
Bug 868141 (CVE-2022-39194)

Summary: www-apps/mediawiki: global DoS via site admin
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: fordfrog, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://phabricator.wikimedia.org/T313205
See Also: https://bugs.gentoo.org/show_bug.cgi?id=873385
Whiteboard: B3 [??]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-03 02:06:20 UTC
CVE-2022-39194:

An issue was discovered in the MediaWiki through 1.38.2. The community configuration pages for the GrowthExperiments extension could cause a site to become unavailable due to insufficient validation when certain actions (including page moves) were performed.

Unsure if this is in any release, not really sure how to work Phabricator.
Comment 1 Larry the Git Cow gentoo-dev 2022-09-30 03:40:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27a7cc9d97b1a12cf5c6e6464f2349d7c9823230

commit 27a7cc9d97b1a12cf5c6e6464f2349d7c9823230
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-09-30 03:40:14 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-09-30 03:40:14 +0000

    www-apps/mediawiki: bump to 1.37.6
    
    Bug: https://bugs.gentoo.org/868141
    Bug: https://bugs.gentoo.org/873385
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.37.6.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ebe28034a2a04865a9601f4b9356cbf4b211537

commit 5ebe28034a2a04865a9601f4b9356cbf4b211537
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-09-30 03:38:53 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-09-30 03:38:53 +0000

    www-apps/mediawiki: bump to 1.38.4
    
    Bug: https://bugs.gentoo.org/868141
    Bug: https://bugs.gentoo.org/873385
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.38.4.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-30 14:26:45 UTC
Do we have any idea if patches for this issue made it into the releases?
Comment 3 Miroslav Šulc gentoo-dev 2022-10-01 04:19:31 UTC
(In reply to John Helmert III from comment #2)
> Do we have any idea if patches for this issue made it into the releases?

I was searching the installed sources of mediawiki and I found GrowthExperiments only in comments, so my conclusion is that this extension is not part of the standard distribution.
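The check described in the comment above, written out as a script an administrator can run against an install. This is an added example, not code from the bug report, Gentoo or MediaWiki; it relies on two standard MediaWiki conventions, that an extension lives under `extensions/<Name>/` with an `extension.json` manifest and that it is enabled by a `wfLoadExtension( 'Name' )` call in `LocalSettings.php`. The function name `growthexperiments_status` and the constructed demo tree are mine.

```shell
#!/bin/sh
# Added example (not from the Gentoo bug, MediaWiki or the GrowthExperiments
# project): report whether a MediaWiki root ships and loads GrowthExperiments.
# Prints one of: absent, present-unloaded, present-loaded.
# Exit status 0 when the extension is absent (CVE-2022-39194 is out of scope
# for this install), 1 when the extension directory is present at all.
growthexperiments_status() {
    root=$1
    ext="$root/extensions/GrowthExperiments"
    # A tarball or ebuild that does not bundle the extension has no manifest here.
    if [ ! -f "$ext/extension.json" ]; then
        echo absent
        return 0
    fi
    # wfLoadExtension( 'GrowthExperiments' ) is the registration call; accept
    # whitespace and quote variants, ignore lines commented out with // or #.
    if [ -f "$root/LocalSettings.php" ] && \
       grep -Eq "^[[:space:]]*wfLoadExtension\([[:space:]]*['\"]GrowthExperiments['\"]" \
            "$root/LocalSettings.php"; then
        echo present-loaded
    else
        echo present-unloaded
    fi
    return 1
}

# Constructed demo tree (not a real install) so the script runs offline; point
# growthexperiments_status at a real document root instead, for example
# growthexperiments_status /var/www/localhost/htdocs/mediawiki
demo_root=$(mktemp -d)
mkdir -p "$demo_root/extensions/GrowthExperiments"
echo '{ "name": "GrowthExperiments" }' > "$demo_root/extensions/GrowthExperiments/extension.json"
printf '%s\n' '<?php' "wfLoadExtension( 'GrowthExperiments' );" > "$demo_root/LocalSettings.php"
growthexperiments_status "$demo_root" || echo "GrowthExperiments found under $demo_root: review CVE-2022-39194"
rm -rf "$demo_root"
```

A result of `absent` matches what comment 3 found for the Gentoo package, where the string appears only in comments; `present-unloaded` still means the vulnerable code is on disk and should be updated or removed with the next site change.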
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-03 21:40:32 UTC
Ah, sorry! Totally missed that this only affected an extension.