Bug 13477

Summary: mediawiki new security issue fixed upstream in 1.22.7
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs, tmb, warrendiogenese
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/601574/
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory
Source RPM: mediawiki-1.22.6-1.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2014-06-03 15:53:52 CEST
Upstream has announced MediaWiki 1.22.7 on May 27:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html

It fixes one security issue.  A CVE has been requested for this:
http://openwall.com/lists/oss-security/2014/06/03/7

I'll update the advisory when a CVE is issued.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

XSS vulnerability in MediaWiki before 1.22.7, due to usernames on
Special:PasswordReset being parsed as wikitext.  The username on
Special:PasswordReset can be supplied by anyone and will be parsed with
wgRawHtml enabled.  Since Special:PasswordReset is whitelisted by default on
private wikis, this could potentially lead to an XSS crossing a privilege
boundary.

References:
https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.22.7-1.mga3
mediawiki-mysql-1.22.7-1.mga3
mediawiki-pgsql-1.22.7-1.mga3
mediawiki-sqlite-1.22.7-1.mga3
mediawiki-1.22.7-1.mga4
mediawiki-mysql-1.22.7-1.mga4
mediawiki-pgsql-1.22.7-1.mga4
mediawiki-sqlite-1.22.7-1.mga4

from SRPMS:
mediawiki-1.22.7-1.mga3.src.rpm
mediawiki-1.22.7-1.mga4.src.rpm

David Walser 2014-06-03 15:53:58 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-06-03 17:04:59 CEST
Running fine on our production wiki at work (Mageia 4 i586).

Comment 2 David Walser 2014-06-04 17:23:59 CEST
CVE-2014-3966 assigned:
http://openwall.com/lists/oss-security/2014/06/04/15

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

XSS vulnerability in MediaWiki before 1.22.7, due to usernames on
Special:PasswordReset being parsed as wikitext.  The username on
Special:PasswordReset can be supplied by anyone and will be parsed with
wgRawHtml enabled.  Since Special:PasswordReset is whitelisted by default on
private wikis, this could potentially lead to an XSS crossing a privilege
boundary (CVE-2014-3966).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3966
https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html
http://openwall.com/lists/oss-security/2014/06/04/15

Comment 3 William Murphy 2014-06-06 02:01:30 CEST
Updated to mediawiki 1.22.7 on Mageia 3 i586, Mageia 3 x86_64, Mageia 4 i586 and Mageia 4 x86_64.

Before updating, followed these steps:
  * added '$wgRawHtml = 1;' to LocalSettings.php
  * loaded the Special:PasswordReset page as an anonymous user.
  * Entered into the Username field:
    <html><script>alert('gotcha');</script></html>
  * Clicked on 'Email new password'.

The JavaScript was executed when the error message was displayed, since it tries to include the username, and the alert popped up for each release.

After updating to 1.22.7 on each, no more alerts and the HTML is safely displayed as the user name in the error message.

Normal functions like file uploads, edit/add pages still work as they should.

------------------------------------------
Update validated.
Thanks.

Advisory:

CVE-2014-3966: See Comment 2.
SRPM: mediawiki-1.22.6-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
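
The flaw described in the advisory and reproduced in Comment 3, as an added example that is not part of this bug report and is not MediaWiki code: a toy wikitext parser (an assumption standing in for the real one) shows why interpolating the username before parsing lets an `<html>` block through when raw HTML is enabled, and one way to keep the value out of the parser. The message text, marker and function names are hypothetical.

```python
import html
import re

# Toy stand-in for a wikitext parser (assumption, not MediaWiki code):
# with raw HTML enabled, <html>...</html> blocks are emitted verbatim;
# all other text is HTML-escaped.
RAW_BLOCK = re.compile(r"<html>(.*?)</html>", re.S | re.I)

def parse_wikitext(text, raw_html_enabled):
    if not raw_html_enabled:
        return html.escape(text)
    out, pos = [], 0
    for m in RAW_BLOCK.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        out.append(m.group(1))  # raw passthrough: the dangerous sink
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

TEMPLATE = "No user named {user} exists."  # constructed message text
MARKER = "\x00USER\x00"                    # placeholder the parser leaves alone

def error_vulnerable(username, raw_html_enabled):
    # Untrusted value is interpolated first, then parsed as wikitext.
    return parse_wikitext(TEMPLATE.format(user=username), raw_html_enabled)

def error_fixed(username, raw_html_enabled):
    # Parse only the trusted template; insert the escaped value afterwards.
    rendered = parse_wikitext(TEMPLATE.format(user=MARKER), raw_html_enabled)
    return rendered.replace(MARKER, html.escape(username))

# Input taken from the QA steps in Comment 3.
PAYLOAD = "<html><script>alert('gotcha');</script></html>"

if __name__ == "__main__":
    for raw in (False, True):
        print("raw_html =", raw)
        print("  interpolate-then-parse:", error_vulnerable(PAYLOAD, raw))
        print("  parse-then-insert:     ", error_fixed(PAYLOAD, raw))
```

Only the interpolate-then-parse path with raw HTML enabled emits a live `<script>` element, which matches the before and after behaviour reported in the QA test.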

Comment 4 Thomas Backlund 2014-06-06 08:29:36 CEST
Advisory added.

Update pushed:
http://advisories.mageia.org/MGASA-2014-0253.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory

David Walser 2014-06-07 15:53:17 CEST

URL: (none) => http://lwn.net/Vulnerabilities/601574/