Bug 574548 (CVE-2010-1195)

Summary: CVE-2010-1195 Ikiwiki: JavaScript code injection via URIs in SVG image (v3.20100312)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bressers, thomas.moschny
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/38983/
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-22 19:27:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2010-03-17 18:57:48 UTC 
Ikiwiki upstream has released v3.20100312 version:
  [1] http://ikiwiki.info/security/#index36h2

addressing one security issue (from [1]):
"Ivan Shmakov pointed out that the htmlscrubber
allowed data:image/* urls, including data:image/svg+xml.
But svg can contain javascript, so that is unsafe.

This hole was discovered on 12 March 2010 and
fixed the same day with the release of ikiwiki
3.20100312. A fix was also backported to Debian
etch, as version 2.53.5. I recommend upgrading
to one of these versions if your wiki can be
edited by third parties."

References:
  [2] http://secunia.com/advisories/38983/

CVE Request:
  [3] http://www.openwall.com/lists/oss-security/2010/03/17/10

Credit:
  Ivan Shmakov
Comment 1 Jan Lieskovsky 2010-03-17 19:00:40 UTC 
This issue affects the current versions of the ikiwiki package
(ikiwiki-3.20100212-1.fc11 and ikiwiki-3.20100212-1.fc12), as
shipped with Fedora releases 11 and 12.

Please fix.
Comment 2 Fedora Update System 2010-03-18 21:42:30 UTC 
ikiwiki-3.20100312-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/ikiwiki-3.20100312-1.fc12
Comment 3 Fedora Update System 2010-03-18 21:42:34 UTC 
ikiwiki-3.20100312-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/ikiwiki-3.20100312-1.fc13
Comment 4 Fedora Update System 2010-03-18 21:42:38 UTC 
ikiwiki-3.20100312-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ikiwiki-3.20100312-1.fc11
Comment 5 Jan Lieskovsky 2010-03-31 18:16:24 UTC 
This is CVE-2010-1195.
Comment 6 Fedora Update System 2010-04-01 01:47:23 UTC 
ikiwiki-3.20100312-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2010-04-01 01:51:19 UTC 
ikiwiki-3.20100312-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2010-04-01 17:18:07 UTC 
ikiwiki-3.20100312-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.