Bug 868141 (CVE-2022-39194) - www-apps/mediawiki: global DoS via site admin
Summary: www-apps/mediawiki: global DoS via site admin
Status: RESOLVED INVALID
Alias: CVE-2022-39194
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://phabricator.wikimedia.org/T31...
Whiteboard: B3 [??]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-03 02:06 UTC by John Helmert III
Modified: 2022-10-03 21:40 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-03 02:06:20 UTC
CVE-2022-39194:

An issue was discovered in MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed.

Unsure if this is in any release, not really sure how to work Phabricator.
Comment 1 Larry the Git Cow gentoo-dev 2022-09-30 03:40:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27a7cc9d97b1a12cf5c6e6464f2349d7c9823230

commit 27a7cc9d97b1a12cf5c6e6464f2349d7c9823230
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-09-30 03:40:14 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-09-30 03:40:14 +0000

    www-apps/mediawiki: bump to 1.37.6
    
    Bug: https://bugs.gentoo.org/868141
    Bug: https://bugs.gentoo.org/873385
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.37.6.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ebe28034a2a04865a9601f4b9356cbf4b211537

commit 5ebe28034a2a04865a9601f4b9356cbf4b211537
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-09-30 03:38:53 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-09-30 03:38:53 +0000

    www-apps/mediawiki: bump to 1.38.4
    
    Bug: https://bugs.gentoo.org/868141
    Bug: https://bugs.gentoo.org/873385
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.38.4.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-30 14:26:45 UTC
Do we have any idea if patches for this issue made it into the releases?
Comment 3 Miroslav Šulc gentoo-dev 2022-10-01 04:19:31 UTC
(In reply to John Helmert III from comment #2)
> Do we have any idea if patches for this issue made it into the releases?

I was searching the installed sources of MediaWiki and I found GrowthExperiments only in comments, so my conclusion is that this extension is not part of the standard distribution.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-03 21:40:32 UTC
Ah, sorry! Totally missed that this only affected an extension.