Bug 466124 (CVE-2013-1951) - <www-apps/mediawiki-{1.19.5,1.20.4} XSS/XXE (CVE-2013-1951)
Summary: <www-apps/mediawiki-{1.19.5,1.20.4} XSS/XXE (CVE-2013-1951)
Status: RESOLVED FIXED
Alias: CVE-2013-1951
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://lists.wikimedia.org/pipermail/...
Whiteboard: B4 [glsa]
Keywords:
Duplicates: 466090
Depends on:
Blocks:
 
Reported: 2013-04-16 17:04 UTC by Enno Gröper
Modified: 2013-10-28 17:08 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Enno Gröper 2013-04-16 17:04:05 UTC
Yesterday MediaWiki published security releases that fix 3 security issues:

* An internal review discovered that specially crafted Lua function
names could lead to XSS.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46084>

* Daniel Franke reported that during SVG parsing, MediaWiki failed to
prevent XML external entity (XXE) processing. This could lead to local
file disclosure, or potentially remote command execution in
environments that have enabled expect:// handling.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46859>

* Internal review also discovered that Special:Import and
Extension:RSS failed to prevent XML external entity (XXE) processing.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=47251>

Reproducible: Always
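The second and third items describe the same defect: an XML parser that resolves entity declarations while handling untrusted input (an SVG upload, an import, a feed). The added example below is not from this bug, from the MediaWiki release, or from the Gentoo package; it is a self-contained upload validator written against Python's standard-library expat parser rather than MediaWiki's PHP/libxml code, and the three SVG documents it checks are constructed here (the file path in the XXE sample is a placeholder). The rule it enforces is the one a defender wants for SVG uploads: an SVG never needs a DOCTYPE, and a DOCTYPE is the only place an XML document can declare entities, so any DOCTYPE, entity declaration or external entity reference is refused before the parser can resolve anything against a local file or URL.

```python
import xml.parsers.expat as expat


class UnsafeSvgError(ValueError):
    """Raised when an SVG upload carries XML constructs that enable XXE."""


def parse_svg(data: bytes) -> dict:
    """Parse an SVG upload while refusing the constructs XXE relies on.

    Rejected before any entity could be resolved:
      - any DOCTYPE declaration (internal or external subset),
      - any entity declaration,
      - any external entity reference.
    Returns a small summary (root element name, element count) on success.
    """
    parser = expat.ParserCreate()
    # Never parse parameter entities; they are how an external DTD gets pulled in.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvgError(f"DOCTYPE {name!r} is not allowed in an SVG upload")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeSvgError(f"entity declaration {name!r} is not allowed")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeSvgError(f"external entity reference {sysid!r} refused")

    # An exception raised inside an expat handler aborts the parse and
    # propagates out of parser.Parse(), so nothing past the offending
    # construct is read, let alone resolved.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref

    summary = {"root": None, "elements": 0}

    def on_start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartElementHandler = on_start_element
    parser.Parse(data, True)

    if summary["root"] != "svg":
        raise UnsafeSvgError(f"root element is {summary['root']!r}, expected 'svg'")
    return summary


def is_safe_svg(data: bytes) -> bool:
    """Upload-gate helper: True only if the document parses and is XXE-free."""
    try:
        parse_svg(data)
    except (UnsafeSvgError, expat.ExpatError):
        return False
    return True


# Constructed sample inputs (not taken from the bug report).
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10"/>
</svg>"""

# Shape of the finding above: a DOCTYPE declaring an external entity that a
# substituting parser would resolve and echo back.  The path is a placeholder.
XXE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY leak SYSTEM "file:///placeholder/local/file"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&leak;</text></svg>"""

# Not an external reference, but still a DOCTYPE: rejected by the same rule,
# so there is no allow-list of "harmless" entity forms to maintain.
INTERNAL_ENTITY_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY w "10"> ]>
<svg xmlns="http://www.w3.org/2000/svg" width="&w;"/>"""

if __name__ == "__main__":
    print(parse_svg(BENIGN_SVG))
    for label, doc in (("xxe", XXE_SVG), ("internal-entity", INTERNAL_ENTITY_SVG)):
        try:
            parse_svg(doc)
        except UnsafeSvgError as exc:
            print(f"{label}: rejected ({exc})")
```

Rejecting the whole DOCTYPE is deliberately coarser than "disable external entity loading": it does not depend on knowing which parser flag a given XML library honours by default (the gap this bug is about), and it fails closed on parser versions that add new entity-expansion paths. The same validator applies to the Special:Import and Extension:RSS inputs, with the root-element check changed to what those formats expect.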
Comment 1 Tim Harder gentoo-dev 2013-04-17 00:28:46 UTC
Arches, please stabilize:
=www-apps/mediawiki-1.19.5
=www-apps/mediawiki-1.20.4
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-04-17 08:52:47 UTC
*** Bug 466090 has been marked as a duplicate of this bug. ***
Comment 3 Agostino Sarubbo gentoo-dev 2013-04-17 09:12:53 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-04-17 09:13:08 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-04-17 09:13:23 UTC
ppc stable
Comment 6 Sergey Popov gentoo-dev 2013-08-23 10:18:59 UTC
Thanks for your work

Possible remote code execution

GLSA vote: yes
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 17:08:35 UTC
This issue was resolved and addressed in
GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml
by GLSA coordinator Sergey Popov (pinkbyte).