499632 – (CVE-2014-1610) <www-apps/mediawiki-{1.19.11,1.21.5,1.22.2}: remote code execution if file upload support for DjVu or PDF files is enabled (CVE-2014-1610)

Bug 499632 (CVE-2014-1610) - <www-apps/mediawiki-{1.19.11,1.21.5,1.22.2}: remote code execution if file upload support for DjVu or PDF files is enabled (CVE-2014-1610)

Summary: <www-apps/mediawiki-{1.19.11,1.21.5,1.22.2}: remote code execution if file up...

Status:	RESOLVED FIXED

Alias:	CVE-2014-1610

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major
Assignee:	Gentoo Security

URL:
Whiteboard:	C1 [glsa]
Keywords:

Depends on:	CVE-2013-6451
Blocks:
	Show dependency tree

Reported:	2014-01-28 21:46 UTC by Alex Xu (Hello71)
Modified:	2015-02-07 17:53 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Xu (Hello71) 2014-01-28 21:46:11 UTC

I am almost entirely sure that www-apps/mediawiki:1.20* is also affected, due to the wording of the announce mail and its non-existence on the official download list. https://www.mediawiki.org/wiki/Download

> I would like to announce the release of MediaWiki 1.22.2, 1.21.5 and
> 1.19.11.
> 
> Your MediaWiki installation is affected by a remote code execution
> vulnerability if you have enabled file upload support for DjVu (natively
> supported by MediaWiki) or PDF files (in combination with the PdfHandler
> extension). Neither file type is enabled by default in MediaWiki
> installations. If you are affected, we strongly urge you to update
> immediately.
> 
> Affected supported versions: All
> 
> == Security fixes ==
> 
> * Netanel Rubin from Check Point discovered a remote code execution
> vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal
> review also discovered similar logic in the PdfHandler extension, which
> could be exploited in a similar way. (CVE-2014-1610)
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=60339>

Comment 1 Samuel Damashek (RETIRED) gentoo-dev

2014-01-29 01:02:05 UTC

Bumped. 1.20.x was EOL'd, and was pruned from the tree due to a previous security issue.

Arches, please test and stable:
=www-apps/mediawiki-{1.19.11,1.21.5}
Target arches:
amd64 ppc x86

Comment 2 Agostino Sarubbo gentoo-dev

2014-02-01 22:46:01 UTC

amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2014-02-01 22:47:59 UTC

x86 stable

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2014-02-04 14:07:16 UTC

CVE-2014-1610 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1610):
  MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before
  1.19.11, when DjVu or PDF file upload support is enabled, allows remote
  authenticated users to execute arbitrary commands via shell metacharacters
  in (1) the page parameter to includes/media/DjVu.php; unspecified vectors in
  (2) includes/media/PdfHandler_body.php; and possibly unspecified vectors in
  (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.

Comment 5 Agostino Sarubbo gentoo-dev

2014-02-09 08:19:16 UTC

ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 6 Mikle Kolyada (RETIRED) archtester

2014-02-09 10:34:57 UTC

glsa request filed.

Comment 7 Yury German Gentoo Infrastructure

2014-05-21 03:42:37 UTC

Arches and Mainter(s), Thank you for your work.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2015-02-07 17:53:32 UTC

This issue was resolved and addressed in
 GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).