oss-sec mailing list archives

CVE Request: smokeping incomplete fix for CVE-2012-0790


From: Seth Arnold <seth.arnold () canonical com>
Date: Fri, 19 Jul 2013 17:34:22 -0700

Hello Kurt, Steve, all,

I am requesting a 2012 CVE for an incomplete security fix in smokeping,
fixed in version 2.6.9.

CVE-2012-0790 was assigned to smokeping for XSS flaws.

The fix for CVE-2012-0790 in smokeping 2.6.7 was incomplete. The
filtering used this blacklist:

    $mode =~ s/[<>&%]/./g;

The version in 2.6.9 uses the following blacklist:

    my $xssBadRx = qr/[<>%&'";]/;

(', ", and ; have been added. When it is used, blacklist chars are now
turned to _ rather than . ) The 2.6.9 version prevents escaping <html
attribute="..."> via " characters.

The incomplete fix is in 2.6.7 and 2.6.8.

This flaw was discovered by Florian Weimer [1] in 2012 and brought to
our attention [2] in 2013.

The upstream CHANGES [3] file includes, in part:


--------------------------------------------------

2013/03/04 - released version 2.6.9

*  be more careful about preventing xss attacks, re http://bugs.debian.org/659899 (tobi)

--------------------------------------------------


I have not found an up-to-date online browsable source.

Thanks


1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899#37
2: https://bugs.launchpad.net/ubuntu/+source/smokeping/+bug/1203061
3: http://oss.oetiker.ch/smokeping/pub/CHANGES
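
Added example (not part of the original message and not smokeping's own code): the two blacklists quoted above, applied to constructed inputs that are then placed inside a double-quoted HTML attribute. The template in render(), the s///g form of the 2.6.9 substitution, the helper names and the sample values are assumptions made for illustration; only the two character classes and the replacement characters come from the message.

```perl
use strict;
use warnings;

# 2.6.7 filter as quoted in the message: blacklisted chars become "."
sub filter_267 {
    my ($v) = @_;
    $v =~ s/[<>&%]/./g;
    return $v;
}

# 2.6.9 character class as quoted in the message; chars become "_".
# The s///g application is an assumption about how the regex is used.
my $xssBadRx = qr/[<>%&'";]/;
sub filter_269 {
    my ($v) = @_;
    $v =~ s/$xssBadRx/_/g;
    return $v;
}

# Hypothetical template: the value lands inside a double-quoted attribute.
sub render {
    my ($v) = @_;
    return qq{<input type="hidden" name="mode" value="$v">};
}

# List the name="value" attributes a parser would find in the tag.
sub attribute_names {
    my ($tag) = @_;
    my @names = $tag =~ /\s([\w-]+)="[^"]*"/g;
    return @names;
}

# Constructed inputs using a harmless marker attribute.
my @samples = ('n', '<b>bold</b>', 'n" data-injected="1', "n' data-injected='1");

for my $raw (@samples) {
    for my $f (['2.6.7', \&filter_267], ['2.6.9', \&filter_269]) {
        my ($ver, $fn) = @$f;
        my $tag   = render($fn->($raw));
        my @names = attribute_names($tag);
        # The template has exactly three attributes; a fourth means the
        # value closed its own quote and added an attribute of its own.
        my $state = @names == 3 ? 'contained' : 'ATTRIBUTE INJECTED';
        printf "%-6s %-22s -> %s [%s]\n", $ver, $raw, $tag, $state;
    }
}
```

The single-quote sample stays contained under both filters only because this template quotes the attribute with double quotes; in a single-quoted attribute it is the ' character that the 2.6.7 class lets through.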
