Bug#427156: CVE-2007-2808: gnatsweb
Hi, I intend to NMU this bug. The attached patch fixes this issue. It will be also archived on: http://people.debian.org/~nion/nmu-diff/gnatsweb_4.00-1_4.00-1.1.patch Kind regards Nico -- Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. diff -u gnatsweb-4.00/debian/changelog gnatsweb-4.00/debian/changelog --- gnatsweb-4.00/debian/changelog +++ gnatsweb-4.00/debian/changelog @@ -1,3 +1,12 @@ +gnatsweb (4.00-1.1) unstable; urgency=high + + * Non-maintainer upload by testing security team. + * Fixed missing escaping of the database parameter which leads +to a cross-site scripting vulnerability (XSS) via this +parameter (CVE-2007-2808) (Closes: # 427156). + + -- Nico Golde [EMAIL PROTECTED] Sat, 06 Oct 2007 15:03:47 +0200 + gnatsweb (4.00-1) unstable; urgency=low * New upstream release. only in patch2: unchanged: --- gnatsweb-4.00.orig/gnatsweb.pl +++ gnatsweb-4.00/gnatsweb.pl @@ -1312,6 +1312,7 @@ { my($cmd, $pr, $include_return_url) = @_; my $url = $q-url() . ?cmd=$cmddatabase=$global_prefs{'database'}; + $global_prefs{'database'}=$q-escapeHTML($global_prefs{'database'}); $url .= pr=$pr if $pr; $url .= return_url= . $q-escape($q-self_url()) if $include_return_url; pgpREFCCZ6c48.pgp Description: PGP signature
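Review bot: the gnatsweb.pl hunk at line 1312 escapes $global_prefs{'database'} only after the value has already been interpolated into $url on the preceding line, so the URL this helper builds is unchanged; the hunk's only effect is to rewrite a global preference as a side effect of a URL-building routine. A value placed in a query string needs the CGI escape() method (percent-encoding, as the hunk already does for return_url two lines down), and escapeHTML belongs at the point where the database name is written into the page, not into the URL.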
Bug#427156: CVE-2007-2808: gnatsweb
Hi, I accidently included the wrong patch. Here is the correct one. Kind regards Nico -- Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. diff -u gnatsweb-4.00/debian/changelog gnatsweb-4.00/debian/changelog --- gnatsweb-4.00/debian/changelog +++ gnatsweb-4.00/debian/changelog @@ -1,3 +1,12 @@ +gnatsweb (4.00-1.1) unstable; urgency=high + + * Non-maintainer upload by testing security team. + * Fixed missing escaping of the database parameter which leads +to a cross-site scripting vulnerability (XSS) via this +parameter (CVE-2007-2808) (Closes: # 427156). + + -- Nico Golde [EMAIL PROTECTED] Sat, 06 Oct 2007 15:03:47 +0200 + gnatsweb (4.00-1) unstable; urgency=low * New upstream release. only in patch2: unchanged: --- gnatsweb-4.00.orig/gnatsweb.pl +++ gnatsweb-4.00/gnatsweb.pl @@ -3977,7 +3977,7 @@ $$cval_hashref{$pref_name} ); - $$pref_hashref{$pref_name} = $val + $$pref_hashref{$pref_name} = $q-escapeHTML($val) if defined($val); } pgpsB4HGzuUYs.pgp Description: PGP signature
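Review bot: the set_pref hunk at line 3977 applies escapeHTML to every preference that goes through set_pref, including password, so a password containing '&', '<', '>' or '"' would be altered before it is used for authentication. Escaping where prefs are loaded also leaves entity-encoded strings in the pref hashes for every later use that is not HTML output; keeping raw values here and calling escapeHTML where each pref is printed avoids both problems.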
Bug#427156: CVE-2007-2808: gnatsweb
Hi, here is again a new patch (should be the last update) because the last one would escape passwords as well which should not be the case. Kind regards Nico -- Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. diff -u gnatsweb-4.00/debian/changelog gnatsweb-4.00/debian/changelog --- gnatsweb-4.00/debian/changelog +++ gnatsweb-4.00/debian/changelog @@ -1,3 +1,12 @@ +gnatsweb (4.00-1.1) unstable; urgency=high + + * Non-maintainer upload by testing security team. + * Fixed missing escaping of the database parameter which leads +to a cross-site scripting vulnerability (XSS) via this +parameter (CVE-2007-2808) (Closes: # 427156). + + -- Nico Golde [EMAIL PROTECTED] Sat, 06 Oct 2007 15:03:47 +0200 + gnatsweb (4.00-1) unstable; urgency=low * New upstream release. only in patch2: unchanged: --- gnatsweb-4.00.orig/gnatsweb.pl +++ gnatsweb-4.00/gnatsweb.pl @@ -3981,6 +3981,19 @@ if defined($val); } +sub set_pref_esc +{ + my($pref_name, $pref_hashref, $cval_hashref) = @_; + my $val = $q-param($pref_name) || ($pref_name eq password ? + uncamouflage($$cval_hashref{$pref_name}) : + $$cval_hashref{$pref_name} + ); + + $$pref_hashref{$pref_name} = $q-escapeHTML($val) +if defined($val); +} + + # init_prefs - # Initialize global_prefs and db_prefs from cookies and params. # @@ -4008,10 +4021,10 @@ } %global_prefs = (); - set_pref('database', \%global_prefs, \%cvals); - set_pref('email', \%global_prefs, \%cvals); - set_pref($ORIGINATOR_FIELD, \%global_prefs, \%cvals); - set_pref($SUBMITTER_ID_FIELD, \%global_prefs, \%cvals); + set_pref_esc('database', \%global_prefs, \%cvals); + set_pref_esc('email', \%global_prefs, \%cvals); + set_pref_esc($ORIGINATOR_FIELD, \%global_prefs, \%cvals); + set_pref_esc($SUBMITTER_ID_FIELD, \%global_prefs, \%cvals); # columns is treated differently because it's an array which is stored # in the cookie as a joined string. 
@@ -4041,7 +4054,7 @@ %cvals = $q-cookie(gnatsweb-db-$database); } %db_prefs = (); - set_pref('user', \%db_prefs, \%cvals); + set_pref_esc('user', \%db_prefs, \%cvals); set_pref('password', \%db_prefs, \%cvals); # Debug. pgpmv4TzzflYR.pgp Description: PGP signature
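Review bot: set_pref_esc in the hunk at line 3981 duplicates set_pref apart from the escapeHTML call, and its password branch (the uncamouflage call) is dead code, because the call-site hunks never pass 'password' to it. A flag parameter on set_pref, or escaping at output instead, would avoid two copies that have to be kept in sync.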
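Review bot: the init_prefs hunks at lines 4021 and 4054 escape database, email, originator, submitter and user as they are loaded, so the pref hashes now hold entity-encoded strings instead of the submitted values. Any use of these prefs outside HTML output, such as writing them back to the cookie they were read from (the comment in the hunk says init_prefs is initialised from cookies and params) or passing the database name on, sees the encoded form, and a value re-read from a cookie would be escaped again on the next request ('&' becoming '&amp;' and then '&amp;amp;'). Calling escapeHTML where each pref is printed keeps the stored values intact.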
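The three patches in this thread move the escaping around (after the URL is built, onto every preference including the password, then onto all but the password) but always encode at the point where preferences are loaded. The following added example, which is not code from gnatsweb or from the patch, shows the alternative a reviewer would ask for: keep preference values raw, percent-encode when building a query string, and HTML-escape when writing into a page. The function names (load_prefs, build_url, render_link, query_value, escape_at_input) and the sample values are this example's own; escape_at_input models what happens when an input-escaped value is written back to a cookie and loaded again on later requests.

```python
"""Context-specific output escaping for a gnatsweb-style 'database' preference.

Added example, not code from gnatsweb or the Debian patch. Preference values
are stored raw where they are loaded and encoded only at output, with the
encoding chosen by the output context (URL query string vs. HTML body).
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Preference names are this example's own, modelled on the thread's set_pref calls.
PREF_NAMES = ("database", "email", "user", "password")


def load_prefs(params, cookie):
    """Merge request parameters over cookie values, storing them unescaped.

    Nothing is escaped here: the password reaches the backend unchanged and
    the database name can be re-read from the cookie on the next request
    without accumulating entities.
    """
    prefs = {}
    for name in PREF_NAMES:
        val = params.get(name)
        if val is None:
            val = cookie.get(name)
        if val is not None:
            prefs[name] = val
    return prefs


def build_url(base, cmd, database, pr=None):
    """URL context: percent-encode each query value (the role of CGI.pm's escape)."""
    url = f"{base}?cmd={quote(cmd, safe='')}&database={quote(database, safe='')}"
    if pr:
        url += f"&pr={quote(str(pr), safe='')}"
    return url


def query_value(url, name):
    """Decode one query parameter back out of a URL built by build_url."""
    return parse_qs(urlsplit(url).query)[name][0]


def render_link(base, cmd, database):
    """HTML context: entity-escape the href (it contains '&') and the link text."""
    url = build_url(base, cmd, database)
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(database)}</a>'


def escape_at_input(value, requests):
    """Model the escape-when-loading pattern over several requests.

    If the escaped value is stored in a cookie and escaped again when it is
    loaded next time, '&' becomes '&amp;', then '&amp;amp;', and so on.
    """
    for _ in range(requests):
        value = html.escape(value)
    return value


if __name__ == "__main__":
    # Constructed sample input: a database name with markup and a password with '&'.
    params = {"database": 'db"><b>x</b>', "password": "p&ss<word>"}
    cookie = {"email": "user@example.invalid"}
    prefs = load_prefs(params, cookie)
    print(render_link("gnatsweb.pl", "view", prefs["database"]))
    print(prefs["password"])          # stored raw, so unchanged
    print(escape_at_input("a&b", 3))  # what repeated input-escaping produces
```

The database name is encoded twice on the way into the link, once for the URL and once for the HTML attribute, and each decoder (the browser's HTML parser, then the server's query parser) undoes exactly one layer, which is why query_value recovers the original string.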
Bug#427156: CVE-2007-2808: gnatsweb
Package: gnatsweb
Severity: important
Tags: security

A cross-site scripting vulnerability has been disclosed in gnatsweb: http://pridels-team.blogspot.com/2007/05/blog-post.html Please mention the name CVE-2007-2808 in the changelog when fixing this bug.