Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 836430 (CVE-2022-28202, CVE-2022-28205, CVE-2022-28206, CVE-2022-28209) - <www-apps/mediawiki-{1.36.4,1.37.2}: multiple vulnerabilities
Summary: <www-apps/mediawiki-{1.36.4,1.37.2}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-28202, CVE-2022-28205, CVE-2022-28206, CVE-2022-28209
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 836579
Blocks:
  Show dependency tree
 
Reported: 2022-03-30 14:34 UTC by John Helmert III
Modified: 2022-04-01 23:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-30 14:34:14 UTC
CVE-2022-28205 (https://gerrit.wikimedia.org/r/q/Ic6ba1a37b78df5b342ceeba4c1493dbde583b81f):
https://phabricator.wikimedia.org/T302215

An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future.

CVE-2022-28206 (https://phabricator.wikimedia.org/T294256):
https://gerrit.wikimedia.org/r/q/I84be9cd3639b8ab0e037a4ec2d3f2f478f0989c5

An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights.

CVE-2022-28209 (https://phabricator.wikimedia.org/T304126):
https://gerrit.wikimedia.org/r/q/Id8c4e2e336695ce70ccdf8a51ad729bf4a99f8f7

An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.

CVE-2022-28202 (https://phabricator.wikimedia.org/T297543):

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.


I can't discern a fixed version for all of these.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-31 02:32:38 UTC
Seems like these might be the CVEs in the upcoming security releases?

https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/5FGCLGPOTRWEJOCTPZ7BF3X6SV43WVXM/
Comment 3 Larry the Git Cow gentoo-dev 2022-04-01 06:54:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8e8b065191f9b3dcc3de5afcb61fd94f59d2726

commit e8e8b065191f9b3dcc3de5afcb61fd94f59d2726
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-04-01 06:52:25 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-04-01 06:54:06 +0000

    www-apps/mediawiki: security bump to 1.36.4 + eapi8
    
    Bug: https://bugs.gentoo.org/836430
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.36.4.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdcb60d50be5c81d0f7f6833d4d531d9a6275ca8

commit fdcb60d50be5c81d0f7f6833d4d531d9a6275ca8
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-04-01 06:50:42 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-04-01 06:54:05 +0000

    www-apps/mediawiki: security bump to 1.37.2 + eapi8
    
    Bug: https://bugs.gentoo.org/836430
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  1 +
 www-apps/mediawiki/mediawiki-1.37.2.ebuild | 86 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-01 14:40:22 UTC
Thanks fordfrog!
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-01 15:12:07 UTC
Please cleanup
Comment 6 Larry the Git Cow gentoo-dev 2022-04-01 16:05:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a122138a8df9545d0e7e7ddd7b0ca80339ad05d

commit 7a122138a8df9545d0e7e7ddd7b0ca80339ad05d
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-04-01 16:05:29 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-04-01 16:05:29 +0000

    www-apps/mediawiki: security cleanup (1.36.3 & 1.37.1)
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=836430
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  2 -
 www-apps/mediawiki/mediawiki-1.36.3.ebuild | 86 ------------------------------
 www-apps/mediawiki/mediawiki-1.37.1.ebuild | 86 ------------------------------
 3 files changed, 174 deletions(-)
Comment 7 Miroslav Šulc gentoo-dev 2022-04-01 16:06:09 UTC
the tree is clean now, you can proceed.