[Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection

Thorsten Glaser tg at mirbsd.de
Mon Dec 17 16:21:15 UTC 2012

Package: mediawiki-extensions-base
Version: 2.9
Severity: grave
Justification: user security hole

Thanks to Joey Hess, who put
into his feed, and our FusionForge “pink popup”
which displays invalid XHTML immediately, a user
security hole could be identified today during
MediaWiki validation at tarent solutions GmbH
in mediawiki-extensions-base (RSS_Reader) and
gforge-base (Codendi RSS widget).

In mediawiki-extensions-base, this is an actual
user security hole: JavaScript placed, properly
escaped, into an RSS feed item’s title is executed
on the page. (In FusionForge, <script> tags are
stripped, but the invalid </yurt> is still emitted.
I will not file a security bug against FusionForge
because I do not believe it a user security hole
there, but still commit a fix into FF’s git repo.)

I will upload a fixed src:mediawiki-extensions ASAP.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh-static

mediawiki-extensions-base depends on no packages.

Versions of packages mediawiki-extensions-base recommends:
ii  mediawiki  1:1.19.3-1tarent1

mediawiki-extensions-base suggests no packages.

-- no debconf information

More information about the Pkg-mediawiki-devel mailing list