oss-sec mailing list archives
Re: CVE Request: smokeping incomplete fix for CVE-2012-0790
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 19 Jul 2013 23:58:53 -0600
On 07/19/2013 06:34 PM, Seth Arnold wrote:
> Hello Kurt, Steve, all,
>
> I am requesting a 2012 CVE for an incomplete security fix in smokeping,
> fixed in version 2.6.9.
>
> CVE-2012-0790 was assigned to smokeping for XSS flaws. The fix for
> CVE-2012-0790 in smokeping 2.6.7 was incomplete. The filtering used this
> blacklist:
>
>     $mode =~ s/[<>&%]/./g;
>
> The version in 2.6.9 uses the following blacklist:
>
>     my $xssBadRx = qr/[<>%&'";]/;
>
> (', ", and ; have been added. When it is used, blacklist chars are now
> turned to _ rather than . )
>
> The 2.6.9 version prevents escaping <html attribute="..."> via "
> characters.
>
> The incomplete fix is in 2.6.7 and 2.6.8.
>
> This flaw was discovered by Florian Weimer [1] in 2012 and brought to our
> attention [2] in 2013.
>
> The upstream CHANGES [3] file includes, in part:
>
> --------------------------------------------------
> 2013/03/04 - released version 2.6.9
> * be more careful about preventing xss attacks, re
>   http://bugs.debian.org/659899 (tobi)
> --------------------------------------------------
>
> I have not found an up-to-date online browsable source.
>
> Thanks
>
> 1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899#37
> 2: https://bugs.launchpad.net/ubuntu/+source/smokeping/+bug/1203061
> 3: http://oss.oetiker.ch/smokeping/pub/CHANGES

Perfect CVE request. Please use CVE-2013-4158 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
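
The difference between the two filters quoted in the thread, as an added example that is not part of the original messages and is not smokeping source code. It assumes the filtered value ends up inside a quoted HTML attribute; the sub names, the `attr_encode` alternative and the sample inputs are constructed for illustration.

```perl
# Added example (not smokeping source): runs the two character filters
# quoted in the thread over values destined for a quoted HTML attribute.
use strict;
use warnings;

# Filter as quoted for 2.6.7/2.6.8: listed characters become '.'.
sub filter_267 {
    my ($v) = @_;
    $v =~ s/[<>&%]/./g;
    return $v;
}

# Character class as quoted for 2.6.9: listed characters become '_'.
my $xssBadRx = qr/[<>%&'";]/;
sub filter_269 {
    my ($v) = @_;
    $v =~ s/$xssBadRx/_/g;
    return $v;
}

# Context-aware alternative (assumption, not what smokeping does):
# entity-encode the value for use inside a quoted attribute.
my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;');
sub attr_encode {
    my ($v) = @_;
    $v =~ s/([&<>"'])/$ENT{$1}/g;
    return $v;
}

# True if no raw quote is left that could terminate the attribute value.
sub stays_in_attribute {
    my ($v) = @_;
    return $v !~ /["']/ ? 1 : 0;
}

# Constructed sample inputs (hypothetical parameter values).
my @samples = ('day', '<b>day</b>', 'day" data-x="1', "day' data-x='1");

for my $in (@samples) {
    for my $f (['2.6.7', \&filter_267], ['2.6.9', \&filter_269],
               ['encode', \&attr_encode]) {
        my ($name, $fn) = @$f;
        my $out = $fn->($in);
        printf "%-7s %-18s -> %-32s %s\n", $name, $in, $out,
            stays_in_attribute($out) ? 'contained' : 'QUOTE SURVIVES';
    }
}
```

Encoding for the output context keeps the original value recoverable, whereas both substitution filters alter it.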