Bug 477458 (CVE-2013-4158) - <net-analyzer/smokeping-2.6.9 : XSS flaw (incomplete fix for CVE-2012-0790) (CVE-2013-4158)
Summary: <net-analyzer/smokeping-2.6.9 : XSS flaw (incomplete fix for CVE-2012-0790) (...
Status: RESOLVED FIXED
Alias: CVE-2013-4158
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-20 08:03 UTC by Agostino Sarubbo
Modified: 2014-01-29 11:13 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-07-20 08:03:00 UTC
From ${URL} :

Seth Arnold (seth.arnold@canonical.com) reports:

Hello Kurt, Steve, all,

I am requesting a 2012 CVE for an incomplete security fix in smokeping,
fixed in version 2.6.9.

CVE-2012-0790 was assigned to smokeping for XSS flaws.

The fix for CVE-2012-0790 in smokeping 2.6.7 was incomplete. The
filtering used this blacklist:

    $mode =~ s/[<>&%]/./g;

The version in 2.6.9 uses the following blacklist:

    my $xssBadRx = qr/[<>%&'";]/;

(', ", and ; have been added. When it is used, blacklist chars are now
turned to _ rather than . ) The 2.6.9 version prevents escaping <html
attribute="..."> via " characters.

The incomplete fix is in 2.6.7 and 2.6.8.

This flaw was discovered by Florian Weimer [1] in 2012 and brought to
our attention [2] in 2013.

The upstream CHANGES [3] file includes, in part:

--------------------------------------------------

2013/03/04 - released version 2.6.9

*  be more careful about preventing xss attacks, re http://bugs.debian.org/659899 (tobi)

--------------------------------------------------

I have not found an up-to-date online browsable source.

Thanks

1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899#37
2: https://bugs.launchpad.net/ubuntu/+source/smokeping/+bug/1203061
3: http://oss.oetiker.ch/smokeping/pub/CHANGES


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-20 11:54:01 UTC
2.6.9 is already the only version in tree and is a stable package. GLSA?
Comment 2 Agostino Sarubbo gentoo-dev 2013-07-20 14:32:40 UTC
(In reply to Chris Reffett from comment #1)
> 2.6.9 is already the only version in tree and is a stable package. GLSA?

Usually the security team do not send glsa for the XSS.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-20 14:41:17 UTC
(In reply to Agostino Sarubbo from comment #2)
> (In reply to Chris Reffett from comment #1)
> > 2.6.9 is already the only version in tree and is a stable package. GLSA?
> 
> Usually the security team do not send glsa for the XSS.

And by "[u]sually" you intend to except some 57 cases? I guess there is more to it than that...
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-20 23:30:52 UTC
Yeah, uh, I'll leave it for a vote and the security team can yell at me if this was supposed to stay closed :)
Comment 5 Sergey Popov gentoo-dev 2013-08-22 12:52:44 UTC
GLSA vote: no
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-29 11:13:04 UTC
GLSA vote: no.

Closing as [noglsa]