Bug 10784

Summary: mediawiki new security issue CVE-2013-2114
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/553299/
Whiteboard: MGA3-32-OK MGA3-64-OK
Source RPM: mediawiki-1.20.5-1.mga3.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 3448    

Description David Walser 2013-07-17 02:07:08 CEST 
Fedora has issued an advisory on May 30:
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107961.html

The issue is fixed upstream in 1.20.6.

Updated packages uploaded for Mageia 3 and Cauldron.

I have also fixed a couple other issues I found in the package, noted here:
https://bugs.mageia.org/show_bug.cgi?id=3448#c31
https://bugs.mageia.org/show_bug.cgi?id=3448#c34

I added the suhosin setting and changed the access restrictions so that when you install the package, /mediawiki itself should be accessible from a remote host, but the installer should only be accessible from localhost.

I did not move LocalSettings.php or extensions out of /usr/share/mediawiki in the Mageia 3 package.  Since all useful extensions should really be packaged anyway, I decided it wasn't necessary to move extensions.  In the Cauldron package I did move LocalSettings.php to /etc/mediawiki and the "images" file uploads directory to /var/www/mediawiki.  I considered these changes to not be appropriate for the stable release at this time.

I also updated the LdapAuthentication extension package to a version meant for MediaWiki 1.20 (rather than the current one, which is for 1.19).  I'll file a separate bug for that.

Note: the security issue is upstream bug 48306.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki user Marco discovered that security checks for file uploads were
not being run when the file was uploaded in chunks through the API. This
option has been available to users who can upload files since MediaWiki
1.19 (CVE-2013-2114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2114
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-May/000131.html
https://www.mediawiki.org/wiki/Release_notes/1.20#MediaWiki_1.20.6
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.20.6-1.1.mga3
mediawiki-mysql-1.20.6-1.1.mga3
mediawiki-pgsql-1.20.6-1.1.mga3
mediawiki-sqlite-1.20.6-1.1.mga3

from mediawiki-1.20.6-1.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-07-17 02:07:46 CEST 
Bug 10785 filed for the mediawiki-ldapauthentication update.

Blocks: (none) => 3448

Comment 2 Thomas Backlund 2013-07-18 19:18:12 CEST 
This one need to obsolete mediawiki-renameuser to prowide clean upgrades

see: https://bugs.mageia.org/show_bug.cgi?id=10785
and: https://bugs.mageia.org/show_bug.cgi?id=10794

CC: (none) => tmb

Comment 3 David Walser 2013-07-18 20:30:34 CEST 
Thanks Thomas, I saw your note on 10794.  Fixed now.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki user Marco discovered that security checks for file uploads were
not being run when the file was uploaded in chunks through the API. This
option has been available to users who can upload files since MediaWiki
1.19 (CVE-2013-2114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2114
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-May/000131.html
https://www.mediawiki.org/wiki/Release_notes/1.20#MediaWiki_1.20.6
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.20.6-1.2.mga3
mediawiki-mysql-1.20.6-1.2.mga3
mediawiki-pgsql-1.20.6-1.2.mga3
mediawiki-sqlite-1.20.6-1.2.mga3

from mediawiki-1.20.6-1.2.mga3.src.rpm
Comment 4 Dave Hodgins 2013-07-19 04:11:23 CEST 
Advisory uploaded, and testing complete on Mageia 3 i586.

I'll test x86_64 shortly.

CC: (none) => davidwhodgins
Whiteboard: (none) => MGA3-32-OK

Comment 5 Dave Hodgins 2013-07-19 04:32:46 CEST 
Testing complete on Mageia 3 x86_64.

For both tests, installed and setup mediawiki, created a wiki page, then
installed the update, and created another page.

Could someone from the sysadmin team push 10784.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA3-32-OK => MGA3-32-OK MGA3-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Nicolas Vigier 2013-07-21 12:01:18 CEST 
http://advisories.mageia.org/MGASA-2013-0221.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:32 CEST

CC: boklm => (none)