oss-sec mailing list archives
CVE Request: smokeping incomplete fix for CVE-2012-0790
From: Seth Arnold <seth.arnold () canonical com>
Date: Fri, 19 Jul 2013 17:34:22 -0700
Hello Kurt, Steve, all,

I am requesting a 2012 CVE for an incomplete security fix in smokeping, fixed in version 2.6.9.

CVE-2012-0790 was assigned to smokeping for XSS flaws. The fix for CVE-2012-0790 in smokeping 2.6.7 was incomplete. The filtering used this blacklist:

    $mode =~ s/[<>&%]/./g;

The version in 2.6.9 uses the following blacklist:

    my $xssBadRx = qr/[<>%&'";]/;

(', ", and ; have been added. When it is used, blacklist chars are now turned to _ rather than . )

The 2.6.9 version prevents escaping <html attribute="..."> via " characters.

The incomplete fix is in 2.6.7 and 2.6.8.

This flaw was discovered by Florian Weimer [1] in 2012 and brought to our attention [2] in 2013.

The upstream CHANGES [3] file includes, in part:

--------------------------------------------------
2013/03/04 - released version 2.6.9
* be more careful about preventing xss attacks, re
  http://bugs.debian.org/659899 (tobi)
--------------------------------------------------

I have not found an up-to-date online browsable source.

Thanks

1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899#37
2: https://bugs.launchpad.net/ubuntu/+source/smokeping/+bug/1203061
3: http://oss.oetiker.ch/smokeping/pub/CHANGES
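The difference between the two character classes quoted in the message, as an added example (not smokeping code and not part of the original message). The `render` template, the sample inputs, the way `$xssBadRx` is applied as a substitution, and the `html_attr_escape` alternative are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Character class quoted for 2.6.7/2.6.8: matches become '.'
sub filter_267 { my ($v) = @_; $v =~ s/[<>&%]/./g; return $v; }

# Character class quoted for 2.6.9: matches become '_'
# (assumption: applied as a global substitution, as the message describes)
my $xssBadRx = qr/[<>%&'";]/;
sub filter_269 { my ($v) = @_; $v =~ s/$xssBadRx/_/g; return $v; }

# Context-aware alternative, not taken from smokeping: encode on output
# instead of rewriting input, so no character has to be blacklisted.
sub html_attr_escape {
    my ($v) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $v =~ s/([&<>"'])/$ent{$1}/g;
    return $v;
}

# Hypothetical template: the value lands inside a double-quoted attribute.
sub render {
    my ($v) = @_;
    return sprintf('<input type="hidden" name="mode" value="%s">', $v);
}

# Counts attributes other than the three the template itself emits.
sub extra_attrs {
    my ($html) = @_;
    my %seen;
    while ($html =~ /\s([\w-]+)="[^"]*"/g) { $seen{$1} = 1 }
    return scalar(grep { !/^(?:type|name|value)$/ } keys %seen);
}

# Constructed inputs: one tag-based, one that only needs a double quote.
my @samples = ('<b>x</b>', 'x" data-injected="1');
my @filters = (['2.6.7', \&filter_267], ['2.6.9', \&filter_269],
               ['escape', \&html_attr_escape]);

for my $in (@samples) {
    for my $f (@filters) {
        my $html = render($f->[1]->($in));
        printf "%-6s extra_attrs=%d  %s\n", $f->[0], extra_attrs($html), $html;
    }
}
```

Only the 2.6.7 filter on the second input reports an extra attribute, because `"` is not in its character class and the value closes the attribute early.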