Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-03 13:49:30 UTC

Created attachment 57960 [details, diff]
info2html-xss.diff

Suse patch against 1.1

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-03 13:50:04 UTC

Tom please advise, I'm not sure we're affected by this one.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-09 23:04:32 UTC

Auditors/patchers please advise.

Comment 4 Tavis Ormandy (RETIRED) 2005-05-12 07:35:56 UTC

$ QUERY_STRING='(coreutils) <foo bar="baz">foobar</foo>' ./info2html
Expires: Sat, 31 Jan 1970 00:00:00 GMT
Date: Thu, 12 May 2005 14:35:23 GMT
Content-Type: text/html; charset=ISO-8859-1

<head>
<title>Info Files  -  Error Message</title>
<h1>Error</h1>
</head>
<body>
The Info node <em> <foo bar="baz">foobar</foo></em> in Info file <em>/usr/share/info/coreutils.info.gz</em>
does not exist.
</body>

Comment 5 Tom Payne (RETIRED) 2005-05-13 12:04:08 UTC

Thanks for the patch, now in portage as app-text/info2html-1.4-r1 (note no official release). Patch seems to work:

spark info2html-1.4 # QUERY_STRING='(coreutils) <foo bar="baz">foobar</foo>' ./info2html
Expires: Sat, 31 Jan 1970 00:00:00 GMT
Date: Fri, 13 May 2005 19:00:54 GMT
Content-Type: text/html; charset=ISO-8859-1

<head>
<title>Info Files  -  Error Message</title>
<h1>Error</h1>
</head>
<body>
The Info node <em> &lt;foo bar=&quot;baz&quot;&gt;foobar&lt;/foo&gt;</em> in Info file <em>/usr/share/info/coreutils.info.gz</em>
does not exist.
</body>


Arches, please mark stable.

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-13 22:09:43 UTC

Ok, events overtook me there. Contacted reporter to check when on a disclosure date.

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-18 22:43:05 UTC

We're free to release when we're ready. Calling individual arch testers: 
 
alpha -> kloeri 
hppa -> hansmi 
sparc -> gustavoz 
x86 -> tester 
amd64 -> blubb 
 
Please test and report back on this bug. 
 
Security we also need to decide on GLSA status, I tend to vote NO. 

Comment 8 Simon Stelling (RETIRED) 2005-05-19 10:02:00 UTC

the patch and an updated ebuild already are in the tree, shouldn't this bug get
unlocked?

Comment 9 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-19 10:49:32 UTC

We're giving SUSE a few more days to fix it, as they reported it. 

Comment 10 Gustavo Zacarias (RETIRED) 2005-05-19 10:53:46 UTC

I've already tested and stabled 1.4-r1 on sparc previously in one of my usual
"keep the tree up to date" sprees.
So, it's good for sparc and done actually.

Comment 11 Michael Hanselmann (hansmi) (RETIRED) 2005-05-19 11:13:27 UTC

Tested on hppa and it works fine. Should I mark it stable too?

Comment 12 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-19 12:38:47 UTC

hansmi/arches just mark it stable. 

Comment 13 Michael Hanselmann (hansmi) (RETIRED) 2005-05-20 02:43:21 UTC

Marked stable on hppa.

Comment 14 Bryan Østergaard (RETIRED) 2005-05-20 11:58:03 UTC

Stable on alpha.

Comment 15 Simon Stelling (RETIRED) 2005-05-20 14:47:15 UTC

amd64 stable

Comment 16 Thierry Carrez (RETIRED) 2005-05-27 07:00:02 UTC

jaervosz: I would go ahead and release it, SuSE said to go when we are ready.

Comment 17 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-27 14:59:08 UTC

Woops, as previously stated I tend to vote NO. 

Comment 18 Thierry Carrez (RETIRED) 2005-05-28 01:36:53 UTC

Voting NO too. Persistent XSS issues (like one that allows to post a comment on
a site for everyone to unwittingly load) justify a GLSA, but link-based XSS
issues (like this one, requiring tricking someone into following a very strange
looking link) I tend to vote NO, except on very-widely-Internet-deployed software.

jaervosz: I guess we should open it before closing ?

Comment 19 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-30 08:16:01 UTC

Closing without GLSA and opening bug.