Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 582528 (CVE-2016-4561)

Summary: <www-apps/ikiwiki-3.20160905: XSS in raised exception via crafted filename (CVE-2016-4561)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: alicef
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1334191
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-05-09 09:44:25 UTC 
From ${URL} :

An XSS vulnerability was found in ikiwiki. The instance in cgierror() is a potential cross-site scripting attack, because an attacker could conceivably cause some module to raise an exception that includes attacker-supplied HTML in its message, for example via a 
crafted filename.

Upstream fix:

http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7

References:

http://seclists.org/oss-sec/2016/q2/267


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-04 11:09:13 UTC 
CVE-2016-4561 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4561):
  Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm
  in ikiwiki before 3.20160506 might allow remote attackers to inject
  arbitrary web script or HTML via unspecified vectors involving an error
  message.
Comment 2 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2016-09-18 10:00:51 UTC 
fixed with Version bump to 3.20160905
https://github.com/gentoo/gentoo/commit/cf6ce29f81b854d58acbafa1749f1621f09c432c
Comment 3 Agostino Sarubbo gentoo-dev 2016-10-10 08:03:58 UTC 
(In reply to Alice Ferrazzi from comment #2)
> fixed with Version bump to 3.20160905
> https://github.com/gentoo/gentoo/commit/
> cf6ce29f81b854d58acbafa1749f1621f09c432c

  www-apps/ikiwiki/ikiwiki-3.20160905.ebuild: x86
  dependency.bad [fatal]        28
   www-apps/ikiwiki/ikiwiki-3.20160905.ebuild: DEPEND: amd64(default/linux/amd64/13.0)
[     'dev-perl/Text-Markdown',
      'dev-perl/YAML-LibYAML',
      'dev-perl/Net-OpenID-Consumer',
      'dev-perl/XML-Feed']
Comment 4 Agostino Sarubbo gentoo-dev 2016-10-19 11:06:00 UTC 
amd64 stable.

Maintainer(s), please cleanup.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-11-11 12:21:09 UTC 
@maintainer(s), please cleanup.
Comment 6 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2016-11-11 18:01:30 UTC 
cleaned affected version
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-11-12 00:27:12 UTC 
(In reply to Alice Ferrazzi from comment #6)
> cleaned affected version

Thanks, Alice!