Multiple security problems found: [CVE-2008-5249] [CVE-2008-5250] [CVE-2008-5252]

Bug #323842 reported by Andreas Wenning
Affects             Status        Importance  Assigned to  Milestone
mediawiki (Ubuntu)  Invalid       Undecided   Unassigned
Dapper              Won't Fix     Undecided   Unassigned
Gutsy               Won't Fix     Undecided   Unassigned
Hardy               Fix Released  Undecided   Unassigned
Intrepid            Fix Released  Undecided   Unassigned
Jaunty              Invalid       Undecided   Unassigned

Bug Description

Binary package hint: mediawiki

Multiple security problems found and fixed by upstream[0]:
* An XSS vulnerability affecting all MediaWiki installations between
1.13.0 and 1.13.2. [CVE-2008-5249]
* A local script injection vulnerability affecting Internet Explorer
clients for all MediaWiki installations with uploads enabled.
[CVE-2008-5250]
* A local script injection vulnerability affecting clients with SVG
scripting capability (such as Firefox 1.5+), for all MediaWiki
installations with SVG uploads enabled. [CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all
MediaWiki installations since the feature was introduced in 1.3.0.
[CVE-2008-5252]
* Since 1.11, by default, MediaWiki stores a backup of deleted images
in the images/deleted directory. If you do not want these images to be
publicly accessible, make sure this directory is not accessible from
the web. MediaWiki takes some steps to avoid leaking these images, but
these measures are not perfect.

[0] http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html

The version in jaunty (1.13.3) already addresses these issues.
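The last item in the list above asks administrators to make sure images/deleted is not reachable from the web. One way to verify that, as an added example that is not part of the original report or of MediaWiki: write a random canary file into the directory and try to read it back over HTTP. The function names are hypothetical, and the filesystem path and URL are supplied by the operator; the report itself names only the images/deleted directory.

```python
"""Canary check: can a file in MediaWiki's images/deleted be fetched over HTTP?"""
import os
import secrets
import sys
import urllib.error
import urllib.request

# Connect directly, ignoring proxy environment variables, so an intermediary
# cannot mask what the web server itself answers.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def place_canary(deleted_dir):
    """Write a uniquely named marker file; return (file name, secret token)."""
    name = "canary-" + secrets.token_hex(8) + ".txt"
    token = secrets.token_hex(16)
    with open(os.path.join(deleted_dir, name), "w") as fh:
        fh.write(token)
    return name, token


def fetch(url, timeout=5):
    """GET url and return (status, body). HTTP error codes are returned,
    not raised; connection failures (URLError) propagate to the caller."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def deleted_dir_exposed(deleted_dir, deleted_url):
    """True if a file placed in deleted_dir can be read back via deleted_url."""
    name, token = place_canary(deleted_dir)
    try:
        status, body = fetch(deleted_url.rstrip("/") + "/" + name)
        # Require the token itself, so a custom error page served with
        # status 200 is not mistaken for exposure.
        return status == 200 and token in body
    finally:
        os.remove(os.path.join(deleted_dir, name))  # always clean up


if __name__ == "__main__":
    # Usage: check.py <path to images/deleted> <URL that would map to it>
    exposed = deleted_dir_exposed(sys.argv[1], sys.argv[2])
    print("EXPOSED" if exposed else "not reachable")
    sys.exit(1 if exposed else 0)
```

A 403 on the directory URL alone proves nothing, since directory listing can be disabled while individual files remain readable, which is why the check fetches a file it has just created.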


Changed in mediawiki:
assignee: nobody → andreas-wenning
status: New → In Progress
Andreas Wenning (andreas-wenning) wrote :

Here is a debdiff for intrepid addressing these issues.

Andreas Wenning (andreas-wenning) wrote :

And for hardy as well.

Andreas Wenning (andreas-wenning) wrote :

The patches touch the import of pages and uploads; both have been tested to work in general. I'm sorry I don't have a test case to verify the security problems.

The package in gutsy is done in a way making it impossible to patch.

The package in dapper is ancient and already misses a huge amount of security patches, so I don't think it is worth it.

Changed in mediawiki:
assignee: andreas-wenning → nobody
status: In Progress → New
Changed in mediawiki:
status: New → In Progress
Changed in mediawiki:
status: In Progress → Fix Committed
Changed in mediawiki:
status: New → Confirmed
status: New → Confirmed
status: New → Fix Committed
status: New → Fix Committed
Changed in mediawiki:
status: Fix Committed → Invalid
Marc Deslauriers (mdeslaur) wrote :

Packages for Hardy and Intrepid were published.

Changed in mediawiki:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in mediawiki (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in mediawiki (Ubuntu Dapper):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
