diff -Nru mediawiki-1.31.7/debian/changelog mediawiki-1.31.7/debian/changelog
--- mediawiki-1.31.7/debian/changelog 2020-03-26 15:30:16.000000000 -0700
+++ mediawiki-1.31.7/debian/changelog 2021-12-19 12:56:25.000000000 -0800
@@ -1,3 +1,11 @@
+mediawiki (1:1.31.7-1ubuntu0.1) focal-security; urgency=high
+
+ * SECURITY UPDATE: Information leak and editing permissions bypass
+ through various actions (LP: #1955352)
+ - CVE-2021-44858
+
+ -- Kunal Mehta Sun, 19 Dec 2021 12:56:25 -0800
+
 mediawiki (1:1.31.7-1) unstable; urgency=medium
 * New upstream version 1.31.7, fixing CVE-2020-10960.
diff -Nru mediawiki-1.31.7/debian/patches/0002-SECURITY-Fix-permissions-checks-in-undo-action-CVE-2.patch mediawiki-1.31.7/debian/patches/0002-SECURITY-Fix-permissions-checks-in-undo-action-CVE-2.patch
--- mediawiki-1.31.7/debian/patches/0002-SECURITY-Fix-permissions-checks-in-undo-action-CVE-2.patch 1969-12-31 16:00:00.000000000 -0800
+++ mediawiki-1.31.7/debian/patches/0002-SECURITY-Fix-permissions-checks-in-undo-action-CVE-2.patch 2021-12-19 12:56:23.000000000 -0800
@@ -0,0 +1,40 @@
+From: Kunal Mehta
+Date: Fri, 10 Dec 2021 22:27:08 -0800
+Subject: SECURITY: Fix permissions checks in undo action (CVE-2021-44858)
+
+The traditional action=edit&undo= endpoint suffers from a flaw that
+allows for leaking entire private wikis by enumerating through revision
+IDs when at least one page was publicly accessible via $wgWhitelistRead.
+
+05f06286f4def removed the restriction that user-supplied undo IDs belong
+ot the same page. This check has been restored by using
+RevisionLookup::getRevisionByTitle(), which returns null if the revid is
+on a different page. This will break the workflow outlined in T58184,
+but that could be restored in the future with better access control
+checks.
+
+Kudos to Dylsss for the identification and report.
+
+Bug: T297322
+Change-Id: I496093adfcf5a0e30774d452b650b751518370ce
+---
+ includes/EditPage.php | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/includes/EditPage.php b/includes/EditPage.php
+index 5c37c42..91b75d6 100644
+--- a/includes/EditPage.php
++++ b/includes/EditPage.php
+@@ -1190,8 +1190,10 @@ class EditPage {
+ $undo = $request->getInt( 'undo' );
+
+ if ( $undo > 0 && $undoafter > 0 ) {
+- $undorev = Revision::newFromId( $undo );
+- $oldrev = Revision::newFromId( $undoafter );
++ // The use of newFromTitle() is intentional, as allowing access to
++ // arbitrary revisions on arbitrary pages bypass partial visibility restrictions (T297322).
++ $undorev = Revision::newFromTitle( $this->mTitle, $undo );
++ $oldrev = Revision::newFromTitle( $this->mTitle, $undoafter );
+
+ # Sanity check, make sure it's the right page,
+ # the revisions exist and they were not deleted.
diff -Nru mediawiki-1.31.7/debian/patches/0003-SECURITY-Require-read-right-for-most-actions.patch mediawiki-1.31.7/debian/patches/0003-SECURITY-Require-read-right-for-most-actions.patch
--- mediawiki-1.31.7/debian/patches/0003-SECURITY-Require-read-right-for-most-actions.patch 1969-12-31 16:00:00.000000000 -0800
+++ mediawiki-1.31.7/debian/patches/0003-SECURITY-Require-read-right-for-most-actions.patch 2021-12-19 12:56:23.000000000 -0800
@@ -0,0 +1,76 @@
+From: Kunal Mehta
+Date: Mon, 13 Dec 2021 22:30:16 -0800
+Subject: SECURITY: Require 'read' right for most actions
+
+As a security hardening measure to limit exposure on private wikis from
+actions on $wgWhitelistRead pages, require an explicit 'read' right on
+actions by default. Currently only ViewAction disables this check since
+it does its own permissions checking.
+
+This is somewhat duplicative of the permissions check in
+MediaWiki::performRequest() but we'll call it defense in depth. It also
+matches similar logic in the Action and REST APIs.
+
+Bug: T34716
+Bug: T297416
+Change-Id: Ib2a6c08dc50c69c3ed6e5708ab72441a90fcd3e1
+---
+ includes/MediaWiki.php | 5 +++++
+ includes/actions/Action.php | 10 ++++++++++
+ includes/actions/ViewAction.php | 6 ++++++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/includes/MediaWiki.php b/includes/MediaWiki.php
+index b3abe7c..c406907 100644
+--- a/includes/MediaWiki.php
++++ b/includes/MediaWiki.php
+@@ -478,6 +478,11 @@ class MediaWiki {
+ $action = Action::factory( $act, $page, $this->context );
+
+ if ( $action instanceof Action ) {
++ // Check read permissions
++ if ( $action->needsReadRights() && !$user->isAllowed( 'read' ) ) {
++ throw new PermissionsError( 'read' );
++ }
++
+ // Narrow DB query expectations for this HTTP request
+ $trxLimits = $this->config->get( 'TrxProfilerLimits' );
+ $trxProfiler = Profiler::instance()->getTransactionProfiler();
+diff --git a/includes/actions/Action.php b/includes/actions/Action.php
+index e8d9a3e..a92df87 100644
+--- a/includes/actions/Action.php
++++ b/includes/actions/Action.php
+@@ -294,6 +294,16 @@ abstract class Action implements MessageLocalizer {
+ return null;
+ }
+
++ /**
++ * Indicates whether this action requires read rights
++ * @since 1.35.5
++ * @stable to override
++ * @return bool
++ */
++ public function needsReadRights() {
++ return true;
++ }
++
+ /**
+ * Checks if the given user (identified by an object) can perform this action. Can be
+ * overridden by sub-classes with more complicated permissions schemes. Failures here
+diff --git a/includes/actions/ViewAction.php b/includes/actions/ViewAction.php
+index 134b8a4..99affad 100644
+--- a/includes/actions/ViewAction.php
++++ b/includes/actions/ViewAction.php
+@@ -40,6 +40,12 @@ class ViewAction extends FormlessAction {
+ return null;
+ }
+
++ public function needsReadRights() {
++ // Pages in $wgWhitelistRead can be viewed without having the 'read'
++ // right. We rely on Article::view() to properly check read access.
++ return false;
++ }
++
+ public function show() {
+ $config = $this->context->getConfig();
+
diff -Nru mediawiki-1.31.7/debian/patches/series mediawiki-1.31.7/debian/patches/series
--- mediawiki-1.31.7/debian/patches/series 2019-12-19 13:20:49.000000000 -0800
+++ mediawiki-1.31.7/debian/patches/series 2021-12-19 12:56:23.000000000 -0800
@@ -1 +1,3 @@
 pear-phail-fail-shebang.diff
+0002-SECURITY-Fix-permissions-checks-in-undo-action-CVE-2.patch
+0003-SECURITY-Require-read-right-for-most-actions.patch
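Review bot: The comment added above the two `Revision::newFromTitle()` calls in EditPage.php does not name the property the fix depends on — that `newFromTitle()` yields null when `$undo` or `$undoafter` refers to a revision of another page, so the "Sanity check" that follows can reject it — and its grammar is off ("bypass" where "bypasses" is meant); the patch header also describes the master-branch `RevisionLookup::getRevisionByTitle()` API while this 1.31 backport calls `Revision::newFromTitle()`, which a reader comparing the two will trip over. I would replace the two comment lines with `// newFromTitle() is intentional: it returns null for a revision that belongs to another page, so the sanity check below rejects it; loading arbitrary revision ids would bypass partial visibility restrictions (T297322).` and add one line to the patch header saying the backport uses the pre-RevisionLookup API. The hunk shows only the heading of that sanity check, not what it does with a null `$undorev` or `$oldrev`, so confirm both nulls are handled; the enclosing method starts and ends outside the hunk.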
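Review bot: The docblock of the new `needsReadRights()` in Action.php says `@since 1.35.5`, but this package ships 1.31.7, so anyone gating on the version annotation would conclude the method is unavailable here; I would write `@since 1.35.5 (backported to 1.31.7 in this package)` or note the backport in the patch header. The override in ViewAction.php carries no docblock at all, and a `/** @inheritDoc */` line above it would tie the `return false` to the base description. The new check in MediaWiki.php reads `$user`, which the hunk does not define — presumably the context user assigned earlier in `performRequest()`, whose body starts and ends outside the hunk, so confirm it is that variable and not a stale one. The `// Check read permissions` comment would also be more useful if it said why a plain `isAllowed( 'read' )` is used rather than a title-aware check, e.g. `// Global 'read' right, deliberately not title-aware: non-view actions on $wgWhitelistRead pages must not be reachable on private wikis (T34716, T297416); ViewAction opts out and checks per page.`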