
Bug 518608

Summary: <www-apps/mediawiki-{1.19.20,1.22.12,1.23.5}: Multiple vulnerabilities (CVE-2014-{5241,5242,5243})
Product: Gentoo Security Reporter: Alex Xu (Hello71) <alex_y_xu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: dev-zero, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 515138    
Bug Blocks:    

Description Alex Xu (Hello71) 2014-07-30 20:22:21 UTC
+++ This bug was initially created as a clone of Bug #515138 +++

+++ This bug was initially created as a clone of Bug #508976 +++

== Security ==
* (bug 65839) SECURITY: Prevent external resources in SVG files.

URLs not yet available.
Comment 1 Alex Xu (Hello71) 2014-07-30 20:22:56 UTC
Please ignore description.

* (bug 68187) SECURITY: Prepend jsonp callback with comment.
* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in JavaScript, instead of relying on the URL in the link that has been clicked.
* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2014-08-30 13:49:11 UTC
I've taken the liberty to bump the ebuilds and drop the vulnerable versions.

Stabilization targets:

* www-apps/mediawiki-1.19.18 amd64 ppc x86 (legacy stable)
* www-apps/mediawiki-1.22.10 amd64 ppc x86 (stable, upgrade path from discontinued 1.21)
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-15 01:08:02 UTC
(In reply to Alex Xu (Hello71) from comment #0)
> +++ This bug was initially created as a clone of Bug #515138 +++
> 

Please don't use the cloning feature for security bugs. It has really created a mess with this series of bugs.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 01:08:34 UTC
CVE-2014-5243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5243):
  MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x
  before 1.23.2 does not enforce an IFRAME protection mechanism for
  transcluded pages, which makes it easier for remote attackers to conduct
  clickjacking attacks via a crafted web site.

CVE-2014-5242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5242):
  Cross-site scripting (XSS) vulnerability in
  mediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and
  1.23.x before 1.23.2 allows remote attackers to inject arbitrary web script
  or HTML via vectors involving the multipageimagenavbox class in conjunction
  with an action=raw value.

CVE-2014-5241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5241):
  The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before
  1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2
  accepts certain long callback values and does not restrict the initial bytes
  of a JSONP response, which allows remote attackers to conduct cross-site
  request forgery (CSRF) attacks, and obtain sensitive information, via a
  crafted OBJECT element with SWF content consistent with a restricted
  character set.
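The CVE-2014-5241 entry above describes the two defects on the JSONP side (an unrestricted callback and attacker-controlled initial bytes); the fix listed in comment 1 (bug 68187, "Prepend jsonp callback with comment") addresses the second. The following Python is an added illustration of that mitigation pattern, not MediaWiki's own code: the callback name grammar, the length cap and the helper names are assumptions chosen for this example.

```python
import json
import re

# Assumed callback grammar for this example: dotted JavaScript identifiers only.
# MediaWiki's actual validation rules are not reproduced here.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64  # assumed cap; the CVE text notes long callbacks were accepted


class BadCallback(ValueError):
    """Raised when a JSONP callback name is rejected."""


def is_valid_callback(callback: str) -> bool:
    """True only for short, identifier-shaped callback names."""
    return len(callback) <= MAX_CALLBACK_LEN and CALLBACK_RE.match(callback) is not None


def jsonp_response(callback: str, payload: dict) -> str:
    """Build a JSONP body whose leading bytes are never attacker-chosen.

    The '/**/' prefix is a no-op JavaScript comment for the legitimate caller,
    but it guarantees the response cannot begin with whatever byte sequence a
    browser plugin might otherwise sniff as an embeddable object.
    """
    if not is_valid_callback(callback):
        raise BadCallback("callback rejected: %r" % callback)
    body = json.dumps(payload, separators=(",", ":"))
    # Keep the body safe inside a <script> context as well.
    body = body.replace("</", "<\\/")
    return "/**/" + callback + "(" + body + ");"


def response_headers() -> dict:
    """Headers a hardened JSONP endpoint should send alongside the body."""
    return {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
```

Serving the result with the headers from `response_headers()` complements the prefix: `nosniff` stops the browser from reinterpreting the script as another type.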
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 17:54:06 UTC
This issue was resolved and addressed in
 GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).