Bug 836430 (CVE-2022-28202, CVE-2022-28205, CVE-2022-28206, CVE-2022-28209)

Summary:	<www-apps/mediawiki-{1.36.4,1.37.2}: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	fordfrog, web-apps
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	836579
Bug Blocks:

Description John Helmert III archtester

2022-03-30 14:34:14 UTC

CVE-2022-28205 (https://gerrit.wikimedia.org/r/q/Ic6ba1a37b78df5b342ceeba4c1493dbde583b81f):
https://phabricator.wikimedia.org/T302215

An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future.

CVE-2022-28206 (https://phabricator.wikimedia.org/T294256):
https://gerrit.wikimedia.org/r/q/I84be9cd3639b8ab0e037a4ec2d3f2f478f0989c5

An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights.

CVE-2022-28209 (https://phabricator.wikimedia.org/T304126):
https://gerrit.wikimedia.org/r/q/Id8c4e2e336695ce70ccdf8a51ad729bf4a99f8f7

An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.

CVE-2022-28202 (https://phabricator.wikimedia.org/T297543):

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.


I can't discern a fixed version for all of these.

Comment 1 John Helmert III archtester

2022-03-31 02:32:38 UTC

Seems like these might be the CVEs in the upcoming security releases?

https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/5FGCLGPOTRWEJOCTPZ7BF3X6SV43WVXM/

Comment 2 John Helmert III archtester

2022-03-31 22:19:10 UTC

They have been released: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/

Comment 3 Larry the Git Cow gentoo-dev

2022-04-01 06:54:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8e8b065191f9b3dcc3de5afcb61fd94f59d2726

commit e8e8b065191f9b3dcc3de5afcb61fd94f59d2726
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-04-01 06:52:25 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-04-01 06:54:06 +0000

    www-apps/mediawiki: security bump to 1.36.4 + eapi8
    
    Bug: https://bugs.gentoo.org/836430
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.36.4.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdcb60d50be5c81d0f7f6833d4d531d9a6275ca8

commit fdcb60d50be5c81d0f7f6833d4d531d9a6275ca8
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-04-01 06:50:42 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-04-01 06:54:05 +0000

    www-apps/mediawiki: security bump to 1.37.2 + eapi8
    
    Bug: https://bugs.gentoo.org/836430
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.37.2.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)

Comment 4 John Helmert III archtester

2022-04-01 14:40:22 UTC

Thanks fordfrog!

Comment 5 John Helmert III archtester

2022-04-01 15:12:07 UTC

Please cleanup

Comment 6 Larry the Git Cow gentoo-dev

2022-04-01 16:05:40 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a122138a8df9545d0e7e7ddd7b0ca80339ad05d

commit 7a122138a8df9545d0e7e7ddd7b0ca80339ad05d
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-04-01 16:05:29 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-04-01 16:05:29 +0000

    www-apps/mediawiki: security cleanup (1.36.3 & 1.37.1)
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=836430
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  2 -
 www-apps/mediawiki/mediawiki-1.36.3.ebuild | 86 ------------------------------
 www-apps/mediawiki/mediawiki-1.37.1.ebuild | 86 ------------------------------
 3 files changed, 174 deletions(-)

Comment 7 Miroslav Šulc gentoo-dev

2022-04-01 16:06:09 UTC

the tree is clean now, you can proceed.

Comment 8 John Helmert III archtester

2022-12-26 20:39:40 UTC

GLSA request filed.

Comment 9 Larry the Git Cow gentoo-dev

2023-05-21 19:52:11 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1

commit c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:29 +0000

    [ GLSA 202305-24 ] MediaWiki: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/815376
    Bug: https://bugs.gentoo.org/829302
    Bug: https://bugs.gentoo.org/836430
    Bug: https://bugs.gentoo.org/855965
    Bug: https://bugs.gentoo.org/873385
    Bug: https://bugs.gentoo.org/888041
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-24.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

Comment 10 John Helmert III archtester

2023-05-21 19:53:41 UTC

GLSA released, all done!