close 335997 0.9.8-4
tags 335997 patch
thanks

> Multiple Cross-Site-Scripting vulnerabilities have been found in
> Flyspray. Have a look at
> http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
> for more details. This has been assigned CVE-2005-3334, please mention so in
> the changelog when fixing this.

This RC bug has been open for >50 days without response from the maintainer, so I've taken the liberty to work towards a fix.

For unstable: This has already been addressed in the current unstable version by an update from the upstream repository in version 0.9.8-4, uploaded by the maintainer on 2005-10-26. I'm marking the bug as fixed in that version with this mail.

For testing: The current unstable version just has to migrate to testing, and that will happen soon because I'm now marking the RC bug as fixed in 0.9.8-4.

For stable: I've extracted the right patch from the unstable version (which has been present without any bugreports since the end of October), and that is attached. I've also prepared updated packages here: http://www.a-eskwadraat.nl/~kink/flyspray/

For oldstable: Does not contain flyspray.

Bye,
Thijs

diff -ur flyspray-0.9.7.orig/debian/changelog flyspray-0.9.7/debian/changelog --- flyspray-0.9.7.orig/debian/changelog 2005-12-19 13:20:01.858900424 +0100 +++ flyspray-0.9.7/debian/changelog 2005-12-19 13:17:44.847729288 +0100 @@ -1,3 +1,11 @@ +flyspray (0.9.7-2.1) stable-security; urgency=high + + * NMU for security bug + * CVE-2005-3334: Sanitize incoming GET parameters in index.php. + Patch from unstable package (Closes: #335997). + + -- Thijs Kinkhorst <[EMAIL PROTECTED]> Mon, 19 Dec 2005 13:15:26 +0100 + flyspray (0.9.7-2) unstable; urgency=high * Let the user know how to perform database upgrade when mysql is down. diff -ur flyspray-0.9.7.orig/index.php flyspray-0.9.7/index.php --- flyspray-0.9.7.orig/index.php 2005-01-17 11:57:24.000000000 +0100 +++ flyspray-0.9.7/index.php 2005-12-19 13:22:13.374906952 +0100 @@ -20,6 +20,18 @@ $lang = $flyspray_prefs['lang_code']; get_language_pack($lang, 'main'); +// Run all user-submitted variables through a filter +if (isset($_GET)) +{ + foreach ($_GET as $key => $val) + $_GET[$key] = htmlspecialchars($val); +} +if (isset($_POST)) +{ + foreach ($_POST as $key => $val) + $_POST[$key] = htmlspecialchars($val); +} + // Set the page to include if (isset($_REQUEST['do'])) { $do = $_REQUEST['do'];
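
Review bot: the new entry in debian/changelog says "Sanitize incoming GET parameters in index.php", but the index.php hunk filters both $_GET and $_POST. Suggest wording the entry to cover GET and POST parameters so the changelog matches what the upload actually changes.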
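
Review bot: the filter added to index.php rewrites only $_GET and $_POST, while the unchanged line directly below it reads `$_REQUEST['do']`; PHP populates $_REQUEST as a separate array, so values read through it (and through $_COOKIE) are not escaped by these loops. Suggest applying the same filter to $_REQUEST and $_COOKIE, or switching the reads to the filtered arrays. In addition, `htmlspecialchars($val)` assumes a string value: an array-valued parameter is not escaped element by element, and the default flags leave single quotes untouched, so handling arrays recursively and passing ENT_QUOTES would close those gaps.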