Bug 1166064 (CVE-2012-6662)

Summary: CVE-2012-6662 jquery-ui: XSS vulnerability in default content in Tooltip widget
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jQuery UI 1.10.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-06 05:57:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1166086, 1166087, 1166088, 1166089, 1166090, 1166091, 1166092, 1166093, 1166094, 1166095, 1166096, 1166097, 1166098, 1166099, 1166100, 1166101, 1166102, 1166103, 1166104, 1166105, 1166106, 1166107, 1166109, 1166111, 1166112, 1166113, 1166114, 1166115, 1166116, 1166117, 1166229, 1166241, 1166242, 1166758, 1166759, 1166760, 1166761, 1166762, 1166764, 1166765, 1166766, 1166767, 1166768, 1166769, 1166771, 1166772, 1166773, 1166775, 1166776, 1166777, 1166779, 1166780, 1166781, 1166782, 1166784, 1166785, 1166786, 1166787, 1166788, 1166789, 1166790, 1166791, 1166792, 1166793, 1166794, 1166795, 1166796, 1166797, 1166798, 1166799, 1166800, 1166801, 1166802, 1166803, 1166804, 1166805, 1166806, 1166807, 1166809, 1166810, 1166812, 1166813, 1166814, 1166815, 1166816, 1166817, 1166818, 1166819, 1166820, 1166822, 1166823, 1166824, 1166825, 1166826, 1166827    
Bug Blocks: 1162456    

Description Vasyl Kaigorodov 2014-11-20 11:06:08 UTC
The jQuery UI 1.10.0 release fixes an XSS issue [1] in the jQuery Tooltip widget.
From [1]:
...
WIDGETS
Tooltip
Fixed: XSS vulnerability in default content. (#8861, f285440)
...

The issue was initially reported in [2], and then actually fixed in [3] by commit [4].

[1]: http://jqueryui.com/changelog/1.10.0/
[2]: http://bugs.jqueryui.com/ticket/8859
[3]: http://bugs.jqueryui.com/ticket/8861
[4]: https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde

--
Note: whiteboard lists quite some packages, which are known to have jQuery embedded.
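To make the fix referenced in [4] concrete, the following is an added illustration (not jQuery UI's own source and not part of this bug report) that models the Tooltip widget's default `content` option before and after 1.10.0, and adds a version check for the two version schemes mentioned here (jQuery UI fixed in 1.10.0, jquery-ui-rails carrying the fix from 4.0.0). The escaping helper reproduces what `$("<a>").text(title).html()` yields in a browser; the `isFixed` function and its threshold table are assumptions for the example.

```javascript
// Added illustration, not jQuery UI code. Before 1.10.0 the Tooltip
// widget's default `content` returned the element's title attribute
// verbatim, and the widget inserted that string into the tooltip as HTML.
function defaultContentVulnerable(titleAttr) {
  return titleAttr || "";
}

// Serialising a text node in a browser escapes exactly &, < and >.
// This reproduces that without a DOM, matching the 1.10.0 fix, which
// runs the title through `$("<a>").text(title).html()` first.
function escapeAsTextNode(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// 1.10.0 behaviour: markup in the title attribute is rendered literally.
function defaultContentFixed(titleAttr) {
  return escapeAsTextNode(titleAttr || "");
}

// Version check (assumed helper, not from the page's projects).
// Thresholds: jQuery UI 1.10.0 per the changelog, jquery-ui-rails 4.0.0
// per comment 1 on this bug (first release bundling jQuery UI 1.10.0).
const FIXED_IN = { "jquery-ui": "1.10.0", "jquery-ui-rails": "4.0.0" };

function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isFixed(pkg, version) {
  const threshold = FIXED_IN[pkg];
  if (threshold === undefined) throw new Error("unknown package: " + pkg);
  return compareVersions(version, threshold) >= 0;
}

// Constructed sample title attribute (not from the page) carrying markup.
const sampleTitle = "Save <b>now</b> & exit";
console.log(defaultContentVulnerable(sampleTitle)); // markup left intact
console.log(defaultContentFixed(sampleTitle));      // Save &lt;b&gt;now&lt;/b&gt; &amp; exit
console.log(isFixed("jquery-ui", "1.9.2"));         // false
console.log(isFixed("jquery-ui-rails", "4.0.3"));   // true
```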

Comment 1 Dominic Cleal 2014-11-20 14:44:09 UTC
Regarding products that ship rubygem-jquery-ui-rails (or ruby193-) such as Satellite 6 or OpenStack, versions 4.0.0 or higher of jquery-ui-rails contain jquery-ui 1.10.0, so should not be vulnerable if newer than 4.0.0.

jquery-ui-rails is essentially a redistribution of jquery-ui and has a version scheme of its own: https://github.com/joliss/jquery-ui-rails/blob/master/VERSIONS.md

Comment 4 Mukundan Ragavan 2014-11-22 01:52:14 UTC
I don't think any of the packages I maintain are listed here ...

Comment 5 Tomas Hoger 2014-11-24 08:25:48 UTC
(In reply to Mukundan Ragavan from comment #4)
> I don't think any of the packages I maintain are listed here ...

You got CCed here because you own fityk, which was first listed as affected, and is now listed as unaffected.

Comment 7 errata-xmlrpc 2015-03-05 10:15:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0442 https://rhn.redhat.com/errata/RHSA-2015-0442.html

Comment 8 errata-xmlrpc 2015-07-22 07:39:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1462 https://rhn.redhat.com/errata/RHSA-2015-1462.html