Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 233562 (CVE-2008-3422)

Summary: <dev-lang/mono-2.0.1-r1 ASP.net XSS, Sys.Web Header injection (CVE-2008-3422, CVE-2008-3906)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: dotnet
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://thread.gmane.org/gmane.comp.gnome.mono.devel/28500
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 234305    
Bug Blocks:    

Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-01 08:51:00 UTC 
CVE-2008-3422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3422):
  Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net class
  libraries in Mono 2.0 and earlier allow remote attackers to inject arbitrary
  web script or HTML via crafted attributes related to (1) HtmlControl.cs
  (PreProcessRelativeReference), (2) HtmlForm.cs (RenderAttributes), (3)
  HtmlInputButton (RenderAttributes), (4) HtmlInputRadioButton
  (RenderAttributes), and (5) HtmlSelect (RenderChildren).
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 22:36:25 UTC 
Patches @ svn://anonsvn.mono-project.com/source
mono-1-9 : 109358
mono-2-0 : 109348
trunk : 109349
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-08-28 14:55:12 UTC 
There is also a header injection issue, see here:
https://bugzilla.novell.com/show_bug.cgi?id=418620

Quote:
Fixes for the following Mono branches have been committed:

branches/mono-1-1-7 (r111116)
branches/mono-1-1-18 (r111117)
branches/mono-1-2-2 (r111118)
branches/mono-1-2-5 (r111119)
branches/mono-1-9 (r111120)

Second part of the fix (implementation for 1.1) committed to the following
branches:
trunk (r111122)
branches/mono-2-0 (r111123)
branches/mono-1-1-7 (r111125)
branches/mono-1-1-18 (r111126)
branches/mono-1-2-2 (r111127)
branches/mono-1-2-5 (r111128)
branches/mono-1-9 (r111129)
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-09-12 13:47:07 UTC 
CVE-2008-3906 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3906):
  CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier
  allows remote attackers to inject arbitrary HTTP headers and conduct
  HTTP response splitting attacks via CRLF sequences in the query
  string.
Comment 4 Peter Alfredsen (RETIRED) gentoo-dev 2009-04-04 15:03:55 UTC 
2.0 stable, GLSA-ready.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-09 21:58:14 UTC 
GLSA decision, i vote NO.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-04-12 16:23:54 UTC 
confirmed that dev-lang/mono-2.0.1-r1 carries all fixes.

voting NO.