Bug 118302 - www-apps/trac 0.9.3 is out - fixes XSS vulnerability
Summary: www-apps/trac 0.9.3 is out - fixes XSS vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/18048/
Whiteboard: B4 [glsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-08 09:00 UTC by Milton YATES
Modified: 2006-01-26 05:58 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Milton YATES 2006-01-08 09:00:06 UTC
Trac 0.9.3 is out and fixes a number of bugs and security vulnerabilities. It would be nice to have it in portage quickly.
Thanks.

see: http://projects.edgewall.com/trac/wiki/ChangeLog
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-01-08 09:06:29 UTC
Secunia Advisory: SA18048
Release Date: 2005-12-16

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched

Software: Trac 0.x


Description:
Christophe Truc has reported a vulnerability in Trac, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the URL path isn't properly sanitised before being returned to the user after accessing a missing page. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability has been reported in versions 0.9, 0.9.1, and 0.9.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Christophe Truc
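The pattern the advisory describes, as an added example that is not Trac's code and not part of the advisory: a "page not found" response that echoes the requested URL path, shown in its vulnerable and hardened forms, plus a small regression check a maintainer could run against either. The sample path is constructed; the point of the hardened form is that escaping happens after URL decoding, at the HTML boundary.

```python
import html
from urllib.parse import unquote

# Constructed sample request path containing markup characters,
# percent-encoded the way a browser would send it.
SAMPLE_PATH = "/wiki/missing%3Cb%3Epage%3C%2Fb%3E"


def render_not_found_unsafe(path: str) -> str:
    """Vulnerable pattern: the decoded path is interpolated into HTML as-is."""
    shown = unquote(path)
    return f"<h1>Not Found</h1><p>No handler matched {shown}</p>"


def render_not_found_safe(path: str) -> str:
    """Hardened pattern: decode first, then escape at the HTML boundary.

    Escaping before decoding would leave the percent-encoded characters
    intact and let the decoded markup through.
    """
    shown = html.escape(unquote(path), quote=True)
    return f"<h1>Not Found</h1><p>No handler matched {shown}</p>"


def reflects_raw_markup(path: str, body: str) -> bool:
    """Regression check: does the response echo the decoded path with its
    markup characters intact?  True means untrusted input is reflected
    unescaped; False means either it was escaped or there was nothing to
    escape (a plain path gives no signal either way)."""
    decoded = unquote(path)
    if not any(c in decoded for c in "<>\"'&"):
        return False
    return decoded in body


if __name__ == "__main__":
    for name, render in (("unsafe", render_not_found_unsafe),
                         ("safe", render_not_found_safe)):
        body = render(SAMPLE_PATH)
        print(f"{name}: reflects raw markup = {reflects_raw_markup(SAMPLE_PATH, body)}")
```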
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-08 09:12:04 UTC
web-apps, pls do your magic. thanks
Comment 3 Julien Allanos (RETIRED) gentoo-dev 2006-01-08 10:37:24 UTC
In CVS, thanks.
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-08 10:41:46 UTC
arches, please test and stable, thx
Comment 5 Julien Allanos (RETIRED) gentoo-dev 2006-01-08 11:45:32 UTC
No need to stable, these bugs only affect 0.9.x ebuilds which were never marked stable. See previous security issue with 0.9.x: http://bugs.gentoo.org/show_bug.cgi?id=114205
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-08 11:52:55 UTC
Oh, ok then, thanks a lot for the headsup, closing without GLSA.
Comment 7 Julien Allanos (RETIRED) gentoo-dev 2006-01-08 15:21:59 UTC
Reopening, as it appears that Trac-0.8.x versions are affected by one vulnerability, but upstream hasn't planned to backport the fix (http://projects.edgewall.com/trac/changeset/2724) to 0.8.x (too much work).

That's why we have to mark 0.9.3 stable for x86 and ppc (only arches where trac-0.8.x is marked stable), as well as its currently unstable dependencies:

* dev-python/pysqlite-2.0.4 and/or 2.0.5
* app-text/pytextile-2.0.10

It would also be nice if dev-libs/clearsilver-0.10.1 was marked stable in the same breath, though this isn't mandatory.
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2006-01-10 12:29:10 UTC
x86 done
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2006-01-11 06:29:36 UTC
ppc stable
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-11 06:32:06 UTC
Ready for glsa vote. Tend to say no.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-01-12 08:29:37 UTC
I vote yes, as for all XSS things on a typically Internet-facing, open-to-anyone-for-posting thing.
Comment 12 Kurt Lieber (RETIRED) gentoo-dev 2006-01-18 06:22:32 UTC
I vote yes as well 
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2006-01-18 07:05:36 UTC
Then we go
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-26 05:58:18 UTC
GLSA 200601-12

Thanks everybody.