Bug 426688 (CVE-2012-3382) - <dev-lang/mono-2.10.9-r1: XSS in ProcessRequest function (CVE-2012-3382)
Summary: <dev-lang/mono-2.10.9-r1: XSS in ProcessRequest function (CVE-2012-3382)
Status: RESOLVED FIXED
Alias: CVE-2012-3382
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-15 10:31 UTC by the_eccentric
Modified: 2012-08-24 14:05 UTC

See Also:
Package list:
Runtime testing required: ---


Description the_eccentric 2012-07-15 10:31:19 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-3382 to the following vulnerability:

Cross-site scripting (XSS) vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properly handled in an error message.

References:
[1] http://www.openwall.com/lists/oss-security/2012/07/06/11
[2] https://bugzilla.novell.com/show_bug.cgi?id=769799

Upstream patch:
[3] https://github.com/mono/mono/commit/d16d4623edb210635bec3ca3786481b82cde25a2
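The defect class described above is an error page that reflects the requested file name into HTML without encoding it. The following is an added illustration written for this bug entry; it is not code from Mono, from the upstream commit, or from the Gentoo patch. It models a forbidden-extension handler in Python (the System.Web counterpart of `html.escape` is `HttpUtility.HtmlEncode`), renders the 403 body once without encoding and once with it, and uses a small parser-based check to show which tags in the response came from the request path rather than from the template. The forbidden-extension set and the crafted path are constructed sample values.

```python
import html
from html.parser import HTMLParser

# Constructed subset of extensions a web server refuses to serve; not the
# real ASP.NET/Mono list, only enough for the demonstration.
FORBIDDEN_EXTENSIONS = {".config", ".cs", ".asax"}

# Constructed request path: a forbidden extension plus markup in the name.
CRAFTED_PATH = "/app/<script>alert(1)</script>.config"
BENIGN_PATH = "/app/web.config"


def render_forbidden_page(path: str, escape: bool = True) -> str:
    """Build the 403 error body. With escape=False the path is interpolated
    raw, which is the pattern behind CVE-2012-3382; with escape=True it is
    HTML-encoded first, so any markup in the name is shown as text."""
    shown = html.escape(path, quote=True) if escape else path
    return (
        "<html><head><title>403 Forbidden</title></head><body>"
        "<h1>Forbidden</h1>"
        f"<p>This type of page is not served. Requested: {shown}</p>"
        "</body></html>"
    )


def handle_request(path: str, escape: bool = True):
    """Minimal stand-in for a ProcessRequest-style handler (hypothetical).
    Returns (status, body); non-forbidden paths get a plain 200 body."""
    ext = "." + path.rsplit(".", 1)[-1] if "." in path else ""
    if ext.lower() in FORBIDDEN_EXTENSIONS:
        return 403, render_forbidden_page(path, escape=escape)
    return 200, "<html><body>served</body></html>"


class _TagCollector(HTMLParser):
    """Collect start tags in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(body: str):
    parser = _TagCollector()
    parser.feed(body)
    return parser.tags


def injected_tags(body: str):
    """Tags present in the body that the template itself does not emit.
    The template is measured by rendering a benign path, so anything extra
    must have been introduced by the request path."""
    baseline = tags_in(render_forbidden_page(BENIGN_PATH))
    return [t for t in tags_in(body) if t not in baseline]


if __name__ == "__main__":
    for escape in (False, True):
        status, body = handle_request(CRAFTED_PATH, escape=escape)
        print(f"escape={escape}: status={status}, injected tags={injected_tags(body)}")
```

Running the block prints an injected `script` tag for the unencoded rendering and an empty list for the encoded one, while the encoded body still shows the offending file name to the user as literal text. The check in `injected_tags` is also a cheap regression test to keep next to any error page that echoes request data.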
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-07-19 00:06:29 UTC
CVE-2012-3382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3382):
  Cross-site scripting (XSS) vulnerability in the ProcessRequest function in
  mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and
  earlier allows remote attackers to inject arbitrary web script or HTML via a
  file with a crafted name and a forbidden extension, which is not properly
  handled in an error message.
Comment 2 Pacho Ramos gentoo-dev 2012-07-19 19:38:18 UTC
Is 2.10.9 affected too?
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-19 20:34:38 UTC
(In reply to comment #2)
> Is 2.10.9 affected too?

Yes.
Comment 4 Pacho Ramos gentoo-dev 2012-07-21 11:02:36 UTC
+*mono-2.10.9-r1 (21 Jul 2012)
+
+  21 Jul 2012; Pacho Ramos <pacho@gentoo.org>
+  +files/mono-2.10.9-CVE-2012-3382.patch, +mono-2.10.9-r1.ebuild,
+  -mono-2.10.9.ebuild:
+  Fix CVE-2012-3382 (#426688), drop old.
+
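Review bot: the ChangeLog entry names the backported patch (files/mono-2.10.9-CVE-2012-3382.patch) but does not record where it came from; adding the upstream commit reference from the bug description (https://github.com/mono/mono/commit/d16d4623edb210635bec3ca3786481b82cde25a2) to the entry would let anyone auditing the ebuild trace the fix back to its source without opening the bug.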

Feel free to stabilize it
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-21 11:14:00 UTC
(In reply to comment #4)
> +*mono-2.10.9-r1 (21 Jul 2012)
> +
> +  21 Jul 2012; Pacho Ramos <pacho@gentoo.org>
> +  +files/mono-2.10.9-CVE-2012-3382.patch, +mono-2.10.9-r1.ebuild,
> +  -mono-2.10.9.ebuild:
> +  Fix CVE-2012-3382 (#426688), drop old.
> +
> 
> Feel free to stabilize it

Thanks, Pacho.

Arches, please test and mark stable:
=dev-lang/mono-2.10.9-r1
Target Keywords: "amd64 ppc x86"
Comment 6 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-22 11:56:12 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2012-07-28 16:56:46 UTC
amd64 stable
Comment 8 Michael Weber (RETIRED) gentoo-dev 2012-08-24 12:08:04 UTC
ppc stable.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-08-24 14:05:08 UTC
Thanks, folks. Closing noglsa for XSS.