Advisories » MGASA-2014-0113

Updated mediawiki packages fix security vulnerabilities

Publication date: 02 Mar 2014
Modification date: 02 Mar 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2013-6451 , CVE-2013-6452 , CVE-2013-6453 , CVE-2013-6472 , CVE-2014-1610

Description

MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed
insertion of escaped CSS values which could pass the CSS validation checks,
resulting in XSS (CVE-2013-6451).

Chris from RationalWiki reported that SVG files could be uploaded that
include external stylesheets, which could lead to XSS when an XSL was used
to include JavaScript (CVE-2013-6452).

During internal review, it was discovered that MediaWiki's SVG sanitization
could be bypassed when the XML was considered invalid (CVE-2013-6453).

During internal review, it was discovered that MediaWiki displayed some
information about deleted pages in the log API, enhanced RecentChanges, and
user watchlists (CVE-2013-6472).

Netanel Rubin from Check Point discovered a remote code execution
vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal
review also discovered similar logic in the PdfHandler extension, which
could be exploited in a similar way (CVE-2014-1610).

MediaWiki has been updated to version 1.22.2, which fixes these issues, as
well as several others.

Also, the mediawiki-ldapauthentication and mediawiki-math extensions have
been updated to newer versions that are compatible with MediaWiki 1.22.

Additionally, the mediawiki-graphviz extension has been obsoleted, due to
the fact that it is unmaintained upstream and is vulnerable to cross-site
scripting attacks.

Note: if you were using the "instances" feature in these packages to
support multiple wiki instances, this feature has now been removed.  You
will need to maintain separate wiki instances manually.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=12337
• http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000138.html
• http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
• https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127027.html
• https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127948.html
• http://www.mediawiki.org/wiki/Extension:GraphViz
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6451
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6452
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6453
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6472
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1610

SRPMS

4/core

• mediawiki-1.22.2-1.1.mga4
• mediawiki-ldapauthentication-2.0f-1.1.mga4
• mediawiki-math-1.1-1.1.mga4

3/core

• mediawiki-1.22.2-1.1.mga3
• mediawiki-ldapauthentication-2.0f-1.1.mga3
• mediawiki-math-1.1-1.1.mga3