Page MenuHomePhabricator
Create Task
Maniphest T304126

One of the checks for 'override-antispoof' permission is inverted (CVE-2022-28209)
Closed, ResolvedPublicSecurity
Actions

Description

One of the checks for 'override-antispoof' permission in the AntiSpoof extension is inverted, here: https://github.com/wikimedia/mediawiki-extensions-AntiSpoof/blob/7a5fc55dc31a0ab654a80a0fa6293027293c5b7c/includes/AntiSpoofPreAuthenticationProvider.php#L145

This might not be a real security issue – it looks like the faulty code path is only used for displaying UI messages (JS checks on Special:CreateAccount), and not for actually creating accounts. But I didn't go through everything to prove that for sure, so I'm filing as a security task just in case.

It's also not reproducible on Wikimedia wikis, because the anti-spoof checks there are handled by code in CentralAuth, which doesn't have the bug: https://github.com/wikimedia/mediawiki-extensions-CentralAuth/blob/061b493dc96a874bb49e1e67c10e416fce6040be/includes/CentralAuthPrimaryAuthenticationProvider.php#L512

This has been introduced in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AntiSpoof/+/618623, by accidentally removing a ! to negate a condition.

I discovered the problem while testing a patch for T167163.

Details

SubjectRepoBranchLines +/-
Fix check for 'override-antispoof' permissionmediawiki/extensions/AntiSpoofmaster+1 -1
Fix check for 'override-antispoof' permissionmediawiki/extensions/AntiSpoofREL1_36+1 -1
Fix check for 'override-antispoof' permissionmediawiki/extensions/AntiSpoofREL1_37+1 -1
Fix check for 'override-antispoof' permissionmediawiki/extensions/AntiSpoofREL1_38+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

matmarex created this task.Mar 17 2022, 10:41 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 17 2022, 10:41 PM
matmarex added a project: Patch-For-Review.Mar 17 2022, 10:44 PM

0001-SECURITY-Fix-check-for-override-antispoof-permission.patch1 KBDownload

Reedy added a project: AntiSpoof.Mar 18 2022, 1:07 AM
Reedy added a subscriber: Umherirrender.Mar 18 2022, 1:16 AM
Reedy added a project: SecTeam-Processed.Mar 18 2022, 1:19 AM
Reedy moved this task from Incoming to Security Patch To Deploy on the Security-Team board.
Reedy subscribed.

Patch LGTM.

Should be backported to 1.36 through 1.38, but isn't part of the tarball.

I think this one can probably just be deployed and then pushed through gerrit.

Reedy triaged this task as Low priority.Mar 18 2022, 1:19 AM
Reedy added a subscriber: gerritbot.Mar 21 2022, 10:25 PM
gerritbot added a comment.Mar 21 2022, 10:26 PM

Change 772519 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/extensions/AntiSpoof@master] Fix check for 'override-antispoof' permission

https://gerrit.wikimedia.org/r/772519

gerritbot added a comment.Mar 21 2022, 10:26 PM

Change 772475 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/extensions/AntiSpoof@REL1_38] Fix check for 'override-antispoof' permission

https://gerrit.wikimedia.org/r/772475

gerritbot added a comment.Mar 21 2022, 10:26 PM

Change 772476 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/extensions/AntiSpoof@REL1_37] Fix check for 'override-antispoof' permission

https://gerrit.wikimedia.org/r/772476

gerritbot added a comment.Mar 21 2022, 10:27 PM

Change 772477 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/extensions/AntiSpoof@REL1_36] Fix check for 'override-antispoof' permission

https://gerrit.wikimedia.org/r/772477

gerritbot added a comment.Mar 21 2022, 10:28 PM

Change 772475 merged by jenkins-bot:

[mediawiki/extensions/AntiSpoof@REL1_38] Fix check for 'override-antispoof' permission

https://gerrit.wikimedia.org/r/772475

gerritbot added a comment.Mar 21 2022, 10:30 PM

Change 772476 merged by jenkins-bot:

[mediawiki/extensions/AntiSpoof@REL1_37] Fix check for 'override-antispoof' permission

https://gerrit.wikimedia.org/r/772476

gerritbot added a comment.Mar 21 2022, 10:30 PM

Change 772477 merged by jenkins-bot:

[mediawiki/extensions/AntiSpoof@REL1_36] Fix check for 'override-antispoof' permission

https://gerrit.wikimedia.org/r/772477

Reedy added a parent task: T297839: Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2).Mar 21 2022, 10:31 PM
gerritbot added a comment.Mar 21 2022, 10:41 PM

Change 772519 merged by jenkins-bot:

[mediawiki/extensions/AntiSpoof@master] Fix check for 'override-antispoof' permission

https://gerrit.wikimedia.org/r/772519

matmarex added a comment.Mar 22 2022, 12:51 AM

Thanks for the review.

sbassett mentioned this in T297839: Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2).Mar 22 2022, 1:20 AM
sbassett moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.Mar 28 2022, 9:05 PM
Mstyles renamed this task from One of the checks for 'override-antispoof' permission is inverted to One of the checks for 'override-antispoof' permission is inverted (CVE-2022-28209).Mar 31 2022, 5:43 PM
Mstyles closed this task as Resolved.
Mstyles claimed this task.
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2022, 5:46 PM
Mstyles changed the edit policy from "Custom Policy" to "All Users".
Zabe removed a project: Patch-For-Review.Jul 13 2022, 11:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits