
Bug 512354 (CVE-2014-3966)

Summary: <www-apps/mediawiki-{1.19.16,1.21.10,1.22.7}: XSS flaw due to improper parsing of Special:PasswordReset (CVE-2014-3966)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: cyberbat83, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1104222
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-06-04 08:13:00 UTC
From ${URL} :

New versions of MediaWiki have been announced [1] to fix the following flaw [2]:

XSS vulnerability in MediaWiki before 1.22.7, due to usernames on
Special:PasswordReset being parsed as wikitext.  The username on
Special:PasswordReset can be supplied by anyone and will be parsed with
wgRawHtml enabled.  Since Special:PasswordReset is whitelisted by default on
private wikis, this could potentially lead to an XSS crossing a privilege
boundary.

This is corrected [3] in upstream versions 1.19.16, 1.21.10, and 1.22.7.  A CVE has been requested [4].

[1] http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
[3] https://gerrit.wikimedia.org/r/#/c/136131/
[4] http://openwall.com/lists/oss-security/2014/06/03/7


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Tim Harder gentoo-dev 2014-06-10 18:51:00 UTC
Arches please stabilize:

=www-apps/mediawiki-1.19.16
=www-apps/mediawiki-1.21.10
Comment 2 Agostino Sarubbo gentoo-dev 2014-06-13 21:45:15 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-06-13 21:45:37 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-07-05 12:54:40 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-07-06 20:13:19 UTC
CVE-2014-3966 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3966):
  Cross-site scripting (XSS) vulnerability in Special:PasswordReset in
  MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7,
  when wgRawHtml is enabled, allows remote attackers to inject arbitrary web
  script or HTML via an invalid username.
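
A triage check built from the version ranges and the wgRawHtml precondition in the CVE text above, as an added example (not code from this bug, Gentoo or MediaWiki). The function names and the sample LocalSettings.php content are constructed; treating branches after 1.22 as fixed and reading LocalSettings.php with a line-based regex are assumptions.

```python
import re

# First fixed release per branch, from the CVE-2014-3966 text above.
FIXED = {(1, 19): 16, (1, 21): 10, (1, 22): 7}

def parse_version(pv):
    """Parse '1.21.9', '1.21.9-r1' or 'mediawiki-1.21.9' into (1, 21, 9)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", pv)
    if not m:
        raise ValueError(f"unrecognised version: {pv!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_status(pv):
    """Return 'affected', 'fixed' or 'unlisted' for a MediaWiki version."""
    major, minor, patch = parse_version(pv)
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "affected"
    if branch < (1, 19):
        return "affected"   # "before 1.19.16" covers every older branch
    if branch > (1, 22):
        return "fixed"      # assumption: later branches carry the fix
    return "unlisted"       # e.g. 1.20.x, not named in the CVE text

def raw_html_enabled(local_settings):
    """Heuristic: value of the last uncommented $wgRawHtml assignment."""
    enabled = False         # MediaWiki ships with $wgRawHtml disabled
    for line in local_settings.splitlines():
        code = re.split(r"#|//", line, maxsplit=1)[0]  # drop line comments
        m = re.search(r"\$wgRawHtml\s*=\s*(\w+)\s*;", code)
        if m:
            enabled = m.group(1).lower() in ("true", "1")
    return enabled

def triage(pv, local_settings):
    """'exposed' = affected version with the precondition set."""
    status = version_status(pv)
    if status == "affected":
        return "exposed" if raw_html_enabled(local_settings) else "upgrade"
    return status

# Constructed sample, not taken from any real wiki.
SAMPLE_SETTINGS = """<?php
$wgSitename = "Example";
# $wgRawHtml = false;
$wgRawHtml = true;
"""

if __name__ == "__main__":
    for pv in ("1.19.15", "1.20.8", "1.21.9-r1", "1.22.7"):
        print(pv, triage(pv, SAMPLE_SETTINGS))
```
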
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-07-06 20:33:12 UTC
no GLSA for Cross Site Scripting

Maintainer(s), please drop the vulnerable version.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 21:00:28 UTC
Maintainer(s), please drop the vulnerable version - we would love to close this bug.
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2014-08-25 22:42:56 UTC
Maintainer timeout, cleanup done, closing noglsa.