Bug 780654 (CVE-2021-30152, CVE-2021-30154, CVE-2021-30155, CVE-2021-30157, CVE-2021-30158, CVE-2021-30159, CVE-2021-30458) - <www-apps/mediawiki-1.35.2: multiple vulnerabilities
Summary: <www-apps/mediawiki-1.35.2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-30152, CVE-2021-30154, CVE-2021-30155, CVE-2021-30157, CVE-2021-30158, CVE-2021-30159, CVE-2021-30458
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa+ cve]
Reported: 2021-04-06 17:56 UTC by John Helmert III
Modified: 2021-07-19 01:43 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-06 17:56:40 UTC
CVE-2021-30154:

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS.

CVE-2021-30157:

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.

CVE-2021-30158:

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.


Fixes in 1.35.2, please bump.
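
A version triage check for the affected range that the three CVE descriptions above share. This is an added example, not part of the original bug report and not MediaWiki or Gentoo tooling; the function names, host names and installed versions are constructed for illustration.

```python
import re

# Fix versions quoted in the CVE descriptions above.
FIXED_131_BRANCH = (1, 31, 12)   # "before 1.31.12"
FIXED_135_BRANCH = (1, 35, 2)    # "1.32.x through 1.35.x before 1.35.2"

# Accepts X.Y or X.Y.Z, with an optional Gentoo "-rN" ebuild revision.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-r\d+)?$")


def parse_version(text):
    """Return (major, minor, patch); reject anything we cannot compare safely."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised MediaWiki version: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(text):
    """True if the version falls in the range stated in the CVE text."""
    version = parse_version(text)
    if version < FIXED_131_BRANCH:
        return True                      # 1.31.11 and every older release
    # 1.31.12 and later 1.31.x are fixed; 1.32.0 up to 1.35.1 are not.
    return (1, 32, 0) <= version < FIXED_135_BRANCH


def triage(inventory):
    """Map host -> version for hosts that still need the update, sorted."""
    return {host: ver for host, ver in sorted(inventory.items())
            if is_affected(ver)}


# Constructed inventory (hypothetical host names and installed versions).
SAMPLE_INVENTORY = {
    "wiki-a": "1.35.1",
    "wiki-b": "1.35.2",
    "wiki-c": "1.31.12",
    "wiki-d": "1.31.11",
    "wiki-e": "1.34.4-r1",
}

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: mediawiki {ver} is in the affected range")
```

Pre-release or otherwise unparseable version strings raise `ValueError` instead of being silently classified, so they surface for manual review.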
Comment 1 Miroslav Šulc gentoo-dev 2021-04-07 04:53:16 UTC
afaics 1.35.2 is not released yet: https://www.mediawiki.org/wiki/Download
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-07 14:11:57 UTC
Ah, my bad.
Comment 3 Larry the Git Cow gentoo-dev 2021-04-09 12:06:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00a3f5e0f74e5975eca1bcc9f63e2db81a1b5548

commit 00a3f5e0f74e5975eca1bcc9f63e2db81a1b5548
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-09 12:05:37 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-09 12:06:05 +0000

    www-apps/mediawiki: security bump to 1.35.2
    
    Bug: https://bugs.gentoo.org/780654
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.35.2.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 4 Miroslav Šulc gentoo-dev 2021-04-09 12:14:00 UTC
it should be safe to stabilize
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-09 14:20:53 UTC
Thanks! From the changelog:

(T277009, CVE-2021-30158) SECURITY: Allow blocked users to access Special:ResetTokens.
(T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages on Special:NewFiles.
(T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages on ChangesList pages.
(T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection they have right to do so via action=protect.
(T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast double move.
(T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user cancreate pages.
(T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-10 00:34:11 UTC
amd64 ppc x86 (ALLARCHES) done

all arches done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-10 00:34:57 UTC
Thanks! Please cleanup.
Comment 8 Larry the Git Cow gentoo-dev 2021-04-10 04:43:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8bf368b3924eb7962008fdd12ea7d3873fda32e

commit c8bf368b3924eb7962008fdd12ea7d3873fda32e
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-10 04:43:35 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-10 04:43:35 +0000

    www-apps/mediawiki: removed old and vulnerable 1.35.1
    
    Bug: https://bugs.gentoo.org/780654
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 -
 www-apps/mediawiki/mediawiki-1.35.1.ebuild | 86 ------------------------------
 2 files changed, 87 deletions(-)
Comment 9 Miroslav Šulc gentoo-dev 2021-04-10 04:45:14 UTC
we're clean now, you can proceed.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-10 15:39:24 UTC
(In reply to Miroslav Šulc from comment #9)
> we're clean now, you can proceed.

Thanks!
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-17 03:41:27 UTC
GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2021-07-19 01:43:41 UTC
This issue was resolved and addressed in
 GLSA 202107-40 at https://security.gentoo.org/glsa/202107-40
by GLSA coordinator John Helmert III (ajak).