Bug 203193 (CVE-2007-6306)

Summary:	dev-java/jfreechart < 1.0.9 Multiple XSS vulnerabilities (CVE-2007-6306)
Product:	Gentoo Security	Reporter:	Robert Buchholz (RETIRED) <rbu>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	java
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://jfreechart.svn.sourceforge.net/viewvc/jfreechart?view=rev&revision=680
Whiteboard:	B4/~4? [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:	201306
Bug Blocks:

Description Robert Buchholz (RETIRED) gentoo-dev

2007-12-23 22:59:24 UTC

CVE-2007-6306 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6306):
  Multiple cross-site scripting (XSS) vulnerabilities in the image map feature
  in JFreeChart 1.0.8 allow remote attackers to inject arbitrary web script or
  HTML via the (1) chart name or (2) chart tool tip text; or the (3) href, (4)
  shape, or (5) coords attribute of a chart area.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2007-12-23 23:02:50 UTC

See $URL for a patch. Java, please advise.

Comment 2 Petteri Räty (RETIRED) gentoo-dev

2007-12-23 23:19:20 UTC

(In reply to comment #1)
> See $URL for a patch. Java, please advise.
> 

I think this is the issue that 1.0.8a fixes. I already added it a while ago.

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2007-12-24 00:35:00 UTC

I probably should "cvs up" more often, you are of course right.

Question is now whether the (stable) 0.9* versions are also affected by this. If so, we should get a non-vulnerable version stable. If not, this bug is fixed already.

Comment 4 Petteri Räty (RETIRED) gentoo-dev

2007-12-24 01:38:59 UTC

(In reply to comment #3)
> 
> Question is now whether the (stable) 0.9* versions are also affected by this.
> If so, we should get a non-vulnerable version stable. If not, this bug is fixed
> already.
> 

Well I am just waiting for a patch from upstream to request this version stable. currently the unit tests fail.

https://sourceforge.net/tracker/?func=detail&atid=115494&aid=1851416&group_id=15494

Comment 5 Petteri Räty (RETIRED) gentoo-dev

2007-12-25 02:23:28 UTC

(In reply to comment #4)
> 
> Well I am just waiting for a patch from upstream to request this version
> stable. currently the unit tests fail.
> 

Found out they had a 1.0 branch. Pulled the patch from there and asked arches to mark this stable in bug 201306.

Comment 6 Robert Buchholz (RETIRED) gentoo-dev

2007-12-26 12:04:12 UTC

This is ready for GLSA vote.

I vote NO.

Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-12-28 23:30:28 UTC

no too, closing

Comment 8 Robert Buchholz (RETIRED) gentoo-dev

2007-12-29 00:59:28 UTC

According to comments here, there were regressions introduced in the update: 
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=456148#37

Petteri, what do you think?

Comment 9 Petteri Räty (RETIRED) gentoo-dev

2007-12-29 02:37:48 UTC

(In reply to comment #8)
> According to comments here, there were regressions introduced in the update: 
>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=456148#37
> 
> Petteri, what do you think?
> 

Hopefully upstream will get 1.0.9 out soon and fixes the regressions.

Comment 10 Petteri Räty (RETIRED) gentoo-dev

2008-01-07 16:45:22 UTC

(In reply to comment #9)
> 
> Hopefully upstream will get 1.0.9 out soon and fixes the regressions.
> 

1.0.9 out, let's get it stable

Comment 11 Brent Baude (RETIRED) gentoo-dev

2008-01-08 02:12:51 UTC

ppc done

Comment 12 Christian Faulhammer (RETIRED) gentoo-dev

2008-01-08 09:21:29 UTC

x86 stable

Comment 13 Peter Weller (RETIRED) gentoo-dev

2008-01-17 14:32:16 UTC

amd64 done.

Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2008-01-17 14:57:41 UTC

Closing with NO GLSA as per previous vote.