Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 468110 (CVE-2013-2031)

Summary: <www-apps/mediawiki-{1.19.6,1.20.5}: Security releases 1.20.5 and 1.19.6 (CVE-2013-{2031,2032})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=958303
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-05-01 10:12:38 UTC 
From ${URL} :

Two flaws were corrected in the recently-released MediaWiki 1.20.5 and 1.19.6 releases:

* Jan Schejbal / Hatforce.com reported that SVG script filtering could be bypassed for Chrome and 
Firefox clients by using an encoding that MediaWiki understood, but these browsers interpreted as 
UTF-8. [1]

* Internal review discovered that extensions were not given the opportunity to disable a password 
reset, which could lead to circumvention of two-factor authentication. [2]

[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=47304
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=46590


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
Comment 1 Tim Harder gentoo-dev 2013-05-01 16:45:48 UTC 
Arches, please stabilize:
=www-apps/mediawiki-1.19.6
=www-apps/mediawiki-1.20.5
Comment 2 Agostino Sarubbo gentoo-dev 2013-05-02 12:03:30 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-05-02 12:04:01 UTC 
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-05-03 13:32:45 UTC 
ppc stable
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-06-30 12:22:18 UTC 
If this requires a GLSA, it could be combined with bug 471140.
Comment 6 Sergey Popov gentoo-dev 2013-08-23 09:48:07 UTC 
GLSA vote: no
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 17:08:37 UTC 
This issue was resolved and addressed in
 GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-11-19 04:21:45 UTC 
CVE-2013-2032 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2032):
  MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions
  to prevent password changes without using both Special:PasswordReset and
  Special:ChangePassword, which allows remote attackers to bypass the intended
  restrictions of an extension that only implements one of these blocks.

CVE-2013-2031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2031):
  MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to
  conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA
  section containing valid UTF-7 encoded sequences in a SVG file, which is
  then incorrectly interpreted as UTF-8 by Chrome and Firefox.