Bug 27781 - mediawiki new security issues fixed upstream in 1.31.11
Summary: mediawiki new security issues fixed upstream in 1.31.11
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: has_procedure
Depends on:
Blocks:
 
Reported: 2020-12-08 03:30 CET by Zombie Ryushu
Modified: 2021-01-13 12:57 CET (History)
3 users (show)

See Also:
Source RPM: mediawiki-1.31.10-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description Zombie Ryushu 2020-12-08 03:30:52 CET
The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.
Zombie Ryushu 2020-12-08 03:31:09 CET

CVE: (none) => CVE-2020-29003

Comment 1 David Walser 2020-12-08 04:23:35 CET
No fixed version available yet.  Will push when there is.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29003

Version: 7 => Cauldron
Source RPM: mediawiki-1.31.10-1.mga7.src => mediawiki-1.35.0-2.mga8.src.rpm
Summary: [Update Request] mediawiki CVE-2020-29003 => mediawiki new security issue CVE-2020-29003

Comment 2 Aurelien Oudelet 2020-12-08 16:45:00 CET
Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => pkg-bugs
CC: (none) => luigiwalser, tmb

Comment 3 David Walser 2020-12-18 20:10:42 CET
Upstream has announced versions 1.31.11 and 1.31.12 on December 17 and 18 (today):
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000269.html

They fix several security issues (1.31.12 is a regression fix).

Debian has issued an advisory for this today (December 18):
https://www.debian.org/security/2020/dsa-4816

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

In MediaWiki before 1.31.11, the messages userrights-expiry-current and
userrights-expiry-none can contain raw HTML. XSS can happen when a user visits
Special:UserRights but does not have rights to change all userrights, and the
table on the left side has unchangeable groups in it. The right column with
the changeable groups is not affected and is escaped correctly
(CVE-2020-35475).

MediaWiki before 1.31.11 blocks legitimate attempts to hide log entries in
some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main
Page, visits a log entry on Special:Log, and toggles the "Change visibility of
selected log entries" checkbox (or a tags checkbox) next to it, there is a
redirection to the main page's action=historysubmit instead of the desired
behavior in which a revision-deletion form appears (CVE-2020-35477).

MediaWiki before 1.31.11 allows XSS via BlockLogFormatter.php.
Language::translateBlockExpiry itself does not escape in all code paths. For
example, the return of Language::userTimeAndDate is is always unsafe for HTML
in a month value (CVE-2020-35479).

An issue was discovered in MediaWiki before 1.31.11. Missing users (accounts
that don't exist) and hidden users (accounts that have been explicitly hidden
due to being abusive, or similar) that the viewer cannot see are handled
differently, exposing sensitive information about the hidden status to
unprivileged viewers. This exists on various code paths (CVE-2020-35480).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35475
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35480
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000269.html
https://www.debian.org/security/2020/dsa-4816
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.31.12-1.mga7
mediawiki-mysql-1.31.12-1.mga7
mediawiki-pgsql-1.31.12-1.mga7
mediawiki-sqlite-1.31.12-1.mga7

from mediawiki-1.31.12-1.mga7.src.rpm

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-29003 => (none)
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Source RPM: mediawiki-1.35.0-2.mga8.src.rpm => mediawiki-1.31.10-1.mga7.src.rpm
CVE: CVE-2020-29003 => (none)
Summary: mediawiki new security issue CVE-2020-29003 => mediawiki new security issues fixed upstream in 1.31.11

Comment 4 David Walser 2020-12-18 20:11:21 CET
As for CVE-2020-29003, upstream says it's Resolved.  Not sure why it wasn't listed in the release announcement, or if 1.31.x was affected.
Comment 5 David Walser 2020-12-18 20:11:45 CET
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Keywords: (none) => has_procedure

Comment 6 PC LX 2021-01-13 12:57:45 CET
After installing mediawiki and restarting the apache's httpd service, I get the following error messages:

#########################
jan 13 11:28:47 marte systemd[1]: Starting The Apache HTTP Server...
jan 13 11:28:47 marte httpd[29188]: AH00526: Syntax error on line 20 of /etc/httpd/conf/sites.d/mediawiki.conf:
jan 13 11:28:47 marte httpd[29188]: Invalid command 'php_admin_flag', perhaps misspelled or defined by a module not included in the server configuration
jan 13 11:28:47 marte systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
jan 13 11:28:47 marte systemd[1]: httpd.service: Failed with result 'exit-code'.
jan 13 11:28:47 marte systemd[1]: Failed to start The Apache HTTP Server.
#########################

After commenting the "line 20 of /etc/httpd/conf/sites.d/mediawiki.conf" and restarting the httpd service, I get the following error messages:

#########################
jan 13 11:29:35 marte systemd[1]: Starting The Apache HTTP Server...
jan 13 11:29:35 marte httpd[29201]: AH00526: Syntax error on line 33 of /etc/httpd/conf/sites.d/mediawiki.conf:
jan 13 11:29:35 marte httpd[29201]: Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration
jan 13 11:29:35 marte systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
jan 13 11:29:35 marte systemd[1]: httpd.service: Failed with result 'exit-code'.
jan 13 11:29:35 marte systemd[1]: Failed to start The Apache HTTP Server.
#########################

After commenting the "line 33 of /etc/httpd/conf/sites.d/mediawiki.conf" and restarting the httpd service, the httpd server starts without errors.

After a search, it seems php_* are only supported if mod_php is loaded. This system is using php-fpm, hence the errors.

I suggest wrapping those lines in IfModule directives, like the following:

#########################
<IfModule mod_php.c>
      php_admin_flag engine off
</IfModule>
#########################


$ uname -a
Linux marte 5.10.6-desktop-1.mga7 #1 SMP Sat Jan 9 20:09:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep mediawiki | sort
mediawiki-1.31.10-1.mga7
mediawiki-mysql-1.31.10-1.mga7
$ systemctl status httpd.socket httpd.service php-fpm.socket php-fpm.service 
● httpd.socket - httpd server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-01-13 09:18:35 WET; 2h 13min ago
   Listen: [::]:80 (Stream)
           [::]:443 (Stream)
    Tasks: 0 (limit: 4695)
   Memory: 8.0K
   CGroup: /system.slice/httpd.socket

jan 13 09:18:35 marte systemd[1]: Listening on httpd server activation socket.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-01-13 11:29:56 WET; 2min 13s ago
 Main PID: 29212 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
    Tasks: 66 (limit: 4695)
   Memory: 28.4M
   CGroup: /system.slice/httpd.service
           ├─29212 /usr/sbin/httpd -DFOREGROUND
           ├─29214 /usr/sbin/httpd -DFOREGROUND
           └─29215 /usr/sbin/httpd -DFOREGROUND

jan 13 11:29:56 marte systemd[1]: Starting The Apache HTTP Server...
jan 13 11:29:56 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.socket - php-fpm Server Socket
   Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled)
   Active: active (listening) since Wed 2021-01-13 09:18:35 WET; 2h 13min ago
   Listen: /var/lib/php-fpm/php-fpm.sock (Stream)
   CGroup: /system.slice/php-fpm.socket

jan 13 09:18:35 marte systemd[1]: Listening on php-fpm Server Socket.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

CC: (none) => mageia


Note You need to log in before you can comment on or make changes to this bug.