Bug 10784 - mediawiki new security issue CVE-2013-2114
: mediawiki new security issue CVE-2013-2114
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/553299/
: MGA3-32-OK MGA3-64-OK
: validated_update
:
: 3448
  Show dependency treegraph
 
Reported: 2013-07-17 02:07 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)
3 users (show)

See Also:
Source RPM: mediawiki-1.20.5-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-07-17 02:07:08 CEST
Fedora has issued an advisory on May 30:
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107961.html

The issue is fixed upstream in 1.20.6.

Updated packages uploaded for Mageia 3 and Cauldron.

I have also fixed a couple other issues I found in the package, noted here:
https://bugs.mageia.org/show_bug.cgi?id=3448#c31
https://bugs.mageia.org/show_bug.cgi?id=3448#c34

I added the suhosin setting and changed the access restrictions so that when you install the package, /mediawiki itself should be accessible from a remote host, but the installer should only be accessible from localhost.

I did not move LocalSettings.php or extensions out of /usr/share/mediawiki in the Mageia 3 package.  Since all useful extensions should really be packaged anyway, I decided it wasn't necessary to move extensions.  In the Cauldron package I did move LocalSettings.php to /etc/mediawiki and the "images" file uploads directory to /var/www/mediawiki.  I considered these changes to not be appropriate for the stable release at this time.

I also updated the LdapAuthentication extension package to a version meant for MediaWiki 1.20 (rather than the current one, which is for 1.19).  I'll file a separate bug for that.

Note: the security issue is upstream bug 48306.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki user Marco discovered that security checks for file uploads were
not being run when the file was uploaded in chunks through the API. This
option has been available to users who can upload files since MediaWiki
1.19 (CVE-2013-2114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2114
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-May/000131.html
https://www.mediawiki.org/wiki/Release_notes/1.20#MediaWiki_1.20.6
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.20.6-1.1.mga3
mediawiki-mysql-1.20.6-1.1.mga3
mediawiki-pgsql-1.20.6-1.1.mga3
mediawiki-sqlite-1.20.6-1.1.mga3

from mediawiki-1.20.6-1.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-07-17 02:07:46 CEST
Bug 10785 filed for the mediawiki-ldapauthentication update.
Comment 2 Thomas Backlund 2013-07-18 19:18:12 CEST
This one need to obsolete mediawiki-renameuser to prowide clean upgrades

see: https://bugs.mageia.org/show_bug.cgi?id=10785
and: https://bugs.mageia.org/show_bug.cgi?id=10794
Comment 3 David Walser 2013-07-18 20:30:34 CEST
Thanks Thomas, I saw your note on 10794.  Fixed now.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki user Marco discovered that security checks for file uploads were
not being run when the file was uploaded in chunks through the API. This
option has been available to users who can upload files since MediaWiki
1.19 (CVE-2013-2114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2114
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-May/000131.html
https://www.mediawiki.org/wiki/Release_notes/1.20#MediaWiki_1.20.6
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.20.6-1.2.mga3
mediawiki-mysql-1.20.6-1.2.mga3
mediawiki-pgsql-1.20.6-1.2.mga3
mediawiki-sqlite-1.20.6-1.2.mga3

from mediawiki-1.20.6-1.2.mga3.src.rpm
Comment 4 Dave Hodgins 2013-07-19 04:11:23 CEST
Advisory uploaded, and testing complete on Mageia 3 i586.

I'll test x86_64 shortly.
Comment 5 Dave Hodgins 2013-07-19 04:32:46 CEST
Testing complete on Mageia 3 x86_64.

For both tests, installed and setup mediawiki, created a wiki page, then
installed the update, and created another page.

Could someone from the sysadmin team push 10784.adv to updates.
Comment 6 Nicolas Vigier 2013-07-21 12:01:18 CEST
http://advisories.mageia.org/MGASA-2013-0221.html

Note You need to log in before you can comment on or make changes to this bug.