Bug 525772

Summary: planet: Insufficient sanitization of "description" part of an "item", when it's not escaped within <![CDATA ... ]]>.
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team, vdanen, vuln
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:03:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jan Lieskovsky 2009-09-25 16:47:02 UTC
Stefan Cornelius of Secunia reported that planet fails to sanitize this input:

 <description>something something <img src="javascript:alert(2);"></img> - <img src="javascript:alert(3);" > should be filtered?</description>


 <description>something something <![CDATA[<img src="javascript:alert(2);"></img> - <img src="javascript:alert(3);" > should be filtered?]]></description>

is properly filtered.

At least Opera will execute this code.

Comment 3 seth vidal 2009-09-25 16:54:28 UTC
I think this is a duplicate.

And it is already done.

*** This bug has been marked as a duplicate of bug 522802 ***

Comment 5 Jan Lieskovsky 2009-09-25 17:02:07 UTC
(In reply to comment #3)
> I think this is a duplicate.
> And it is already done.
> *** This bug has been marked as a duplicate of 522802 ***  

This should be different issue from #CVE-2009-2937, but need more details
from the reporter.

Comment 8 Vincent Danen 2009-10-05 20:30:07 UTC
Adding the reporter to the CC.  Also note that this issue seems to be public: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178

Comment 10 seth vidal 2009-10-05 20:37:39 UTC
Just to be sure when you say 'fully updated f11' what ver-rel of planet do you mean specifically?

Comment 11 Secunia 2009-10-07 07:47:57 UTC
This was tested using planet version 2.0 release 10.fc11 (planet-2.0-10.fc11.noarch).

Comment 12 Vincent Danen 2009-10-08 17:04:29 UTC
Additional comments from the reporter:

Comment #30 of the Debian bug [1] reveals most of the information, thus
Secunia has no objections against making the RH bug public.

I'm not sure what the questions in the Debian bug are about, but here is
how I understand the situation right now:

* Steve Kemp's first patch [2] does not catch all cases. A new patch [3]
is available (please note that Fedora seems to ship the old patch).

* Secunia reported another problem (the CDATA one mentioned in e.g.
comment #30 [1]). There is no patch for this, so that's probably the
problem described in comment #45 [4].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#30
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#5
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#10
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#45

Comment 13 Vincent Danen 2009-10-08 17:07:19 UTC
This does not have a CVE yet, but since the information in the Debian report is public, we need to request one from MITRE.

I am also making the bug public as per the reporter and the information in the Debian report already being public.

Comment 14 Vincent Danen 2009-10-08 17:18:10 UTC
CVE requested: http://www.openwall.com/lists/oss-security/2009/10/08/1