Bug 466090 - www-apps/mediawiki : Two XML External Entities Vulnerabilities
Summary: www-apps/mediawiki : Two XML External Entities Vulnerabilities
Status: RESOLVED DUPLICATE of bug 466124
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/53054/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-16 12:37 UTC by Agostino Sarubbo
Modified: 2013-04-17 08:55 UTC

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-04-16 12:37:57 UTC
From ${URL} :

Description
Two vulnerabilities have been reported in MediaWiki, which can be exploited by malicious people to potentially disclose sensitive information and compromise a vulnerable system.

1) An error during SVG parsing can be exploited to disclose contents of certain local files.

This vulnerability can be exploited to execute arbitrary commands if expect:// handling is enabled.

2) An error within Special:Import and Extension:RSS when parsing XML entities can potentially be exploited to e.g. disclose contents of certain local files.

The vulnerabilities are reported in versions prior to 1.20.4 and 1.19.5.


Solution
Update to version 1.20.4 or 1.19.5.

Provided and/or discovered by
1) The vendor credits Daniel Franke.
2) Reported by the vendor.

Original Advisory
http://www.gossamer-threads.com/lists/wiki/mediawiki-announce/350229


@maintainer(s): after the bump, please say explicitly if the package is ready for the stabilization or not
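As an added illustration of the defensive side of the advisory above (this is example code written for this page, not MediaWiki's own upload check or anything from the Gentoo package), here is a stdlib-only Python pre-check an upload pipeline could run before handing an SVG to a renderer: it parses with expat without resolving anything and rejects entity declarations, internal DTD subsets and external entity references, which are the XML constructs the file-disclosure issue depends on. The two sample SVGs and the placeholder entity target in them are constructed.

```python
import xml.parsers.expat

# Constructed samples (not from the advisory): a benign SVG, and one whose
# internal DTD subset declares an external entity pointing at a placeholder.
BENIGN_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
              b'<rect width="1" height="1"/></svg>')
ENTITY_SVG = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path"> ]>\n'
              b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')

def inspect_xml(data: bytes) -> dict:
    """Parse with expat without resolving anything; report DTD constructs seen."""
    seen = {"doctype": None, "entities": [], "external_refs": 0}
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch an external DTD subset or parameter entity.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        seen["doctype"] = {"name": name, "internal_subset": bool(has_internal_subset)}

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        seen["entities"].append({"name": name, "external": system_id is not None})

    def on_external_ref(context, base, system_id, public_id):
        seen["external_refs"] += 1
        return 1  # report success without reading anything from disk or network

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return seen

def svg_upload_verdict(data: bytes) -> tuple:
    """Return (accepted, reason) for an SVG upload under a no-entities policy."""
    try:
        seen = inspect_xml(data)
    except xml.parsers.expat.ExpatError as err:
        return False, f"malformed XML: {err}"
    if seen["entities"]:
        kinds = {"external" if e["external"] else "internal" for e in seen["entities"]}
        return False, "entity declarations present: " + ", ".join(sorted(kinds))
    if seen["external_refs"]:
        return False, "external entity referenced in content"
    if seen["doctype"] and seen["doctype"]["internal_subset"]:
        return False, "DOCTYPE with internal subset"
    # A bare DOCTYPE naming a public DTD passes here; the renderer that later
    # consumes the file must itself be configured not to load external DTDs.
    return True, "ok"
```

The check is a gate in front of the renderer, not a replacement for the upstream fix: the renderer and any importer (the Special:Import path named above) still need their own XML parsers configured to ignore external entities.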
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-04-17 08:52:47 UTC
Again, do NOT mark things CONFIRMED when your script doesn't set a whiteboard.

*** This bug has been marked as a duplicate of bug 466124 ***
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-04-17 08:55:39 UTC
(In reply to comment #1)
> Again, do NOT mark things CONFIRMED when your script doesn't set a
> whiteboard.
> 
> *** This bug has been marked as a duplicate of bug 466124 ***

Strike that. New Bugzilla statuses--