200285 2007-11-25 15:14 0000 www-misc/htdig <=3.2.0_beta6-r2 Cross-Site-Scripting (CVE-2007-6110) 2008-03-06 09:51:25 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://sourceforge.net/mailarchive/forum.php?thread_name=200709251310.55835.mskibbe%40suse.de&forum_name=htdig-dev B4 [noglsa] P2 minor --- 1 rbu@gentoo.org security@gentoo.org rbu@gentoo.org 2007-11-25 15:14:06 0000 CVE-2007-6110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6110): Cross-site scripting (XSS) vulnerability in htsearch in htdig 3.2.0b6 allows remote attackers to inject arbitrary web script or HTML via the sort parameter. rbu@gentoo.org 2007-11-25 15:17:50 0000 Web-apps, please advise. wrobel@gentoo.org 2007-12-02 15:44:12 0000 Hrm, looks like no upstream activity since 2004. The bug has been reported by SuSE but what I assume is their latest package (htdig-3.2.0b6-123) does not seem to provide a fix for the issue. The application is currently marked stable on these architectures: alpha amd64 hppa ia64 ppc ppc64 sparc x86 We'll probably have to mask it if there is no way to get a fix for this. rbu@gentoo.org 2007-12-03 00:59:09 0000 Created an attachment (id=137588) htdig-quoting.patch rbu@gentoo.org 2007-12-03 01:00:58 0000 Suse provides an updated package in their 10.2 testing repository, I attached the patch above. It actually removes the output rather than quoting it, but in the end, that error message would not come from links inside the application anyway. wrobel@gentoo.org 2007-12-03 08:15:12 0000 Sorry, I obviously didn't know where I had to check. Thanks for the hint. No I found it too and applied the patch. htdig-3.2.0_beta6-r3 is in the tree and needs to be marked stable by alpha amd64 hppa ia64 ppc ppc64 sparc x86 wrobel@gentoo.org 2007-12-03 08:18:46 0000 added arches maekke@gentoo.org 2007-12-03 12:20:43 0000 x86 stable armin76@gentoo.org 2007-12-04 10:59:45 0000 alpha/ia64/sparc stable and beandog did amd64 jer@gentoo.org 2007-12-04 16:05:40 0000 Stable for HPPA. corsair@gentoo.org 2007-12-04 17:58:46 0000 ppc64 stable dertobi123@gentoo.org 2007-12-04 19:46:20 0000 ppc stable, ready for glsa voting rbu@gentoo.org 2007-12-04 23:17:28 0000 non-persistent xss, voting NO. wrobel@gentoo.org 2007-12-05 05:21:57 0000 Removed insecure ebuild. weapps done here. py@gentoo.org 2007-12-05 08:45:07 0000 no too, closing. pva@gentoo.org 2008-03-06 09:51:25 0000 Does not affect current (2008.0) release. Removing release. 137588 2007-12-03 00:59 0000 htdig-quoting.patch htdig-quoting.patch text/plain SW5kZXg6IGh0ZGlnLTMuMi4wYjYvaHRzZWFyY2gvRGlzcGxheS5jYwo9PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBo dGRpZy0zLjIuMGI2Lm9yaWcvaHRzZWFyY2gvRGlzcGxheS5jYworKysgaHRkaWctMy4yLjBiNi9o dHNlYXJjaC9EaXNwbGF5LmNjCkBAIC0xMzcsNyArMTM3LDcgQEAgRGlzcGxheTo6ZGlzcGxheShp bnQgcGFnZU51bWJlcikKICAgICAgIC8vIE11c3QgdGVtcG9yYXJpbHkgc3Rhc2ggdGhlIG1lc3Nh Z2UgaW4gYSBTdHJpbmcsIHNpbmNlCiAgICAgICAvLyBkaXNwbGF5U3ludGF4RXJyb3Igd2lsbCBv dmVyd3JpdGUgdGhlIHN0YXRpYyB0ZW1wIHVzZWQgaW4gZm9ybS4KIAotICAgICAgU3RyaW5nIHMo Zm9ybSgiTm8gc3VjaCBzb3J0IG1ldGhvZDogYCVzJyIsIChjb25zdCBjaGFyKiljb25maWctPkZp bmQoInNvcnQiKSkpOworICAgICAgU3RyaW5nIHMoImludmFsaWQgc29ydCBtZXRob2QiKTsKIAog ICAgICAgZGlzcGxheVN5bnRheEVycm9yKHMpOwogICAgICAgcmV0dXJuOwpJbmRleDogaHRkaWct My4yLjBiNi9saWJodGRpZy9SZXN1bHRGZXRjaC5jYwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBodGRpZy0zLjIu MGI2Lm9yaWcvbGliaHRkaWcvUmVzdWx0RmV0Y2guY2MKKysrIGh0ZGlnLTMuMi4wYjYvbGliaHRk aWcvUmVzdWx0RmV0Y2guY2MKQEAgLTE0Miw3ICsxNDIsNyBAQCBSZXN1bHRGZXRjaDo6ZmV0Y2go KQogICAgICAgICAvLyBNdXN0IHRlbXBvcmFyaWx5IHN0YXNoIHRoZSBtZXNzYWdlIGluIGEgU3Ry aW5nLCBzaW5jZQogICAgICAgICAvLyBkaXNwbGF5U3ludGF4RXJyb3Igd2lsbCBvdmVyd3JpdGUg dGhlIHN0YXRpYyB0ZW1wIHVzZWQgaW4gZm9ybS4KIAotICAgICAgICBTdHJpbmcgcyhmb3JtKCJO byBzdWNoIHNvcnQgbWV0aG9kOiBgJXMnIiwgKGNvbnN0IGNoYXIgKikgY29uZmlnLT5GaW5kKCJz b3J0IikpKTsKKyAgICAgICAgU3RyaW5nIHMoImludmFsaWQgc29ydCBtZXRob2QiKTsKIAogICAg ICAgICBkaXNwbGF5U3ludGF4RXJyb3Iocyk7CiAgICAgICAgIC8vcmV0dXJuOwo=