Bug 1175828 (CVE-2014-9475, CVE-2014-9476, CVE-2014-9477, CVE-2014-9478, CVE-2014-9479, CVE-2014-9480, CVE-2014-9481, CVE-2014-9487)

Summary: CVE-2014-9475 CVE-2014-9476 CVE-2014-9477 CVE-2014-9478 CVE-2014-9479 CVE-2014-9480 CVE-2014-9481 CVE-2014-9487 mediawiki: multiple vulnerabilities
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carnil, ian, jrusnack, mike, puiterwijk
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: mediawiki 1.24.1, mediawiki 1.23.8, mediawiki 1.22.15, mediawiki 1.19.23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-27 20:53:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1175829, 1175830
Bug Blocks:

Description Vasyl Kaigorodov 2014-12-18 16:52:27 UTC
Upstream changelog mentions a whole bunch of vulnerabilities fixed in the latest releases:
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
  which could lead to xss. Permission to edit MediaWiki namespace is required
  to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
  $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
  part of its name.

== Security fixes in extensions ==
* (bug T77624) [SECURITY] Extension:Listings: missing validation in the 
  'name' and 'url' parameters.
* (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input
  as wikitext and shows a preview, yet it fails to add an edit token to
  the form and check it. This can be exploited as an XSS when 
  $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
* (bug T76195) [SECURITY] Extension:TemplateSandbox: 
  Special:TemplateSandbox needs edit token when raw HTML is allowed
* (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
* (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin 
  leakage of data from a wiki through timing
* (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 
  library for CVE-2014-2053.
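Added worked example (not part of this bug report and not MediaWiki's code), illustrating the origin-check bug class behind the $wgCrossSiteAJAXdomains item above: an allow-list entry tested as a substring of the Origin header, beside an anchored comparison of the parsed host name. The allow-list, the single-label wildcard semantics, the probe origins and the function names are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list in the style of $wgCrossSiteAJAXdomains. Assumption made
# for this example: entries are bare host names and '*' stands for exactly one
# DNS label. This is not MediaWiki's implementation.
ALLOWED_DOMAINS = ["wiki.example.org", "*.example.org"]


def origin_allowed_substring(origin, allowed=ALLOWED_DOMAINS):
    """Flawed check: an entry only has to appear somewhere in the Origin header.

    Any attacker host that embeds an allowed name (as a parent of its own
    subdomain, in the query string, in userinfo) satisfies it. This models the
    bug class described in the changelog, not MediaWiki's exact code.
    """
    for entry in allowed:
        needle = entry.lstrip("*.")  # "*.example.org" -> "example.org"
        if needle in origin:
            return True
    return False


def _entry_regex(entry):
    """Compile one allow-list entry into an anchored regex over the host name."""
    labels = [r"[a-z0-9-]+" if label == "*" else re.escape(label)
              for label in entry.lower().split(".")]
    return re.compile(r"\A" + r"\.".join(labels) + r"\Z")


def origin_allowed_strict(origin, allowed=ALLOWED_DOMAINS):
    """Hardened check: parse the Origin and compare the whole host name."""
    parts = urlsplit(origin)
    # A browser Origin is <scheme>://<host>[:<port>] and nothing else.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    host = parts.hostname  # already lower-cased; port and userinfo stripped
    return any(_entry_regex(entry).match(host) for entry in allowed)


def cors_headers(origin, allowed=ALLOWED_DOMAINS):
    """Headers a JSON API would add: echo the Origin only when it is allowed."""
    if not origin_allowed_strict(origin, allowed):
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed probe origins: two genuine hosts and three bypass attempts.
    probes = [
        "https://wiki.example.org",
        "https://docs.example.org",
        "https://wiki.example.org.attacker.test",
        "https://attacker.test/?u=wiki.example.org",
        "https://wiki.example.org@attacker.test",
    ]
    for o in probes:
        print(f"{o:45} substring={origin_allowed_substring(o)!s:5} "
              f"strict={origin_allowed_strict(o)}")
```

Running it prints both verdicts for each probe: the substring form accepts wiki.example.org.attacker.test, attacker.test/?u=wiki.example.org and wiki.example.org@attacker.test, the strict form only the two genuine hosts. When an allowed Origin is echoed back in Access-Control-Allow-Origin, the Vary: Origin header keeps a shared cache from serving one origin's response to another.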

Comment 1 Vasyl Kaigorodov 2014-12-18 16:52:49 UTC
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1175829]

Comment 2 Vasyl Kaigorodov 2014-12-18 16:52:51 UTC
Created mediawiki119 tracking bugs for this issue:

Affects: epel-all [bug 1175830]

Comment 3 Fedora Update System 2014-12-29 10:00:10 UTC
mediawiki-1.24.1-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2014-12-29 10:04:28 UTC
mediawiki-1.23.8-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-12-29 10:05:09 UTC
mediawiki-1.23.8-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Martin Prpič 2015-01-06 09:16:02 UTC
MITRE assigned the following CVEs to these issues (http://seclists.org/oss-sec/2015/q1/19):

> * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
>   which could lead to xss. Permission to edit MediaWiki namespace is required
>   to exploit this.

CVE-2014-9475

> * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
>   $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain
>   as part of its name.

CVE-2014-9476

> 
> == Security fixes in extensions ==
> * (bug T77624) [SECURITY] Extension:Listings: missing validation in the 
>   'name' and 'url' parameters.

CVE-2014-9477

> * (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input
>   as wikitext and shows a preview, yet it fails to add an edit token to
>   the form and check it. This can be exploited as an XSS when 
>   $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.

CVE-2014-9478

> * (bug T76195) [SECURITY] Extension:TemplateSandbox: 
>   Special:TemplateSandbox needs edit token when raw HTML is allowed

CVE-2014-9479

> * (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.

CVE-2014-9480

> * (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin 
>   leakage of data from a wiki through timing

CVE-2014-9481

> * (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 
>   library for CVE-2014-2053.

CVE-2014-9487
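Added worked example (not part of this bug report and not code from MediaWiki or the ExpandTemplates/TemplateSandbox extensions), showing the CSRF-to-XSS chain behind CVE-2014-9478 and CVE-2014-9479 and the session-bound edit-token check that closes it. The token layout, the toy preview renderer, the form field names and the session secrets are assumptions constructed for the example; the pre-fix behaviour is modelled by calling the handler with require_token=False.

```python
import hashlib
import hmac
import html
import secrets

# Assumptions for this example: tokens have the shape <hex mac><salt>+\ ,
# loosely mirroring the layout of MediaWiki edit tokens; the field names
# wpInput and wpEditToken mirror MediaWiki form conventions. None of this is
# MediaWiki's or the extensions' own code.
TOKEN_SUFFIX = "+\\"
MAC_HEX_LEN = 64  # hex length of a SHA-256 HMAC


def issue_edit_token(session_secret, salt=None):
    """Mint a token bound to the caller's session; the form embeds it as a hidden field."""
    salt = salt if salt is not None else secrets.token_hex(8)
    mac = hmac.new(session_secret, salt.encode(), hashlib.sha256).hexdigest()
    return mac + salt + TOKEN_SUFFIX


def verify_edit_token(session_secret, token):
    """Recompute the MAC over the embedded salt and compare in constant time."""
    if not token.endswith(TOKEN_SUFFIX):
        return False
    body = token[: -len(TOKEN_SUFFIX)]
    if len(body) <= MAC_HEX_LEN:
        return False
    mac, salt = body[:MAC_HEX_LEN], body[MAC_HEX_LEN:]
    expected = hmac.new(session_secret, salt.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def render_preview(wikitext, raw_html_allowed):
    """Toy stand-in for the wikitext preview: with raw HTML enabled ($wgRawHtml
    = true in MediaWiki terms) an <html>...</html> block is emitted verbatim,
    which is the XSS sink; otherwise everything is escaped."""
    if raw_html_allowed and wikitext.startswith("<html>") and wikitext.endswith("</html>"):
        return wikitext[len("<html>"):-len("</html>")]
    return html.escape(wikitext)


def handle_preview(session_secret, form, raw_html_allowed, require_token):
    """POST handler for the preview form. require_token=False is the pre-fix behaviour:
    a cross-site POST from an attacker page is rendered in the victim's browser."""
    if require_token and not verify_edit_token(session_secret, form.get("wpEditToken", "")):
        return 403, "session failure: missing or invalid edit token"
    return 200, render_preview(form.get("wpInput", ""), raw_html_allowed)


# Constructed scenario: a logged-in victim visits an attacker page that
# auto-submits this form to the wiki. The browser attaches the victim's
# session cookie, but the attacker cannot read the victim's edit token.
VICTIM_SECRET = b"victim-session-secret"
ATTACKER_SECRET = b"attacker-session-secret"
FORGED_FORM = {"wpInput": "<html><script>alert(document.cookie)</script></html>"}


def demo():
    """Return (pre-fix, fixed/no token, fixed/attacker's token, fixed/victim's token)."""
    pre_fix = handle_preview(VICTIM_SECRET, FORGED_FORM, True, False)
    no_token = handle_preview(VICTIM_SECRET, FORGED_FORM, True, True)
    foreign = handle_preview(
        VICTIM_SECRET, dict(FORGED_FORM, wpEditToken=issue_edit_token(ATTACKER_SECRET)), True, True)
    own = handle_preview(
        VICTIM_SECRET, dict(FORGED_FORM, wpEditToken=issue_edit_token(VICTIM_SECRET)), True, True)
    return pre_fix, no_token, foreign, own


if __name__ == "__main__":
    for label, result in zip(("pre-fix", "no token", "attacker token", "own token"), demo()):
        print(f"{label:15} -> {result}")
```

With require_token=False the forged POST yields a 200 whose body is the bare script element, executed in the victim's origin; with the check in place, both a missing token and a token minted for the attacker's own session are rejected, while a user previewing their own input keeps working. The token only needs to be unforgeable by another origin, so binding it to the session secret and checking it with hmac.compare_digest is what matters; raw HTML being allowed is what turns the missing check from a nuisance into XSS.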

Comment 7 Patrick Uiterwijk 2015-05-27 20:53:39 UTC
This update was already pushed before this ticket was filed, closing.