Bug 582234 (CVE-2016-1236) - <www-apps/websvn-2.3.3-r1: XSS vulnerability (CVE-2016-1236)
Summary: <www-apps/websvn-2.3.3-r1: XSS vulnerability (CVE-2016-1236)
Alias: CVE-2016-1236
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on: CVE-2013-6892
Reported: 2016-05-06 08:43 UTC by Agostino Sarubbo
Modified: 2017-01-16 04:39 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2016-05-06 08:43:36 UTC
From ${URL} :

A vulnerability was found in websvn. Having a directory or file in a repository with its filename
containing an XSS payload will cause it to be executed in various parts of the application.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2016-08-11 18:34:59 UTC
Upstream is dead; patches come from Debian.

commit:     196fa9022f136bcbd82ab6f52a8d4c617b0603d6
Author:     Brian Evans <grknight <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 11 18:21:29 2016 +0000
Commit:     Brian Evans <grknight <AT> gentoo <DOT> org>
CommitDate: Thu Aug 11 18:26:27 2016 +0000

www-apps/websvn: Non-maintainer security revision bump and EAPI cleanup

Remove the deprecated depend.php wrt bug 552838
Include Debian security patches wrt bug 552684, bug 575486, and bug 582234

Package-Manager: portage-2.3.0

 .../websvn/files/13_security_CVE-2013-6892.patch   | 39 ++++++++++++++
 www-apps/websvn/files/30_CVE-2016-2511.patch       | 11 ++++
 www-apps/websvn/files/31_CVE-2016-1236.patch       | 61 ++++++++++++++++++++++
 www-apps/websvn/websvn-2.3.3-r1.ebuild             | 54 +++++++++++++++++++
 4 files changed, 165 insertions(+)
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-10-22 13:36:14 UTC
CVE-2016-1236 (
  Multiple cross-site scripting (XSS) vulnerabilities in (1) revision.php, (2)
  log.php, (3) listing.php, and (4) comp.php in WebSVN allow context-dependent
  attackers to inject arbitrary web script or HTML via the name of a (a) file
  or (b) directory in a repository.
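To make the vulnerability class in the CVE text concrete, the following is an added example written for this page; it is not WebSVN's own code and does not reproduce the Debian patch. The function names, the `listing.php?path=` URL shape and the entry list are all assumptions: the entries are constructed test data, with two names carrying payloads of the kind the CVE describes. It shows a directory listing rendered with the repository entry name dropped straight into HTML, beside a version that encodes the name separately for the attribute, text and query-string contexts, plus a small check that the escaped output no longer contains a dangerous name verbatim.

```php
<?php
// Added example, not WebSVN code. Illustrates the bug class behind
// CVE-2016-1236: repository entry names are attacker-controlled (anyone with
// commit access can name a file) and must be encoded for each output context.

// Constructed sample entries, shaped like what a listing page might receive
// from the repository. Two names carry script-executing payloads.
const SAMPLE_ENTRIES = [
    ['name' => 'README.txt',                                 'is_dir' => false],
    ['name' => '<img src=x onerror=alert(document.domain)>', 'is_dir' => false],
    ['name' => "trunk\" onmouseover=\"alert(1)",             'is_dir' => true],
];

// Vulnerable rendering: the raw name lands in both an href attribute and the
// link text, so either a tag in the name or a quote that breaks out of the
// attribute runs script in the viewer's browser.
function render_listing_vulnerable(array $entries, string $base): string
{
    $html = "<ul>\n";
    foreach ($entries as $e) {
        $suffix = $e['is_dir'] ? '/' : '';
        $html .= '<li><a href="' . $base . '?path=' . $e['name'] . $suffix . '">'
               . $e['name'] . $suffix . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened rendering: URL-encode the query-string value, then HTML-escape
// everything placed in the attribute and the text node. Each context gets its
// own encoder; one htmlspecialchars() over the final string is not enough on
// its own because the URL context also needs '?' and '/' handled.
function render_listing_safe(array $entries, string $base): string
{
    $html = "<ul>\n";
    foreach ($entries as $e) {
        $suffix = $e['is_dir'] ? '/' : '';
        $href   = $base . '?path=' . rawurlencode($e['name'] . $suffix);
        $html  .= '<li><a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
                . htmlspecialchars($e['name'] . $suffix, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Check: any entry name containing '<', '>' or '"' must not survive verbatim
// in the rendered HTML. Returns true when every such name was neutralised.
function listing_is_escaped(string $html, array $entries): bool
{
    foreach ($entries as $e) {
        if (preg_match('/[<>"]/', $e['name']) && strpos($html, $e['name']) !== false) {
            return false;  // a dangerous name made it into the page unchanged
        }
    }
    return true;
}

echo "--- vulnerable ---\n", render_listing_vulnerable(SAMPLE_ENTRIES, 'listing.php');
echo "--- safe ---\n",       render_listing_safe(SAMPLE_ENTRIES, 'listing.php');
var_dump(listing_is_escaped(render_listing_vulnerable(SAMPLE_ENTRIES, 'listing.php'), SAMPLE_ENTRIES));
var_dump(listing_is_escaped(render_listing_safe(SAMPLE_ENTRIES, 'listing.php'), SAMPLE_ENTRIES));
```

Run it with `php example.php`. The vulnerable listing emits the `<img>` tag intact and, for the third entry, an `<a>` whose `href` is closed early by the quote in the name, leaving `onmouseover="alert(1)"` as a live attribute; the safe listing shows the same names as inert text. The same pattern applies to every place the CVE lists (revision, log, listing and comparison views): wherever a path from the repository is written into HTML, escape it at the point of output, not once at input, since the same name is reused across attribute, text and URL contexts.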
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-16 04:39:30 UTC
GLSA Vote: No

tree is clean: