Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <51EA271D.4030904@redhat.com>
Date: Fri, 19 Jul 2013 23:58:53 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: coley@...us.mitre.org, oss-security@...ts.openwall.com,
        security@...ntu.com
Subject: Re: CVE Request: smokeping incomplete fix for CVE-2012-0790

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/19/2013 06:34 PM, Seth Arnold wrote:
> Hello Kurt, Steve, all,
> 
> I am requesting a 2012 CVE for an incomplete security fix in
> smokeping, fixed in version 2.6.9.
> 
> CVE-2012-0790 was assigned to smokeping for XSS flaws.
> 
> The fix for CVE-2012-0790 in smokeping 2.6.7 was incomplete. The 
> filtering used this blacklist:
> 
> $mode =~ s/[<>&%]/./g;
> 
> The version in 2.6.9 uses the following blacklist:
> 
> my $xssBadRx = qr/[<>%&'";]/;
> 
> (', ", and ; have been added. When it is used, blacklist chars are
> now turned to _ rather than . ) The 2.6.9 version prevents escaping
> <html attribute="..."> via " characters.
> 
> The incomplete fix is in 2.6.7 and 2.6.8.
> 
> This flaw was discovered by Florian Weimer [1] in 2012 and brought
> to our attention [2] in 2013.
> 
> The upstream CHANGES [3] file includes, in part:
> 
> 
> --------------------------------------------------
> 
> 2013/03/04 - released version 2.6.9
> 
> *  be more careful about preventing xss attacks, re
> http://bugs.debian.org/659899 (tobi)
> 
> --------------------------------------------------
> 
> 
> I have not found an up-to-date online browsable source.
> 
> Thanks
> 
> 
> 1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899#37 2:
> https://bugs.launchpad.net/ubuntu/+source/smokeping/+bug/1203061 3:
> http://oss.oetiker.ch/smokeping/pub/CHANGES
> 

Perfect CVE request.

Please use CVE-2013-4158 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR6icdAAoJEBYNRVNeJnmT/OYP/1jPhcrEMasq08oEE4zlne0h
Ax+BAv+RioPNadydOoqd+0Xj6ReT0Zz92q0sL5Pig2kdPo2QkmUX3p+wWjXNTDMS
HsWb2zjnghKUFfAWCfOHdJpXUsAU///8PCQqETfOTxm4RmAZGHbvbRkC9a8C4STu
GaVPSwZvOArjfg30w7q6g2AYuiE3xHHTgKiZR6W1KD6t17kHGj2foRfQ417x2DCP
EDS3n2BPQk8Cujy+epySC89FnOn4EvdJ3NLXSStvlYMTFORzOXN74ZyNxUNWAkax
AXw8xf46mgEPyoxrEz3WSe3QERTFt/Hc6ALD4WHhe91v9Lf+QSndQ7dG1+o64jD7
itRPhu6Zs52YxEZ3Ii8MA3TIaRL1tEd6laMcBIKcAfZs7WlRsdg76F5AfICVpiqj
DLz0wkfuvvOdUzKA4UPB8klr/j0vbw4KjRrG9hA15T5aNZT5c9U3GHwMV4g7X94n
jzQrE0Hi2pRlaNUhfhGVsJdyDRAUYwF1UdXaoZaKG3e0FBbZYLphTPnL350xmQDU
vLiMgi/WDwI0ql+ZvziuKSOYEbufefP3CnqP8gEePm9o6xng/cgK9nKKB67ljhVC
OMP2Y3QjUzNCV6w2JO6nsEUc63sLeRta7o509cryEXV9J8Wns5AfZAMufNv8yWfA
iIWmeqk+laVdZDU5HSe/
=y8JO
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.