498064 – (CVE-2013-6451) <www-apps/mediawiki-{1.19.10,1.21.4,1.22.1}: Multiple vulnerabilities (CVE-2013-{6451,6452,6453,6454,6472})

Bug 498064 (CVE-2013-6451) - <www-apps/mediawiki-{1.19.10,1.21.4,1.22.1}: Multiple vulnerabilities (CVE-2013-{6451,6452,6453,6454,6472})

Summary: <www-apps/mediawiki-{1.19.10,1.21.4,1.22.1}: Multiple vulnerabilities (CVE-20...

Status:	RESOLVED FIXED

Alias:	CVE-2013-6451

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://www.gossamer-threads.com/lists...
Whiteboard:	B4 [glsa]
Keywords:

Depends on:
Blocks:	CVE-2014-1610
	Show dependency tree

Reported:	2014-01-14 12:13 UTC by Alex Xu (Hello71)
Modified:	2015-02-07 17:53 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Xu (Hello71) 2014-01-14 12:13:19 UTC

I think 1.20.8 is also affected since it's not available for download, but waiting for CVE.

Comment 1 Alex Xu (Hello71) 2014-01-14 12:16:47 UTC

* Durign internal review, it was discovered that MediaWiki's CSS sanitization did not filter -o-link attributes, which could be used to execute JavaScript in Opera 12. (CVE-2013-6454) <https://bugzilla.wikimedia.org/show_bug.cgi?id=58472>

Is it stretching it to call this B2? "Remote passive compromise: remote execution of arbitrary code by enticing a user to visit a malicious server or using malicious data"

Comment 2 Chris Reffett (RETIRED) gentoo-dev

2014-01-14 14:18:22 UTC

Web code execution/XSS is B4.

Comment 3 Samuel Damashek (RETIRED) gentoo-dev

2014-01-22 16:31:39 UTC

Bumped. Arches, please test and stabilize:
=www-apps/mediawiki-{1.19.10,1.21.4}
Target arches: amd64 ppc x86

Comment 4 Mikle Kolyada (RETIRED) archtester

2014-01-22 18:16:15 UTC

amd64 stable

Comment 5 Mikle Kolyada (RETIRED) archtester

2014-01-23 09:05:13 UTC

x86 stable

Comment 6 Mikle Kolyada (RETIRED) archtester

2014-01-23 09:47:28 UTC

ppc stable

@security, please vote

@maintainers. please cleanup

Comment 7 Samuel Damashek (RETIRED) gentoo-dev

2014-01-23 16:10:54 UTC

Cleanup complete.

Comment 8 Mikle Kolyada (RETIRED) archtester

2014-01-28 13:53:33 UTC

GLSA vote: yes

Comment 9 GLSAMaker/CVETool Bot gentoo-dev

2014-06-06 13:41:58 UTC

CVE-2013-6454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6454):
  Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x
  before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject
  arbitrary web script or HTML via a -o-link attribute.

CVE-2013-6453 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6453):
  MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does
  not properly sanitize SVG files, which allows remote attackers to have
  unspecified impact via invalid XML.

CVE-2013-6452 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6452):
  Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x
  before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject
  arbitrary web script or HTML via crafted XSL in an SVG file.

Comment 10 Yury German Gentoo Infrastructure

2014-06-16 04:37:29 UTC

Adding to existing GLSA request.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2014-06-17 17:43:04 UTC

CVE-2013-6472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6472):
  MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1
  allows remote attackers to obtain information about deleted page via the (1)
  log API, (2) enhanced RecentChanges, and (3) user watchlists.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2015-02-07 17:53:22 UTC

This issue was resolved and addressed in
 GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).