Bug 80602 - www-misc/htdig: Unspecified Input Validation Hole Permits Cross-Site Scripting Attacks
Bug#: 80602 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: formula7@gentoo.org
Component: Vulnerabilities
URL:  http://securitytracker.com/alerts/2005/Feb/1013078.html
Summary: www-misc/htdig: Unspecified Input Validation Hole Permits Cross-Site Scripting Attacks
Keywords:  
Status Whiteboard: B4 [glsa]
Opened: 2005-02-03 09:44 0000
Description:  An input validation vulnerability was reported in ht://dig. A
remote user can conduct cross-site scripting attacks.

SuSE reported that a cross-site scripting vulnerability was discovered by
Michael Krax. A remote user can cause arbitrary scripting code to be executed
by the target user's browser. The code will originate from the site running the
ht://dig software and will run in the security context of that site. As a
result, the code will be able to access the target user's cookies (including
authentication cookies), if any, associated with the site, access data recently
submitted by the target user via web form to the site, or take actions on the
site acting as the target user.

Impact:  A remote user can access the target user's cookies (including
authentication cookies), if any, associated with the site running the ht://dig
software, access data recently submitted by the target user via web form to the
site, or take actions on the site acting as the target user.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-02-04 00:52:10 0000 -------
Created an attachment (id=50309)
htdig-3.2.0b6-unescaped_output.patch

Patch from RedHat

------- Comment #2 From Thierry Carrez (RETIRED) 2005-02-04 00:53:17 0000 -------
web-apps: please apply and bump

------- Comment #3 From Thierry Carrez (RETIRED) 2005-02-04 00:53:37 0000 -------
*** Bug 79691 has been marked as a duplicate of this bug. ***

------- Comment #4 From Aaron Walker (RETIRED) 2005-02-10 08:36:19 0000 -------
I've backported the patch to 3.1.6; qtest.cc doesn't exist in this release, so
I've only patched htsearch.cc.

3.1.6-r7 is stable on x86.  amd64, ppc, and sparc, please mark stable.

------- Comment #5 From Jan Brinkmann (RETIRED) 2005-02-10 09:14:42 0000 -------
stable on amd64

------- Comment #6 From Michael Hanselmann (hansmi) (RETIRED) 2005-02-10 12:28:00 0000 -------
Stable on ppc.

------- Comment #7 From Karl Hakimian 2005-02-11 09:52:31 0000 -------
htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is
causing both versions to want to be installed simultaneously. Shouldn't the new
ebuild set the slot as well?

------- Comment #8 From Aaron Walker (RETIRED) 2005-02-11 10:04:02 0000 -------
> htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is causing both versions to want to be installed simultaneously. Shouldn't the new ebuild set the slot as well?

Karl, no and actually it's not even possible to set SLOT in ebuilds that
inherit webapp.eclass.  SLOT is handled by webapps.eclass which r4 doesn't use
(it uses the older deprecated webapp-apache).

------- Comment #9 From Jason Wever (RETIRED) 2005-02-12 17:59:53 0000 -------
Stable on SPARC.

------- Comment #10 From Thierry Carrez (RETIRED) 2005-02-13 05:21:19 0000 -------
Security please vote on GLSA.

------- Comment #11 From Sune Kloppenborg Jeppesen 2005-02-13 05:51:57 0000 -------
I vote for a GLSA on this one.

------- Comment #12 From Matthias Geerdsen 2005-02-13 09:16:47 0000 -------
ditto

------- Comment #13 From Luke Macken (RETIRED) 2005-02-13 12:58:03 0000 -------
GLSA 200502-16