forwarded. (Wed, 19 Dec 2012 19:33:05 GMT) Full text and rfc822 format available.

Message #97 received at 696179-quiet@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Jonathan Wiltshire <jmw@debian.org>
Cc: Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>, 696179-quiet@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Wed, 19 Dec 2012 20:06:06 +0100
Hi,

On 17/12/2012 18:21, Jonathan Wiltshire wrote:
> Security team: is it too late to get a CVE through you now that a public
> bug has been filed? And should a DSA be prepared, as I have not looked
> but can be fairly sure this will affect stable.

Yes, if it is public, we cannot assign a CVE. You can ask
cve-assign@mitre.org to request one.

>>> The window of opportunity is small but the impact could be significant
>>> (drive-by downloads, session theft, XSS etc).
>>
>> Actually, it’s not small.
> 
> Ok, what I really meant was that you'd have to know someone is using
> Mediawiki to read your feed, which is probably feasible but I can't
> imagine there are thousands of people doing so. We don't really know
> either way, we should probably play it cautious.


I agree, this issue doesn't warrant a DSA, but you could still fix it
through a point update:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe.



Information stored :
Bug#696179; Package mediawiki-extensions-base. (Thu, 20 Dec 2012 09:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <tg@debian.org>:
Extra info received and filed, but not forwarded. (Thu, 20 Dec 2012 09:39:03 GMT) Full text and rfc822 format available.

Message #102 received at 696179-quiet@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <tg@debian.org>
To: cve-assign@mitre.org
Cc: team@security.debian.org, 696179-quiet@bugs.debian.org, Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Thu, 20 Dec 2012 10:37:22 +0100 (CET)
On Wed, 19 Dec 2012, Giuseppe Iuculano wrote:

> On 17/12/2012 18:21, Jonathan Wiltshire wrote:
[ Debian ]
> > Security team: is it too late to get a CVE through you now that a public
> > bug has been filed? And should a DSA be prepared, as I have not looked
> > but can be fairly sure this will affect stable.
>
> yes, if it is public, we cannot assign a CVE. you can ask
> cve-assign@mitre.org to request one.

Okay, doing that.

Hello MITRE people,

we would like to request a CVE number for an issue in the
RSS_Reader Mediawiki extension that allows injection of
unchecked HTML including Javascript into wikis via feeds.
See http://bugs.debian.org/696179 for details.

My apologies on not getting the process done correctly.

Thanks,
//mirabilos



Information stored :
Bug#696179; Package mediawiki-extensions-base. (Wed, 26 Dec 2012 17:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and filed, but not forwarded. (Wed, 26 Dec 2012 17:57:03 GMT) Full text and rfc822 format available.

Message #107 received at 696179-quiet@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>
Cc: team@security.debian.org, 696179-quiet@bugs.debian.org
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Wed, 26 Dec 2012 17:53:20 +0000
On Thu, Dec 20, 2012 at 10:37:22AM +0100, Thorsten Glaser wrote:
> On Wed, 19 Dec 2012, Giuseppe Iuculano wrote:
> 
> > On 17/12/2012 18:21, Jonathan Wiltshire wrote:
> [ Debian ]
> > > Security team: is it too late to get a CVE through you now that a public
> > > bug has been filed? And should a DSA be prepared, as I have not looked
> > > but can be fairly sure this will affect stable.
> >
> > yes, if it is public, we cannot assign a CVE. you can ask
> > cve-assign@mitre.org to request one.
> 
> Okay, doing that.
> 
> Hello MITRE people,

[...]

Did you hear anything about this yet?



-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
            layered on top of bonghits

Information stored :
Bug#696179; Package mediawiki-extensions-base. (Sat, 29 Dec 2012 17:54:22 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and filed, but not forwarded. (Sat, 29 Dec 2012 17:54:22 GMT) Full text and rfc822 format available.

