Bug 1071135 (CVE-2014-2242)
| Summary: | CVE-2014-2242 mediawiki: cross-site scripting flaw when handling SVG images | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | extras-orphan, gwync, ian, jrusnack, mike, orion, puiterwijk, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mediawiki 1.22.3, mediawiki 1.21.6, mediawiki 1.19.12 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-04-28 16:31:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1071142, 1071143, 1071157, 1091963 | ||
| Bug Blocks: | |||
|
Description
Murray McAllister
2014-02-28 06:53:55 UTC
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 1071142] Created mediawiki119 tracking bugs for this issue: Affects: epel-6 [bug 1071143] Created mediawiki tracking bugs for this issue: Affects: epel-5 [bug 1071157] MITRE assigned CVE-2014-2242 to this issue: http://www.openwall.com/lists/oss-security/2014/03/01/2 "" Use CVE-2014-2242. The root cause is, roughly, "does not block unsafe namespaces such as a W3C XHTML namespace." This qualifies for a CVE because there is known client software that uses this namespace in a way that results in XSS. MediaWiki is obviously free to make an announcement of a security fix for this type of issue, independent of the question of who is at fault for the underlying problem. > Also disallow iframe elements. There is no CVE assignment for this change because there is no known client software that uses any of the $validNamespaces namespaces in a way that results in XSS. A third party who "owns" one of these namespaces, or anyone else, could modify its role tomorrow and (for example) release a browser extension that's vulnerable to this IFRAME XSS attack when the namespace is used. However, defending against that is essentially the same as defending against any other attack requiring not-known-to-exist client software. It can only be interpreted as security hardening. For example, MediaWiki conceivably could validate uploaded .jpg files by looking for photos of the word "IFRAME" because, well, you can't be too careful. "" mediawiki-1.21.6-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. mediawiki-1.21.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. mediawiki119-1.19.13-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. Created mediawiki119 tracking bugs for this issue: Affects: epel-5 [bug 1091963] (In reply to Murray McAllister from comment #9) > Created mediawiki119 tracking bugs for this issue: > > Affects: epel-5 [bug 1091963] For all the mediawiki bugs I have filed, I have missed there is a "epel-5/mediawiki119" package. Should it just be bumped to the latest version to cover everything? mediawiki119-1.19.15-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. |