Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 523852 (CVE-2014-7199)

Summary: <www-apps/mediawiki--{1.19.20,1.22.12,1.23.5}: CSS filtering in SVG files (CVE-2014-7199)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2014/09/26/12
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-09-27 09:35:34 UTC
From ${URL} :

https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html

* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter
  <style> elements; normalize style elements and attributes before
  filtering; add checks for attributes that contain css; add unit tests
  for html5sec and reported bugs.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Tim Harder gentoo-dev 2014-10-02 16:32:25 UTC
Newer releases fixing another security issue are in the tree.

Arches, please stabilize:

=www-apps/mediawiki-1.19.20
=www-apps/mediawiki-1.22.12
=www-apps/mediawiki-1.23.5
Comment 2 Agostino Sarubbo gentoo-dev 2014-10-05 07:23:04 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-10-05 07:25:21 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-05 15:12:08 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-15 00:25:01 UTC
Adding to existing GLSA draft.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 01:09:46 UTC
CVE-2014-7199 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7199):
  Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, 1.22.x
  before 1.22.11, and 1.23.x before 1.23.4 allows remote attackers to inject
  arbitrary web script or HTML via a crafted SVG file.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 17:54:15 UTC
This issue was resolved and addressed in
 GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).