Bug 545944 - <www-apps/mediawiki-{1.23.10,1.24.3,1.25.2}: multiple vulnerabilities (CVE-2015-{2931,2932,2933,2934,2935,2936,2937,2938,2939,2940,2941,2942})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.wikimedia.org/pipermail...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on: 557844
Blocks:
Reported: 2015-04-08 10:01 UTC by Agostino Sarubbo
Modified: 2015-10-31 15:20 UTC

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-04-08 10:01:39 UTC
From ${URL} :

== Security fixes ==

* iSEC Partners discovered a way to circumvent the SVG MIME blacklist for
embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed
JavaScript in the SVG. The issue was additionally identified by Mario
Heiderich / Cure53. MIME types are now whitelisted.
<https://phabricator.wikimedia.org/T85850>

* MediaWiki user Bawolff pointed out that the SVG filter to prevent
injecting JavaScript using animate elements was incorrect.
<https://phabricator.wikimedia.org/T86711>

* MediaWiki user Bawolff reported a stored XSS vulnerability due to the way
attributes were expanded in MediaWiki's Html class, in combination with
LanguageConverter substitutions.
<https://phabricator.wikimedia.org/T73394>

* Internal review discovered that MediaWiki's SVG filtering could be
bypassed with entity encoding under the Zend interpreter. This could be
used to inject JavaScript. This issue was also discovered by Mario Gomes
from Beyond Security.
<https://phabricator.wikimedia.org/T88310>

* iSEC Partners discovered an XSS vulnerability in the way api errors were
reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8).
MediaWiki now detects and mitigates this issue on older versions of HHVM.
<https://phabricator.wikimedia.org/T85851>

* Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that
MediaWiki versions using PBKDF2 for password hashing (the default since
1.24) are vulnerable to DoS attacks using extremely long passwords.
<https://phabricator.wikimedia.org/T64685>

* iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running
under HHVM, was susceptible to "Billion Laughs" DoS attacks
(iSEC-WMF1214-13).
<https://phabricator.wikimedia.org/T85848>

* Internal review found that MediaWiki is vulnerable to "Quadratic Blowup"
DoS attacks, under both HHVM and Zend PHP.
<https://phabricator.wikimedia.org/T71210>

* iSEC Partners discovered a way to bypass the style filtering for SVG
files (iSEC-WMF1214-3). This could violate the anonymity of users viewing
the SVG.
<https://phabricator.wikimedia.org/T85349>

* iSEC Partners reported that the MediaWiki feature allowing a user to
preview another user's custom JavaScript could be abused for privilege
escalation (iSEC-WMF1214-10). This feature has been removed.
<https://phabricator.wikimedia.org/T85855>


Additionally, the following extensions have been updated to fix security
issues:

* Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function
names were not sanitized in Lua error backtraces, which could lead to XSS.
<https://phabricator.wikimedia.org/T85113>

* Extension:CheckUser - iSEC Partners discovered that the CheckUser
extension did not prevent CSRF attacks on the form allowing checkusers to
look up sensitive information about other users (iSEC-WMF1214-6). Since the
use of CheckUser is logged, the CSRF could be abused to defame a trusted
user or flood the logs with noise.
<https://phabricator.wikimedia.org/T85858>



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
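Added example (not code from this bug, from MediaWiki or from Gentoo) for the two entity-expansion denial-of-service items quoted above, "Billion Laughs" (T85848) and "Quadratic Blowup" (T71210): a pre-parse check that lets expat read only the DTD of an uploaded SVG/XML file, computes how many bytes the document's entity references would expand to, and rejects the upload when that exceeds a fixed budget, so neither the nested nor the long-replacement-text variant reaches the real parser. The sample files, the 16 KiB budget and the function names are assumptions made for this example.

```python
import re
import xml.parsers.expat
# Constructed samples standing in for uploaded SVG files (not from the advisory).
BILLION_LAUGHS = b"""<?xml version="1.0"?><!DOCTYPE svg [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]><svg xmlns="http://www.w3.org/2000/svg"><title>&lol4;</title></svg>"""
QUADRATIC = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY a "' + b"A" * 1000 + b'">]>'
             b'<svg xmlns="http://www.w3.org/2000/svg"><title>' + b"&a;" * 100 + b"</title></svg>")
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
REF_RE = re.compile(r"&([A-Za-z_][\w.-]*);")
class _DtdDone(Exception): pass  # raised from a handler to stop expat right after the DTD

def declared_entities(data):
    """Return ({name: replacement text}, byte offset where the DTD ends); nothing is expanded."""
    p, entities, dtd_end = xml.parsers.expat.ParserCreate(), {}, [len(data)]
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:  # internal general entity
            entities[name] = value
    def on_dtd_end():
        dtd_end[0] = p.CurrentByteIndex  # content starts here; stop before anything expands
        raise _DtdDone
    p.EntityDeclHandler, p.EndDoctypeDeclHandler = on_entity, on_dtd_end
    try:
        p.Parse(data, True)
    except _DtdDone:
        pass
    return entities, dtd_end[0]

def expansion_size(name, entities, cache, stack=()):
    """Bytes one entity yields once nested references are resolved (cycles rejected)."""
    if name in stack:
        raise ValueError("recursive entity: " + name)
    if name not in cache:
        size = len(entities[name])
        for ref in REF_RE.findall(entities[name]):
            if ref in entities:  # swap the "&ref;" token for its expanded size
                size += expansion_size(ref, entities, cache, stack + (name,)) - len(ref) - 2
        cache[name] = size
    return cache[name]

def xml_expansion_bytes(data):  # total bytes the body's entity references would expand to
    entities, dtd_end = declared_entities(data)
    body, cache = data[dtd_end:].decode("utf-8", "replace"), {}
    return sum(expansion_size(r, entities, cache) for r in REF_RE.findall(body) if r in entities)
def is_safe_upload(data, limit=16 * 1024):  # accept only within a fixed expansion budget
    return xml_expansion_bytes(data) <= limit
```

The check is deliberately conservative: a file with no DTD scores zero, and any file that would expand beyond the budget is refused before expat ever expands a single reference.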
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-04-26 13:49:12 UTC
CVE-2015-2942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2942):
  MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when
  using HHVM, allows remote attackers to cause a denial of service (CPU and
  memory consumption) via a large number of nested entity references in an (1)
  SVG file or (2) XMP metadata in a PDF file, aka a "billion laughs attack," a
  different vulnerability than CVE-2015-2937.

CVE-2015-2941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2941):
  Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x
  before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote
  attackers to inject arbitrary web script or HTML via an invalid parameter in
  a wddx format request to api.php, which is not properly handled in an error
  message, related to unsafe calls to wddx_serialize_value.

CVE-2015-2940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2940):
  Cross-site request forgery (CSRF) vulnerability in the CheckUser extension
  for MediaWiki allows remote attackers to hijack the authentication of
  certain users for requests that retrieve sensitive user information via
  unspecified vectors.

CVE-2015-2939 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2939):
  Cross-site scripting (XSS) vulnerability in the Scribunto extension for
  MediaWiki allows remote attackers to inject arbitrary web script or HTML via
  a function name, which is not properly handled in a Lua error backtrace.

CVE-2015-2938 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2938):
  Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x
  before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject
  arbitrary web script or HTML via a custom JavaScript file, which is not
  properly handled when previewing the file.

CVE-2015-2937 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2937):
  MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when
  using HHVM or Zend PHP, allows remote attackers to cause a denial of service
  ("quadratic blowup" and memory consumption) via an XML file containing an
  entity declaration with long replacement text and many references to this
  entity, a different vulnerability than CVE-2015-2942.

CVE-2015-2936 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2936):
  MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing,
  allows remote attackers to cause a denial of service (CPU consumption) via a
  long password.

CVE-2015-2935 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2935):
  MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2
  allows remote attackers to bypass the SVG filtering and obtain sensitive
  user information via a mixed case @import in a style element in an SVG file,
  as demonstrated by "@imporT."

CVE-2015-2934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2934):
  MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does
  not properly handle when the Zend interpreter xml_parse function does not
  expand entities, which allows remote attackers to inject arbitrary web
  script or HTML via a crafted SVG file.

CVE-2015-2933 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2933):
  Cross-site scripting (XSS) vulnerability in the Html class in MediaWiki
  before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote
  attackers to inject arbitrary web script or HTML via a LanguageConverter
  substitution string when using a language variant.

CVE-2015-2932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2932):
  Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before
  1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary
  web script or HTML via an animated href XLink element.

CVE-2015-2931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2931):
  Incomplete blacklist vulnerability in includes/upload/UploadBase.php in
  MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2
  allows remote attackers to inject arbitrary web script or HTML via an
  application/xml MIME type for a nested SVG with a data: URI.
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2015-05-24 07:06:03 UTC
Versions 1.24.2, 1.23.9, and 1.19.24 are now in the tree, 1.22.x is eol.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-08-15 16:48:38 UTC
More vulnerabilities found, continuing in Bug #557844
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-09-19 04:23:08 UTC
GLSA Vote: Yes
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-07 07:57:03 UTC
(In reply to Yury German from comment #4)
> GLSA Vote: Yes

GLSA Vote: Yes
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-10-31 15:20:26 UTC
This issue was resolved and addressed in
 GLSA 201510-05 at https://security.gentoo.org/glsa/201510-05
by GLSA coordinator Kristian Fiskerstrand (K_F).