Bug 118302 - www-apps/trac 0.9.3 is out - fixes XSS vulnerability
Summary: www-apps/trac 0.9.3 is out - fixes XSS vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa] DerCorny
Reported: 2006-01-08 09:00 UTC by Milton YATES
Modified: 2006-01-26 05:58 UTC

Description Milton YATES 2006-01-08 09:00:06 UTC
Trac 0.9.3 is out and fixes a number of bugs and security vulnerabilities. It would be nice to have it in portage quickly.

Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-01-08 09:06:29 UTC
Secunia Advisory:	SA18048
Release Date:	2005-12-16

Less critical
Impact:	Cross Site Scripting
Where:	From remote
Solution Status:	Unpatched

Software:	Trac 0.x

Christophe Truc has reported a vulnerability in Trac, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the URL path isn't properly sanitised before being returned to the user after accessing a missing page. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability has been reported in versions 0.9, 0.9.1, and 0.9.2. Other versions may also be affected.

Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Christophe Truc
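The advisory above describes the classic reflected-XSS pattern: a "page not found" response that echoes the requested URL path into HTML without escaping it. The following is an added illustration, not Trac's code and not taken from the advisory: a minimal WSGI 404 handler in both the vulnerable form and the escaped form, driven by a constructed request so it runs offline. The payload path, the page wording and the helper names are all assumptions made for the example.

```python
import html
from urllib.parse import unquote
from wsgiref.util import setup_testing_defaults

# Constructed attacker URL path (hypothetical, not from the advisory). A browser
# sends it percent-encoded; the web server hands the application the decoded form.
PAYLOAD = "/wiki/%3Cscript%3Ealert(1)%3C/script%3E"


def make_app(escape_output: bool):
    """Build a tiny WSGI app whose only behaviour is a 404 page that echoes the path.

    escape_output=False reproduces the vulnerable pattern (raw path in HTML);
    escape_output=True is the fix: HTML-escape the path before emitting it.
    """
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")          # already percent-decoded by the server
        shown = html.escape(path, quote=True) if escape_output else path
        body = ("<html><body><h1>404 Not Found</h1>"
                "<p>No handler matched %s</p></body></html>" % shown)
        start_response("404 Not Found",
                       [("Content-Type", "text/html; charset=utf-8")])
        return [body.encode("utf-8")]
    return app


def fetch(app, raw_url_path: str):
    """Drive the app with a constructed environ, the way a WSGI server would.

    Returns (status line, response body as text).
    """
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = unquote(raw_url_path)  # servers deliver PATH_INFO decoded
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    chunks = app(environ, start_response)
    return captured["status"], b"".join(chunks).decode("utf-8")


def reflects_live_script(body: str) -> bool:
    """Crude detector: does the HTML contain an unescaped <script> tag?"""
    return "<script>" in body.lower()


if __name__ == "__main__":
    for label, escaped in (("vulnerable", False), ("escaped", True)):
        status, body = fetch(make_app(escaped), PAYLOAD)
        print("%-10s %s  script reflected: %s" % (label, status, reflects_live_script(body)))
        print("   ", body)
```

The decode step in `fetch` is the detail worth noticing: the browser sends `%3Cscript%3E`, but by the time the application formats its error page the server has already turned that back into `<script>`, so matching on the encoded form is not a defence. Escaping at the point of output (`html.escape`) is; `quote=True` also neutralises `"` and `'` in case the path is ever placed inside an attribute.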
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-08 09:12:04 UTC
web-apps, pls do your magic. thanks
Comment 3 Julien Allanos (RETIRED) gentoo-dev 2006-01-08 10:37:24 UTC
In CVS, thanks.
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-08 10:41:46 UTC
arches, please test and stable, thx
Comment 5 Julien Allanos (RETIRED) gentoo-dev 2006-01-08 11:45:32 UTC
No need to stable, these bugs only affect 0.9.x ebuilds which were never marked stable. See previous security issue with 0.9.x :
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-08 11:52:55 UTC
Oh, ok then, thanks a lot for the headsup, closing without GLSA.
Comment 7 Julien Allanos (RETIRED) gentoo-dev 2006-01-08 15:21:59 UTC
Reopening, as it appears that Trac-0.8.x versions are affected by one vulnerability, but upstream hasn't planned to backport the fix to 0.8.x (too much work).

That's why we have to mark 0.9.3 stable for x86 and ppc (only arches where trac-0.8.x is marked stable), as well as its currently unstable dependencies:

* dev-python/pysqlite-2.0.4 and/or 2.0.5
* app-text/pytextile-2.0.10

It would also be nice if dev-libs/clearsilver-0.10.1 was marked stable in the same breath, though this isn't mandatory.
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2006-01-10 12:29:10 UTC
x86 done
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2006-01-11 06:29:36 UTC
ppc stable
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-11 06:32:06 UTC
Ready for glsa vote. Tend to say no.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-01-12 08:29:37 UTC
I vote yes, as for all XSS things on a typically Internet-facing, open-to-anyone-for-posting thing.
Comment 12 Kurt Lieber (RETIRED) gentoo-dev 2006-01-18 06:22:32 UTC
I vote yes as well 
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2006-01-18 07:05:36 UTC
Then we go
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-26 05:58:18 UTC
GLSA 200601-12

Thanks everybody.