
Bug 503012 (CVE-2014-2242)

Summary: <www-apps/mediawiki-{1.19.14,1.21.8,1.22.5}: multiple vulnerabilities (CVE-2014-{2242,2243,2244})
Product: Gentoo Security
Reporter: Alex Xu (Hello71) <alex_y_xu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://openwall.com/lists/oss-security/2014/02/28/1
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Alex Xu (Hello71) 2014-02-28 02:26:04 UTC
* (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted
  namespaces. Also disallow iframe elements. User will get an error
  including the namespace name if they use a non-whitelisted namespace.
* (bug 61346) SECURITY: Make token comparison use constant time. It seems like
  our token comparison would be vulnerable to timing attacks. This will take
  constant time.
* (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
Comment 1 Alex Xu (Hello71) 2014-02-28 02:27:08 UTC
I'm actually not sure that these qualify as security issues at our level.

Upstream claims that they are though.
Comment 2 Alex Xu (Hello71) 2014-03-12 02:37:27 UTC
*** Bug 504290 has been marked as a duplicate of this bug. ***
Comment 3 Alex Xu (Hello71) 2014-03-27 01:21:31 UTC
Ping, 27 days since release; target delay is 30 days.
Comment 4 Samuel Damashek (RETIRED) gentoo-dev 2014-03-27 20:54:34 UTC
Fixed versions already in the tree, but unstable.

Arches, please test and stable:
=www-apps/mediawiki-{1.19.13,1.21.7}
Target arches:
amd64 ppc x86
Comment 5 Agostino Sarubbo gentoo-dev 2014-03-28 18:32:12 UTC
It does not make sense to stabilize here, since bug 506018 exists.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 21:25:22 UTC
CVE-2014-2244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2244):
  Cross-site scripting (XSS) vulnerability in the formatHTML function in
  includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and
  1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to
  inject arbitrary web script or HTML via a crafted string located after
  http:// in the text parameter to api.php.

CVE-2014-2243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2243):
  includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before
  1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon
  encountering the first incorrect character, which makes it easier for remote
  attackers to obtain access via a brute-force attack that relies on timing
  differences in responses to incorrect token guesses.

CVE-2014-2242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2242):
  includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and
  1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of
  invalid namespaces in SVG files, which allows remote attackers to conduct
  cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use
  of a W3C XHTML namespace in conjunction with an IFRAME element.
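The early-exit token check that CVE-2014-2243 describes, beside a constant-time replacement, as an added example that is not MediaWiki's code (written in Python rather than MediaWiki's PHP; the examined-character count is a constructed stand-in for elapsed time, and the sample token is generated locally):

```python
import hmac
import secrets

# Constructed sample: a fixed-length hex token, the shape MediaWiki's user tokens have.
TOKEN_LEN = 32


def early_exit_compare(expected, supplied):
    """Stops at the first mismatching character (the pattern the CVE describes).
    Returns (match, chars_examined); the count grows with the correct prefix length."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected, supplied):
    """Examines every character and accumulates differences with XOR/OR,
    so the work done does not depend on where the first mismatch is."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected.encode(), supplied.encode()):
        diff |= a ^ b
        examined += 1
    return diff == 0, examined


def library_compare(expected, supplied):
    """What production code should call: the standard library's constant-time compare."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def work_profile(expected, compare):
    """For each k, submit a guess correct in its first k characters and wrong at
    position k, and record how many characters compare() examined.
    A flat profile means the matched prefix length is not observable."""
    profile = []
    for k in range(len(expected)):
        wrong = "0" if expected[k] != "0" else "1"
        guess = expected[:k] + wrong + expected[k + 1:]
        profile.append(compare(expected, guess)[1])
    return profile


if __name__ == "__main__":
    token = secrets.token_hex(TOKEN_LEN // 2)
    print("early-exit:", work_profile(token, early_exit_compare))      # 1, 2, 3, ..., 32
    print("constant  :", work_profile(token, constant_time_compare))   # 32 repeated
```

The rising profile of the early-exit version is exactly the signal the CVE text says an attacker can brute-force one character at a time; the flat profile of the constant-time version (and of hmac.compare_digest) removes it.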
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-06-10 01:48:13 UTC
GLSA VOTE: YES
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 04:32:46 UTC
GLSA already in progress, adding to existing GLSA
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 17:53:40 UTC
This issue was resolved and addressed in
 GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).