Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711212 (CVE-2019-9673) - <net-p2p/freenet-0.7.5_p1484: Content filter escape (CVE-2019-9673)
Summary: <net-p2p/freenet-0.7.5_p1484: Content filter escape (CVE-2019-9673)
Status: RESOLVED FIXED
Alias: CVE-2019-9673
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://freenetproject.org/freenet-bu...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-01 19:47 UTC by Sam James
Modified: 2020-03-08 18:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 19:47:29 UTC 
Description:
"Thanks to thesnark and operhiem1 we have a fix to a way to circumvent the content filter. This could have resulted in handing an insecure file to an external (and potentially vulnerable) program without showing a warning to the user. Please update ASAP to avoid that. See CVE-2019-9673 for details."

Fixed in 0.7.5_p1484.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 19:49:58 UTC 
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9673

Alternative description (via MITRE):
"Freenet 1483 has a MIME type bypass that allows arbitrary JavaScript execution via a crafted Freenet URI."


Given that in the context of Freenet, this can be quite serious, changing to B2.
Comment 2 Thomas Sachau gentoo-dev 2020-03-08 09:59:02 UTC 
Versions prior to 0.7.5_p1484 removed.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-08 18:21:55 UTC 
Repository is clean. All done.