Bug 438664 (CVE-2008-1468)

Summary: CVE-2008-1468 namazu XSS flaw
Product: [Other] Security Response Reporter: Lubomir Kundrak <lkundrak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jonathanbaron7, tagoh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://bugs.gentoo.org/show_bug.cgi?id=214266
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-06 16:03:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 438666, 438667, 438668    
Bug Blocks:    

Description Lubomir Kundrak 2008-03-24 10:33:11 UTC 
A vulnerability has been reported in Namazu, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Input passed in certain character encodings (e.g. UTF-7) to
namazu.cgi is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.

The vulnerability is reported in versions prior to 2.0.18.

ORIGINAL ADVISORY:
JVN: http://jvn.jp/jp/JVN%2300892830/index.html
Namazu: http://www.namazu.org/security.html.eniubvg
Comment 1 Lubomir Kundrak 2008-03-24 10:36:42 UTC 
CVE name was requested.
Comment 3 Fedora Update System 2008-03-24 13:27:24 UTC 
namazu-2.0.18-1.fc7 has been submitted as an update for Fedora 7
Comment 4 Fedora Update System 2008-03-24 13:32:03 UTC 
namazu-2.0.18-1.fc8 has been submitted as an update for Fedora 8
Comment 5 Lubomir Kundrak 2008-03-25 08:32:55 UTC 
CVE-2008-1468
Comment 6 Fedora Update System 2008-03-26 17:11:54 UTC 
namazu-2.0.18-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2008-03-26 17:19:36 UTC 
namazu-2.0.18-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Jonathan Baron 2008-03-27 13:43:24 UTC 
Update won't work because of missing dependencies:
Error: Missing Dependency: perl(time.pl) is needed by package namazu
Error: Missing Dependency: perl(util.pl) is needed by package namazu
Error: Missing Dependency: perl(document.pl) is needed by package namazu
Error: Missing Dependency: perl(nmzidx.pl) is needed by package namazu
Error: Missing Dependency: perl(var.pl) is needed by package namazu
Error: Missing Dependency: perl(conf.pl) is needed by package namazu
and likewise for namazu.cgi
This is in Fedora 8.
Comment 9 Lubomir Kundrak 2008-03-27 16:05:30 UTC 
See section on filtering unwanted requires on details how to fix this.
http://fedoraproject.org/wiki/Packaging/Perl
Comment 10 Akira TAGOH 2008-03-28 11:20:37 UTC 
Actually no. this was caused by following that. rpmbuild for F-8 seems not
looking into __perl_requires, but __find_requires. I have to revert that change
anyway.
Comment 11 Red Hat Product Security 2008-05-06 16:03:12 UTC 
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2678
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2767