oss-sec mailing list archives

Re: CVE Request: smokeping incomplete fix for CVE-2012-0790


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 19 Jul 2013 23:58:53 -0600

On 07/19/2013 06:34 PM, Seth Arnold wrote:
> Hello Kurt, Steve, all,
> 
> I am requesting a 2012 CVE for an incomplete security fix in
> smokeping, fixed in version 2.6.9.
> 
> CVE-2012-0790 was assigned to smokeping for XSS flaws.
> 
> The fix for CVE-2012-0790 in smokeping 2.6.7 was incomplete. The
> filtering used this blacklist:
> 
> $mode =~ s/[<>&%]/./g;
> 
> The version in 2.6.9 uses the following blacklist:
> 
> my $xssBadRx = qr/[<>%&'";]/;
> 
> (', ", and ; have been added. When it is used, blacklist chars are
> now turned to _ rather than . ) The 2.6.9 version prevents escaping
> <html attribute="..."> via " characters.
> 
> The incomplete fix is in 2.6.7 and 2.6.8.
> 
> This flaw was discovered by Florian Weimer [1] in 2012 and brought
> to our attention [2] in 2013.
> 
> The upstream CHANGES [3] file includes, in part:
> 
> --------------------------------------------------
> 
> 2013/03/04 - released version 2.6.9
> 
> *  be more careful about preventing xss attacks, re
> http://bugs.debian.org/659899 (tobi)
> 
> --------------------------------------------------
> 
> I have not found an up-to-date online browsable source.
> 
> Thanks
> 
> 1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899#37
> 2: https://bugs.launchpad.net/ubuntu/+source/smokeping/+bug/1203061
> 3: http://oss.oetiker.ch/smokeping/pub/CHANGES


Perfect CVE request.

Please use CVE-2013-4158 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
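The two blacklists quoted in the request can be run side by side to see why the 2.6.7 filter was incomplete. The script below is an added illustration, not part of the mailing list thread or of smokeping itself; the two substitution filters are the ones quoted above, the `html_attr_escape` routine is an assumed alternative (entity encoding of the five HTML-significant characters, the usual defence for values placed in attributes) rather than smokeping code, and the sample input is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Filter as shipped in smokeping 2.6.7 / 2.6.8 (the incomplete fix):
# only < > & % are replaced, each by '.'.
sub filter_2_6_7 {
    my ($mode) = @_;
    $mode =~ s/[<>&%]/./g;
    return $mode;
}

# Filter as shipped in smokeping 2.6.9: ' " ; are added to the blacklist
# and matches are replaced by '_'.
my $xssBadRx = qr/[<>%&'";]/;
sub filter_2_6_9 {
    my ($mode) = @_;
    $mode =~ s/$xssBadRx/_/g;
    return $mode;
}

# Output encoding instead of a blacklist (assumed alternative, not
# smokeping's code): entity-encode the five HTML-significant characters
# so any value can sit inside a double-quoted attribute unchanged in meaning.
sub html_attr_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Check used below: a value is safe to interpolate into value="..." only
# if no raw double quote survives in it.
sub stays_inside_attribute {
    my ($v) = @_;
    return $v !~ /"/ ? 1 : 0;
}

# Constructed sample input: a double quote followed by text, the shape
# that terminates the surrounding attribute quotes in 2.6.7.
my $sample = q{foo" bar};

for my $f (['2.6.7 filter',    \&filter_2_6_7],
           ['2.6.9 filter',    \&filter_2_6_9],
           ['entity encoding', \&html_attr_escape]) {
    my ($name, $code) = @$f;
    my $out = $code->($sample);
    printf "%-16s -> <input value=\"%s\">  attribute intact: %s\n",
        $name, $out, stays_inside_attribute($out) ? 'yes' : 'NO';
}
```

Running it shows the 2.6.7 output still carrying the raw `"` (attribute intact: NO), while 2.6.9 turns it into `_` and the encoding variant into `&quot;`. The 2.6.9 character class closes the hole reported here, but it is still a denylist applied at input time; encoding at the point of output covers every HTML context without having to enumerate dangerous characters in advance.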