Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 888041 (CVE-2022-47927)

Summary: <www-apps/mediawiki-{1.38.5,1.39.1}: sqlite vulnerability (?)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: fordfrog, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 888489    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-22 22:32:39 UTC 
"The security fix included in this release was considered low risk, hence
the lack of a pre-release announcement. It only takes effect on new
installs using SQLite. If you're using SQLite already on a shared host, you
may want to check the file permissions of the database file, and stop them
being readable by "everyone". More information can be found on the linked
task, T322637."

Of course, the bug still seems restricted:

https://phabricator.wikimedia.org/T322637

In any case, please bump to 1.38.5, 1.39.1.
Comment 1 Larry the Git Cow gentoo-dev 2022-12-23 08:57:12 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=192e988860df73eb8fd5f3f584c6c2738a673dde

commit 192e988860df73eb8fd5f3f584c6c2738a673dde
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-12-23 08:56:59 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-12-23 08:57:10 +0000

    www-apps/mediawiki: security bump to 1.38.5 & 1.39.1
    
    Bug: https://bugs.gentoo.org/888041
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  2 +
 www-apps/mediawiki/mediawiki-1.38.5.ebuild | 86 ++++++++++++++++++++++++++++++
 www-apps/mediawiki/mediawiki-1.39.1.ebuild | 86 ++++++++++++++++++++++++++++++
 3 files changed, 174 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-24 02:39:30 UTC 
Thanks! Please stabilize when ready.
Comment 3 Larry the Git Cow gentoo-dev 2022-12-26 07:56:09 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed3ef2f2544fd199e25bd9a08eb25f5910d4fcf1

commit ed3ef2f2544fd199e25bd9a08eb25f5910d4fcf1
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-12-26 07:54:43 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-12-26 07:56:06 +0000

    www-apps/mediawiki: dropped obsolete & vulnerable 1.39.0
    
    Bug: https://bugs.gentoo.org/888041
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.39.0.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2022-12-26 16:28:16 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7701e36de89bd55fe5cc82f646618ddb1d7d7d74

commit 7701e36de89bd55fe5cc82f646618ddb1d7d7d74
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-12-26 16:28:01 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-12-26 16:28:13 +0000

    www-apps/mediawiki: dropped obsolete & vulnerable 1.38.4
    
    Bug: https://bugs.gentoo.org/888489
    Bug: https://bugs.gentoo.org/888041
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.38.4.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
Comment 5 Miroslav Šulc gentoo-dev 2022-12-26 16:28:50 UTC 
the tree is clean now, you can proceed
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-26 20:26:33 UTC 
Thanks!
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-26 20:39:13 UTC 
GLSA request filed. Still waiting on CVE, I think.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-15 04:14:42 UTC 
This is CVE-2022-47927.
Comment 9 Larry the Git Cow gentoo-dev 2023-05-21 19:52:15 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1

commit c162c36dafd4f17b3f87b94d2fefa1a5a3905fc1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:29 +0000

    [ GLSA 202305-24 ] MediaWiki: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/815376
    Bug: https://bugs.gentoo.org/829302
    Bug: https://bugs.gentoo.org/836430
    Bug: https://bugs.gentoo.org/855965
    Bug: https://bugs.gentoo.org/873385
    Bug: https://bugs.gentoo.org/888041
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-24.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-21 19:53:55 UTC 
GLSA released, all done!