Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 523852 (CVE-2014-7199) - <www-apps/mediawiki--{1.19.20,1.22.12,1.23.5}: CSS filtering in SVG files (CVE-2014-7199)
Summary: <www-apps/mediawiki--{1.19.20,1.22.12,1.23.5}: CSS filtering in SVG files (CV...
Alias: CVE-2014-7199
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2014-09-27 09:35 UTC by Agostino Sarubbo
Modified: 2015-02-07 17:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-09-27 09:35:34 UTC
From ${URL} :

* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter
  <style> elements; normalize style elements and attributes before
  filtering; add checks for attributes that contain css; add unit tests
  for html5sec and reported bugs.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Tim Harder gentoo-dev 2014-10-02 16:32:25 UTC
Newer releases fixing another security issue are in the tree.

Arches, please stabilize:

Comment 2 Agostino Sarubbo gentoo-dev 2014-10-05 07:23:04 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-10-05 07:25:21 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-05 15:12:08 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-15 00:25:01 UTC
Adding to existing GLSA draft.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 01:09:46 UTC
CVE-2014-7199 (
  Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, 1.22.x
  before 1.22.11, and 1.23.x before 1.23.4 allows remote attackers to inject
  arbitrary web script or HTML via a crafted SVG file.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 17:54:15 UTC
This issue was resolved and addressed in
 GLSA 201502-04 at
by GLSA coordinator Kristian Fiskerstrand (K_F).