503012 – (CVE-2014-2242) <www-apps/mediawiki-{1.19.14,1.21.8,1.22.5}: multiple vulnerabilities (CVE-2014-{2242,2243,2244})

Bug 503012 (CVE-2014-2242) - <www-apps/mediawiki-{1.19.14,1.21.8,1.22.5}: multiple vulnerabilities (CVE-2014-{2242,2243,2244})

Summary: <www-apps/mediawiki-{1.19.14,1.21.8,1.22.5}: multiple vulnerabilities (CVE-20...

Status:	RESOLVED FIXED

Alias:	CVE-2014-2242

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://openwall.com/lists/oss-securit...
Whiteboard:	B4 [glsa]
Keywords:

Duplicates (1):	504290 (view as bug list)
Depends on:
Blocks:

Reported:	2014-02-28 02:26 UTC by Alex Xu (Hello71)
Modified:	2015-02-07 17:53 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Xu (Hello71) 2014-02-28 02:26:04 UTC

* (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted
  namespaces. Also disallow iframe elements. User will get an error
  including the namespace name if they use a non- whitelisted namespace.
* (bug 61346) SECURITY: Make token comparison use constant time. It seems like
  our token comparison would be vulnerable to timing attacks. This will take
  constant time.
* (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.

Comment 1 Alex Xu (Hello71) 2014-02-28 02:27:08 UTC

I'm actually not sure that these qualify as security issues at our level.

Upstream claims that they are though.

Comment 2 Alex Xu (Hello71) 2014-03-12 02:37:27 UTC

*** Bug 504290 has been marked as a duplicate of this bug. ***

Comment 3 Alex Xu (Hello71) 2014-03-27 01:21:31 UTC

Ping, 27 days since release; target delay is 30 days.

Comment 4 Samuel Damashek (RETIRED) gentoo-dev

2014-03-27 20:54:34 UTC

Fixed versions already in the tree, but unstable.

Arches, please test and stable:
=www-apps/mediawiki-{1.19.13,1.21.7}
Target arches:
amd64 ppc x86

Comment 5 Agostino Sarubbo gentoo-dev

2014-03-28 18:32:12 UTC

does not make sense stabilize here, since exist bug 506018

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2014-04-29 21:25:22 UTC

CVE-2014-2244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2244):
  Cross-site scripting (XSS) vulnerability in the formatHTML function in
  includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and
  1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to
  inject arbitrary web script or HTML via a crafted string located after
  http:// in the text parameter to api.php.

CVE-2014-2243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2243):
  includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before
  1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon
  encountering the first incorrect character, which makes it easier for remote
  attackers to obtain access via a brute-force attack that relies on timing
  differences in responses to incorrect token guesses.

CVE-2014-2242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2242):
  includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and
  1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of
  invalid namespaces in SVG files, which allows remote attackers to conduct
  cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use
  of a W3C XHTML namespace in conjunction with an IFRAME element.

Comment 7 Yury German Gentoo Infrastructure

2014-06-10 01:48:13 UTC

GLSA VOTE: YES

Comment 8 Yury German Gentoo Infrastructure

2014-06-16 04:32:46 UTC

GLSA already in progress, adding to existing GLSA

Comment 9 GLSAMaker/CVETool Bot gentoo-dev

2015-02-07 17:53:40 UTC

This issue was resolved and addressed in
 GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).