Bug 14182 - mediawiki new security issues fixed upstream in 1.23.5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/613456/
Whiteboard: MGA3TOO has_procedure advisory MGA4-3...
Keywords: validated_update
Duplicates: 14212
Depends on:
Blocks:
 
Reported: 2014-09-26 21:51 CEST by David Walser
Modified: 2014-10-07 11:23 CEST

See Also:
Source RPM: mediawiki-1.23.3-1.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-09-26 21:51:06 CEST
Upstream has announced version 1.23.4 on September 24:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html

A CVE has been requested:
http://openwall.com/lists/oss-security/2014/09/26/12

Once that message receives a response I'll post an actual advisory.  For now, see the upstream release announcement.

I've checked it into SVN for Mageia 3, Mageia 4, and Cauldron, and sent a freeze push request.

Comment 1 David Walser 2014-09-26 21:52:03 CEST
Debian has issued an advisory for this today (September 26):
https://www.debian.org/security/2014/dsa-3036

URL: (none) => http://lwn.net/Vulnerabilities/613456/
Whiteboard: (none) => MGA3TOO

Comment 2 David Walser 2014-09-30 03:07:33 CEST
This has been assigned CVE-2014-7199:
http://openwall.com/lists/oss-security/2014/09/27/2

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to
JavaScript injection via CSS in uploaded SVG files (CVE-2014-7199).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
https://www.debian.org/security/2014/dsa-3036
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.23.4-1.mga3
mediawiki-mysql-1.23.4-1.mga3
mediawiki-pgsql-1.23.4-1.mga3
mediawiki-sqlite-1.23.4-1.mga3
mediawiki-1.23.4-1.mga4
mediawiki-mysql-1.23.4-1.mga4
mediawiki-pgsql-1.23.4-1.mga4
mediawiki-sqlite-1.23.4-1.mga4

from SRPMS:
mediawiki-1.23.4-1.mga3.src.rpm
mediawiki-1.23.4-1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 Rémi Verschelde 2014-09-30 13:57:09 CEST
Procedure: https://wiki.mageia.org/en/QA_procedure:Mediawiki

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 4 olivier charles 2014-09-30 19:06:09 CEST
Testing in Mageia4-64 H/W

Followed procedure as in Comment 3

- tested mediawiki with mediawiki-1.23.3 first

In procedure, I just had to replace:
# service httpd start
by
# systemctl enable httpd.service
# systemctl start httpd.service

and did the same with mysqld.service

I set up a new wiki, made some changes and created two pages.

All went well


Then I installed testing update : mediawiki-1.23.4-1.mga4 from MCC

Deleted the previous wiki
- to delete the wiki database, I had to give my MariaDB password
(# mysql -uroot -pxxxxx)

and reproduced the wiki set up, modifying and adding two new pages.

All went well with updated package.

CC: (none) => olchal

olivier charles 2014-09-30 21:51:37 CEST

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Comment 5 David Walser 2014-09-30 21:57:15 CEST
Working fine on our production wiki at work (Mageia 4 i586).

Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK

Comment 6 William Murphy 2014-09-30 23:10:46 CEST
Testing on Mageia3 (and Mageia4) 32 & 64 bit using mysql, postgresql and sqlite backends.

Updated and tested using each backend without problems for both archs.
After testing updated MediaWiki, removed databases and tested web installs.

Verifying security fix for MediaWiki bug 69008
  https://bugzilla.wikimedia.org/show_bug.cgi?id=69008

Added svg to $wgFileExtensions and tried to upload the svg image listed in the bug:
  http://upload.wikimedia.org/wikipedia/test/e/e3/Webplatform.svg

Before the update this image never fully loads, but other svg images, not referring to external urls, load fine.

After the update the upload for the above image is refused with a warning:
  "This file contains HTML or script code that may be 
   erroneously interpreted by a web browser."


------------------------------------------
Update validated.
Thanks.

Advisory:
Enhance CSS filtering of third-party content in SVG files. Possible CVEs pending.

SRPMS: 
mediawiki-1.23.4-1.mga3.src.rpm
mediawiki-1.23.4-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------

CC: (none) => sysadmin-bugs, warrendiogenese
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK
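
The behaviour verified in Comment 6 (an SVG whose CSS refers to external URLs is refused at upload, while other SVGs are accepted) can be expressed as a pre-upload check. This is an added example, not MediaWiki's or Mageia's code; the policy, the function names and the two sample SVGs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted uploads a hardened parser such as defusedxml is preferable

# Assumed policy (not MediaWiki's actual rule set): CSS inside an SVG may only
# reference same-document fragments, url(#id), or inline data:image/ URIs.
EXTERNAL_URL = re.compile(r"url\(\s*['\"]?\s*(?!#|data:image/)([^)'\"\s]+)", re.I)
RISKY = re.compile(r"@import|expression\s*\(|javascript:|-moz-binding|behavior\s*:", re.I)
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize_css(css):
    """Decode hex escapes and drop comments so disguised keywords still match the patterns."""
    css = CSS_ESCAPE.sub(lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), css)
    return CSS_COMMENT.sub("", css)

def css_findings(css):
    """Return (kind, detail) tuples for every third-party reference in one CSS string."""
    css = normalize_css(css)
    found = [("external-url", m.group(1)) for m in EXTERNAL_URL.finditer(css)]
    found += [("risky-construct", m.group(0).lower()) for m in RISKY.finditer(css)]
    return found

def scan_svg(svg_text):
    """Check every <style> element and style="" attribute of an SVG document."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        if el.tag.rsplit("}", 1)[-1].lower() == "style":
            findings += css_findings("".join(el.itertext()))
        if "style" in el.attrib:
            findings += css_findings(el.attrib["style"])
    return findings

# Constructed samples: the first only uses an internal gradient reference,
# the second pulls CSS and an image from another host (example.invalid).
SAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
<defs><linearGradient id="g"/></defs>
<style>rect { fill: url(#g); }</style>
<rect width="10" height="10" style="stroke: #000"/></svg>"""

EXTERNAL_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
<style>@import url(http://example.invalid/theme.css);</style>
<rect width="10" height="10" style="fill: url('//example.invalid/p.png')"/></svg>"""

if __name__ == "__main__":
    for name, svg in (("safe", SAFE_SVG), ("external", EXTERNAL_SVG)):
        hits = scan_svg(svg)
        print(name, "REFUSE" if hits else "accept", hits)
```

A file with any finding would be refused, matching the upload warning quoted in Comment 6.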

Comment 7 David Walser 2014-09-30 23:53:19 CEST
Note the actual advisory is in Comment 2, and still needs to be uploaded to SVN.
David Walser 2014-10-02 14:35:41 CEST

Blocks: (none) => 14212

Comment 8 David Walser 2014-10-02 14:43:09 CEST
Upstream has announced version 1.23.5 on October 1:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html

CVE request:
http://www.openwall.com/lists/oss-security/2014/10/02/29

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

The new issue fixed in 1.23.5 is another XSS through CSS issue just like the issue fixed in 1.23.4.

Please note this is a *preliminary* advisory, pending the CVE request (we'll replace the XXXX with the real CVE identifier once it's available).

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to
JavaScript injection via CSS in uploaded SVG files (CVE-2014-7199).

MediaWiki before 1.23.5 is vulnerable to cross-site scripting due to
JavaScript injection via user-specified CSS in certain special pages
(CVE-2014-XXXX).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-XXXX
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html
https://www.debian.org/security/2014/dsa-3036
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.23.5-1.mga3
mediawiki-mysql-1.23.5-1.mga3
mediawiki-pgsql-1.23.5-1.mga3
mediawiki-sqlite-1.23.5-1.mga3
mediawiki-1.23.5-1.mga4
mediawiki-mysql-1.23.5-1.mga4
mediawiki-pgsql-1.23.5-1.mga4
mediawiki-sqlite-1.23.5-1.mga4

from SRPMS:
mediawiki-1.23.5-1.mga3.src.rpm
mediawiki-1.23.5-1.mga4.src.rpm

Keywords: validated_update => (none)
Blocks: 14212 => (none)
Summary: mediawiki new security issue fixed upstream in 1.23.4 => mediawiki new security issues fixed upstream in 1.23.5
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK => MGA3TOO has_procedure

Comment 9 David Walser 2014-10-02 14:43:41 CEST
*** Bug 14212 has been marked as a duplicate of this bug. ***
Comment 10 David Walser 2014-10-02 17:45:43 CEST
Working fine on our production wiki at work (Mageia 4 i586).

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK

Comment 11 David Walser 2014-10-02 19:14:54 CEST
CVE-2014-7295 has been assigned:
http://openwall.com/lists/oss-security/2014/10/02/36

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to
JavaScript injection via CSS in uploaded SVG files (CVE-2014-7199).

MediaWiki before 1.23.5 is vulnerable to cross-site scripting due to
JavaScript injection via user-specified CSS in certain special pages
(CVE-2014-7295).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7295
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html
https://www.debian.org/security/2014/dsa-3036
http://openwall.com/lists/oss-security/2014/10/02/36
Comment 12 olivier charles 2014-10-02 20:53:52 CEST
Testing on Mageia4-64 real H/W

mediawiki                      1.23.5       1.mga4        noarch  
mediawiki-pgsql                1.23.5       1.mga4        noarch  

Using procedure found in Comment 3.

Everything works as expected.

Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK

Comment 13 William Murphy 2014-10-03 07:01:42 CEST
Testing on Mageia3 (and Mageia4) 32 & 64 bit using mysql, postgresql and sqlite backends... again.

Updated and tested using each backend without problems for both archs.
After testing updated MediaWiki, removed databases and tested web installs.

No PoC available, so only tried creating new pages and uploading images with no problems.

Small note on the sqlite install: 
The mediawiki-sqlite package creates a directory for its database, /var/lib/mediawiki, which is owned by apache, but the default given by the web installer is /var/www/data, which normally doesn't exist. I've been setting it to /var/lib/mediawiki, but the average user might not know to do this.

We could patch the getGlobalDefaults function in /usr/share/mediawiki/includes/installer/SqliteInstaller.php so it points to /var/lib/mediawiki, change the mediawiki-sqlite spec file so it uses /var/www/data or just leave it like it is. 

Sorry for not mentioning this versions ago.

------------------------------------------
Update validated.
Thanks.

Advisory:
See comment 8 above.

SRPMS: 
mediawiki-1.23.5-1.mga3.src.rpm
mediawiki-1.23.5-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------
Comment 14 William Murphy 2014-10-03 07:05:33 CEST
Forgot to update whiteboard and add validated_update keyword.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK

Comment 15 claire robinson 2014-10-03 14:07:09 CEST
I would say patch it William.
Comment 16 claire robinson 2014-10-06 18:56:31 CEST
Advisory from comment 11 uploaded.

Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK

Comment 17 David Walser 2014-10-06 19:16:09 CEST
Debian has issued an advisory for this on October 5:
https://www.debian.org/security/2014/dsa-3046

LWN references for the CVEs:
http://lwn.net/Vulnerabilities/615070/
http://lwn.net/Vulnerabilities/615069/

Updating the advisory with the DSA.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to
JavaScript injection via CSS in uploaded SVG files (CVE-2014-7199).

MediaWiki before 1.23.5 is vulnerable to cross-site scripting due to
JavaScript injection via user-specified CSS in certain special pages
(CVE-2014-7295).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7295
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html
https://www.debian.org/security/2014/dsa-3036
https://www.debian.org/security/2014/dsa-3046
Comment 18 claire robinson 2014-10-06 19:25:22 CEST
Advisory updated on svn.
Comment 19 Mageia Robot 2014-10-07 11:23:38 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0400.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

