Bug 582528 (CVE-2016-4561) - <www-apps/ikiwiki-3.20160905: XSS in raised exception via crafted filename (CVE-2016-4561)
Alias: CVE-2016-4561
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa cve]
Depends on:
Reported: 2016-05-09 09:44 UTC by Agostino Sarubbo
Modified: 2016-11-12 00:27 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2016-05-09 09:44:25 UTC
From ${URL} :

An XSS vulnerability was found in ikiwiki. The instance in cgierror() is a potential cross-site scripting attack, because an attacker could conceivably cause some module to raise an exception that includes attacker-supplied HTML in its message, for example via a crafted filename.

Upstream fix:;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
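To make the reported weakness concrete, here is an added illustration; it is not ikiwiki's code and not the upstream patch. A minimal Perl CGI-style error handler interpolates an exception message straight into HTML, beside a hardened version that passes the message through HTML::Entities before it reaches the page. The filename, the error text and the function names (load_page, cgierror_unsafe, cgierror_safe) are constructed for the example; the only assumed dependency is the HTML::Entities module from CPAN.

```perl
#!/usr/bin/perl
# Added illustration (not ikiwiki's code): an exception message that
# embeds an attacker-supplied filename is rendered into an HTML error
# page, first unescaped (the reported weakness) and then escaped.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed filename carrying markup; in a wiki this could arrive via
# an upload name or a page name supplied by a remote user.
my $filename = q{<script>alert(1)</script>.mdwn};

# Some module raises an exception whose message includes the filename.
# Constructed stand-in for a file-handling routine.
sub load_page {
    my ($file) = @_;
    die "cannot read file $file: No such file or directory\n";
}

# Vulnerable pattern: the raw exception text is dropped into the page,
# so any markup inside the message is parsed by the browser.
sub cgierror_unsafe {
    my ($error) = @_;
    return "<html><body><p class=\"error\">Error: $error</p></body></html>";
}

# Hardened pattern: escape <, >, & and " before the message is placed
# in HTML, so the browser shows the filename as text, not as markup.
sub cgierror_safe {
    my ($error) = @_;
    my $escaped = encode_entities($error, '<>&"');
    return "<html><body><p class=\"error\">Error: $escaped</p></body></html>";
}

# Trigger the exception and render it both ways.
eval { load_page($filename) };
my $err = $@;
print "unsafe: ", cgierror_unsafe($err), "\n";
print "safe:   ", cgierror_safe($err), "\n";
```

Running the script shows the difference directly: the unsafe variant emits the `<script>` element literally inside the error paragraph, while the hardened variant emits `&lt;script&gt;`, which the browser displays as text. The general rule the fix illustrates is that exception messages are untrusted data once they may contain user-controlled fragments, and must be escaped at the point where they are written into HTML.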
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-04 11:09:13 UTC
CVE-2016-4561 (
  Cross-site scripting (XSS) vulnerability in the cgierror function in
  ikiwiki before 3.20160506 might allow remote attackers to inject
  arbitrary web script or HTML via unspecified vectors involving an error
Comment 2 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2016-09-18 10:00:51 UTC
fixed with Version bump to 3.20160905
Comment 3 Agostino Sarubbo gentoo-dev 2016-10-10 08:03:58 UTC
(In reply to Alice Ferrazzi from comment #2)
> fixed with Version bump to 3.20160905
> cf6ce29f81b854d58acbafa1749f1621f09c432c

  www-apps/ikiwiki/ikiwiki-3.20160905.ebuild: x86
  dependency.bad [fatal]        28
   www-apps/ikiwiki/ikiwiki-3.20160905.ebuild: DEPEND: amd64(default/linux/amd64/13.0)
[     'dev-perl/Text-Markdown',
Comment 4 Agostino Sarubbo gentoo-dev 2016-10-19 11:06:00 UTC
amd64 stable.

Maintainer(s), please cleanup.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-11-11 12:21:09 UTC
@maintainer(s), please cleanup.
Comment 6 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2016-11-11 18:01:30 UTC
cleaned affected version
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-11-12 00:27:12 UTC
(In reply to Alice Ferrazzi from comment #6)
> cleaned affected version

Thanks, Alice!