Bug 1815173 (CVE-2020-10534)

Summary: CVE-2020-10534 mediawiki: IP range evaluation issue allows blocked users regain escalated privileges
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aos-bugs, Axel.Thimm, bmontgom, eparis, jburrell, jokerman, mike, nstielau, puiterwijk, shurley, sponnaga
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-02 10:31:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1815174    
Bug Blocks: 1815175    

Description Guilherme de Almeida Suckevicz 2020-03-19 17:19:24 UTC 
In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is locally disabled.

Reference:
https://phabricator.wikimedia.org/T229731

Upstream commit:
https://gerrit.wikimedia.org/r/#/q/I9cc5fb2c08c78bbd797a5fc6d89f4577c8cc118b
Comment 1 Guilherme de Almeida Suckevicz 2020-03-19 17:20:21 UTC 
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1815174]
Comment 2 Michael Cronenworth 2020-03-20 17:40:01 UTC 
This issue is for the *extension* GlobalBlocking. It is not shipped as a bundled extension and the patch is *not* in the core of mediawiki. This bug should not have been opened.
Comment 3 Mark Cooper 2020-04-02 06:00:56 UTC 
Agreed, seems strange. 

Setting OpenShift 3 and 4 to not affected. 

Whilst MediaWiki does include extensions by default GlobalBlocking is not one of them. Not even sure the status of the extension given that it's been in beta for several years: 
    - https://www.mediawiki.org/wiki/Extension:GlobalBlocking
    - https://www.mediawiki.org/wiki/Extension_talk:GlobalBlocking

Confirmed the following OpenShift images don't include GlobalBlocking. 
     - openshift3/mediawiki
     - openshift4/mediawiki
Comment 4 Product Security DevOps Team 2020-04-02 10:31:57 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10534