Page MenuHomePhabricator

CVE-2022-39193: Special:Investigate can expose supressed information in check results
Closed, ResolvedPublicSecurity

Description

Split from T311337: CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension which was after talking to @Dreamy_Jazz as code is slightly different and they aren't as comfortable with it

Steps:

Tested on a local instance running CheckUser and other extensions.

Followed the following steps:

  • Gave myself suppressor rights
  • Suppressed a test edit so that the edit had the following restrictions:

image.png (177×828 px, 11 KB)

  • Removed suppressor rights from myself
  • Investigate the IP

Related Objects

StatusSubtypeAssignedTask
OpenNone
ResolvedSecurityZabe
ResolvedSecurityDreamy_Jazz
OpenDreamy_Jazz
OpenFeatureDreamy_Jazz
ResolvedLadsgroup
ResolvedMilimetric
OpenNone
OpenNone
OpenNone
OpenDreamy_Jazz
OpenNone
ResolvedDreamy_Jazz
ResolvedDreamy_Jazz
ResolvedDreamy_Jazz
ResolvedMarostegui
ResolvedPRODUCTION ERRORDreamy_Jazz
ResolvedMarostegui
ResolvedDreamy_Jazz
ResolvedDreamy_Jazz
ResolvedBUG REPORTDreamy_Jazz
ResolvedDreamy_Jazz
ResolvedDreamy_Jazz
ResolvedDreamy_Jazz
ResolvedDreamy_Jazz
ResolvedDreamy_Jazz
ResolvedBUG REPORTDreamy_Jazz
ResolvedBUG REPORTDreamy_Jazz
OpenDreamy_Jazz
ResolvedDreamy_Jazz
ResolvedDreamy_Jazz
ResolvedDreamy_Jazz
ResolvedPRODUCTION ERRORpmiazga
OpenNone
ResolvedDreamy_Jazz
OpenNone
ResolvedDreamy_Jazz
OpenNone

Event Timeline

RhinosF1 added a subscriber: Niharika.

@Niharika: Would Anti-Harassment be able to pick this up and have a look before the 6th when the security release is due?

Dreamy_Jazz renamed this task from Special:Investigate can exposed supressed information in check results to Special:Investigate can expose supressed information in check results.Aug 27 2022, 10:15 AM
Dreamy_Jazz moved this task from General / Unsorted to Investigate on the CheckUser board.
mmartorana changed the task status from Open to In Progress.Aug 31 2022, 10:05 AM
mmartorana triaged this task as Medium priority.
mmartorana changed Risk Rating from N/A to Low.
RhinosF1 renamed this task from Special:Investigate can expose supressed information in check results to CVE-2022-39193: Special:Investigate can expose supressed information in check results.Sep 2 2022, 5:58 PM
RhinosF1 attached a referenced file: F35274252: image.png. (Show Details)

Just a friendly note that this has not been fixed within Wikimedia production yet. I would like to get the related patch for T311337 deployed next week as it has been lingering. Monday, September 5th is a US holiday, but sometime Tuesday morning before the train could work.

Hey @Dreamy_Jazz and @Zabe - somebody has to take the patch: T311337#8178549 and port it over to Special:Investigate as well, and then we can proceed to deploy like we did for the CheckUser one.

Hi there @mmartorana. While I'm happy to review simpler patches for Investigate, security patches and more complicated patches are really outside my knowledge of Investigate. I would suggest pinging the Anti-Harrassment team for this as they primarily maintain and manage Investigate. While I suspect Investigate will have a relatively similar fix, there are some major differences which make porting the patch into Investigate probably more involved than copying code from that patch into designated locations.

Hi Anti-Harassment team, do you have any interest in working on the porting of this patch?

Mstyles added a subscriber: Mstyles.

this is now deployed in production on php-1.40.0-wmf.8. @Dreamy_Jazz do you think you could test this when you get a chance?

I can see if I can get someone to help.

I can see if I can get someone to help.

Thanks!

Been unable to find anyone who wants to help so far. I'm thinking I could do this on the testwiki as I could probably get rights additions and removals done easier there than on enwiki.

Tested on testwiki using wmf.8 following the steps:

  • Made a test edit
  • Got granted OS and CU by steward on testwiki
  • Suppressed the test edit
  • Opened Special:Invesigate
  • Ran a check on Dreamy Jazz (myself)
  • Switched to the timeline mode
  • Verified that I could see my username
  • Had OS removed from me on testwiki
  • Switched to the user agent tab and then back to the timeline tab
  • Verified that I could not see my username (instead showing username hidden)
  • Had OS granted again to remove the test suppression
  • Had CU and OS removed.

I can provide screenshots of the results (these results were designed to only include my edits) but will leave them not published here because this will go public eventually. The test was successful and so the patch worked.

Updated patch for 1.40.0-wmf.18:

Thanks. I'm working on making log events store their log ID but it will be slow progress as there is a lot to do to migrate tables.

Thanks. I'm working on making log events store their log ID but it will be slow progress as there is a lot to do to migrate tables.

No problem. Ideally we should get some of these outstanding CU security patches backported, particularly T315123. I had thought that some of the bugs under the umbrella CVE CVE-2022-39193 hadn't been patched yet, but it looks like maybe they have now? If so, we should get those backported for sure.

They have been all partly addressed as all have been fixed for edits but not logged actions. I wouldn't oppose backporting these changes, but it would make public a fix before logged actions can also be fixed.

Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 12 2023, 2:37 AM
Mstyles changed the edit policy from "Custom Policy" to "All Users".

Change 879166 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] SECURITY: Respect revision deletion status for the performer in Investigate

https://gerrit.wikimedia.org/r/879166

This isn't resolved. Edits are fixed but not log actions.

Re-closing as separate tickets filed.

Re-closing as separate tickets filed.

Thanks!