Message #112 received at 696179-quiet@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <t.glaser@tarent.de>
To: Jonathan Wiltshire <jmw@debian.org>, 696179-quiet@bugs.debian.org
Cc: Maintenance team for the mediawiki package <pkg-mediawiki-devel@lists.alioth.debian.org>, team@security.debian.org
Subject: Re: Bug#696179: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Sat, 29 Dec 2012 18:45:57 +0100 (CET)
On Wed, 26 Dec 2012, Jonathan Wiltshire wrote:

> > Hello MITRE people,

> Did you hear anything about this yet?

Nothing. They are probably on holidays or something.

bye,
//mirabilos



Added tag(s) squeeze. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Sat, 29 Dec 2012 18:27:05 GMT) Full text and rfc822 format available.

Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Sat, 29 Dec 2012 22:06:05 GMT) Full text and rfc822 format available.

Notification sent to Thorsten Glaser <tg@mirbsd.de>:
Bug acknowledged by developer. (Sat, 29 Dec 2012 22:06:06 GMT) Full text and rfc822 format available.

Message #119 received at 696179-close@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <tg@mirbsd.de>
To: 696179-close@bugs.debian.org
Subject: Bug#696179: fixed in mediawiki-extensions 2.11
Date: Sat, 29 Dec 2012 22:03:15 +0000
Source: mediawiki-extensions
Source-Version: 2.11

