Bug 30231

Summary: mediawiki new security issues fixed upstream in 1.35.6
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: mediawiki-1.35.5-1.mga8.src.rpm CVE:
Status comment:
Bug Depends on: 30283    
Bug Blocks:    

Description David Walser 2022-04-01 00:51:11 CEST 
Upstream has announced version 1.35.6 today (March 31):
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/

It fixes several security issues.

Updated packages uploaded for Mageia 8 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Title::newMainPage() goes into an infinite recursion loop if it points to a
local interwiki (CVE-2022-28201).

Messages widthheight/widthheightpage/nbytes not escaped when used in galleries
or Special:RevisionDelete (CVE-2022-28202).

Requesting Special:NewFiles on a wiki with many file uploads with actor as a
condition can result in a DoS (CVE-2022-28203).

Special:WhatLinksHere can result in a DoS when a page is used on a extremely
large number of other pages (CVE-2022-28204).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28202
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28203
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28204
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.35.6-1.mga8
mediawiki-mysql-1.35.6-1.mga8
mediawiki-pgsql-1.35.6-1.mga8
mediawiki-sqlite-1.35.6-1.mga8

from mediawiki-1.35.6-1.mga8.src.rpm
Comment 1 David Walser 2022-04-01 00:51:31 CEST 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Keywords: (none) => has_procedure

Comment 2 Herman Viaene 2022-04-04 14:58:21 CEST 
MGA8-64 Plasma on Lenovo B50 in Dutch.
First had to clean up the mess of php-8.0.1 backport packages, made sure the backport repos are disabled, and then found out I had to use urpmi at the CLI to install the mediawiki packages, because MCC would draw in the php-8.0.1 again.
Now continuing testing mediawiki.

CC: (none) => herman.viaene

Comment 3 Herman Viaene 2022-04-04 15:29:01 CEST 
Hmmmmm, followed the wiki, created the database in mysql and then on to http://localhost/mediawiki/ and get error 404.
Looked at the installation command and found after successfull installation:
"A copy of your installation's LocalSettings.php must exist and be readable in the source directory."
Supposing this installation's LocalSettings.php meaans the one in /usr/share/mediawiki/, but there is no such file, just a link LocalSettings.php -> ../../../etc/mediawiki/LocalSettings.php, but this directory is empty, so the error is correct, but it blocks following the wiki.
Comment 4 David Walser 2022-04-04 16:00:32 CEST 
IIRC there's supposed to be some installer thing that runs the first time you connect to it that lets you download LocalSettings.php, and then you have to upload it to the server.
Comment 5 Herman Viaene 2022-04-04 16:19:05 CEST 
And it is precisely on trying to run "some installer thing" that the error occurs.
Comment 6 David Walser 2022-04-04 16:22:01 CEST 
I guess make sure it isn't trying to use an old database.
Comment 7 Herman Viaene 2022-04-04 16:24:37 CEST 
No, I deleted the old files and the old database in mysql. I'll give it another try tomorrow.
Comment 8 Herman Viaene 2022-04-05 16:27:49 CEST 
Reinstalled this testsetup completeley from scratch, brought it up to the latest official updates, installed phpmyadmin and the mediawiki updates and get to the same problem as in Comment 3.
Comment 9 Thomas Andrews 2022-04-16 20:33:03 CEST 
Don't know a thing about this, or databases in general, but I tried anyway, except that I attempted to use postgresql. This was in a Vbox Plasma guest, with no old databases that I know anything about.

As I misunderstand it, the wiki instructs the tester to create the test wiki before installing the updates. I did this, getting just as far as Herman did, and coming up with the same problem.

CC: (none) => andrewsfarm

Comment 10 Dave Hodgins 2022-04-17 20:49:54 CEST 
Starting in a vb install with postgresql-jdbc already installed as it's required
for libreoffice-base.

Installed postgresql13-server and apache, and their required packages accepting
the default selections.
# systemctl start postgresql.service
Created the postgresql user as per https://wiki.mageia.org/en/QA_procedure:Mediawiki
Installed mediawiki selecting mediawiki-pgsql and their required packages.
Edited /etc/php.d/05_date.ini to reflect my timezone.
# systemctl start httpd.service

Used http://localhost/mediawiki/ in firefox to create a wiki.
Saved the settings and copied them as root ...
# cp /home/dave/Downloads/LocalSettings.php /etc/mediawiki/

Installed the update, restarted httpd.service, and reloaded
http://localhost/mediawiki/ in firefox.

No regressions noticed.

I chose to install the postgresql update at the same time, to simplify testing
needed for both, so tying the two updates together.

Both updates validated.

Whiteboard: (none) => MGA8-64-OK
Depends on: (none) => 30283
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-04-17 20:55:04 CEST

Keywords: (none) => advisory

Comment 11 Mageia Robot 2022-04-18 09:43:12 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0145.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED