Bug 563636 - <www-apps/mediawiki-1.25.6: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: CVE-2016-6331, CVE-2016-6332, CVE-2016-6333, CVE-2016-6334, CVE-2016-6335, CVE-2016-6336, CVE-2016-6337
Reported: 2015-10-21 07:15 UTC by Agostino Sarubbo
Modified: 2017-01-16 03:43 UTC
Description Agostino Sarubbo gentoo-dev 2015-10-21 07:15:09 UTC
From ${URL} :

Several flaws were found in Mediawiki:

* Wikipedia user RobinHood70 reported that the API failed to correctly stop
adding new chunks to the upload when the reported size was exceeded,
allowing a malicious user to add an infinite number of chunks for a
single file upload.
<https://phabricator.wikimedia.org/T91203>

* Wikipedia user RobinHood70 also reported that a malicious user could
upload chunks of 1 byte for very large files, potentially creating a very
large number of files on the server's filesystem.
<https://phabricator.wikimedia.org/T91205>

* Internal review discovered that it is not possible to throttle file
uploads.
<https://phabricator.wikimedia.org/T91850>

* Internal review discovered a missing authorization check when removing
suppression from a revision. This allowed users with the 'viewsuppressed'
user right but not the appropriate 'suppressrevision' user right to
unsuppress revisions.
<https://phabricator.wikimedia.org/T95589>

* Richard Stanway from teamliquid.net reported that thumbnails of PNG files
generated with ImageMagick contained the local file path in the image
metadata.
<https://phabricator.wikimedia.org/T108616>

* Extension:PageTriage - MediaWiki user Grunny discovered a DOM-based XSS in
the way the extension handled page titles.
<https://phabricator.wikimedia.org/T111029>

* Extension:Echo - Internal review discovered that Echo could display
deleted or suppressed usernames when the username was previously used to
Thank users.
<https://phabricator.wikimedia.org/T110553>

* Extension:OAuth - Wikipedia user Sitic discovered that the OAuth
extension did not correctly enforce the IP restrictions of a Consumer when
using previously negotiated credentials.
<https://phabricator.wikimedia.org/T103022>

* Extension:OAuth - Wikipedia user Sitic discovered that OAuth would accept
a valid signature from any Consumer when checking the authorization
signature. This allowed a registered Consumer who gained access to another
Consumer's users' access tokens and secrets to use those credentials.
<https://phabricator.wikimedia.org/T103023>


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
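
An added example, not part of the bug report and not MediaWiki's code: a server-side chunk acceptance check for the first two items in the description above (T91203 and T91205). The class name, the exception and the limits MIN_CHUNK_BYTES and MAX_FILE_BYTES are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed limits for illustration; a real deployment would tune these.
MIN_CHUNK_BYTES = 1024               # floor for every chunk except the last
MAX_FILE_BYTES = 100 * 1024 * 1024   # cap on the size a client may declare


class ChunkRejected(Exception):
    """Raised when a chunk must not be appended to the upload."""


@dataclass
class ChunkedUpload:
    declared_size: int   # total size the client reported when the upload began
    received: int = 0    # bytes accepted so far
    chunks: int = 0      # chunk files stored so far

    def __post_init__(self):
        if not 0 < self.declared_size <= MAX_FILE_BYTES:
            raise ChunkRejected("declared size out of range")

    def accept(self, offset: int, chunk: bytes) -> bool:
        """Validate and record one chunk; return True once the file is complete."""
        if offset != self.received:
            raise ChunkRejected("offset does not match bytes already received")
        if not chunk:
            raise ChunkRejected("empty chunk")
        end = self.received + len(chunk)
        # T91203: stop appending once the declared size would be exceeded.
        # This also rejects any chunk sent after the upload is complete.
        if end > self.declared_size:
            raise ChunkRejected("chunk exceeds declared file size")
        # T91205: only the final chunk may be smaller than the floor, so the
        # number of chunk files is bounded by declared_size / MIN_CHUNK_BYTES + 1.
        is_final = end == self.declared_size
        if not is_final and len(chunk) < MIN_CHUNK_BYTES:
            raise ChunkRejected("non-final chunk below minimum size")
        self.received = end
        self.chunks += 1
        return is_final
```
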
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 00:27:16 UTC
Upstream fixed the reported issues with security release v1.25.3. The first version containing the fixes that appeared in the Gentoo repository was v1.25.6.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-01-16 03:43:02 UTC
GLSA Vote: No

Tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f923da46172598149d2f5b74b9667e92f957e532