Bug 203193 (CVE-2007-6306) - dev-java/jfreechart < 1.0.9 Multiple XSS vulnerabilities (CVE-2007-6306)
Summary: dev-java/jfreechart < 1.0.9 Multiple XSS vulnerabilities (CVE-2007-6306)
Status: RESOLVED FIXED
Alias: CVE-2007-6306
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://jfreechart.svn.sourceforge.net...
Whiteboard: B4/~4? [noglsa]
Keywords:
Depends on: 201306
Blocks:
Reported: 2007-12-23 22:59 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-17 14:57 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-23 22:59:24 UTC
CVE-2007-6306 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6306):
  Multiple cross-site scripting (XSS) vulnerabilities in the image map feature
  in JFreeChart 1.0.8 allow remote attackers to inject arbitrary web script or
  HTML via the (1) chart name or (2) chart tool tip text; or the (3) href, (4)
  shape, or (5) coords attribute of a chart area.
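As an added illustration (not JFreeChart's code, and not part of this bug report), the following Python sketches why the five fields listed above are injection points when an image-map writer concatenates them straight into `<map>`/`<area>` attributes, and what a hardened writer does differently: HTML-escape the free-text fields (chart name, tooltip), allowlist `shape`, pattern-check `coords`, and restrict the `href` scheme, since escaping alone does not neutralise a `javascript:` URL. The chart data and attacker strings are constructed for the example; Python is used so the point stays independent of any JFreeChart API.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample data (not taken from JFreeChart): the per-entity strings a
# chart's image-map writer copies into <map>/<area> attributes. Attacker text is
# planted in each of the five fields named in CVE-2007-6306: chart name,
# tooltip, href, shape and coords.
CHART_NAME = 'sales" onload="alert(1)'
ENTITIES = [
    {"shape": "rect", "coords": "10,10,60,40",
     "href": "/detail?series=A", "tooltip": "Sales Q1"},
    {"shape": "rect", "coords": "70,10,120,40",
     "href": "javascript:alert(document.cookie)",
     "tooltip": 'Q2" onmouseover="alert(1)'},
    {"shape": 'poly" onclick="alert(1)', "coords": '1,1,2,2" onfocus="alert(1)',
     "href": "/detail?series=C", "tooltip": "Series C"},
]

ALLOWED_SHAPES = {"rect", "circle", "poly", "default"}
COORDS_RE = re.compile(r"^\d+(,\d+)*$")
AREA_FMT = '<area shape="%s" coords="%s" href="%s" title="%s"/>'


def image_map_unsafe(name, entities):
    """Vulnerable writer: every value is concatenated into the markup verbatim,
    so a double quote in any field ends the attribute and starts a new one."""
    lines = ['<map name="%s">' % name]
    for e in entities:
        lines.append(AREA_FMT % (e["shape"], e["coords"], e["href"], e["tooltip"]))
    lines.append("</map>")
    return "\n".join(lines)


def safe_href(href):
    """Keep relative URLs and http(s); anything else (javascript:, data:, vbscript:)
    is replaced, because attribute escaping does not neutralise a URL scheme."""
    scheme = urlsplit(href).scheme.lower()
    return href if scheme in ("", "http", "https") else "#"


def image_map_safe(name, entities):
    """Hardened writer: structural attributes are validated (allowlist for shape,
    strict pattern for coords, scheme check for href) and free-text attributes are
    HTML-escaped with quote=True so they cannot terminate the attribute."""
    lines = ['<map name="%s">' % html.escape(name, quote=True)]
    for e in entities:
        shape = e["shape"] if e["shape"] in ALLOWED_SHAPES else "default"
        coords = e["coords"] if COORDS_RE.match(e["coords"]) else ""
        href = html.escape(safe_href(e["href"]), quote=True)
        title = html.escape(e["tooltip"], quote=True)
        lines.append(AREA_FMT % (shape, coords, href, title))
    lines.append("</map>")
    return "\n".join(lines)


class _TagCollector(HTMLParser):
    """Records (tag, {attribute: value}) for each start tag, as a browser would
    see it; attribute values come back with entities decoded."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def event_handlers(markup):
    """on* attributes present in the parsed markup. Data-driven markup should
    never contain any; each one found here is an injected script hook."""
    return [(tag, attr) for tag, attrs in parse_tags(markup)
            for attr in attrs if attr.startswith("on")]


if __name__ == "__main__":
    for label, writer in (("unsafe", image_map_unsafe), ("safe", image_map_safe)):
        markup = writer(CHART_NAME, ENTITIES)
        print("--- %s ---\n%s" % (label, markup))
        print("injected handlers:", event_handlers(markup))
```

Parsing the output back the way a browser would is the useful check: the unsafe writer yields four `on*` attributes the data never asked for, while the safe writer yields none, and the escaped chart name still round-trips to the exact original string, so escaping loses no information. Note the two different failure classes: quote-breaking in name, tooltip, shape and coords is fixed by escaping or validation, but the `javascript:` href is well-formed markup and is only stopped by the scheme check.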
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-23 23:02:50 UTC
See $URL for a patch. Java, please advise.
Comment 2 Petteri Räty (RETIRED) gentoo-dev 2007-12-23 23:19:20 UTC
(In reply to comment #1)
> See $URL for a patch. Java, please advise.
> 

I think this is the issue that 1.0.8a fixes. I already added it a while ago.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-24 00:35:00 UTC
I probably should "cvs up" more often; you are, of course, right.

Question is now whether the (stable) 0.9* versions are also affected by this. If so, we should get a non-vulnerable version stable. If not, this bug is fixed already.
Comment 4 Petteri Räty (RETIRED) gentoo-dev 2007-12-24 01:38:59 UTC
(In reply to comment #3)
> 
> Question is now whether the (stable) 0.9* versions are also affected by this.
> If so, we should get a non-vulnerable version stable. If not, this bug is fixed
> already.
> 

Well, I am just waiting for a patch from upstream to request this version stable. Currently the unit tests fail.

https://sourceforge.net/tracker/?func=detail&atid=115494&aid=1851416&group_id=15494
Comment 5 Petteri Räty (RETIRED) gentoo-dev 2007-12-25 02:23:28 UTC
(In reply to comment #4)
> 
> Well, I am just waiting for a patch from upstream to request this version
> stable. Currently the unit tests fail.
> 

Found out they had a 1.0 branch. Pulled the patch from there and asked arches to mark this stable in bug 201306.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-26 12:04:12 UTC
This is ready for GLSA vote.

I vote NO.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-28 23:30:28 UTC
No too, closing.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-12-29 00:59:28 UTC
According to comments here, there were regressions introduced in the update: 
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=456148#37

Petteri, what do you think?
Comment 9 Petteri Räty (RETIRED) gentoo-dev 2007-12-29 02:37:48 UTC
(In reply to comment #8)
> According to comments here, there were regressions introduced in the update: 
>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=456148#37
> 
> Petteri, what do you think?
> 

Hopefully upstream will get 1.0.9 out soon and fix the regressions.
Comment 10 Petteri Räty (RETIRED) gentoo-dev 2008-01-07 16:45:22 UTC
(In reply to comment #9)
> 
> Hopefully upstream will get 1.0.9 out soon and fix the regressions.
> 

1.0.9 out, let's get it stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2008-01-08 02:12:51 UTC
ppc done
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2008-01-08 09:21:29 UTC
x86 stable
Comment 13 Peter Weller (RETIRED) gentoo-dev 2008-01-17 14:32:16 UTC
amd64 done.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-17 14:57:41 UTC
Closing with NO GLSA as per previous vote.