We believe that the bug you reported is fixed in the latest version of
mediawiki-extensions, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated mediawiki-extensions package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 29 Dec 2012 19:12:39 +0100
Source: mediawiki-extensions
Binary: mediawiki-extensions-base mediawiki-extensions-geshi mediawiki-extensions-ldapauth mediawiki-extensions-openid mediawiki-extensions-confirmedit mediawiki-extensions-collection mediawiki-extensions-graphviz mediawiki-extensions
Architecture: source all
Version: 2.11
Distribution: unstable
Urgency: medium
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 mediawiki-extensions - Extensions for MediaWiki -- Meta package
 mediawiki-extensions-base - Extensions for MediaWiki -- Base package
 mediawiki-extensions-collection - Extensions for MediaWiki -- Collection extension
 mediawiki-extensions-confirmedit - Extensions for MediaWiki -- ConfirmEdit extension
 mediawiki-extensions-geshi - Extensions for MediaWiki -- SyntaxHighlight_GeSHi extension
 mediawiki-extensions-graphviz - Extensions for MediaWiki -- GraphViz extension
 mediawiki-extensions-ldapauth - Extensions for MediaWiki -- LdapAuthentication extension
 mediawiki-extensions-openid - Extensions for MediaWiki -- OpenID extension
Closes: 696179
Changes: 
 mediawiki-extensions (2.11) unstable; urgency=medium
 .
   * RSS_Reader: correctly sanitise the message body as well,
     fixes another injection and HTML validity (the bodies are
     not normally shown though, so only medium urgency); same
     as 2.10; no CVE identifier yet (Closes: #696179)
Checksums-Sha1: 
 2e4aa5b065c37781583a78d681d6ca36c5a97759 2329 mediawiki-extensions_2.11.dsc
 1cba3672e5b5faab4938124748456e2c86bc6a23 1642780 mediawiki-extensions_2.11.tar.gz
 3d60b5c7be3177a62cd86eb4a8be4f8bbcc8db9b 829190 mediawiki-extensions-base_2.11_all.deb
 bee102379695d99b45aa0d2b21d36b1f28726996 33624 mediawiki-extensions-geshi_2.11_all.deb
 5934b988d6764193e8bb9a1e521e978ebda6bb46 26586 mediawiki-extensions-ldapauth_2.11_all.deb
 7b53dae58e714effe03a679ba0d82e5fe7dd114f 197068 mediawiki-extensions-openid_2.11_all.deb
 24769b8248f1a1af8c658ce264008fd433895db7 246412 mediawiki-extensions-confirmedit_2.11_all.deb
 fa83277b18643f79dd3eea45b2f8a40379ac1e01 332524 mediawiki-extensions-collection_2.11_all.deb
 4281f743d72c800b87e9e02769a0019501e5bdf5 16754 mediawiki-extensions-graphviz_2.11_all.deb
 075d91d5478eda9daf7640d80d53f609aff44093 7188 mediawiki-extensions_2.11_all.deb
Checksums-Sha256: 
 f3c79c95123e0d9537c038ec7cd3880e71d6de26c0a0dd91730242ab0c176340 2329 mediawiki-extensions_2.11.dsc
 84dd0847ece8a4404185252dbf38e4b751caa4c14d0da4028e86512ab88d8c54 1642780 mediawiki-extensions_2.11.tar.gz
 b60ad7b05db3d0b654ee4a2d473636c62386ac94da01210783e2ce8c2a939551 829190 mediawiki-extensions-base_2.11_all.deb
 c45ec5c7af12b9b31acd2e4c359ac9c2eef7081c273af6f832ca380515136470 33624 mediawiki-extensions-geshi_2.11_all.deb
 65a609222fb50c1ce4110fd9fe0752739f03d43fd63e77ed123b1f7580795147 26586 mediawiki-extensions-ldapauth_2.11_all.deb
 913509c12fbfa371d8e1a1c3dbe20bda86e259c7055c5f5380ff0ca4e7b034e8 197068 mediawiki-extensions-openid_2.11_all.deb
 5dfd07d0658b80dcedfb4f05aedd365d516fd57596283956570b0e0cefb43522 246412 mediawiki-extensions-confirmedit_2.11_all.deb
 7a237637fa2a441adcc3003bb0855e42ad7dc9f9c9762b13533c588b5711e3b3 332524 mediawiki-extensions-collection_2.11_all.deb
 48f4bd96f14603a0c3937c8a0cfc64e14f355fe3aa6366ab5f0e47d3d9159d44 16754 mediawiki-extensions-graphviz_2.11_all.deb
 4c94a3a580fabe5d1a8dfdb88ab1f65006197e88ef5f1eddc71c0f419f02f728 7188 mediawiki-extensions_2.11_all.deb
Files: 
 b3306944d25b48de4860852f9963add4 2329 web optional mediawiki-extensions_2.11.dsc
 448ae5a2a3ce73b587de1512a5f99ff7 1642780 web optional mediawiki-extensions_2.11.tar.gz
 1db393f52ff7f908b311303664ec30d9 829190 web optional mediawiki-extensions-base_2.11_all.deb
 3f09362f8325c3a41e64608fa678b162 33624 web optional mediawiki-extensions-geshi_2.11_all.deb
 66507e7af8866610e6eb3e9b0c622fc2 26586 web optional mediawiki-extensions-ldapauth_2.11_all.deb
 307dad0e7a17d8c5ecd9555650d4d43e 197068 web optional mediawiki-extensions-openid_2.11_all.deb
 cf9620209e1cbbab2ffc33f1d505400d 246412 web optional mediawiki-extensions-confirmedit_2.11_all.deb
 77ee9c994073e7a3ba358fa49d2a6dca 332524 web optional mediawiki-extensions-collection_2.11_all.deb
 e01a06999b8f4c273e1361f3d08a069f 16754 web optional mediawiki-extensions-graphviz_2.11_all.deb
 b45b877cb5b23170f4bc76ff2790051e 7188 web optional mediawiki-extensions_2.11_all.deb





Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Sat, 29 Dec 2012 23:06:09 GMT) Full text and rfc822 format available.

Notification sent to Thorsten Glaser <tg@mirbsd.de>:
Bug acknowledged by developer. (Sat, 29 Dec 2012 23:06:09 GMT) Full text and rfc822 format available.

