303745 – (CVE-2009-4422) <dev-php/jpgraph-3.0.7-r1: multiple XSS vulnerabilities (CVE-2009-4422)

Bug 303745 (CVE-2009-4422) - <dev-php/jpgraph-3.0.7-r1: multiple XSS vulnerabilities (CVE-2009-4422)

Summary: <dev-php/jpgraph-3.0.7-r1: multiple XSS vulnerabilities (CVE-2009-4422)

Status:	RESOLVED FIXED

Alias:	CVE-2009-4422

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2010-02-06 15:19 UTC by Stefan Behte (RETIRED)
Modified:	2012-08-21 14:39 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Behte (RETIRED) gentoo-dev

2010-02-06 15:19:56 UTC

CVE-2009-4422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4422):
  Multiple cross-site scripting (XSS) vulnerabilities in the
  GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph
  3.0.6 allow remote attackers to inject arbitrary web script or HTML
  via a key to csim_in_html_ex1.php, and other unspecified vectors.

Comment 1 Alex Legler (RETIRED) archtester

2010-05-09 11:00:22 UTC

Rerating.

php: ping. Patch is available at http://seclists.org/bugtraq/2009/Dec/285

Comment 2 Ole Markus With (RETIRED) gentoo-dev

2010-05-09 13:40:03 UTC

Find ebuilds for 3.0.7 and 2.3 in the php overlay

Comment 3 Matti Bickel (RETIRED) gentoo-dev

2010-12-19 15:13:45 UTC

jpgraph-3.0.7 has been in the tree since April. Leaving stable decision to security.

Comment 4 Alex Legler (RETIRED) archtester

2010-12-19 15:44:50 UTC

The issue is not fixed in version 3.0.7.

A patch is available at http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0428.html, I would prefer using htmlspecialchars() instead of urlencode() though.

Comment 5 Matti Bickel (RETIRED) gentoo-dev

2012-06-11 15:15:28 UTC

Wow, this is ancient. And upstream hasn't released a new stable version.. So I've taken the liberty to provide my own patch, using htmlentities() instead of urlencode as suggested.

Clear to go stable with jpgraph-3.0.7-r1?

Comment 6 Tim Sammut (RETIRED) gentoo-dev

2012-06-16 23:13:03 UTC

(In reply to comment #5)
> 
> Clear to go stable with jpgraph-3.0.7-r1?

We're good if you are. ;)

Arches, please test and mark stable:
=dev-php/jpgraph-3.0.7-r1
Target keywords : "alpha amd64 hppa ppc sparc x86"

Comment 7 Agostino Sarubbo gentoo-dev

2012-06-17 15:00:48 UTC

amd64 stable

Comment 8 Jeff (JD) Horelick (RETIRED) gentoo-dev

2012-06-17 17:47:12 UTC

x86 stable

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev

2012-06-18 23:22:23 UTC

Stable for HPPA.

Comment 10 Raúl Porcel (RETIRED) gentoo-dev

2012-07-15 16:58:37 UTC

alpha/sparc stable

Comment 11 Michael Weber (RETIRED) gentoo-dev

2012-08-21 07:40:14 UTC

ppc stable, last arch, not closing due security marking.

Comment 12 Tim Sammut (RETIRED) gentoo-dev

2012-08-21 14:39:07 UTC

Thanks everyone.

Closing noglsa for XSS.