Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 503012 (CVE-2014-2242) - <www-apps/mediawiki-{1.19.14,1.21.8,1.22.5}: multiple vulnerabilities (CVE-2014-{2242,2243,2244})
Summary: <www-apps/mediawiki-{1.19.14,1.21.8,1.22.5}: multiple vulnerabilities (CVE-20...
Alias: CVE-2014-2242
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
: 504290 (view as bug list)
Depends on:
Reported: 2014-02-28 02:26 UTC by Alex Xu (Hello71)
Modified: 2015-02-07 17:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alex Xu (Hello71) 2014-02-28 02:26:04 UTC
* (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted
  namespaces. Also disallow iframe elements. User will get an error
  including the namespace name if they use a non- whitelisted namespace.
* (bug 61346) SECURITY: Make token comparison use constant time. It seems like
  our token comparison would be vulnerable to timing attacks. This will take
  constant time.
* (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
Comment 1 Alex Xu (Hello71) 2014-02-28 02:27:08 UTC
I'm actually not sure that these qualify as security issues at our level.

Upstream claims that they are though.
Comment 2 Alex Xu (Hello71) 2014-03-12 02:37:27 UTC
*** Bug 504290 has been marked as a duplicate of this bug. ***
Comment 3 Alex Xu (Hello71) 2014-03-27 01:21:31 UTC
Ping, 27 days since release; target delay is 30 days.
Comment 4 Samuel Damashek (RETIRED) gentoo-dev 2014-03-27 20:54:34 UTC
Fixed versions already in the tree, but unstable.

Arches, please test and stable:
Target arches:
amd64 ppc x86
Comment 5 Agostino Sarubbo gentoo-dev 2014-03-28 18:32:12 UTC
does not make sense stabilize here, since exist bug 506018
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 21:25:22 UTC
CVE-2014-2244 (
  Cross-site scripting (XSS) vulnerability in the formatHTML function in
  includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and
  1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to
  inject arbitrary web script or HTML via a crafted string located after
  http:// in the text parameter to api.php.

CVE-2014-2243 (
  includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before
  1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon
  encountering the first incorrect character, which makes it easier for remote
  attackers to obtain access via a brute-force attack that relies on timing
  differences in responses to incorrect token guesses.

CVE-2014-2242 (
  includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and
  1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of
  invalid namespaces in SVG files, which allows remote attackers to conduct
  cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use
  of a W3C XHTML namespace in conjunction with an IFRAME element.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-06-10 01:48:13 UTC
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 04:32:46 UTC
GLSA already in progress, adding to existing GLSA
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 17:53:40 UTC
This issue was resolved and addressed in
 GLSA 201502-04 at
by GLSA coordinator Kristian Fiskerstrand (K_F).