Message #124 received at 696179-close@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <tg@mirbsd.de>
To: 696179-close@bugs.debian.org
Subject: Bug#696179: fixed in mediawiki-extensions 3.2
Date: Sat, 29 Dec 2012 23:02:38 +0000
Source: mediawiki-extensions
Source-Version: 3.2

We believe that the bug you reported is fixed in the latest version of
mediawiki-extensions, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated mediawiki-extensions package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 29 Dec 2012 23:39:12 +0100
Source: mediawiki-extensions
Binary: mediawiki-extensions-base mediawiki-extensions-geshi mediawiki-extensions-ldapauth mediawiki-extensions-openid mediawiki-extensions-confirmedit mediawiki-extensions-collection mediawiki-extensions-graphviz mediawiki-extensions
Architecture: source all
Version: 3.2
Distribution: experimental
Urgency: medium
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 mediawiki-extensions - Extensions for MediaWiki -- Meta package
 mediawiki-extensions-base - Extensions for MediaWiki -- Base package
 mediawiki-extensions-collection - Extensions for MediaWiki -- Collection extension
 mediawiki-extensions-confirmedit - Extensions for MediaWiki -- ConfirmEdit extension
 mediawiki-extensions-geshi - Extensions for MediaWiki -- SyntaxHighlight_GeSHi extension
 mediawiki-extensions-graphviz - Extensions for MediaWiki -- GraphViz extension
 mediawiki-extensions-ldapauth - Extensions for MediaWiki -- LdapAuthentication extension
 mediawiki-extensions-openid - Extensions for MediaWiki -- OpenID extension
Closes: 696179
Changes: 
 mediawiki-extensions (3.2) experimental; urgency=medium
 .
   * Merge mediawiki-extensions (2.11) upload (Closes: #696179)
   * Rebase RSS_Reader extension against new upstream version
Checksums-Sha1: 
 083ccf36460246c7b9d8469aa731a4103578581b 2325 mediawiki-extensions_3.2.dsc
 3548b73088e1682e17da68bed8aaf3e62e401992 1642278 mediawiki-extensions_3.2.tar.gz
 9ec08899dbeaf64e9ca0ca15ed83019523ee4ff5 829396 mediawiki-extensions-base_3.2_all.deb
 ae01764d9161fa31ad9ff77ea2819aa12a04257a 33824 mediawiki-extensions-geshi_3.2_all.deb
 eb62d3cab2f64762a7b9a0a255bd55cd4decabfe 26824 mediawiki-extensions-ldapauth_3.2_all.deb
 360b7e87144e710c0cf8944d85b0b625fc260faa 197352 mediawiki-extensions-openid_3.2_all.deb
 e3eca1796b16f8713210479d4bd44c4bf386a25a 246644 mediawiki-extensions-confirmedit_3.2_all.deb
 117793fab79571d1391511e08b3d5c0b08130b93 332726 mediawiki-extensions-collection_3.2_all.deb
 62dfed14ce8ce18089132425620a7cf95cad4fac 16968 mediawiki-extensions-graphviz_3.2_all.deb
 cc6a29807c6e8ba9a2e250193b812ddf48b01225 7378 mediawiki-extensions_3.2_all.deb
Checksums-Sha256: 
 1198b9035b2a4acde757b0e9371e0fcaeb526c37bad3b0ab4b8f2f02c09ba842 2325 mediawiki-extensions_3.2.dsc
 339cafad840f110ae4e97dc6aa305222094c1e416534dd937d606df9ee52927c 1642278 mediawiki-extensions_3.2.tar.gz
 9138469669f77a33155c094546937cbdf184f83bfc6d55e9252aac2c8273d30b 829396 mediawiki-extensions-base_3.2_all.deb
 a9b4f6e9dfe6273a04399379ec2a8c089350d63af89a5b95bd2db6092b73a968 33824 mediawiki-extensions-geshi_3.2_all.deb
 af2aad3f8de41361ac0ef4e93108b247589c3976832d03cf0e1eddec3a27eef4 26824 mediawiki-extensions-ldapauth_3.2_all.deb
 ebea50979b95c5fa91c836869cd82e6bc25741c759df69e01f471a1685a8a08c 197352 mediawiki-extensions-openid_3.2_all.deb
 24cb65dc3436e463a7f22b3fb84f4e548e2de5baafd7ef29b119fa03008f174f 246644 mediawiki-extensions-confirmedit_3.2_all.deb
 bc93b6572c5d91be097bb39e0a93aa6bcd907bca7616eebd707dedceee8ff23b 332726 mediawiki-extensions-collection_3.2_all.deb
 05796a131dd56dc87b674ae65e8fb11845c13fdaa6034439debb9dbfa75a077b 16968 mediawiki-extensions-graphviz_3.2_all.deb
 257ba45849084ec26737ce58acd6538a824d6a3f6a813e5ed746fa299645d62d 7378 mediawiki-extensions_3.2_all.deb
Files: 
 081c43e894341fd62a8fcafe56ea4292 2325 web optional mediawiki-extensions_3.2.dsc
 0be56a670d99cc800aaa559362dbaff3 1642278 web optional mediawiki-extensions_3.2.tar.gz
 f6f2dba77745907bc7426215ad18923e 829396 web optional mediawiki-extensions-base_3.2_all.deb
 4fe9b5e3fca61478c3f1a20cfcc3708a 33824 web optional mediawiki-extensions-geshi_3.2_all.deb
 bcf808614751e3f59e28d4e6d91caf8c 26824 web optional mediawiki-extensions-ldapauth_3.2_all.deb
 311995dcee09712704daf3e40b0790f9 197352 web optional mediawiki-extensions-openid_3.2_all.deb
 c09a1bf89046a6507bf501b62c7bddbe 246644 web optional mediawiki-extensions-confirmedit_3.2_all.deb
 3c11818f7aaece5f298e64bbea9beedf 332726 web optional mediawiki-extensions-collection_3.2_all.deb
 48b4d8ccc3063760f9673c32d0af1bb7 16968 web optional mediawiki-extensions-graphviz_3.2_all.deb
 5e81e1b929fb860e02f0c6c2e6f44e65 7378 web optional mediawiki-extensions_3.2_all.deb

