Bug 563636

Summary: <www-apps/mediawiki-1.25.6: multiple vulnerabilities
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 600190
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2015-10-21 07:15:09 UTC
From ${URL} :

Several flaws were found in Mediawiki:

* Wikipedia user RobinHood70 reported that the API failed to correctly stop
adding new chunks to the upload when the reported size was exceeded,
allowing a malicious user to add an infinite number of chunks for a
single file upload.

* Wikipedia user RobinHood70 also reported that a malicious user could
upload chunks of 1 byte for very large files, potentially creating a very
large number of files on the server's filesystem.

* Internal review discovered that it is not possible to throttle file

* Internal review discovered a missing authorization check when removing
suppression from a revision. This allowed users with the 'viewsuppressed'
user right but not the appropriate 'suppressrevision' user right to
unsuppress revisions.

* Richard Stanway from reported that thumbnails of PNG files
generated with ImageMagick contained the local file path in the image

* Extension:PageTriage - MediaWiki user Grunny discovered a DOM-based XSS in
the way the extension handled page titles.

* Extension:Echo - Internal review discovered that Echo could display
or suppressed usernames when the username was previously used to Thank

* Extension:OAuth - Wikipedia user Sitic discovered that the OAuth
extension did not correctly enforce the IP restrictions of a Consumer when
using previously negotiated credentials.

* Extension:OAuth - Wikipedia user Sitic discovered that OAuth would accept
a valid signature from any Consumer when checking the authorization
signature. This allowed a registered Consumer who gained access to another
Consumer's users' access tokens and secrets to use those credentials.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
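Server-side validation that closes the two chunked-upload flaws listed first in the advisory above, as an added illustration and not MediaWiki's own code. The session structure and the MIN_CHUNK_SIZE and MAX_UPLOAD_SIZE limits are assumed policy values for this example, not figures from the page.

```python
from dataclasses import dataclass, field

MIN_CHUNK_SIZE = 1024 * 1024         # assumed policy: non-final chunks are >= 1 MiB
MAX_UPLOAD_SIZE = 100 * 1024 * 1024  # assumed policy: at most 100 MiB per upload
# Together these bound the chunks (temp files) per upload to
# ceil(MAX_UPLOAD_SIZE / MIN_CHUNK_SIZE) = 100, whatever the client sends.


class UploadError(ValueError):
    pass


@dataclass
class UploadSession:
    declared_size: int                          # total size announced at upload start
    received: int = 0                           # bytes accepted so far
    chunks: list = field(default_factory=list)  # stands in for temp files on disk


def start_upload(declared_size):
    """Reject an unreasonable declared size before any chunk is stored."""
    if not 0 < declared_size <= MAX_UPLOAD_SIZE:
        raise UploadError("declared size out of range")
    return UploadSession(declared_size)


def validate_chunk(session, offset, data):
    """Return a rejection reason (str), or None if the chunk may be stored."""
    if session.received == session.declared_size:
        return "upload already complete"             # flaw 1: nothing past declared size
    if offset != session.received:
        return f"expected offset {session.received}, got {offset}"
    if not data:
        return "empty chunk"
    end = session.received + len(data)
    if end > session.declared_size:
        return "chunk would exceed declared size"    # flaw 1: overlong chunk
    if end < session.declared_size and len(data) < MIN_CHUNK_SIZE:
        return "non-final chunk below minimum size"  # flaw 2: 1-byte chunks
    return None


def accept_chunk(session, offset, data):
    """Store a validated chunk and return how many chunks are held so far."""
    reason = validate_chunk(session, offset, data)
    if reason is not None:
        raise UploadError(reason)
    session.chunks.append(data)   # a real server would write a temp file here
    session.received += len(data)
    return len(session.chunks)
```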
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 00:27:16 UTC
Upstream fixed the reported issues with security release v1.25.3. The first version containing the fixes that appeared in the Gentoo repository was v1.25.6.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-01-16 03:43:02 UTC
GLSA Vote: No

Tree is clean: