Bug 1071135 - (CVE-2014-2242) CVE-2014-2242 mediawiki: cross-site scripting flaw when handling SVG images
CVE-2014-2242 mediawiki: cross-site scripting flaw when handling SVG images
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20140203,repor...
: Security
Depends On: 1071142 1071143 1071157 1091963
Blocks:
  Show dependency treegraph
 
Reported: 2014-02-28 01:53 EST by Murray McAllister
Modified: 2015-02-04 07:50 EST (History)
8 users (show)

See Also:
Fixed In Version: mediawiki 1.22.3, mediawiki 1.21.6, mediawiki 1.19.12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-04-28 12:31:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Murray McAllister 2014-02-28 01:53:55 EST
The MediaWiki 1.22.3, 1.21.6 and 1.19.12 release announcement notes:

* (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted
  namespaces. Also disallow iframe elements. User will get an error
  including the namespace name if they use a non- whitelisted namespace.

An attacker could perform cross-site scripting attacks by uploading crafted SVG images.

The versions of MediaWiki in Fedora and EPEL 6 are affected. I have not tested EPEL 5.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=60771
https://gerrit.wikimedia.org/r/#/q/7d923a6b53f7fbcb0cbc3a19797d741bf6f440eb,n,z
Comment 1 Murray McAllister 2014-02-28 02:06:48 EST
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1071142]
Comment 2 Murray McAllister 2014-02-28 02:06:52 EST
Created mediawiki119 tracking bugs for this issue:

Affects: epel-6 [bug 1071143]
Comment 3 Murray McAllister 2014-02-28 02:19:23 EST
Created mediawiki tracking bugs for this issue:

Affects: epel-5 [bug 1071157]
Comment 4 Murray McAllister 2014-02-28 02:26:36 EST
CVE request: http://www.openwall.com/lists/oss-security/2014/02/28/1
Comment 5 Murray McAllister 2014-03-02 21:05:35 EST
MITRE assigned CVE-2014-2242 to this issue: http://www.openwall.com/lists/oss-security/2014/03/01/2

""
Use CVE-2014-2242. The root cause is, roughly, "does not block unsafe
namespaces such as a W3C XHTML namespace." This qualifies for a CVE
because there is known client software that uses this namespace in a
way that results in XSS. MediaWiki is obviously free to make an
announcement of a security fix for this type of issue, independent of
the question of who is at fault for the underlying problem.

> Also disallow iframe elements.

There is no CVE assignment for this change because there is no known
client software that uses any of the $validNamespaces namespaces in a
way that results in XSS. A third party who "owns" one of these
namespaces, or anyone else, could modify its role tomorrow and (for
example) release a browser extension that's vulnerable to this IFRAME
XSS attack when the namespace is used. However, defending against that
is essentially the same as defending against any other attack
requiring not-known-to-exist client software. It can only be
interpreted as security hardening. For example, MediaWiki conceivably
could validate uploaded .jpg files by looking for photos of the word
"IFRAME" because, well, you can't be too careful.
""
Comment 6 Fedora Update System 2014-03-11 00:08:35 EDT
mediawiki-1.21.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-03-11 00:14:48 EDT
mediawiki-1.21.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-04-04 16:30:43 EDT
mediawiki119-1.19.13-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Murray McAllister 2014-04-28 07:56:02 EDT
Created mediawiki119 tracking bugs for this issue:

Affects: epel-5 [bug 1091963]
Comment 10 Murray McAllister 2014-04-28 07:57:05 EDT
(In reply to Murray McAllister from comment #9)
> Created mediawiki119 tracking bugs for this issue:
> 
> Affects: epel-5 [bug 1091963]

For all the mediawiki bugs I have filed, I have missed there is a "epel-5/mediawiki119" package. Should it just be bumped to the latest version to cover everything?
Comment 11 Fedora Update System 2014-05-15 23:04:26 EDT
mediawiki119-1.19.15-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.