
Bug 582234 (CVE-2016-1236)

Summary: <www-apps/websvn-2.3.3-r1: XSS vulnerability (CVE-2016-1236)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 552684
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2016-05-06 08:43:36 UTC
From ${URL} :

A vulnerability was found in websvn. Having a directory or file in a repository with its filename containing an XSS payload will cause it to be executed in various parts of the application.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2016-08-11 18:34:59 UTC
Upstream is dead; patches come from Debian.

commit:     196fa9022f136bcbd82ab6f52a8d4c617b0603d6
Author:     Brian Evans <grknight <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 11 18:21:29 2016 +0000
Commit:     Brian Evans <grknight <AT> gentoo <DOT> org>
CommitDate: Thu Aug 11 18:26:27 2016 +0000

www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup

Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

 .../websvn/files/13_security_CVE-2013-6892.patch   | 39 ++++++++++++++
 www-apps/websvn/files/30_CVE-2016-2511.patch       | 11 ++++
 www-apps/websvn/files/31_CVE-2016-1236.patch       | 61 ++++++++++++++++++++++
 www-apps/websvn/websvn-2.3.3-r1.ebuild             | 54 +++++++++++++++++++
 4 files changed, 165 insertions(+)
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-10-22 13:36:14 UTC
CVE-2016-1236:
  Multiple cross-site scripting (XSS) vulnerabilities in (1) revision.php, (2)
  log.php, (3) listing.php, and (4) comp.php in WebSVN allow context-dependent
  attackers to inject arbitrary web script or HTML via the name of a (a) file
  or (b) directory in a repository.
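The mechanism described in the report and in the CVE text above is a stored XSS whose source is the Subversion entry name itself: the listing, log, revision and comp views interpolate names from the repository into HTML without output encoding. The following is an added illustration, written in Python rather than WebSVN's PHP and not taken from WebSVN or from the Debian patches; the listing template, the `listing.php?repname=...&path=...` link shape and the two hostile entry names are constructed for the example. It contrasts a renderer that drops names straight into the page with one that encodes for each output context (URL query, HTML attribute, HTML text), and includes a small parser-based check that tells the two apart, plus a scan of entry names that an administrator of an unpatched instance could run over `svn ls` output.

```python
"""Stored XSS via repository entry names (added example, not WebSVN code).

A WebSVN-style view builds table rows from Subversion entry names.  If a
name reaches the page unencoded, an entry called
'<img src=x onerror=alert(1)>.txt' becomes markup in every view that lists
it.  The safe renderer below encodes for each context separately.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample of what `svn ls` of a hostile repository might return.
SAMPLE_ENTRIES = [
    "README.md",
    "<img src=x onerror=alert(1)>.txt",         # element injection in text context
    'closing" onmouseover="alert(2)',            # attribute breakout in href context
    "docs/",
]


def render_row_unsafe(repo, path, name):
    """Vulnerable pattern: repo, path and name are interpolated verbatim."""
    href = f"listing.php?repname={repo}&path={path}{name}"
    return f'<tr><td><a href="{href}">{name}</a></td></tr>'


def render_row_safe(repo, path, name):
    """Hardened pattern: percent-encode the query values, then HTML-encode
    the attribute value and the link text (each for its own context)."""
    href = ("listing.php?repname=" + quote(repo, safe="")
            + "&path=" + quote(path + name, safe="/"))
    return ('<tr><td><a href="' + escape(href, quote=True) + '">'
            + escape(name, quote=True) + "</a></td></tr>")


class _TagCollector(HTMLParser):
    """Records every start tag and its attribute names, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found.append((tag, [a for a, _ in attrs]))


def injected_markup(row):
    """Return the (tag, attribute-names) pairs a listing row must not contain.

    The template legitimately produces <tr>, <td> and <a href="...">.  Any
    other element, or any attribute on the link other than href, did not come
    from the template, so it came from the entry name.
    """
    parser = _TagCollector()
    parser.feed(row)
    parser.close()
    return [(tag, attrs) for tag, attrs in parser.found
            if tag not in ("tr", "td", "a") or any(a != "href" for a in attrs)]


_HTML_META = re.compile(r"""[<>"'&]""")


def scan_entry_names(entries):
    """Audit helper: names containing HTML metacharacters.  On an instance
    that cannot be patched, these are the entries worth reviewing."""
    return [name for name in entries if _HTML_META.search(name)]


if __name__ == "__main__":
    for name in SAMPLE_ENTRIES:
        for label, render in (("unsafe", render_row_unsafe), ("safe", render_row_safe)):
            print(label, repr(name), injected_markup(render("repo", "/", name)))
    print("suspicious names:", scan_entry_names(SAMPLE_ENTRIES))
```

Encoding twice (percent-encoding inside the URL, then HTML-escaping the finished attribute value) is what keeps the attribute-breakout name from closing the `href` quote; escaping only the link text would leave that case open.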
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-16 04:39:30 UTC
GLSA Vote: No

tree is clean: