80602 2005-02-03 09:44 0000 www-misc/htdig: Unspecified Input Validation Hole Permits Cross-Site Scripting Attacks 2005-02-13 12:58:03 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://securitytracker.com/alerts/2005/Feb/1013078.html B4 [glsa] P2 minor --- 1 formula7@gentoo.org security@gentoo.org jaervosz@gentoo.org web-apps@gentoo.org formula7@gentoo.org 2005-02-03 09:44:01 0000 Description: An input validation vulnerability was reported in ht://dig. A remote user can conduct cross-site scripting attacks. SuSE reported that a cross-site scripting vulnerability was discovered by Michael Krax. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ht://dig software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ht://dig software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. koon@gentoo.org 2005-02-04 00:52:10 0000 Created an attachment (id=50309) htdig-3.2.0b6-unescaped_output.patch Patch from RedHat koon@gentoo.org 2005-02-04 00:53:17 0000 web-apps: please apply and bump koon@gentoo.org 2005-02-04 00:53:37 0000 *** Bug 79691 has been marked as a duplicate of this bug. *** ka0ttic@gentoo.org 2005-02-10 08:36:19 0000 I've backported the patch to 3.1.6; qtest.cc doesn't exist in this release, so I've only patched htsearch.cc. 3.1.6-r7 is stable on x86. amd64, ppc, and sparc, please mark stable. luckyduck@gentoo.org 2005-02-10 09:14:42 0000 stable on amd64 hansmi@gentoo.org 2005-02-10 12:28:00 0000 Stable on ppc. t4y68ds02@sneakemail.com 2005-02-11 09:52:31 0000 htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is causing both version to want to be installed simultaneously. Shouldn't the new ebuild set the slot as well? ka0ttic@gentoo.org 2005-02-11 10:04:02 0000 > htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is causing both version to want to be installed simultaneously. Shouldn't the new ebuild set the slot as well? Karl, no and actually it's not even possible to set SLOT in ebuilds that inherit webapp.eclass. SLOT is handled by webapps.eclass which r4 doesn't use (it uses the older deprecated webapp-apache). weeve@gentoo.org 2005-02-12 17:59:53 0000 Stable on SPARC. koon@gentoo.org 2005-02-13 05:21:19 0000 Security please vote on GLSA. jaervosz@gentoo.org 2005-02-13 05:51:57 0000 I vote for a GLSA on this one. vorlon@gentoo.org 2005-02-13 09:16:47 0000 dito lewk@gentoo.org 2005-02-13 12:58:03 0000 GLSA 200502-16 50309 2005-02-04 00:52 0000 htdig-3.2.0b6-unescaped_output.patch htdig-3.2.0b6-unescaped_output.patch text/plain LS0tIGh0ZGlnLTMuMi4wYjYvaHRzZWFyY2gvaHRzZWFyY2guY2MudW5lc2NhcGVkX291dHB1dAky MDA1LTAxLTI1IDEyOjUwOjUxLjAwMDAwMDAwMCArMDEwMAorKysgaHRkaWctMy4yLjBiNi9odHNl YXJjaC9odHNlYXJjaC5jYwkyMDA1LTAxLTI1IDEyOjUyOjQ1LjAwMDAwMDAwMCArMDEwMApAQCAt MjExLDggKzIxMSw3IEBACiAJfQogCWlmIChhY2Nlc3MoKGNoYXIqKWNvbmZpZ0ZpbGUsIFJfT0sp IDwgMCkKIAl7Ci0JICAgIHJlcG9ydEVycm9yKGZvcm0oIlVuYWJsZSB0byByZWFkIGNvbmZpZ3Vy YXRpb24gZmlsZSAnJXMnIiwKLQkJCSAgICAgY29uZmlnRmlsZS5nZXQoKSkpOworCSAgICByZXBv cnRFcnJvcigiVW5hYmxlIHRvIHJlYWQgY29uZmlndXJhdGlvbiBmaWxlIik7CiAJfQogCWNvbmZp Zy0+UmVhZChjb25maWdGaWxlKTsKIAotLS0gaHRkaWctMy4yLjBiNi9odHNlYXJjaC9xdGVzdC5j Yy51bmVzY2FwZWRfb3V0cHV0CTIwMDUtMDEtMjUgMTI6NTE6MDAuMDAwMDAwMDAwICswMTAwCisr KyBodGRpZy0zLjIuMGI2L2h0c2VhcmNoL3F0ZXN0LmNjCTIwMDUtMDEtMjUgMTI6NTE6MTkuMDAw MDAwMDAwICswMTAwCkBAIC0xMzIsOCArMTMyLDcgQEAKIAogICAgIGlmIChhY2Nlc3MoKGNoYXIq KWNvbmZpZ0ZpbGUsIFJfT0spIDwgMCkKICAgICB7Ci0JcmVwb3J0RXJyb3IoZm9ybSgiVW5hYmxl IHRvIGZpbmQgY29uZmlndXJhdGlvbiBmaWxlICclcyciLAotCQkJIGNvbmZpZ0ZpbGUuZ2V0KCkp KTsKKwlyZXBvcnRFcnJvcigiVW5hYmxlIHRvIGZpbmQgY29uZmlndXJhdGlvbiBmaWxlIik7CiAg ICAgfQogCQogICAgIGNvbmZpZy0+UmVhZChjb25maWdGaWxlKTsK