Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 916517 (CVE-2023-29197, CVE-2023-3550, CVE-2023-36674, CVE-2023-36675, CVE-2023-45360, CVE-2023-45362, CVE-2023-45363, CVE-2023-45364) - <www-apps/mediawiki-{1.39.5,1.40.1}: multiple vulnerabilities
Summary: <www-apps/mediawiki-{1.39.5,1.40.1}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-29197, CVE-2023-3550, CVE-2023-36674, CVE-2023-36675, CVE-2023-45360, CVE-2023-45362, CVE-2023-45363, CVE-2023-45364
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-30 00:09 UTC by John Helmert III
Modified: 2023-12-03 21:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-30 00:09:30 UTC 
CVE-2023-29197 (https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw):

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.

CVE-2023-36674 (https://phabricator.wikimedia.org/T335612):

An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax.

CVE-2023-36675 (https://phabricator.wikimedia.org/T332889):

An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature.

These are all fixed in 1.39.4. Including in this bug for tracking.

A number of vulnerabilities have also been fixed in 1.39.5 and 1.40.1.

From https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/BRWOWACCHMYRIS7JRTT6XD44X3362MVL/:

* (T264765, CVE-2023-PENDING) SECURITY: Users without correct permission
are incorrectly shown MediaWiki:Missing-revision-permission.
* (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for
self-redirects with variants conversion.
* (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped
messages leading to potential XSS.
* (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page
message is assumed to yield a valid title.
* (T340221, CVE-2023-PENDING) SECURITY: XSS via
'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X
intermediate revisions by the same user not shown") ignores username
suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML
file to Special:Upload (non-standard configuration).

Not all vulnerabilities affect all release lines, see the above
release announcement for details. Please stabilize 1.39.5/1.40.1.
Comment 1 Larry the Git Cow gentoo-dev 2023-10-30 08:10:51 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=685a494536d37c47f4b8eade997d9dcb1b277016

commit 685a494536d37c47f4b8eade997d9dcb1b277016
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-10-30 08:10:37 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-10-30 08:10:37 +0000

    www-apps/mediawiki: dropped obsolete 1.39.4-r1 & 1.40.0-r1
    
    Bug: https://bugs.gentoo.org/916517
    Bug: https://bugs.gentoo.org/916472
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                   |  2 -
 www-apps/mediawiki/mediawiki-1.39.4-r1.ebuild | 90 --------------------------
 www-apps/mediawiki/mediawiki-1.40.0-r1.ebuild | 92 ---------------------------
 3 files changed, 184 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2023-10-30 08:12:07 UTC 
the latest versions are stable now and the tree is clean now, you can proceed.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-12-03 21:31:08 UTC 
> * (T264765, CVE-2023-PENDING) SECURITY: Users without correct permission are incorrectly shown MediaWiki:Missing-revision-permission.

This is CVE-2023-45364.

> * (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.

CVE-2023-45363.

> * (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
> * (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.

These two are still private in upstream's phabricator.

> * (T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.

CVE-2023-45360.

> * (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.

CVE-2023-45362.