Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 426688 (CVE-2012-3382) - <dev-lang/mono-2.10.9-r1: XSS in ProcessRequest function (CVE-2012-3382)
Summary: <dev-lang/mono-2.10.9-r1: XSS in ProcessRequest function (CVE-2012-3382)
Status: RESOLVED FIXED
Alias: CVE-2012-3382
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-15 10:31 UTC by the_eccentric
Modified: 2012-08-24 14:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description the_eccentric 2012-07-15 10:31:19 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-3382 to the following vulnerability:

Cross-site scripting (XSS) vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properly handled in an error message.

References:
[1] http://www.openwall.com/lists/oss-security/2012/07/06/11
[2] https://bugzilla.novell.com/show_bug.cgi?id=769799

Upstream patch:
[3] https://github.com/mono/mono/commit/d16d4623edb210635bec3ca3786481b82cde25a2
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-07-19 00:06:29 UTC
CVE-2012-3382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3382):
  Cross-site scripting (XSS) vulnerability in the ProcessRequest function in
  mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and
  earlier allows remote attackers to inject arbitrary web script or HTML via a
  file with a crafted name and a forbidden extension, which is not properly
  handled in an error message.
Comment 2 Pacho Ramos gentoo-dev 2012-07-19 19:38:18 UTC
Is 2.10.9 affected too?
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-19 20:34:38 UTC
(In reply to comment #2)
> Is 2.10.9 affected too?

Yes.
Comment 4 Pacho Ramos gentoo-dev 2012-07-21 11:02:36 UTC
+*mono-2.10.9-r1 (21 Jul 2012)
+
+  21 Jul 2012; Pacho Ramos <pacho@gentoo.org>
+  +files/mono-2.10.9-CVE-2012-3382.patch, +mono-2.10.9-r1.ebuild,
+  -mono-2.10.9.ebuild:
+  Fix CVE-2012-3382 (#426688), drop old.
+

Feel free to stabilize it
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-21 11:14:00 UTC
(In reply to comment #4)
> +*mono-2.10.9-r1 (21 Jul 2012)
> +
> +  21 Jul 2012; Pacho Ramos <pacho@gentoo.org>
> +  +files/mono-2.10.9-CVE-2012-3382.patch, +mono-2.10.9-r1.ebuild,
> +  -mono-2.10.9.ebuild:
> +  Fix CVE-2012-3382 (#426688), drop old.
> +
> 
> Feel free to stabilize it

Thanks, Pacho.

Arches, please test and mark stable:
=dev-lang/mono-2.10.9-r1
Target Keywords: "amd64 ppc x86"
Comment 6 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-22 11:56:12 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2012-07-28 16:56:46 UTC
amd64 stable
Comment 8 Michael Weber (RETIRED) gentoo-dev 2012-08-24 12:08:04 UTC
ppc stable.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-08-24 14:05:08 UTC
Thanks, folks. Closing noglsa for XSS.