Control: fixed -1 2.6.7-1

Hi Steven

On Sat, Mar 16, 2013 at 12:40:04PM +0000, Steven Chamberlain wrote:
> Control: reopen -1

Hmm, as Adam wrote, was this intentional? Because this way we lost the
version tracking for the already fixed version. The BTS handles fixed
versions already.

Btw, it's nice timing, since just yesterday I also uploaded the fix
for smokeping for stable to security-master, which is not to be
reviewed.

Thank you furthermore for your analysis of the further issues! If
possible, could you bring these further possible issues to upstream
(Tobias Oetiker is already in the CC list, however)?

Attached is the debdiff which I uploaded yesterday.

Thank you and regards,
Salvatore
diff -u smokeping-2.3.6/debian/changelog smokeping-2.3.6/debian/changelog
--- smokeping-2.3.6/debian/changelog
+++ smokeping-2.3.6/debian/changelog
@@ -1,3 +1,14 @@
+smokeping (2.3.6-5+squeeze1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2012-0790: Fix cross-site scripting vulnerability allowing a
+    remote attacker to inject arbitrary web script or html via the
+    displaymode parameter. Initial patch prepared by Antoine Beaupré.
+    Add an adjustment to the patterns to exclude more special
+    characters. (Closes: #659899)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Fri, 15 Mar 2013 22:46:57 +0100
+
 smokeping (2.3.6-5) unstable; urgency=medium
 
   * debian/patches/20_html-parser.dpatch: fix an incompatibility with
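Review bot: the changelog entry names only the displaymode parameter, but the dpatch added below also sanitizes the hierarchy and target parameters (in hierarchy(), get_detail() and display_webpage()) and the per-step target path in update_dynaddr(); listing those parameters in the entry would let stable users see the full scope of the change. The entry also leaves out where the "adjustment to the patterns" comes from, while the dpatch header states the regexp fixes are taken from smokeping 2.6.9; naming that origin here helps anyone comparing this backport with the 2.6.x fix.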
diff -u smokeping-2.3.6/debian/patches/00list 
smokeping-2.3.6/debian/patches/00list
--- smokeping-2.3.6/debian/patches/00list
+++ smokeping-2.3.6/debian/patches/00list
@@ -3,0 +4 @@
+30_cve-2012-0790.dpatch
only in patch2:
unchanged:
--- smokeping-2.3.6.orig/debian/patches/30_cve-2012-0790.dpatch
+++ smokeping-2.3.6/debian/patches/30_cve-2012-0790.dpatch
@@ -0,0 +1,74 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2012-0790.dpatch by Vincent Danen, ported to 2.3 by Antoine Beaupré
+## add additional fixes on the regexp from smokeping 2.6.9
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix for CVE-2012-0790
+
+@DPATCH@
+diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm
+index d29a547..b74c3fc 100644
+--- a/lib/Smokeping.pm
++++ b/lib/Smokeping.pm
+@@ -134,8 +134,10 @@ sub cgiurl {
+ sub hierarchy ($){
+     my $q = shift;
+     my $hierarchy = '';
++    my $h = $q->param('hierarchy');
+     if ($q->param('hierarchy')){
+-       $hierarchy = 'hierarchy='.$q->param('hierarchy').';';
++       $h =~ s/[<>%&'";]/./g;
++       $hierarchy = 'hierarchy='.$h.';';
+     }; 
+     return $hierarchy;
+ }        
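Review bot: the condition right after `my $h = $q->param('hierarchy');` still re-reads the parameter (`if ($q->param('hierarchy'))`) instead of testing the copy; `if ($h)` would be clearer and avoid a second CGI lookup. The substitution `s/[<>%&'";]/./g` is a denylist: characters outside those seven (for example `=`, `?`, `#` and whitespace) survive, and `$h` is then interpolated straight into a query string (`'hierarchy='.$h.';'`). Since display_webpage() later validates the hierarchy against `$cfg->{Presentation}{hierarchies}`, percent-encoding the value (URI::Escape's uri_escape, for instance) or restricting it to a configured hierarchy name would be more robust than stripping a fixed set of characters.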
+@@ -176,6 +178,7 @@ sub update_dynaddr ($$){
+     my $address = $ENV{REMOTE_ADDR};
+     my $targetptr = $cfg->{Targets};
+     foreach my $step (@target){
++        $step =~ s/[<>%&'";]/./g; 
+         return "Error: Unknown target $step" 
+           unless defined $targetptr->{$step};
+         $targetptr =  $targetptr->{$step};
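Review bot: the new `$step =~ s/[<>%&'";]/./g;` line rewrites each element of `@target` in place before the `$targetptr->{$step}` lookup; because that lookup already rejects any name not defined in the configuration, the substitution only affects the `"Error: Unknown target $step"` string that echoes the value back to the client. That is a reasonable defence for the error message, but a one-line comment saying so would stop a later reader from assuming the substitution is what protects the lookup. The added line also carries trailing whitespace after the `;`.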
+@@ -979,6 +982,7 @@ sub get_detail ($$$$;$){
+     my $open = shift;
+     my $mode = shift || $q->param('displaymode') || 's';
+ 
++    $mode =~ s/[<>%&'";]/./g;
+     my $phys_tree = $tree;
+     my $phys_open = $open;    
+     if ($tree->{__tree_link}){
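Review bot: `$mode =~ s/[<>%&'";]/./g;` rewrites an unexpected displaymode into a string containing dots rather than rejecting it, and that value then falls through every `$mode eq '...'` comparison below. Everything visible in this file compares `$mode` against short literal names (`'s'` in the next hunk, `displaymode=n` in the links it emits), so an allowlist of the modes get_detail() actually handles (the exact set is not visible in this diff) with a fallback to the `'s'` default would be both stricter and easier to reason about than a denylist of seven characters.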
+@@ -1376,13 +1380,15 @@ sub get_detail ($$$$;$){
+         } elsif ($mode eq 's') { # classic mode
+             $startstr =~ s/\s/%20/g;
+             $endstr =~ s/\s/%20/g;
++            my $t = $q->param('target');
++            $t =~ s/[<>%&'";]/./g; 
+             for my $slave (@slaves){
+                 my $s = $slave ? "~$slave" : "";
+                 $page .= "<div>";
+ #           $page .= (time-$timer_start)."<br/>";
+ #           $page .= join " ",map {"'$_'"} @task;
+                 $page .= "<br/>";
+-                $page .= ( qq{<a 
href="}.cgiurl($q,$cfg)."?".hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}."target=".$q->param('target').$s.'">'
++                $page .= ( qq{<a 
href="}.cgiurl($q,$cfg)."?".hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}."target=".$t.$s.'">'
+                       . qq{<IMG BORDER="0" 
SRC="${imghref}${s}_${end}_${start}.png">}."</a>" ); #"
+                 $page .= "</div>";
+             }
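Review bot: `my $t = $q->param('target');` followed by `$t =~ s/[<>%&'";]/./g;` runs the substitution on undef when no target parameter is present, which produces a "Use of uninitialized value" warning under `use warnings`; initialising with `my $t = $q->param('target') || '';` avoids that. Replacing the direct interpolation of `$q->param('target')` in the href with a sanitized copy is the right shape, but note that the replacement character `.` is also the target-path separator used elsewhere in this file (`split /\./,$path` in display_webpage()), so a rewritten value gains extra path components instead of being rejected. The added `$t =~` line also ends with trailing whitespace.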
+@@ -1525,8 +1531,15 @@ sub hierarchy_switcher($$){
+ sub display_webpage($$){
+     my $cfg = shift;
+     my $q = shift;
+-    my ($path,$slave) = split(/~/,$q->param('target') || '');
++    my $targ = '';
++    my $t = $q->param('target');
++    if ( $t and $t !~ /\.\./ and $t =~ /(\S+)/){
++        $targ = $1;
++        $targ =~ s/[<>%&'";]/./g;
++    }
++    my ($path,$slave) = split(/~/,$targ);
+     my $hierarchy = $q->param('hierarchy');
++    $hierarchy =~ s/[<>%&'";]/./g;
+     die "ERROR: unknown hierarchy $hierarchy\n" 
+       if $hierarchy and not $cfg->{Presentation}{hierarchies}{$hierarchy};
+     my $open = [ (split /\./,$path||'') ];
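Review bot: in display_webpage() the `$t !~ /\.\./` check runs on the raw parameter, but the `s/[<>%&'";]/./g` substitution on `$targ` runs afterwards and inserts `.`, which is both the character the check guards against and the separator that `split /\./,$path` uses, so the substitution can itself produce `..` sequences after the check has already passed. Doing the substitution before the check, or substituting with a character that is not the path separator (`_`, say), keeps the `..` check meaningful. Separately, `$hierarchy =~ s/[<>%&'";]/./g;` runs unconditionally on `$q->param('hierarchy')`, which is undef when the parameter is absent and will warn, whereas hierarchy() above guards the same lookup with an `if`; `my $hierarchy = $q->param('hierarchy') || '';` would keep the two consistent.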
