Bug 532920 (CVE-2014-9475)

Summary: <www-apps/mediawiki-{1.19.23,1.22.15,1.23.8,1.24.1}: multiple vulnerabilities (CVE-2014-{9276,9277,9475,9476,9477,9478,9479,9480,9481,9487,9507})
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2014-12-18 11:23:11 UTC
Upstream changelog mentions a whole bunch of vulnerabilities fixed in latest releases:
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
  which could lead to xss. Permission to edit MediaWiki namespace is required
  to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
  $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
  part of its name.

== Security fixes in extensions ==
* (bug T77624) [SECURITY] Extension:Listings: missing validation in the 
  'name' and 'url' parameters.
* (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input
  as wikitext and shows a preview, yet it fails to add an edit token to
  the form and check it. This can be exploited as an XSS when 
  $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
* (bug T76195) [SECURITY] Extension:TemplateSandbox: 
  Special:TemplateSandbox needs edit token when raw HTML is allowed
* (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
* (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin 
  leakage of data from a wiki through timing
* (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 
  library for CVE-2014-2053.
Comment 1 Tim Harder gentoo-dev 2014-12-19 03:48:34 UTC
All four versions added to the tree. Feel free to start the stabilization process for the currently stable series.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-26 00:33:22 UTC
Thanks, Tim!

Arches, please stabilize:

=www-apps/mediawiki-1.19.23
=www-apps/mediawiki-1.22.15
=www-apps/mediawiki-1.23.8
Comment 3 Agostino Sarubbo gentoo-dev 2015-01-02 13:40:35 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-01-02 13:48:52 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-01-09 08:39:14 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-01-10 16:47:43 UTC
CVE-2014-9507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9507):
  MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x
  before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote
  attackers to conduct cross-site scripting (XSS) attacks by setting the
  content model for a revision to JS.

CVE-2014-9277 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9277):
  The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before
  1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7
  allows remote attackers to conduct PHP object injection attacks via a
  crafted string containing <cross-domain-policy> in a PHP format request,
  which causes the string length to change when converting the request to
  <NOT-cross-domain-policy>.

CVE-2014-9276 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9276):
  Cross-site request forgery (CSRF) vulnerability in the
  Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through
  1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to
  true, allows remote attackers to hijack the authentication of users with
  edit permissions for requests that conduct cross-site scripting (XSS) attacks via
  the wpInput parameter, which is not properly handled in the preview.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-01-15 23:02:26 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-17 20:45:20 UTC
This is already on an existing GLSA draft.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-01-17 21:01:23 UTC
CVE-2014-9476 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9476):
  MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before
  1.24.1 allows remote attackers to bypass CORS restrictions in
  $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed
  origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/."

CVE-2014-9475 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9475):
  Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before
  1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1
  allows remote authenticated users to inject arbitrary web script or HTML via
  a wikitext message.
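
Added example (not part of the bug report and not MediaWiki's code): the partial-match problem described for T77028 / CVE-2014-9476, shown as an unanchored origin check beside one that parses the Origin and matches the whole host. The allow-list, the handling of `*` and all function names are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list standing in for a $wgCrossSiteAJAXdomains-style setting.
ALLOWED = ["en.wikipedia.org", "*.wikimedia.org"]

# Constructed sample Origin values; the second uses the host quoted in CVE-2014-9476.
SAMPLES = [
    "https://en.wikipedia.org",
    "http://en.wikipedia.org.evilsite.example",
    "https://commons.wikimedia.org",
    "https://commons.wikimedia.org.evilsite.example",
    "https://evilwikimedia.org",
]

def origin_allowed_weak(origin, allowed=ALLOWED):
    """Flawed check: an allowed name anywhere inside the Origin is accepted."""
    for pattern in allowed:
        regex = re.escape(pattern).replace(r"\*", ".*")
        if re.search(regex, origin):  # unanchored, so a partial match passes
            return True
    return False

def origin_allowed_strict(origin, allowed=ALLOWED):
    """Parse the Origin and require the entire host to match one entry."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # A browser-sent Origin is scheme://host[:port] with nothing else attached.
    if parts.username is not None or parts.path or parts.query or parts.fragment:
        return False
    for pattern in allowed:
        # '*' stands for one or more whole DNS labels, never a bare substring.
        regex = re.escape(pattern.lower()).replace(
            r"\*", r"[a-z0-9-]+(?:\.[a-z0-9-]+)*")
        if re.fullmatch(regex, parts.hostname):
            return True
    return False

def audit(origins, allowed=ALLOWED):
    """Return origins the weak check accepts but the strict check rejects."""
    return [o for o in origins
            if origin_allowed_weak(o, allowed) and not origin_allowed_strict(o, allowed)]

if __name__ == "__main__":
    for o in SAMPLES:
        print(o, origin_allowed_weak(o), origin_allowed_strict(o))
```

Running `audit()` over Origin values taken from access logs gives a quick list of requests that only a substring-style check would have let through.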
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 17:54:36 UTC
This issue was resolved and addressed in
 GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).