close 335997 0.9.8-4
tags 335997 patch
thanks

> Multiple Cross-Site-Scripting vulnerabilities have been found in
> Flyspray. Have a look at 
> http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
> for more details. This has been assigned CVE-2005-3334, please mention so in
> the changelog when fixing this.

This RC bug has been open for >50 days without response from the
maintainer, so I've taken the liberty to work towards a fix.

For unstable:
This has already been addressed in the current unstable version by an
update from the upstream repository in version 0.9.8-4, uploaded by the
maintainer on 2005-10-26. I'm marking the bug as fixed in that version
with this mail.

For testing:
The current unstable version just has to migrate to testing, and that
will happen soon because I'm now marking the RC bug as fixed in 0.9.8-4.

For stable:
I've extracted the right patch from the unstable version (which has been
present without any bug reports since the end of October), and that is
attached. I've also prepared updated packages here:
http://www.a-eskwadraat.nl/~kink/flyspray/

For oldstable:
Does not contain flyspray.


Bye,
Thijs
diff -ur flyspray-0.9.7.orig/debian/changelog flyspray-0.9.7/debian/changelog
--- flyspray-0.9.7.orig/debian/changelog	2005-12-19 13:20:01.858900424 +0100
+++ flyspray-0.9.7/debian/changelog	2005-12-19 13:17:44.847729288 +0100
@@ -1,3 +1,11 @@
+flyspray (0.9.7-2.1) stable-security; urgency=high
+
+  * NMU for security bug
+  * CVE-2005-3334: Sanitize incoming GET parameters in index.php.
+    Patch from unstable package (Closes: #335997).
+
+ -- Thijs Kinkhorst <[EMAIL PROTECTED]>  Mon, 19 Dec 2005 13:15:26 +0100
+
 flyspray (0.9.7-2) unstable; urgency=high
 
   * Let the user know how to perform database upgrade when mysql is down.
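
Review bot: The changelog line "CVE-2005-3334: Sanitize incoming GET parameters in index.php" names only GET, while the index.php hunk of this same patch runs both $_GET and $_POST through the filter. Suggest wording it as "Sanitize incoming GET and POST parameters in index.php" so the stable-security changelog matches what the upload changes.
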
diff -ur flyspray-0.9.7.orig/index.php flyspray-0.9.7/index.php
--- flyspray-0.9.7.orig/index.php	2005-01-17 11:57:24.000000000 +0100
+++ flyspray-0.9.7/index.php	2005-12-19 13:22:13.374906952 +0100
@@ -20,6 +20,18 @@
 $lang = $flyspray_prefs['lang_code'];
 get_language_pack($lang, 'main');
 
+// Run all user-submitted variables through a filter
+if (isset($_GET))
+{
+   foreach ($_GET as $key => $val)
+      $_GET[$key] = htmlspecialchars($val);
+}
+if (isset($_POST))
+{
+   foreach ($_POST as $key => $val)
+      $_POST[$key] = htmlspecialchars($val);
+}
+
 // Set the page to include
 if (isset($_REQUEST['do'])) {
   $do = $_REQUEST['do'];
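
Review bot: The new loops rewrite only $_GET and $_POST, but the context line directly after them reads `$_REQUEST['do']`, and $_REQUEST is a separate array that PHP fills when the request starts, so it does not pick up these changes. Any code that reads input through $_REQUEST (or $_COOKIE) still sees the raw value; suggest running the same loop over $_REQUEST or switching such reads to the filtered arrays. Two smaller points on `htmlspecialchars($val)`: it assumes every value is a string, so array-valued parameters are not escaped element by element, and with its default flags it leaves single quotes unescaped, so passing `ENT_QUOTES` is the safer choice if any value ends up inside a single-quoted attribute.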