Marked as fixed in versions mediawiki-extensions/2.3squeeze2. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Sun, 30 Dec 2012 16:45:03 GMT)

Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Sun, 30 Dec 2012 18:51:09 GMT)

Notification sent to Thorsten Glaser <tg@mirbsd.de>:
Bug acknowledged by developer. (Sun, 30 Dec 2012 18:51:09 GMT)

Message #131 received at 696179-close@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 696179-close@bugs.debian.org
Subject: Bug#696179: fixed in mediawiki-extensions 2.3squeeze2
Date: Sun, 30 Dec 2012 18:47:04 +0000
Source: mediawiki-extensions
Source-Version: 2.3squeeze2

We believe that the bug you reported is fixed in the latest version of
mediawiki-extensions, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated mediawiki-extensions package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 30 Dec 2012 14:15:58 +0000
Source: mediawiki-extensions
Binary: mediawiki-extensions-base mediawiki-extensions-geshi mediawiki-extensions-ldapauth mediawiki-extensions-openid mediawiki-extensions-confirmedit mediawiki-extensions-fckeditor mediawiki-extensions-collection mediawiki-extensions-graphviz mediawiki-extensions
Architecture: source all
Version: 2.3squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 mediawiki-extensions - Extensions for MediaWiki -- Meta package
 mediawiki-extensions-base - Extensions for MediaWiki -- Base package
 mediawiki-extensions-collection - Extensions for MediaWiki -- Collection extension
 mediawiki-extensions-confirmedit - Extensions for MediaWiki -- ConfirmEdit extension
 mediawiki-extensions-fckeditor - Extensions for MediaWiki -- FCKeditor extension
 mediawiki-extensions-geshi - Extensions for MediaWiki -- SyntaxHighlight_GeSHi extension
 mediawiki-extensions-graphviz - Extensions for MediaWiki -- GraphViz extension
 mediawiki-extensions-ldapauth - Extensions for MediaWiki -- LdapAuthentication extension
 mediawiki-extensions-openid - Extensions for MediaWiki -- OpenID extension
Closes: 696179
Changes: 
 mediawiki-extensions (2.3squeeze2) stable-security; urgency=high
 .
   * RSSReader: Protect against an injection attack by malicious
     feeds (Closes: #696179)
Checksums-Sha1: 
 f9cc747e8084ef25e40574469273189a82eb7351 2440 mediawiki-extensions_2.3squeeze2.dsc
 c9a5646d94d81b6800d644e88b5c91ff79c36518 1123127 mediawiki-extensions_2.3squeeze2.tar.gz
 374c355cd90a0b0914de777afe96af919804e8cb 460192 mediawiki-extensions-base_2.3squeeze2_all.deb
 e0181a86130a0ac2599857ec2c1139595569acc7 29106 mediawiki-extensions-geshi_2.3squeeze2_all.deb
