diff -Nru mediawiki-1.27.4/debian/changelog mediawiki-1.27.4/debian/changelog
--- mediawiki-1.27.4/debian/changelog 2017-12-03 08:20:33.000000000 +0000
+++ mediawiki-1.27.4/debian/changelog 2021-12-19 21:02:33.000000000 +0000
@@ -1,3 +1,13 @@
+mediawiki (1:1.27.4-3ubuntu0.1) bionic-security; urgency=high + + * SECURITY UPDATE: Information leak and editing permissions bypass through various actions (LP: #1955352) - d/p/0004-SECURITY-Fix-permissions-checks-in-undo-action-CVE-2.patch: tighten and require edit checks on undo actions - CVE-2021-44858 + + -- Kunal Mehta Sun, 19 Dec 2021 13:02:33 -0800 + mediawiki (1:1.27.4-3) unstable; urgency=medium * Add basic tests via autopkgtest
diff -Nru mediawiki-1.27.4/debian/control mediawiki-1.27.4/debian/control
--- mediawiki-1.27.4/debian/control 2017-11-23 08:40:37.000000000 +0000
+++ mediawiki-1.27.4/debian/control 2021-12-19 21:02:33.000000000 +0000
@@ -1,7 +1,8 @@
Source: mediawiki Section: web Priority: optional -Maintainer: Kunal Mehta +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Kunal Mehta Build-Depends: debhelper (>= 10), dh-buildinfo, apache2-dev
diff -Nru mediawiki-1.27.4/debian/patches/0004-SECURITY-Fix-permissions-checks-in-undo-action-CVE-2.patch mediawiki-1.27.4/debian/patches/0004-SECURITY-Fix-permissions-checks-in-undo-action-CVE-2.patch
--- mediawiki-1.27.4/debian/patches/0004-SECURITY-Fix-permissions-checks-in-undo-action-CVE-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ mediawiki-1.27.4/debian/patches/0004-SECURITY-Fix-permissions-checks-in-undo-action-CVE-2.patch 2021-12-19 21:02:33.000000000 +0000
@@ -0,0 +1,40 @@
+From: Kunal Mehta
+Date: Fri, 10 Dec 2021 22:27:08 -0800
+Subject: SECURITY: Fix permissions checks in undo action (CVE-2021-44858)
+
+The traditional action=edit&undo= endpoint suffers from a flaw that
+allows for leaking entire private wikis by enumerating through revision
+IDs when at least one page was publicly accessible via $wgWhitelistRead.
+
+05f06286f4def removed the restriction that user-supplied undo IDs belong
+ot the same page. This check has been restored by using
+RevisionLookup::getRevisionByTitle(), which returns null if the revid is
+on a different page. This will break the workflow outlined in T58184,
+but that could be restored in the future with better access control
+checks.
+
+Kudos to Dylsss for the identification and report.
+
+Bug: T297322
+Change-Id: I496093adfcf5a0e30774d452b650b751518370ce
+---
+ includes/EditPage.php | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/includes/EditPage.php b/includes/EditPage.php
+index ad7e043..c5b9ac3 100644
+--- a/includes/EditPage.php
++++ b/includes/EditPage.php
+@@ -1096,8 +1096,10 @@ class EditPage {
+ $undo = $wgRequest->getInt( 'undo' );
+
+ if ( $undo > 0 && $undoafter > 0 ) {
+- $undorev = Revision::newFromId( $undo );
+- $oldrev = Revision::newFromId( $undoafter );
++ // The use of newFromTitle() is intentional, as allowing access to
++ // arbitrary revisions on arbitrary pages bypass partial visibility restrictions (T297322).
++ $undorev = Revision::newFromTitle( $this->mTitle, $undo );
++ $oldrev = Revision::newFromTitle( $this->mTitle, $undoafter );
+
+ # Sanity check, make sure it's the right page,
+ # the revisions exist and they were not deleted.
diff -Nru mediawiki-1.27.4/debian/patches/series mediawiki-1.27.4/debian/patches/series
--- mediawiki-1.27.4/debian/patches/series 2017-11-23 09:11:50.000000000 +0000
+++ mediawiki-1.27.4/debian/patches/series 2021-12-19 21:02:33.000000000 +0000
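Review bot: The comment added above the new `Revision::newFromTitle()` lines says the choice is intentional but not the property the fix depends on — that `newFromTitle()` returns null when the revision id belongs to a different page — so the sanity check that follows (its code is outside this hunk) reads as a plain existence check and a later cleanup could reintroduce `newFromId()`. Suggested wording: `// Scope both lookups to $this->mTitle: newFromTitle() returns null for a revision on another page, which the check below rejects (T297322).`, and "bypass" should read "bypasses". The patch header still credits `RevisionLookup::getRevisionByTitle()`, which is the upstream wording, while this 1.27 backport calls `Revision::newFromTitle()`; a one-line backport note there would remove the mismatch, and "belong ot" should read "belong to". The changelog entry describes the patch as requiring edit checks on undo actions, but this hunk only narrows the revision lookup by title; if no separate permission check is carried elsewhere in the update, the changelog wording overstates what is backported. The enclosing EditPage method begins and ends outside the hunk.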
@@ -1,3 +1,4 @@
debian_installer_overrides.diff pear-phail-fail-shebang.diff php-jwt-fix-shebang.diff +0004-SECURITY-Fix-permissions-checks-in-undo-action-CVE-2.patch