Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 498064 (CVE-2013-6451) - <www-apps/mediawiki-{1.19.10,1.21.4,1.22.1}: Multiple vulnerabilities (CVE-2013-{6451,6452,6453,6454,6472})
Summary: <www-apps/mediawiki-{1.19.10,1.21.4,1.22.1}: Multiple vulnerabilities (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2013-6451
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.gossamer-threads.com/lists...
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks: CVE-2014-1610
  Show dependency tree
 
Reported: 2014-01-14 12:13 UTC by Alex Xu (Hello71)
Modified: 2015-02-07 17:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Xu (Hello71) 2014-01-14 12:13:19 UTC
I think 1.20.8 is also affected since it's not available for download, but waiting for CVE.
Comment 1 Alex Xu (Hello71) 2014-01-14 12:16:47 UTC
* Durign internal review, it was discovered that MediaWiki's CSS sanitization did not filter -o-link attributes, which could be used to execute JavaScript in Opera 12. (CVE-2013-6454) <https://bugzilla.wikimedia.org/show_bug.cgi?id=58472>

Is it stretching it to call this B2? "Remote passive compromise: remote execution of arbitrary code by enticing a user to visit a malicious server or using malicious data"
Comment 2 Chris Reffett gentoo-dev Security 2014-01-14 14:18:22 UTC
Web code execution/XSS is B4.
Comment 3 Samuel Damashek (RETIRED) gentoo-dev 2014-01-22 16:31:39 UTC
Bumped. Arches, please test and stabilize:
=www-apps/mediawiki-{1.19.10,1.21.4}
Target arches: amd64 ppc x86
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-01-22 18:16:15 UTC
amd64 stable
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-01-23 09:05:13 UTC
x86 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-01-23 09:47:28 UTC
ppc stable

@security, please vote

@maintainers. please cleanup
Comment 7 Samuel Damashek (RETIRED) gentoo-dev 2014-01-23 16:10:54 UTC
Cleanup complete.
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-01-28 13:53:33 UTC
GLSA vote: yes
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-06-06 13:41:58 UTC
CVE-2013-6454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6454):
  Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x
  before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject
  arbitrary web script or HTML via a -o-link attribute.

CVE-2013-6453 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6453):
  MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does
  not properly sanitize SVG files, which allows remote attackers to have
  unspecified impact via invalid XML.

CVE-2013-6452 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6452):
  Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x
  before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject
  arbitrary web script or HTML via crafted XSL in an SVG file.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-16 04:37:29 UTC
Adding to existing GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-06-17 17:43:04 UTC
CVE-2013-6472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6472):
  MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1
  allows remote attackers to obtain information about deleted page via the (1)
  log API, (2) enhanced RecentChanges, and (3) user watchlists.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 17:53:22 UTC
This issue was resolved and addressed in
 GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).