Bug#: 200285
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachments:
htdig-quoting.patch (patch), created by Robert Buchholz, 2007-12-03 00:59 0000, 1.10 KB

Description:   Opened: 2007-11-25 15:14 0000
CVE-2007-6110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6110):
  Cross-site scripting (XSS) vulnerability in htsearch in htdig 3.2.0b6 allows
  remote attackers to inject arbitrary web script or HTML via the sort
  parameter.

------- Comment #1 From Robert Buchholz 2007-11-25 15:17:50 0000 -------
Web-apps, please advise.

------- Comment #2 From Gunnar Wrobel 2007-12-02 15:44:12 0000 -------
Hrm, looks like no upstream activity since 2004. The bug has been reported by
SuSE but what I assume is their latest package (htdig-3.2.0b6-123) does not
seem to provide a fix for the issue. 

The application is currently marked stable on these architectures:

alpha amd64 hppa ia64 ppc ppc64 sparc x86

We'll probably have to mask it if there is no way to get a fix for this.

------- Comment #3 From Robert Buchholz 2007-12-03 00:59:09 0000 -------
Created an attachment (id=137588) [details]
htdig-quoting.patch

------- Comment #4 From Robert Buchholz 2007-12-03 01:00:58 0000 -------
Suse provides an updated package in their 10.2 testing repository, I attached
the patch above.

It actually removes the output rather than quoting it, but in the end, that
error message would not come from links inside the application anyway.
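
The difference between quoting the reflected value and removing it, as comment #4 describes, shown as an added C++ example; it is not the SuSE patch or htdig source. The function names, the error text and the list of accepted sort values are assumptions made for the illustration.

```cpp
// Added illustration: names, error text and allowlist below are assumptions.
#include <iostream>
#include <string>

// Assumed allowlist of sort keywords; anything else takes the error path.
static const char* const kSortTypes[] = {"score", "time", "title"};

bool isKnownSort(const std::string& s) {
    for (const char* t : kSortTypes)
        if (s == t) return true;
    return false;
}

// HTML-escape untrusted text for element content or quoted attribute values.
std::string htmlEscape(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Vulnerable pattern: the raw request parameter is copied into the error page.
std::string errorReflected(const std::string& sort) {
    return "<p>Invalid sort parameter '" + sort + "'</p>";
}

// Fix by quoting: same message, but the parameter is escaped before output.
std::string errorQuoted(const std::string& sort) {
    return "<p>Invalid sort parameter '" + htmlEscape(sort) + "'</p>";
}

// Fix by removal (the approach comment #4 describes): the value is never echoed.
std::string errorRemoved(const std::string&) {
    return "<p>Invalid sort parameter</p>";
}

int main() {
    const std::string sample = "<b>x</b>";  // constructed input, benign markup
    if (!isKnownSort(sample))
        std::cout << errorReflected(sample) << '\n' << errorQuoted(sample) << '\n' << errorRemoved(sample) << '\n';
}
```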

------- Comment #5 From Gunnar Wrobel 2007-12-03 08:15:12 0000 -------
Sorry, I obviously didn't know where I had to check. Thanks for the hint. Now I
found it too and applied the patch.

htdig-3.2.0_beta6-r3 is in the tree and needs to be marked stable by

 alpha amd64 hppa ia64 ppc ppc64 sparc x86

------- Comment #6 From Gunnar Wrobel 2007-12-03 08:18:46 0000 -------
added arches

------- Comment #7 From Markus Meier 2007-12-03 12:20:43 0000 -------
x86 stable

------- Comment #8 From Raúl Porcel 2007-12-04 10:59:45 0000 -------
alpha/ia64/sparc stable and beandog did amd64

------- Comment #9 From Jeroen Roovers 2007-12-04 16:05:40 0000 -------
Stable for HPPA.

------- Comment #10 From Markus Rothe 2007-12-04 17:58:46 0000 -------
ppc64 stable

------- Comment #11 From Tobias Scherbaum 2007-12-04 19:46:20 0000 -------
ppc stable, ready for glsa voting

------- Comment #12 From Robert Buchholz 2007-12-04 23:17:28 0000 -------
non-persistent xss, voting NO.

------- Comment #13 From Gunnar Wrobel 2007-12-05 05:21:57 0000 -------
Removed insecure ebuild. webapps done here.

------- Comment #14 From Pierre-Yves Rofes 2007-12-05 08:45:07 0000 -------
no too, closing.

------- Comment #15 From Peter Volkov 2008-03-06 09:51:25 0000 -------
Does not affect current (2008.0) release. Removing release.
