Page MenuHomePhabricator
Create Task
Maniphest T158689

Parameters injection in SyntaxHighlight results in multiple vulnerabilities
Closed, ResolvedPublic
Actions

Assigned To
Reedy
Authored By
dpatrick
Feb 21 2017, 7:06 PM
Tags
Referenced Files
F5744839: T158689-REL1_27.patch
Feb 21 2017, 7:36 PM
F5744840: T158689-REL1_28.patch
Feb 21 2017, 7:36 PM
F5744793: T158689-master.patch
Feb 21 2017, 7:25 PM
F5744653: syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html
Feb 21 2017, 7:06 PM
F5744651: syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.pdf
Feb 21 2017, 7:06 PM
Subscribers
Aklapper
Bawolff
demon
dpatrick
EddieGP
gerritbot
Jdforrester-WMF
View All 12 Subscribers

Description

As reported by Yorick Koster:

To: security@wikimedia.org
From: Yorick Koster 
Subject: SyntaxHighlight MediaWiki exension allows injection of arbitrary Pygments options
Organization: Securify B.V.

Hi,

I've found a security vulnerability in the SyntaxHighlight extension. 
The details are attached. A quick fix would be to cast the start 
parameter to int.

// Starting line number
if ( isset( $args['start'] ) ) {
    $options['linenostart'] = (int)$args['start'];
}

Cheers,

Yorick

-- 

Yorick Koster
Co-founder
Securify

Original e-mail attachments:

syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.pdf56 KBDownload

syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html117 KBDownload

Details

SubjectRepoBranchLines +/-
SECURITY: Escape start argument before passing to pygmentsmediawiki/extensions/SyntaxHighlight_GeSHiwmf/1.29.0-wmf.19+2 -2
SECURITY: Escape start argument before passing to pygmentsmediawiki/extensions/SyntaxHighlight_GeSHimaster+2 -2
SECURITY: Escape start argument before passing to pygmentsmediawiki/extensions/SyntaxHighlight_GeSHiREL1_27+2 -2
SECURITY: Escape start argument before passing to pygmentsmediawiki/extensions/SyntaxHighlight_GeSHiREL1_28+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

dpatrick created this task.Feb 21 2017, 7:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 21 2017, 7:06 PM
dpatrick added a project: Vuln-XSS.Feb 21 2017, 7:07 PM
dpatrick updated the task description. (Show Details)Feb 21 2017, 7:10 PM
Reedy mentioned this in T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Feb 21 2017, 7:17 PM
Reedy added a subscriber: Reedy.Feb 21 2017, 7:25 PM

T158689-master.patch926 BDownload

Jdforrester-WMF added a subscriber: Jdforrester-WMF.Feb 21 2017, 7:31 PM
Reedy added a comment.Feb 21 2017, 7:36 PM

T158689-REL1_28.patch926 BDownload

T158689-REL1_27.patch926 BDownload

Reedy triaged this task as Medium priority.Feb 21 2017, 7:37 PM
Reedy moved this task from Backlog / Other to Pending deployment / release on the acl*security board.
Reedy added a parent task: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.
Reedy added a subscriber: Yorick.Feb 22 2017, 1:02 AM
dpatrick added a comment.Feb 22 2017, 4:26 AM

Thanks @Reedy. Is there a SAL entry associated with this deployment?

Reedy added a subscriber: demon.Feb 22 2017, 10:42 AM
In T158689#3045509, @dpatrick wrote:

Thanks @Reedy. Is there a SAL entry associated with this deployment?

Not exactly. I got it staged in time so that it went out with @demon's scaps for .13

Reedy closed this task as Resolved.Mar 30 2017, 6:02 PM
Reedy claimed this task.

Closing for ease of tracking progress. Patches attached to parent bug, due for next release

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 6 2017, 8:57 PM
gerritbot added a subscriber: gerritbot.Apr 6 2017, 9:00 PM

Change 346868 had a related patch set uploaded (by Chad; owner: Reedy):
[mediawiki/extensions/SyntaxHighlight_GeSHi@master] SECURITY: Escape start argument before passing to pygments

https://gerrit.wikimedia.org/r/346868

gerritbot added a project: Patch-For-Review.Apr 6 2017, 9:00 PM

Change 346870 had a related patch set uploaded (by Chad; owner: Reedy):
[mediawiki/extensions/SyntaxHighlight_GeSHi@REL1_28] SECURITY: Escape start argument before passing to pygments

https://gerrit.wikimedia.org/r/346870

gerritbot added a comment.Apr 6 2017, 9:01 PM

Change 346871 had a related patch set uploaded (by Chad; owner: Reedy):
[mediawiki/extensions/SyntaxHighlight_GeSHi@REL1_27] SECURITY: Escape start argument before passing to pygments