 f030fbe1039c3e7638a33f2b18d20327fa2d0794 23038 mediawiki-extensions-ldapauth_2.3squeeze2_all.deb
 5f905915363cf35784577aa84f1aa67bb447f8cf 108672 mediawiki-extensions-openid_2.3squeeze2_all.deb
 9b22f35c37289aad480578d30ab9cfe9eb110639 145472 mediawiki-extensions-confirmedit_2.3squeeze2_all.deb
 80776c48b225c42dd1e2455fd845168abb07bec8 123848 mediawiki-extensions-fckeditor_2.3squeeze2_all.deb
 7b4f1352d681b8f251a6d43b717a3913190f7bd2 279354 mediawiki-extensions-collection_2.3squeeze2_all.deb
 644e1eb8f9e293f89597f9455333f571d3ffbe88 9178 mediawiki-extensions-graphviz_2.3squeeze2_all.deb
 0a6c5e0ea191034933edf97b7aace639cdd873bf 7862 mediawiki-extensions_2.3squeeze2_all.deb
Checksums-Sha256: 
 dcbfaac9c14288cb283ad111a2de70e097bfc0d12ae3cad04191b894c8d1fbaf 2440 mediawiki-extensions_2.3squeeze2.dsc
 b4e49155256a5b8e0c4764cc93ea3b465265b0ec5c84c0ab10e4880eb52b731e 1123127 mediawiki-extensions_2.3squeeze2.tar.gz
 b261108e9c615c7337ca7840b81695b25247c27834cdaa14b8e0b3e9a0206511 460192 mediawiki-extensions-base_2.3squeeze2_all.deb
 cd9dcf3c4fe3c3048a51d1e1b5275cc225b3f5a273d9ebbe739dad55c2ab9f1e 29106 mediawiki-extensions-geshi_2.3squeeze2_all.deb
 0650fb5e98d22a86352d561d8ffc960b695c6c5fb431130fb132a8d6d5df8c03 23038 mediawiki-extensions-ldapauth_2.3squeeze2_all.deb
 4566b8d2f0ade144d6850ac28527c6e5552a386f68ae19eabc9c76f71691255c 108672 mediawiki-extensions-openid_2.3squeeze2_all.deb
 994d7bf4616bebcb49e695be87d628d6fefba15f8be6317e9da7fa88609bf07e 145472 mediawiki-extensions-confirmedit_2.3squeeze2_all.deb
 1e7f16316882797ab09de9dc0a507f27a07ec8cccd207c41bb00ca0a02e2e77e 123848 mediawiki-extensions-fckeditor_2.3squeeze2_all.deb
 9b0bea0e8f8bedacb35450b9634e9bf74b3b50f3f604270ff325965a0902daef 279354 mediawiki-extensions-collection_2.3squeeze2_all.deb
 c2e7e355b66939fb83089fe6c54385283e89bc30a555b9bf5651a50b5f580b09 9178 mediawiki-extensions-graphviz_2.3squeeze2_all.deb
 56eb1939c40227334605016a6a9d76544fc20a3e6ad5e18956fa26b8433666d7 7862 mediawiki-extensions_2.3squeeze2_all.deb
Files: 
 3b1559409ebb269f774f0870e33f5fd6 2440 web optional mediawiki-extensions_2.3squeeze2.dsc
 8feab4cb83a91018b0c64f495f933782 1123127 web optional mediawiki-extensions_2.3squeeze2.tar.gz
 ef94dd318db9b905d0e46aa96a71c20f 460192 web optional mediawiki-extensions-base_2.3squeeze2_all.deb
 31937ffa2d4a603b0ca390ae4b8c90eb 29106 web optional mediawiki-extensions-geshi_2.3squeeze2_all.deb
 3d74c65fadad86180be5390c35231efb 23038 web optional mediawiki-extensions-ldapauth_2.3squeeze2_all.deb
 84233d92ec4a9269e86efbe6c660bfea 108672 web optional mediawiki-extensions-openid_2.3squeeze2_all.deb
