Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 303745 (CVE-2009-4422) - <dev-php/jpgraph-3.0.7-r1: multiple XSS vulnerabilities (CVE-2009-4422)
Summary: <dev-php/jpgraph-3.0.7-r1: multiple XSS vulnerabilities (CVE-2009-4422)
Status: RESOLVED FIXED
Alias: CVE-2009-4422
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-02-06 15:19 UTC by Stefan Behte (RETIRED)
Modified: 2012-08-21 14:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:19:56 UTC
CVE-2009-4422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4422):
  Multiple cross-site scripting (XSS) vulnerabilities in the
  GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph
  3.0.6 allow remote attackers to inject arbitrary web script or HTML
  via a key to csim_in_html_ex1.php, and other unspecified vectors.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-05-09 11:00:22 UTC
Rerating.

php: ping. Patch is available at http://seclists.org/bugtraq/2009/Dec/285
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2010-05-09 13:40:03 UTC
Find ebuilds for 3.0.7 and 2.3 in the php overlay
Comment 3 Matti Bickel (RETIRED) gentoo-dev 2010-12-19 15:13:45 UTC
jpgraph-3.0.7 has been in the tree since April. Leaving stable decision to security.
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-12-19 15:44:50 UTC
The issue is not fixed in version 3.0.7.

A patch is available at http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0428.html, I would prefer using htmlspecialchars() instead of urlencode() though.
Comment 5 Matti Bickel (RETIRED) gentoo-dev 2012-06-11 15:15:28 UTC
Wow, this is ancient. And upstream hasn't released a new stable version.. So I've taken the liberty to provide my own patch, using htmlentities() instead of urlencode as suggested.

Clear to go stable with jpgraph-3.0.7-r1?
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-06-16 23:13:03 UTC
(In reply to comment #5)
> 
> Clear to go stable with jpgraph-3.0.7-r1?

We're good if you are. ;)

Arches, please test and mark stable:
=dev-php/jpgraph-3.0.7-r1
Target keywords : "alpha amd64 hppa ppc sparc x86"
Comment 7 Agostino Sarubbo gentoo-dev 2012-06-17 15:00:48 UTC
amd64 stable
Comment 8 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-06-17 17:47:12 UTC
x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2012-06-18 23:22:23 UTC
Stable for HPPA.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-07-15 16:58:37 UTC
alpha/sparc stable
Comment 11 Michael Weber (RETIRED) gentoo-dev 2012-08-21 07:40:14 UTC
ppc stable, last arch, not closing due security marking.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2012-08-21 14:39:07 UTC
Thanks everyone.

Closing noglsa for XSS.