Bug#427156: CVE-2007-2808: gnatsweb

2007-10-06 Thread Nico Golde
Hi,
I intend to NMU this bug.
The attached patch fixes this issue.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/gnatsweb_4.00-1_4.00-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u gnatsweb-4.00/debian/changelog gnatsweb-4.00/debian/changelog
--- gnatsweb-4.00/debian/changelog
+++ gnatsweb-4.00/debian/changelog
@@ -1,3 +1,12 @@
+gnatsweb (4.00-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by testing security team.
+  * Fixed missing escaping of the database parameter which leads
+to a cross-site scripting vulnerability (XSS) via this
+parameter (CVE-2007-2808) (Closes: # 427156).
+
+ -- Nico Golde [EMAIL PROTECTED]  Sat, 06 Oct 2007 15:03:47 +0200
+
 gnatsweb (4.00-1) unstable; urgency=low
 
   * New upstream release.
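Review bot: the two continuation lines of the second bullet (`+to a cross-site scripting vulnerability (XSS) via this` and `+parameter (CVE-2007-2808) ...`) appear without the four-space indentation Debian changelog entries use for wrapped bullet text; if that is not just the archive's rendering, the entry is malformed and the wrapped lines should be indented under `* Fixed`. `Closes: # 427156` with a space after `#` is accepted, but `Closes: #427156` is the conventional form.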
only in patch2:
unchanged:
--- gnatsweb-4.00.orig/gnatsweb.pl
+++ gnatsweb-4.00/gnatsweb.pl
@@ -1312,6 +1312,7 @@
 {
   my($cmd, $pr, $include_return_url) = @_;
   my $url = $q-url() . ?cmd=$cmddatabase=$global_prefs{'database'};
+  $global_prefs{'database'}=$q-escapeHTML($global_prefs{'database'});
   $url .= pr=$pr if $pr;
   $url .= return_url= . $q-escape($q-self_url())
 if $include_return_url;
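Review bot: the added line escapes `$global_prefs{'database'}` only after it has already been interpolated into `$url` on the line above, so the URL built here is unchanged, and the function now mutates a global preference as a side effect every time a URL is rendered (a second call escapes the already-escaped value, turning `&amp;` into `&amp;amp;`). HTML entity escaping is also the wrong encoding for a query-string value; the `return_url` parameter two lines down already uses the right tool, `$q->escape(...)` (the archive has dropped the `->` arrow and the `&` between `$cmd` and `database=` in these lines), so apply `escape` to the database name inside the `?cmd=...&database=...` expression and leave the global untouched.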




Bug#427156: CVE-2007-2808: gnatsweb

2007-10-06 Thread Nico Golde
Hi,
I accidentally included the wrong patch.
Here is the correct one.
Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u gnatsweb-4.00/debian/changelog gnatsweb-4.00/debian/changelog
--- gnatsweb-4.00/debian/changelog
+++ gnatsweb-4.00/debian/changelog
@@ -1,3 +1,12 @@
+gnatsweb (4.00-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by testing security team.
+  * Fixed missing escaping of the database parameter which leads
+to a cross-site scripting vulnerability (XSS) via this
+parameter (CVE-2007-2808) (Closes: # 427156).
+
+ -- Nico Golde [EMAIL PROTECTED]  Sat, 06 Oct 2007 15:03:47 +0200
+
 gnatsweb (4.00-1) unstable; urgency=low
 
   * New upstream release.
only in patch2:
unchanged:
--- gnatsweb-4.00.orig/gnatsweb.pl
+++ gnatsweb-4.00/gnatsweb.pl
@@ -3977,7 +3977,7 @@
   $$cval_hashref{$pref_name}
   );
 
-  $$pref_hashref{$pref_name} = $val
+  $$pref_hashref{$pref_name} = $q-escapeHTML($val)
 if defined($val);
 }
 
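Review bot: applying `escapeHTML` inside `set_pref` rewrites the stored value of every preference that passes through it, including the `password` branch visible just above (`uncamouflage($$cval_hashref{$pref_name})`), so a password containing `<`, `>`, `&` or a quote will no longer match what the user typed. The stored value is also what the first patch in this thread interpolates into a query string (`database=$global_prefs{'database'}`), where HTML entities are not the right encoding. Escaping at the HTML output sites and keeping preference values raw is the robust fix; if storage-time escaping is kept, `password` at least must be excluded.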




Bug#427156: CVE-2007-2808: gnatsweb

2007-10-06 Thread Nico Golde
Hi,
Here is again a new patch (should be the last update)
because the last one would escape passwords as well, which
should not be the case.
Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u gnatsweb-4.00/debian/changelog gnatsweb-4.00/debian/changelog
--- gnatsweb-4.00/debian/changelog
+++ gnatsweb-4.00/debian/changelog
@@ -1,3 +1,12 @@
+gnatsweb (4.00-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by testing security team.
+  * Fixed missing escaping of the database parameter which leads
+to a cross-site scripting vulnerability (XSS) via this
+parameter (CVE-2007-2808) (Closes: # 427156).
+
+ -- Nico Golde [EMAIL PROTECTED]  Sat, 06 Oct 2007 15:03:47 +0200
+
 gnatsweb (4.00-1) unstable; urgency=low
 
   * New upstream release.
only in patch2:
unchanged:
--- gnatsweb-4.00.orig/gnatsweb.pl
+++ gnatsweb-4.00/gnatsweb.pl
@@ -3981,6 +3981,19 @@
 if defined($val);
 }
 
+sub set_pref_esc
+{
+  my($pref_name, $pref_hashref, $cval_hashref) = @_;
+  my $val = $q-param($pref_name) || ($pref_name eq password ?
+  uncamouflage($$cval_hashref{$pref_name}) :
+  $$cval_hashref{$pref_name}
+  );
+
+  $$pref_hashref{$pref_name} = $q-escapeHTML($val)
+if defined($val);
+}
+
+
 # init_prefs -
 # Initialize global_prefs and db_prefs from cookies and params.
 #
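Review bot: `set_pref_esc` is a verbatim copy of `set_pref` apart from the `escapeHTML` call, and it keeps the `password` special case (`$pref_name eq password ? uncamouflage(...)`) even though, per the cover mail, the escaping variant is never to be used for `password`, so that branch is dead code here. A single `set_pref` with an extra "escape" argument, or a thin wrapper that calls `set_pref` and then escapes `$$pref_hashref{$pref_name}`, avoids two copies drifting apart. The new sub also deserves a comment stating that the value it stores is entity-encoded, since the same preference values are interpolated into URLs and cookies elsewhere in this thread's patches (`database=$global_prefs{'database'}`, `$q->cookie(gnatsweb-db-$database)`), where a database name containing `&` or a quote would now be altered.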
@@ -4008,10 +4021,10 @@
   }
 
   %global_prefs = ();
-  set_pref('database', \%global_prefs, \%cvals);
-  set_pref('email', \%global_prefs, \%cvals);
-  set_pref($ORIGINATOR_FIELD, \%global_prefs, \%cvals);
-  set_pref($SUBMITTER_ID_FIELD, \%global_prefs, \%cvals);
+  set_pref_esc('database', \%global_prefs, \%cvals);
+  set_pref_esc('email', \%global_prefs, \%cvals);
+  set_pref_esc($ORIGINATOR_FIELD, \%global_prefs, \%cvals);
+  set_pref_esc($SUBMITTER_ID_FIELD, \%global_prefs, \%cvals);
 
   # columns is treated differently because it's an array which is stored
   # in the cookie as a joined string.
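Review bot: after this hunk `%global_prefs` holds HTML-escaped values for `database`, `email`, `$ORIGINATOR_FIELD` and `$SUBMITTER_ID_FIELD`, while the surrounding comment says these prefs are initialised from cookies and params. If the escaped values are written back to cookies, they will be escaped again on the next request (`&` becomes `&amp;`, then `&amp;amp;`) unless the cookie path stores or restores the raw value; either confirm the cookie-write path uses the unescaped input or move the escaping to the HTML output sites.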
@@ -4041,7 +4054,7 @@
%cvals = $q-cookie(gnatsweb-db-$database);
   }
   %db_prefs = ();
-  set_pref('user', \%db_prefs, \%cvals);
+  set_pref_esc('user', \%db_prefs, \%cvals);
   set_pref('password', \%db_prefs, \%cvals);
 
   # Debug.
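Review bot: `user` is now escaped while `password` deliberately is not, which matches the cover mail, but the asymmetry reads like an oversight without a one-line comment next to `set_pref('password', ...)` explaining why it is the exception. Leaving the password raw also means any page that echoes it into HTML (a prefilled form field, for instance) still needs escaping at that output site.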




Bug#427156: CVE-2007-2808: gnatsweb

2007-06-02 Thread Florian Weimer
Package: gnatsweb
Severity: important
Tags: security

A cross-site scripting vulnerability has been disclosed in gnatsweb:

http://pridels-team.blogspot.com/2007/05/blog-post.html

Please mention the name CVE-2007-2808 in the changelog when fixing
this bug.

