Bug 11854

Summary: mediawiki new security issues fixed upstream in 1.20.8
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/575400/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Source RPM: mediawiki-1.20.7-1.mga3.src.rpm CVE:
Status comment:
Attachments: image of page created with the prior version of mediawiki
Image of page created with the updates testing version of mediawiki

Description David Walser 2013-12-02 17:22:05 CET 
MediaWiki has announced the release of version 1.20.8 on November 14:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html

It fixes a few security issues and a few bugs.

Mageia 3 is also affected.

The update has been committed in SVN and a freeze push has been requested.

Fedora has issued an advisory for this on November 23:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-02 17:22:11 CET

Whiteboard: (none) => MGA3TOO

David Walser 2013-12-02 19:36:18 CET

URL: (none) => http://lwn.net/Vulnerabilities/575400/

Comment 1 David Walser 2013-12-03 23:48:53 CET 
Updated packages uploaded for Mageia 3 and Cauldron.

Assigning to QA now.  Does anyone know if the extra CVEs for the extensions mentioned in the upstream advisory are relevant?  Are they part of the core mediawiki package?  Due to this question, advisory to come later.

----------------------------------------
Updated packages in core/updates_testing:
----------------------------------------
mediawiki-1.20.8-1.mga3
mediawiki-mysql-1.20.8-1.mga3
mediawiki-pgsql-1.20.8-1.mga3
mediawiki-sqlite-1.20.8-1.mga3

from mediawiki-1.20.8-1.mga3.src.rpm

Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 2 Dave Hodgins 2013-12-04 12:39:27 CET 
The poc from https://bugzilla.wikimedia.org/show_bug.cgi?id=55332#c0
is not working here, so will just be testing that the updated version works.

CC: (none) => davidwhodgins

Comment 3 Dave Hodgins 2013-12-04 12:58:50 CET 
Created attachment 4574 [details]
image of page created with the prior version of mediawiki
Comment 4 Dave Hodgins 2013-12-04 13:04:13 CET 
Created attachment 4575 [details]
Image of page created with the updates testing version of mediawiki

Both pages were created by pasting in
<p style="font-size: 100px; background-image:
url\b(https://www.google.com/images/srpr/logo6w.png)">A</p>
taken from https://bugzilla.wikimedia.org/show_bug.cgi?id=55332#c0

As shown, with a page created with the updates testing version, the
font-size is now being ignored. Is this intended?

Note that both images are being displayed with the updates testing version.

Identical results on both i586 and x86_64.
Dave Hodgins 2013-12-04 13:04:32 CET

Whiteboard: (none) => feedback

Comment 5 Dave Hodgins 2013-12-04 13:08:14 CET 
Ignore comment 4. If I just put in
<p style="font-size: 100px;">A</p>
the font size is respected.

Whiteboard: feedback => MGA3-64-OK MGA3-32-OK

Comment 6 claire robinson 2013-12-11 15:43:33 CET 
Just need an advisory for this one please David
Comment 7 David Walser 2013-12-11 16:51:56 CET 
Looking at the file list in the package, I don't believe those extensions are part of the package.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Kevin Israel (Wikipedia user PleaseStand) identified and reported two
vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist
(CVE-2013-4567, CVE-2013-4568).

Internal review while debugging a site issue discovered that MediaWiki
and the CentralNotice extension were incorrectly setting cache headers when
a user was autocreated, causing the user's session cookies to be cached,
and returned to other users (CVE-2013-4572).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4572
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.20.8-1.mga3
mediawiki-mysql-1.20.8-1.mga3
mediawiki-pgsql-1.20.8-1.mga3
mediawiki-sqlite-1.20.8-1.mga3

from mediawiki-1.20.8-1.mga3.src.rpm
Comment 8 claire robinson 2013-12-11 17:03:17 CET 
Thanks David. Advisory uploaded.

Validating

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA3-64-OK MGA3-32-OK => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 9 Thomas Backlund 2013-12-12 23:25:44 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0368.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED