Bug 200285 - www-misc/htdig <=3.2.0_beta6-r2 Cross-Site-Scripting (CVE-2007-6110)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://sourceforge.net/mailarchive/fo...
Whiteboard: B4 [noglsa]
Reported: 2007-11-25 15:14 UTC by Robert Buchholz (RETIRED)
Modified: 2008-03-06 09:51 UTC (History)
Attachments
htdig-quoting.patch (htdig-quoting.patch,1.10 KB, patch)
2007-12-03 00:59 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-25 15:14:06 UTC
CVE-2007-6110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6110):
  Cross-site scripting (XSS) vulnerability in htsearch in htdig 3.2.0b6 allows
  remote attackers to inject arbitrary web script or HTML via the sort
  parameter.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-25 15:17:50 UTC
Web-apps, please advise.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2007-12-02 15:44:12 UTC
Hrm, looks like no upstream activity since 2004. The bug has been reported by SuSE but what I assume is their latest package (htdig-3.2.0b6-123) does not seem to provide a fix for the issue. 

The application is currently marked stable on these architectures:

alpha amd64 hppa ia64 ppc ppc64 sparc x86

We'll probably have to mask it if there is no way to get a fix for this.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 00:59:09 UTC
Created attachment 137588
htdig-quoting.patch
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 01:00:58 UTC
Suse provides an updated package in their 10.2 testing repository; I attached the patch above.

It actually removes the output rather than quoting it, but in the end, that error message would not come from links inside the application anyway.
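
The distinction comment 4 draws, between removing the reflected value from the error message and quoting it, as an added C++ example; it is not the attached patch and not htdig code. The allowlist of sort keys and the error wording are assumptions made for illustration.

```cpp
#include <iostream>
#include <set>
#include <string>

// Escape the characters that are significant in HTML text and attribute values.
std::string html_escape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Assumed allowlist of sort keys, for illustration only.
bool is_valid_sort(const std::string &v) {
    static const std::set<std::string> allowed = {
        "score", "time", "title", "revscore", "revtime", "revtitle"};
    return allowed.count(v) != 0;
}

enum class ErrorStyle { Reflect, Omit, Quote };

// Error fragment for a rejected sort value (constructed wording); empty if accepted.
std::string sort_error(const std::string &value, ErrorStyle style) {
    if (is_valid_sort(value)) return "";
    switch (style) {
        case ErrorStyle::Reflect:  // the vulnerable pattern: raw value in HTML
            return "<p>Invalid sort method: " + value + "</p>";
        case ErrorStyle::Omit:     // removing the output, as comment 4 describes
            return "<p>Invalid sort method.</p>";
        case ErrorStyle::Quote:    // the alternative: keep the value, escaped
            return "<p>Invalid sort method: " + html_escape(value) + "</p>";
    }
    return "";
}

int main() {
    const std::string sample = "<script>alert(1)</script>";  // constructed input
    std::cout << sort_error(sample, ErrorStyle::Reflect) << "\n"
              << sort_error(sample, ErrorStyle::Omit) << "\n"
              << sort_error(sample, ErrorStyle::Quote) << "\n";
}
```
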
Comment 5 Gunnar Wrobel (RETIRED) gentoo-dev 2007-12-03 08:15:12 UTC
Sorry, I obviously didn't know where I had to check. Thanks for the hint. Now I found it too and applied the patch.

htdig-3.2.0_beta6-r3 is in the tree and needs to be marked stable by

 alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 6 Gunnar Wrobel (RETIRED) gentoo-dev 2007-12-03 08:18:46 UTC
added arches
Comment 7 Markus Meier gentoo-dev 2007-12-03 12:20:43 UTC
x86 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2007-12-04 10:59:45 UTC
alpha/ia64/sparc stable and beandog did amd64
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-04 16:05:40 UTC
Stable for HPPA.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2007-12-04 17:58:46 UTC
ppc64 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-04 19:46:20 UTC
ppc stable, ready for glsa voting
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 23:17:28 UTC
non-persistent xss, voting NO.
Comment 13 Gunnar Wrobel (RETIRED) gentoo-dev 2007-12-05 05:21:57 UTC
Removed insecure ebuild. webapps done here.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-05 08:45:07 UTC
no too, closing.
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:51:25 UTC
Does not affect current (2008.0) release. Removing release.