TimedMediaHandler doesn't prevent blocked users from restarting transcodes (CVE-2022-28211)
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Jdforrester-WMF
	Mar 17 2017, 11:05 PM

Description

TMH intentionally won't let bots execute transcodes, but this seems to be a rather bad over-sight.

Reported by @Revent.

Details

Project	Branch	Lines +/-	Subject
mediawiki/extensions/TimedMediaHandler	REL1_35	+5 -3	SECURITY: Disallow blocked users from resetting transcodes
mediawiki/extensions/TimedMediaHandler	REL1_36	+5 -3	SECURITY: Disallow blocked users from resetting transcodes
mediawiki/extensions/TimedMediaHandler	REL1_37	+5 -3	SECURITY: Disallow blocked users from resetting transcodes
mediawiki/extensions/TimedMediaHandler	master	+5 -3	SECURITY: Disallow blocked users from resetting transcodes

Customize query in gerrit

Related Objects

Mentioned In: T297839: Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2)
Mentioned Here: T297839: Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2)

Event Timeline

Jdforrester-WMF created this task.Mar 17 2017, 11:05 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 17 2017, 11:05 PM

Jdforrester-WMF added a project: Security-Extensions.Mar 17 2017, 11:06 PM

Jdforrester-WMF updated the task description. (Show Details)

Jdforrester-WMF added subscribers: brion, Revent.

I had emailed Brion about this, after a mention on IRC.

A client logged in through the API via a 'botpassword' cannot reset transcodes... it requires a client login.

However, and this is the problem, a blocked user CAN use the API to reset transcodes... this leaves open the potential for a problematic DOS attack, by resetting them en-masse for no reason.

• dpatrick renamed this task from TMH doesn't prevent blocked users from restarting transcodes to TimedMediaHandler doesn't prevent blocked users from restarting transcodes.Mar 21 2017, 8:34 PM

• dpatrick triaged this task as Medium priority.

• dpatrick added a project: Vuln-DoS.

Revent updated the task description. (Show Details)Apr 1 2017, 1:07 PM

Aklapper removed projects: Vuln-DoS, acl*security, TimedMediaHandler-Transcode.Nov 27 2019, 1:30 PM

Restricted Application added a project: acl*security. · View Herald TranscriptNov 27 2019, 1:30 PM

Aklapper edited projects, added Vuln-DoS, TimedMediaHandler-Transcode; removed Security-Extensions.Dec 2 2019, 1:01 PM

• chasemp added a project: Security.Feb 10 2020, 10:58 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM

Reedy merged a task: Restricted Task.Dec 6 2021, 4:47 PM

Reedy added subscribers: Dylsss, MarcoAurelio.

From T296764, resetting a transcode creates a public log of that action:

If a user is blocked and suppressed, the user can continue to abusively create public logs with that suppressed username, essentially leaking suppressed data.

Also since the transcode-reset right is part of the implicit autoconfirmed group, I don't think there would be any way for local sysops to prevent possible abuse (by removing the right).

Is the below patch ok?

T160800.patch1 KBDownload

@brion: Could you review the patch (or have an idea who could review the patch)? Thanks.

In T160800#7607309, @Dylsss wrote:

Is the below patch ok?

T160800.patch1 KBDownload

Code-Review-1

The permissions check needs to go after // Make sure we have a valid Title so we know $titleObj isn't null. Otherwise LGTM (though untested so far)

New patch that places the permissions check after the title check per @Legoktm:

01-T160800.patch1 KBDownload

If this looks good, we can get this deployed to wikimedia production and tracked soon.

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Jan 20 2022, 3:55 PM

Deployed the following patch (basically the same as the one above, but with some extraneous whitespace removed):

01-T160800.patch1 KBDownload

No obvious errors, not that there would be, right away. Quickly testing with a newly-created account that isn't autoconfirmed, I don't see the Reset Transcodes links for various video media, so I assume this is working. If someone would like to test a bit more that would be great. Anyhow, now tracking at T276237 and T297839.

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Mar 14 2022, 9:47 PM

sbassett moved this task from Backlog to Transcoder on the TimedMediaHandler-Transcode board.

sbassett mentioned this in T297839: Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2).

Mstyles renamed this task from TimedMediaHandler doesn't prevent blocked users from restarting transcodes to TimedMediaHandler doesn't prevent blocked users from restarting transcodes (CVE-2022-28211).Mar 31 2022, 5:42 PM

Mstyles closed this task as Resolved.

Mstyles claimed this task.

Mstyles moved this task from Watching to Our Part Is Done on the Security-Team board.

Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2022, 5:47 PM

Change 776014 had a related patch set uploaded (by Mstyles; author: Dylsss):

[mediawiki/extensions/TimedMediaHandler@master] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/776014

Change 775940 had a related patch set uploaded (by Mstyles; author: Dylsss):

[mediawiki/extensions/TimedMediaHandler@REL1_35] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/775940

Change 775941 had a related patch set uploaded (by Mstyles; author: Dylsss):

[mediawiki/extensions/TimedMediaHandler@REL1_36] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/775941

Change 775942 had a related patch set uploaded (by Mstyles; author: Dylsss):

[mediawiki/extensions/TimedMediaHandler@REL1_37] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/775942

Change 776014 merged by jenkins-bot:

[mediawiki/extensions/TimedMediaHandler@master] SECURITY: Disallow blocked users from resetting transcodes

https://gerrit.wikimedia.org/r/776014

Yeah we just plum forgot to fix this. :) It's an irksome DoS vector though, so good to fix! Merged the patch to master; I'm leaving the branch patches until someone's ready to deploy.

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.6; 2022-04-04).Apr 4 2022, 4:00 PM

In T160800#7828992, @brion wrote:

Yeah we just plum forgot to fix this. :) It's an irksome DoS vector though, so good to fix! Merged the patch to master; I'm leaving the branch patches until someone's ready to deploy.

Hey @brion - where were you looking to deploy these? Are there external mediawiki installations we should look at? Per the comment above (T160800#7775935), this patch has been on Wikimedia production releases since March 14th, 2022. And should now fall off for 1.39.0-wmf.6 since it was merged to master. And we'll (re-)announce the issue to the community with the next supplemental security release (T297839), due out, hopefully, tomorrow.

Change 775942 merged by jenkins-bot: