CVE-2022-41767: reassignEdits doesn't update results in an IP range check on Special:Contributions
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Reedy
	Aug 26 2022, 12:12 AM

Description

I reassigned the edits on https://www.wikidata.org/wiki/Special:Contributions/2001:B07:6462:512A:8:6B2F:A067:426A/64 but that page still shows those commits, but attributed to the user they were reassigned to.

After reassigning, it shouldn't show any results.

Details

Risk Rating: Low
Author Affiliation: WMF Technology Dept

Subject	Repo	Branch	Lines +/-
SECURITY: reassignEdits: Delete rows from ip_changes	mediawiki/core	REL1_38	+15 -0
SECURITY: reassignEdits: Delete rows from ip_changes	mediawiki/core	master	+15 -0
SECURITY: reassignEdits: Delete rows from ip_changes	mediawiki/core	REL1_37	+15 -0
SECURITY: reassignEdits: Delete rows from ip_changes	mediawiki/core	REL1_39	+15 -0
SECURITY: reassignEdits: Delete rows from ip_changes	mediawiki/core	REL1_35	+16 -0

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		Reedy	T311775 Release MediaWiki 1.35.8/1.37.5/1.38.3
Resolved		Reedy	T311776 Tracking bug for MediaWiki 1.35.8/1.37.5/1.38.3
Resolved	Security	Reedy	T316304 CVE-2022-41767: reassignEdits doesn't update results in an IP range check on Special:Contributions

Event Timeline

Reedy created this task.Aug 26 2022, 12:12 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 26 2022, 12:12 AM

Reedy renamed this task from reassignEdits doesn't seem to update a range check on Special:Contributions to reassignEdits doesn't seem to update results in an IP range check on Special:Contributions.Aug 26 2022, 12:13 AM

Reedy changed Author Affiliation from N/A to WMF Technology Dept.

Reedy added projects: Vuln-Infoleak, MediaWiki-General.

Reedy updated the task description. (Show Details)

If the "from user" is an IP, it would look like we just want to delete the rows in ip_changes for the hex(ipaddress) is probably enough to fix this edge case...

~~If the "to user" is an IP, we probably want to be inserting rows...~~ We can't move a users edits to an IP.

Ignoring the report only modes etc... Something like this should be sufficient.

		if ( !$from->isRegistered() ) {
			$dbw->delete(
				'ip_changes',
				[
					'ipc_hex' => IPUtils::toHex( $from->getName() )
				]
			);
		}

Reedy added projects: MW-1.35-release, MW-1.37-release, MW-1.38-release.Aug 26 2022, 1:18 AM

0001-SECURITY-reassignEdits-Delete-rows-from-ip_changes.patch1 KBDownload

Reedy triaged this task as Low priority.Aug 26 2022, 1:28 AM

In T316304#8187411, @Reedy wrote:

0001-SECURITY-reassignEdits-Delete-rows-from-ip_changes.patch1 KBDownload

I'm proposing we just ship this through Gerrit, unless anyone objects

In T316304#8188575, @Reedy wrote:

I'm proposing we just ship this through Gerrit, unless anyone objects

Is the only risk here that the reassigned edits potentially link a username to one of their actual IPs, if someone's clever enough to understand what happened during the edit reassign process? I feel like a discreet gerrit change set with a benign commit msg that doesn't call that issue out (or any other potential privacy risk) is probably low risk, especially if this bug stays private until it goes out with the next train.

In T316304#8188871, @sbassett wrote:

In T316304#8188575, @Reedy wrote:

I'm proposing we just ship this through Gerrit, unless anyone objects

Is the only risk here that the reassigned edits potentially link a username to one of their actual IPs, if someone's clever enough to understand what happened during the edit reassign process? I feel like a discreet gerrit change set with a benign commit msg that doesn't call that issue out (or any other potential privacy risk) is probably low risk, especially if this bug stays private until it goes out with the next train.

Yeah. The script is very seldom run in Wikimedia projects anyway... But I would propose to clean up those 3 ip_changes rows manually (which can be done at any time) first

sbassett assigned this task to Reedy.Aug 30 2022, 3:59 PM

sbassett moved this task from Incoming to In Progress on the Security-Team board.Sep 6 2022, 4:22 PM

sbassett added a project: SecTeam-Processed.

sbassett changed Risk Rating from N/A to Low.

Reedy changed the task status from Open to In Progress.Sep 25 2022, 6:40 PM

Reedy added a parent task: T311776: Tracking bug for MediaWiki 1.35.8/1.37.5/1.38.3.

Reedy added a project: MW-1.39-release.Sep 25 2022, 6:44 PM

I've cleaned up the affected rows from the task description.

Reedy mentioned this in T311776: Tracking bug for MediaWiki 1.35.8/1.37.5/1.38.3.Sep 25 2022, 7:05 PM

Reedy mentioned this in T311777: Obtain CVEs for 1.35.8/1.37.5/1.38.3 security releases.Sep 25 2022, 7:11 PM

Reedy renamed this task from reassignEdits doesn't seem to update results in an IP range check on Special:Contributions to reassignEdits doesn't update results in an IP range check on Special:Contributions.Sep 28 2022, 2:30 PM

Reedy renamed this task from reassignEdits doesn't update results in an IP range check on Special:Contributions to CVE-2022-41767: reassignEdits doesn't update results in an IP range check on Special:Contributions.Sep 29 2022, 5:29 PM

Reedy closed this task as Resolved.Sep 29 2022, 5:39 PM

Change 836891 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_35] SECURITY: reassignEdits: Delete rows from ip_changes

https://gerrit.wikimedia.org/r/836891

Change 836895 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_37] SECURITY: reassignEdits: Delete rows from ip_changes

https://gerrit.wikimedia.org/r/836895

Change 836899 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_38] SECURITY: reassignEdits: Delete rows from ip_changes

https://gerrit.wikimedia.org/r/836899

Change 836904 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_39] SECURITY: reassignEdits: Delete rows from ip_changes