
Bug 466124 (CVE-2013-1951)

Summary: <www-apps/mediawiki-{1.19.5,1.20.4} XSS/XXE (CVE-2013-1951)
Product: Gentoo Security
Reporter: Enno Gröper <enno+gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-April/000127.html
See Also: https://bugzilla.wikimedia.org/show_bug.cgi?id=46084
https://bugzilla.wikimedia.org/show_bug.cgi?id=46859
https://bugzilla.wikimedia.org/show_bug.cgi?id=47251
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Enno Gröper 2013-04-16 17:04:05 UTC
Yesterday MediaWiki published security releases that fix 3 security issues:

* An internal review discovered that specially crafted Lua function
names could lead to XSS.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46084>

* Daniel Franke reported that during SVG parsing, MediaWiki failed to
prevent XML external entity (XXE) processing. This could lead to local
file disclosure, or potentially remote command execution in
environments that have enabled expect:// handling.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46859>

* Internal review also discovered that Special:Import, and
Extension:RSS failed to prevent XML external entity (XXE) processing.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=47251>

Reproducible: Always
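As an added example (not part of this bug report and not MediaWiki's own code), a small defender-side gate for SVG uploads, in Python: it parses the file with expat and rejects any document that declares an entity or references an external one, which is the pattern behind the SVG XXE described above. The two sample SVGs and the accept/reject policy are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample uploads (illustration only, not taken from the bug).
BENIGN_SVG = (b'<?xml version="1.0"?>'
              b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10"/></svg>')
# An SVG whose internal DTD subset declares an external entity: the shape that
# turns an SVG parser into a local file reader once entities get expanded.
XXE_SVG = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')


class SvgRejected(ValueError):
    """Raised from inside an expat handler to abort parsing of an upload."""


def inspect_svg(data: bytes):
    """Parse an SVG upload with expat and decide whether to accept it.

    Policy (an assumption made for this example): any entity declaration,
    internal or external, and any external entity reference rejects the file.
    Returns (True, root_element_name) on success or (False, reason).
    """
    parser = expat.ParserCreate()
    seen = []  # element names in document order; seen[0] is the root

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if (system_id or public_id) else "internal"
        raise SvgRejected(f"{kind} entity declaration {name!r} in DTD")

    def on_external_ref(context, base, system_id, public_id):
        # Only reached if a declaration slipped past on_entity_decl; refuse to
        # resolve anything rather than handing the parser a file or URL to read.
        raise SvgRejected(f"external entity reference to {system_id!r}")

    def on_start(name, attrs):
        seen.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except SvgRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    root = seen[0] if seen else None
    if root != "svg":
        return False, f"root element {root!r} is not svg"
    return True, root
```

Because expat only reports declarations and references and never fetches them itself, the gate decides before any file or URL can be touched.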
Comment 1 Tim Harder gentoo-dev 2013-04-17 00:28:46 UTC
Arches, please stabilize:
=www-apps/mediawiki-1.19.5
=www-apps/mediawiki-1.20.4
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-04-17 08:52:47 UTC
*** Bug 466090 has been marked as a duplicate of this bug. ***
Comment 3 Agostino Sarubbo gentoo-dev 2013-04-17 09:12:53 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-04-17 09:13:08 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-04-17 09:13:23 UTC
ppc stable
Comment 6 Sergey Popov gentoo-dev 2013-08-23 10:18:59 UTC
Thanks for your work

Possible remote code execution

GLSA vote: yes
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 17:08:35 UTC
This issue was resolved and addressed in GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml by GLSA coordinator Sergey Popov (pinkbyte).