There is a potential XSS vulnerability on the /help webpage.
http://fossil-scm.org/index.html/doc/trunk/www/changes.wiki#v2_3
http://www.fossil-scm.org/xfer/info/db482f1675d5d084
http://www.fossil-scm.org/xfer/info/8e27a5a084a55f18
@Maintainer(s), this vulnerability has been fixed in 2.3, please provide an updated ebuild.
commit 86c9dd9719d58f940d0eb6f5c0c0974ad7e0ab50 (HEAD -> master, origin/master, origin/HEAD)
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Sat Aug 12 08:01:33 2017 -0400

    dev-vcs/fossil: Security Bump to 2.3

    Version 2.3 fixes a potential XSS vulnerability on the /help webpage.

    Gentoo-Bug: 627674
    Package-Manager: Portage-2.3.6, Repoman-2.3.1
Stabilization target: =dev-vcs/fossil-2.3 ~amd64 ~x86
2.x branch was never stabilised, why should we stabilize this now?
(In reply to Mikle Kolyada from comment #3)
> 2.x branch was never stabilised, why should we stabilize this now?
(rather than just drop old unstable)
(In reply to Mikle Kolyada from comment #3)
> 2.x branch was never stabilised, why should we stabilize this now?
From what I can tell, all versions prior to 2.3 are affected [1], and dispatch.c is a split from main.c. The lines that are modified by c4135c158e049ba8 [2] in dispatch.c exist further back in main.c. In short, the /help page was not added with 2.0.
And, calling it a branch is a bit strong as Fossil isn't maintaining a 1.x branch. It's just the latest, tagged version.
[1]: https://www.fossil-scm.org/xfer/finfo?name=src/dispatch.c
[2]: https://www.fossil-scm.org/xfer/fdiff?sbs=1&v1=4e634c0cf22b7dd6&v2=c4135c158e049ba8
amd64 tested, ok. Also tested dev-db/sqlite-3.20.1 to enable system-sqlite USE flag
I am a bit confused ....
Are you stabilizing fossil-2.3? If so it would be:
=dev-vcs/fossil-2.3 amd64 x86
If you are just bumping to the next version and nothing is stable that means that no stabilization is needed.
Please advise what you meant to do.
(In reply to Yury German from comment #7)
> I am a bit confused ....
> Are you stabilizing fossil-2.3? if so it would be:
> =dev-vcs/fossil-2.3 amd64 x86
The format of the list with the tildes is something Agostino "ago" Sarubbo encouraged several years ago as it made it easy to just copy and paste the list into package.accept_keywords. If you and others are getting hung up on it, I can present the list in a different manner.
> If you are just bumping to the next version and nothing is stable that means
> that no stabilization is needed.
>
> Please advise what you meant to do.
There is a stable version in the tree: 1.35. All versions in the tree earlier than 2.3 are affected by this potential vulnerability. If we don't want to consider 1.35 as having something stable in the tree, I'm fine with removing all versions prior to 2.3 so we can close this bug, and I'll open a separate stabilization bug in 3 days.
On a separate note, dev-vcs/fossil-2.3 requires >=dev-db/sqlite-3.20.0. Bug 630738 covers this requirement.
x86 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b037661b68a36a80fd76db911a266430374fb2a5

commit b037661b68a36a80fd76db911a266430374fb2a5
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-01-22 10:48:56 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-01-22 10:48:56 +0000

    dev-vcs/fossil: Clean old, insecure

    Bug: https://bugs.gentoo.org/627674
    Bug: https://bugs.gentoo.org/640208
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-vcs/fossil/Manifest | 2 --
 dev-vcs/fossil/fossil-1.35.ebuild | 52 ------------------------------------
 dev-vcs/fossil/fossil-2.3.ebuild | 55 ---------------------------------------
 3 files changed, 109 deletions(-)}
(In reply to Larry the Git Cow from comment #10)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=b037661b68a36a80fd76db911a266430374fb2a5
>
> commit b037661b68a36a80fd76db911a266430374fb2a5
> Author: Aaron W. Swenson <titanofold@gentoo.org>
> AuthorDate: 2018-01-22 10:48:56 +0000
> Commit: Aaron W. Swenson <titanofold@gentoo.org>
> CommitDate: 2018-01-22 10:48:56 +0000
>
> dev-vcs/fossil: Clean old, insecure
>
> Bug: https://bugs.gentoo.org/627674
> Bug: https://bugs.gentoo.org/640208
> Package-Manager: Portage-2.3.19, Repoman-2.3.6
>
> dev-vcs/fossil/Manifest | 2 --
> dev-vcs/fossil/fossil-1.35.ebuild | 52 ------------------------------------
> dev-vcs/fossil/fossil-2.3.ebuild | 55
> ---------------------------------------
> 3 files changed, 109 deletions(-)}
Thanks, Aaron!
GLSA Vote: No