 c7ae756a7c3defd013e4894c09628b33 145472 web optional mediawiki-extensions-confirmedit_2.3squeeze2_all.deb
 6504c4697efd1b374dda1ddfe4220338 123848 web optional mediawiki-extensions-fckeditor_2.3squeeze2_all.deb
 9240a8a2fd3d761c8538a3c07b717028 279354 web optional mediawiki-extensions-collection_2.3squeeze2_all.deb
 d202315f08d4b56cc7a24fdd72f9c565 9178 web optional mediawiki-extensions-graphviz_2.3squeeze2_all.deb
 bbdad2002708ea8ebd4642cb266e0c3a 7862 web optional mediawiki-extensions_2.3squeeze2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ4FFlAAoJEFC7AtTIpr9hJw0P/2VFnr7cEa3+C/dEp7Evj+/1
qHBHAC/o3v6sBevhemQRE2pEz8nNH11CEA/62CK9U3eH2fjcAJKrKsPWukMKV+Wl
WvRAqhK1E8aL5z1UnI4Yta/ggWfrMRqdf0uTHHzCxqvxEbZT5JM50L0hOuV1jbY8
y1HybjtVIaxNICm92pfuO6R/rbGZXR30HlVHNOlOXfmxao81ZJTZDzGt0w6txTOf
BCGqJC6C77UmIBYbhiyOj/WFx5ap2UVFWCUs35w9gUzo4tdOkdUMKoKUHB9kqSLq
r0gtiEhsV+6+oMnZmgjWgkAyuWYspuj7EgK1G3n8ykKLEvQrHNI7ziFqYsTYnh/Q
5N4IGmSORAL8M6NQYdNZTEd2cTC2y68ntn6sx++U1HYzT4rzIVKKffWZRpq2sKLc
50d6J3bK9w6DLQvBKFjm/6IWOccn3Tg+WrHIWST3F/NsuYc+XOE06unFXhLEzys0
py1lj+hByB6LubXOFV7/CAKuoUomIi89D8+m8xk93b5QqehEBQ5+KaYWyl81YxbH
AvfZIOkyOfxYDmdzUohITWeAcfuupNSKfB3vARxgAE8NbmwyNNbnHdPUwqBdYxGH
Uet1KdasehY9B7/oppDEHj3cu/UVsnL+UDrgX3bTSKPZXeBCfDzW29YhZwxehQll
FnOmevhv48uYnCKIu9+C
=+qmw
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#696179; Package mediawiki-extensions-base. (Mon, 31 Dec 2012 16:21:06 GMT)

Acknowledgement sent to Thorsten Glaser <tg@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Mon, 31 Dec 2012 16:21:06 GMT)

Message #136 received at 696179@bugs.debian.org:

From: Thorsten Glaser <tg@debian.org>
To: pkg-mediawiki-devel@lists.alioth.debian.org, fusionforge-general@lists.fusionforge.org, discussions@planetforge.org, 696179@bugs.debian.org, team@security.debian.org
Cc: cve-assign@mitre.org
Subject: Re: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Date: Mon, 31 Dec 2012 16:16:05 +0000 (UTC)
cve-assign@mitre.org dixit:

>>See http://bugs.debian.org/696179 for details.
>
>Use CVE-2012-6453.

Ok, thanks!

Forwarding to all parties: this is DSA-2596-1 for mediawiki-extensions.

bye,
//mirabilos
-- 
I want one of these. They cost 720 € though… good they don’t have the HD hole,
which indicates 3½″ floppies with double capacity… still. A tad too much, atm.
‣ http://www.floppytable.com/floppytable-images-1.html
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 29 Jan 2013 07:26:51 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 23:44:52 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.