Bug 518304 (CVE-2014-5027) - <dev-util/reviewboard-1.7.28: Multiple Vulnerabilities (CVE-2014-{3994,5027,5028})
Status: RESOLVED FIXED
Alias: CVE-2014-5027
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.reviewboard.org/docs/rele...
Whiteboard: ~3 [noglsa]
Reported: 2014-07-27 03:14 UTC by Yury German
Modified: 2014-10-05 18:50 UTC (History)
Description Yury German Gentoo Infrastructure gentoo-dev 2014-07-27 03:14:57 UTC
This includes versions: 1.7.22 to 1.7.27

Please upgrade to Version 1.7.27

Includes the following vulnerabilities:

Review Board - 1.7.22
An XSS vulnerability was found in the Search field’s auto-complete.

If a user had a first or last name with HTML in it, the HTML would be interpreted by the browser. This allowed crafting short scripts (up to 13 characters in length per field, due to the field length limits).

This release fixes the vulnerability.

The vulnerability was made public on multiple channels, and we decided to fast-track a release in order to allow administrators to quickly patch their systems.

---

Review Board - 1.7.25

This release requires Django 1.4.11, which was announced today (April 22nd) and fixes a number of security-related issues. We strongly recommend that everyone, particularly those with public installations, upgrade to this release.

---

Review Board - 1.7.26
This release requires Django 1.4.13, which fixes a small handful of security issues. See Django’s announcement for more information.


Fixed an XSS issue in the diff viewer and file attachments with user real names.
A user could set their real name to text including </script> to take advantage of an XSS bug on the diff viewer and file attachment pages. This is related to the fixes in Djblets 0.7.30 and 0.8.3.

This is CVE-2014-3994 (discovered by “Uchida”).

---

Review Board - 1.7.27
Fixed a vulnerability where a URL to a diff fragment could be crafted that would inject custom HTML into the page. An attacker could send such a URL to another user and execute code in their browser session.

This was reported by Uchida. A CVE number is pending.


The Original File and Patched File resources could be used to access files on a private review request that the user did not have access to, if they knew the appropriate database IDs.

A CVE number is pending.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-07-27 03:43:52 UTC
CVE-2014-5027 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5027):
  Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27
  and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web
  script or HTML via a query parameter to a diff fragment page.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-07-30 04:21:29 UTC
CVE-2014-3994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3994):
  Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py
  in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in
  Review Board, allows remote attackers to inject arbitrary web script or HTML
  via a JSON object, as demonstrated by the name field when changing a user
  name.
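As an added illustration of the CVE-2014-3994 pattern described in the 1.7.26 release note above and in Comment 2 (example code written for this page, not code from Review Board or Djblets): a JSON object embedded in an inline `<script>` without HTML-aware escaping, beside a hardened serializer and a check a reviewer can run over rendered output. The function names, the script template and the sample user record are constructed.

```python
import json
import re

# Constructed sample record: a profile whose real name carries the "</script>"
# sequence mentioned in the Review Board 1.7.26 notes (not real project data).
SAMPLE_USER = {"username": "alice", "fullname": "Alice </script>"}

SCRIPT_TEMPLATE = "<script>var userInfo = %s;</script>"

# Characters the HTML tokenizer acts on inside a <script> element, mapped to
# JSON \uXXXX escapes: the text stays a valid JSON literal (JavaScript decodes
# the escapes) but can no longer close the element. Django's json_script
# filter uses the same mapping.
_HTML_SAFE_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}
_SCRIPT_CLOSE = re.compile(r"</script", re.IGNORECASE)


def naive_script_json(data):
    """Vulnerable pattern: json.dumps() output dropped straight into an inline
    <script>. json.dumps() leaves '<', '>' and '/' untouched, so a value
    containing '</script>' ends the element early and the rest is parsed as HTML."""
    return SCRIPT_TEMPLATE % json.dumps(data)


def html_safe_json(data):
    """Hardened serializer: json.dumps() plus escaping of HTML-significant
    characters. The result is still valid JSON."""
    text = json.dumps(data)
    for char, escape in _HTML_SAFE_ESCAPES.items():
        text = text.replace(char, escape)
    return text


def safe_script_json(data):
    """Same template as the naive version, fed the hardened literal."""
    return SCRIPT_TEMPLATE % html_safe_json(data)


def script_close_count(rendered_html):
    """Reviewer check over rendered output: exactly one '</script' (the real
    closing tag) is expected; any extra means user data left the script context."""
    return len(_SCRIPT_CLOSE.findall(rendered_html))


def round_trips(data):
    """The escaped literal decodes back to the original object."""
    return json.loads(html_safe_json(data)) == data


if __name__ == "__main__":
    print("naive:", script_close_count(naive_script_json(SAMPLE_USER)))  # 2
    print("safe :", script_close_count(safe_script_json(SAMPLE_USER)))   # 1
```

The same escaping is needed wherever server-side data is serialised into an inline script, including the real-name field this bug covers; context-specific escaping for attribute or URL positions is a separate concern.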
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-09-10 03:22:57 UTC
Please upgrade in bug 522472 to Version 1.7.27 or above.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 18:45:56 UTC
Maintainer(s), thank you for your work.

No GLSA needed as there are no stable versions.