Hi, here is yet another patch (this should be the last update), because the previous one would also have escaped passwords, which should not be the case. Kind regards Nico
-- Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u gnatsweb-4.00/debian/changelog gnatsweb-4.00/debian/changelog
--- gnatsweb-4.00/debian/changelog
+++ gnatsweb-4.00/debian/changelog
@@ -1,3 +1,12 @@
+gnatsweb (4.00-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by testing security team.
+ * Fixed missing escaping of the database parameter which leads
+ to a cross-site scripting vulnerability (XSS) via this
+ parameter (CVE-2007-2808) (Closes: # 427156).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sat, 06 Oct 2007 15:03:47 +0200
+
gnatsweb (4.00-1) unstable; urgency=low
* New upstream release.
only in patch2:
unchanged:
--- gnatsweb-4.00.orig/gnatsweb.pl
+++ gnatsweb-4.00/gnatsweb.pl
@@ -3981,6 +3981,19 @@
if defined($val);
}
+sub set_pref_esc
+{
+ my($pref_name, $pref_hashref, $cval_hashref) = @_;
+ my $val = $q->param($pref_name) || ($pref_name eq "password" ?
+ uncamouflage($$cval_hashref{$pref_name}) :
+ $$cval_hashref{$pref_name}
+ );
+
+ $$pref_hashref{$pref_name} = $q->escapeHTML($val)
+ if defined($val);
+}
+
+
# init_prefs -
# Initialize global_prefs and db_prefs from cookies and params.
#
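Review bot: `set_pref_esc` stores the HTML-escaped value in the preference hash itself, so every later consumer of `$global_prefs{database}`, `$global_prefs{email}` and `$db_prefs{user}` receives entity-encoded text, not only the HTML output; a value containing `&`, `<`, `>` or `"` is changed on every non-HTML path, and any output routine that already calls `escapeHTML` will double-escape it. One such path is visible in the -4041 hunk, where the database name is interpolated into the cookie name `"gnatsweb-db-$database"`; if `$database` is taken from `%global_prefs` there, and presumably where `user` is sent to gnatsd as a login, the escaped form is what gets used, so escaping at the point where the preference is written into HTML is the more robust fix. The password branch `$pref_name eq "password" ? uncamouflage(...)` is copied from `set_pref` but is dead here, because the -4041 hunk deliberately keeps `password` on `set_pref`; a thinner definition that cannot drift would be `set_pref(@_); $$pref_hashref{$pref_name} = $q->escapeHTML($$pref_hashref{$pref_name}) if defined $$pref_hashref{$pref_name};`. If escaping at input time is kept on purpose, the sub needs a comment such as `# NOTE: stored values are HTML-escaped; do not reuse them in gnatsd commands, cookie names or mail headers without unescaping`. The same concern applies to the call sites in the -4008 and -4041 hunks.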
@@ -4008,10 +4021,10 @@
}
%global_prefs = ();
- set_pref('database', \%global_prefs, \%cvals);
- set_pref('email', \%global_prefs, \%cvals);
- set_pref($ORIGINATOR_FIELD, \%global_prefs, \%cvals);
- set_pref($SUBMITTER_ID_FIELD, \%global_prefs, \%cvals);
+ set_pref_esc('database', \%global_prefs, \%cvals);
+ set_pref_esc('email', \%global_prefs, \%cvals);
+ set_pref_esc($ORIGINATOR_FIELD, \%global_prefs, \%cvals);
+ set_pref_esc($SUBMITTER_ID_FIELD, \%global_prefs, \%cvals);
# columns is treated differently because it's an array which is stored
# in the cookie as a joined string.
@@ -4041,7 +4054,7 @@
%cvals = $q->cookie("gnatsweb-db-$database");
}
%db_prefs = ();
- set_pref('user', \%db_prefs, \%cvals);
+ set_pref_esc('user', \%db_prefs, \%cvals);
set_pref('password', \%db_prefs, \%cvals);
# Debug.

