Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 563636

Summary: <www-apps/mediawiki-1.25.6: multiple vulnerabilities
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1273353
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 600190    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2015-10-21 07:15:09 UTC
From ${URL} :

Several flaws were found in Mediawiki:

* Wikipedia user RobinHood70 reported that the API failed to correctly stop
adding new chunks to the upload when the reported size was exceeded,
allowing a malicious users to upload add an infinite number of chunks for a
single file upload.
<https://phabricator.wikimedia.org/T91203>

* Wikipedia user RobinHood70 also reported that a malicious user could
upload chunks of 1 byte for very large files, potentially creating a very
large number of files on the server's filesystem.
<https://phabricator.wikimedia.org/T91205>

* Internal review discovered that it is not possible to throttle file
uploads.
<https://phabricator.wikimedia.org/T91850>

* Internal review discovered a missing authorization check when removing
suppression from a revision. This allowed users with the 'viewsuppressed'
user right but not the appropriate 'suppressrevision' user right to
unsuppress revisions.
<https://phabricator.wikimedia.org/T95589>

* Richard Stanway from teamliquid.net reported that thumbnails of PNG files
generated with ImageMagick contained the local file path in the image
metadata.
<https://phabricator.wikimedia.org/T108616>

* Extension:PageTriage - MediaWiki user Grunny discovered a DOM-based XSS in
the way the extension handled page titles.
<https://phabricator.wikimedia.org/T111029>

* Extension:Echo - Internal review discovered that Echo could display
deleted
or suppressed usernames when the username was previously used to Thank
users.
<https://phabricator.wikimedia.org/T110553>

* Extension:OAuth - Wikipedia user Sitic discovered that the OAuth
extension did not correctly enforce the IP restrictions of a Consumer when
using previously negotiated credentials.
<https://phabricator.wikimedia.org/T103022>

* Extension:OAuth - Wikipedia user Sitic discovered that OAuth would accept
a valid signature from any Consumer when checking the authorization
signature. This allowed a registered Consumer who gained access to another
Consumer's users' access tokens and secrets to use those credentials.
<https://phabricator.wikimedia.org/T103023>


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 00:27:16 UTC
Upstream fixed the reported issues with security release v1.25.3. First version containing the fixes which appeared in Gentoo repository was v1.25.6.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-01-16 03:43:02 UTC
GLSA Vote: No

Tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f923da46172598149d2f5b74b9667e92f957e532