Bug 80602

Summary: www-misc/htdig: Unspecified Input Validation Hole Permits Cross-Site Scripting Attacks
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jaervosz, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://securitytracker.com/alerts/2005/Feb/1013078.html
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
htdig-3.2.0b6-unescaped_output.patch none

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-03 09:44:01 UTC
Description:  An input validation vulnerability was reported in ht://dig. A remote user can conduct cross-site scripting attacks.

SuSE reported that a cross-site scripting vulnerability was discovered by Michael Krax. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ht://dig software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ht://dig software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 00:52:10 UTC
Created attachment 50309
htdig-3.2.0b6-unescaped_output.patch

Patch from RedHat
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 00:53:17 UTC
web-apps: please apply and bump
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 00:53:37 UTC
*** Bug 79691 has been marked as a duplicate of this bug. ***
Comment 4 Aaron Walker (RETIRED) gentoo-dev 2005-02-10 08:36:19 UTC
I've backported the patch to 3.1.6; qtest.cc doesn't exist in this release, so I've only patched htsearch.cc.

3.1.6-r7 is stable on x86.  amd64, ppc, and sparc, please mark stable.
Comment 5 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-10 09:14:42 UTC
stable on amd64
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-10 12:28:00 UTC
Stable on ppc.
Comment 7 Karl Hakimian 2005-02-11 09:52:31 UTC
htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is causing both versions to want to be installed simultaneously. Shouldn't the new ebuild set the slot as well?
Comment 8 Aaron Walker (RETIRED) gentoo-dev 2005-02-11 10:04:02 UTC
> htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is causing both versions to want to be installed simultaneously. Shouldn't the new ebuild set the slot as well?

Karl, no and actually it's not even possible to set SLOT in ebuilds that inherit webapp.eclass.  SLOT is handled by webapps.eclass which r4 doesn't use (it uses the older deprecated webapp-apache).
Comment 9 Jason Wever (RETIRED) gentoo-dev 2005-02-12 17:59:53 UTC
Stable on SPARC.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-02-13 05:21:19 UTC
Security please vote on GLSA.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-13 05:51:57 UTC
I vote for a GLSA on this one.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-13 09:16:47 UTC
ditto
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-02-13 12:58:03 UTC
GLSA 200502-16