
Bug 251044 (CVE-2008-5249)

Summary: www-apps/mediawiki <1.13.3, <1.12.2 and <1.6.11 Multiple XSS and information disclosure (CVE-2008-{5249,5250,5252,5687})
Product: Gentoo Security Reporter: Bruno Buss <bruno.buss>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mail, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Bruno Buss 2008-12-15 16:16:30 UTC
Description:
* An XSS vulnerability affecting all MediaWiki installations between
1.13.0 and 1.13.2. [CVE-2008-5249]
* A local script injection vulnerability affecting Internet Explorer
clients for all MediaWiki installations with uploads enabled.
[CVE-2008-5250]
* A local script injection vulnerability affecting clients with SVG
scripting capability (such as Firefox 1.5+), for all MediaWiki
installations with SVG uploads enabled. [CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all
MediaWiki installations since the feature was introduced in 1.3.0.
[CVE-2008-5252]

Also from Secunia:
http://secunia.com/Advisories/33133/
Comment 1 Bruno Buss 2008-12-15 16:20:31 UTC
Oops, changing from ~4 to B4 because 1.11.2 is also vulnerable.
Comment 2 Patrick 2008-12-24 03:09:29 UTC
Version bump please.

Version 1.12.2 had a packaging problem (see http://marc.info/?l=mediawiki-l&m=122956897708135&w=2) - it's 1.12.3 now.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-24 16:21:03 UTC
Name:      CVE-2008-5687
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5687
Published: 2008-12-19
Severity:  Medium
Description:

MediaWiki 1.11 through 1.13.3 does not properly protect against the
download of backups of deleted images, which might allow remote
attackers to obtain sensitive information via requests for files in
images/deleted/.
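
Added example, not part of the bug report or MediaWiki's code: a log check for the CVE-2008-5687 condition quoted in comment 3, flagging requests at or below images/deleted/ that the web server answered with content. The combined log format, the /w/ prefix and every sample line are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log line (assumed format)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SERVED = {200, 206}  # statuses where the server returned content

# Constructed sample lines (documentation IP ranges, made-up file names)
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Dec/2008:10:01:02 +0000] "GET /w/images/deleted/a/b/c/abc123.png HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.11 - - [20/Dec/2008:10:02:00 +0000] "GET /w/images/deleted/a/b/c/abc123.png HTTP/1.1" 403 210 "-" "-"',
    '198.51.100.7 - - [20/Dec/2008:10:03:00 +0000] "GET /w/images/%64eleted/x/y/z/k.jpg HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.8 - - [20/Dec/2008:10:04:00 +0000] "GET /w/images/a/ab/Logo.png HTTP/1.1" 200 900 "-" "-"',
]


def deleted_archive_path(target):
    """Return the normalised path if it is at or below images/deleted/, else None."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    # Decode twice to catch double-encoded characters, then collapse ./ and ../
    path = posixpath.normpath(unquote(unquote(path)))
    segments = [s.lower() for s in path.split("/") if s]
    for i in range(len(segments) - 1):
        if segments[i] == "images" and segments[i + 1] == "deleted":
            return path
    return None


def find_exposures(lines):
    """Return (host, timestamp, path, status) for served archive requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        status = int(m.group("status"))
        path = deleted_archive_path(m.group("target"))
        if path and status in SERVED:
            hits.append((m.group("host"), m.group("ts"), path, status))
    return hits


if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_LOG):
        print(hit)
```

Any hit means the directory was reachable over HTTP at the time of the request; a 403 or 404 for the same path is what a protected installation would log.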
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2008-12-26 08:37:45 UTC
1.12.3 and 1.13.3 are in the tree and 1.11.x has no fixed release as I see. So we need to stabilize something. I'd suggested to stabilize 1.12.3 has QA issue:

 * QA Notice: file does not exist:
 *      doins: skins/htmldump/* does not exist

which I fixed for 1.13 and actually I don't want to spend more time to incorporate the fix into 1.12. So, please, stabilize 1.13.3.
Comment 5 Bruno Buss 2008-12-26 12:35:26 UTC
(In reply to comment #4)
> 1.12.3 and 1.13.3 are in the tree and 1.11.x has no fixed release as I see. So
> we need to stabilize something. I'd suggested to stabilize 1.12.3 has QA issue:
> 
>  * QA Notice: file does not exist:
>  *      doins: skins/htmldump/* does not exist
> 
> which I fixed for 1.13 and actually I don't want to spend more time to
> incorporate the fix into 1.12. So, please, stabilize 1.13.3.
> 

MediaWiki doesn't support 1.11.x anymore.

I agree with 1.13.3 stabilization and after that, may we remove 1.11.2?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-12-26 21:07:45 UTC
Arches, please test and mark stable:
=www-apps/mediawiki-1.13.3
Target keywords : "amd64 ppc sparc x86"

Comment 7 Friedrich Oslage (RETIRED) gentoo-dev 2008-12-28 14:24:27 UTC
sparc stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-28 14:44:56 UTC
ppc stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-12-31 16:26:59 UTC
x86 stable
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-01 23:13:47 UTC
amd64 stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-01 23:16:08 UTC
Ready for vote, I vote NO.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 22:05:33 UTC
No, too. Closing.