Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 606114 - <www-apps/novnc-0.6.2: XSS allowing remote VNC servers to inject arbitrary HTML into the noVNC display page.
Summary: <www-apps/novnc-0.6.2: XSS allowing remote VNC servers to inject arbitrary HT...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-17 20:38 UTC by Matthew Thode ( prometheanfire )
Modified: 2017-01-19 08:09 UTC (History)
0 users

See Also:
Package list:
=www-apps/novnc-0.6.2 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-01-17 20:38:21 UTC 
The diff between 0.6.1 and 0.6.2 is only the commit that fixes this.  So please stabilize.

Previously, setting `innerHTML` was used to display the statuses.  These
could include content communicated from the remote VNC server, allowing
the remove VNC server to inject HTML into the noVNC page.

This commit switches all uses of `innerHTML` to use `textContent`, which
is not vulnerable to the HTML injection.

Fixes a XSS vulnerability in the noVNC status display which could allow
remote VNC servers to inject arbitrary HTML into the noVNC display page.

Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2017-01-18 11:29:38 UTC 
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2017-01-18 12:01:02 UTC 
x86 stable.

Maintainer(s), please cleanup.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-01-18 23:07:52 UTC 
GLSA Vote: No