Bug#: 80602
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jean-François Brunette (RETIRED) <formula7@gentoo.org>

Attachment: htdig-3.2.0b6-unescaped_output.patch (patch), created by Thierry Carrez (RETIRED), 2005-02-04 00:52 0000, 837 bytes

Description:   Opened: 2005-02-03 09:44 0000
Description:  An input validation vulnerability was reported in ht://dig. A
remote user can conduct cross-site scripting attacks.

SuSE reported that a cross-site scripting vulnerability was discovered by
Michael Krax. A remote user can cause arbitrary scripting code to be executed
by the target user's browser. The code will originate from the site running the
ht://dig software and will run in the security context of that site. As a
result, the code will be able to access the target user's cookies (including
authentication cookies), if any, associated with the site, access data recently
submitted by the target user via web form to the site, or take actions on the
site acting as the target user.

Impact:  A remote user can access the target user's cookies (including
authentication cookies), if any, associated with the site running the ht://dig
software, access data recently submitted by the target user via web form to the
site, or take actions on the site acting as the target user.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-02-04 00:52:10 0000 -------
Created an attachment (id=50309)
htdig-3.2.0b6-unescaped_output.patch

Patch from RedHat

------- Comment #2 From Thierry Carrez (RETIRED) 2005-02-04 00:53:17 0000 -------
web-apps: please apply and bump

------- Comment #3 From Thierry Carrez (RETIRED) 2005-02-04 00:53:37 0000 -------
*** Bug 79691 has been marked as a duplicate of this bug. ***

------- Comment #4 From Aaron Walker (RETIRED) 2005-02-10 08:36:19 0000 -------
I've backported the patch to 3.1.6; qtest.cc doesn't exist in this release, so
I've only patched htsearch.cc.

3.1.6-r7 is stable on x86.  amd64, ppc, and sparc, please mark stable.

------- Comment #5 From Jan Brinkmann (RETIRED) 2005-02-10 09:14:42 0000 -------
stable on amd64

------- Comment #6 From Michael Hanselmann (hansmi) (RETIRED) 2005-02-10 12:28:00 0000 -------
Stable on ppc.

------- Comment #7 From Karl Hakimian 2005-02-11 09:52:31 0000 -------
htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is
causing both versions to want to be installed simultaneously. Shouldn't the new
ebuild set the slot as well?

------- Comment #8 From Aaron Walker (RETIRED) 2005-02-11 10:04:02 0000 -------
> htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is causing both versions to want to be installed simultaneously. Shouldn't the new ebuild set the slot as well?

Karl, no, and actually it's not even possible to set SLOT in ebuilds that
inherit webapp.eclass.  SLOT is handled by webapps.eclass which r4 doesn't use
(it uses the older deprecated webapp-apache).

------- Comment #9 From Jason Wever (RETIRED) 2005-02-12 17:59:53 0000 -------
Stable on SPARC.

------- Comment #10 From Thierry Carrez (RETIRED) 2005-02-13 05:21:19 0000 -------
Security please vote on GLSA.

------- Comment #11 From Sune Kloppenborg Jeppesen 2005-02-13 05:51:57 0000 -------
I vote for a GLSA on this one.

------- Comment #12 From Matthias Geerdsen 2005-02-13 09:16:47 0000 -------
ditto

------- Comment #13 From Luke Macken (RETIRED) 2005-02-13 12:58:03 0000 -------
GLSA 200502-16