https://gerrit.wikimedia.org/r/346871

gerritbot added a comment.Apr 6 2017, 10:21 PM

Change 346868 merged by jenkins-bot:
[mediawiki/extensions/SyntaxHighlight_GeSHi@master] SECURITY: Escape start argument before passing to pygments

https://gerrit.wikimedia.org/r/346868

gerritbot added a comment.Apr 6 2017, 10:24 PM

Change 346870 merged by jenkins-bot:
[mediawiki/extensions/SyntaxHighlight_GeSHi@REL1_28] SECURITY: Escape start argument before passing to pygments

https://gerrit.wikimedia.org/r/346870

gerritbot added a comment.Apr 6 2017, 10:26 PM

Change 346871 merged by jenkins-bot:
[mediawiki/extensions/SyntaxHighlight_GeSHi@REL1_27] SECURITY: Escape start argument before passing to pygments

https://gerrit.wikimedia.org/r/346871

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)).Apr 6 2017, 11:00 PM
gerritbot added a comment.Apr 7 2017, 4:22 PM

Change 347015 had a related patch set uploaded (by Chad; owner: Reedy):
[mediawiki/extensions/SyntaxHighlight_GeSHi@wmf/1.29.0-wmf.19] SECURITY: Escape start argument before passing to pygments

https://gerrit.wikimedia.org/r/347015

gerritbot added a comment.Apr 7 2017, 4:27 PM

Change 347015 merged by jenkins-bot:
[mediawiki/extensions/SyntaxHighlight_GeSHi@wmf/1.29.0-wmf.19] SECURITY: Escape start argument before passing to pygments

https://gerrit.wikimedia.org/r/347015

ReleaseTaggerBot edited projects, added MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)); removed MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)).Apr 7 2017, 5:00 PM
Yorick added a comment.Apr 18 2017, 8:25 AM

This issue is reported as fixed in 1.28.1 / 1.27.2, but I can't seem to find the fix.

https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html

Reedy added a comment.Apr 18 2017, 10:07 AM
In T158689#3189214, @Yorick wrote:

This issue is reported as fixed in 1.28.1 / 1.27.2, but I can't seem to find the fix.

https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html

https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commits/REL1_28
https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/2d5a60a89fb3995b73e17df5901d6f023e41df3d
https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commits/REL1_27
https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/a88c5e1dcbdb3e9940c6f55a6744c62a6d62710f

@demon Seems these made it into the git repo, but for 1.28 (at least), they're not in the patch, nor in the AIO bundle, ie https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.1.patch.gz and https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.1.tar.gz

Yorick added a comment.Apr 28 2017, 6:49 AM

@demon @Reedy how to proceed? The details of this issue are now public, yet the fix is not included in 1.28.1 & 1.27.2

Reedy added a comment.Apr 28 2017, 3:58 PM

They're not in the tarballs, but they are in git

The question​ is whether the tarballs for both should be reissued

Yorick added a comment.Apr 28 2017, 4:22 PM

Fair enough, although I kinda got that :). My point is that a lot of people will use the tarball and will not get the fix (if they update at all). The fix is for example also not in Debian's version (https://sources.debian.net/src/mediawiki/1:1.27.2-1/extensions/SyntaxHighlight_GeSHi/SyntaxHighlight_GeSHi.class.php/).

Rgacogne added a subscriber: Rgacogne.Apr 29 2017, 4:16 PM
In T158689#3221285, @Reedy wrote:

The question​ is whether the tarballs for both should be reissued

Please don't do that. I understand the appeal but that would create a world of pain and incomprehension between people having the first and the second version of the tarball, which would be especially bad because we are talking about a fix resolving a security issue. Speaking with my Arch security team hat on, it would also break reproducible builds if the upstream tarball changes. Please consider issuing 1.28.2 and 1.27.3 instead.

Bawolff added a subscriber: Bawolff.Apr 29 2017, 7:59 PM

We should really issue another release for this right away. The syntax highlight bug was by far the most severe of all the bugs last release. To avoid confusion we should probably bump the mediawiki version number (eventhough that version number technically only applies to mediawiki core and not syntaxhighlight)

Bawolff mentioned this in T164155: new minor release needed for syntaxhighlight.Apr 29 2017, 8:02 PM
MZMcBride added a subscriber: MZMcBride.Apr 30 2017, 4:25 AM
Bawolff updated the task description. (Show Details)Apr 30 2017, 6:40 PM
EddieGP added a subscriber: EddieGP.Apr 30 2017, 8:55 PM

New releases for this were created:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000209.html

YaniardiyantoWikiz added a subscriber: YaniardiyantoWikiz.Oct 19 2018, 11:27 PM
sbassett moved this task from Pending deployment / release to Done on the acl*security board.Sep 26 2019, 2:33 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL