Bug 525772 - planet: Insufficient sanitization of "description" part of an "item", when it's not escaped within <![CDATA ... ]]>.
Summary: planet: Insufficient sanitization of "description" part of an "item", when it...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-25 16:47 UTC by Jan Lieskovsky
Modified: 2021-10-19 09:03 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-19 09:03:13 UTC
Embargoed:

Attachments (Terms of Use)

Description Jan Lieskovsky 2009-09-25 16:47:02 UTC 
Stefan Cornelius of Secunia reported that planet fails to sanitize this input:

 <description>something something <img src="javascript:alert(2);"></img> - <img src="javascript:alert(3);" > should be filtered?</description>

while   

 <description>something something <![CDATA[<img src="javascript:alert(2);"></img> - <img src="javascript:alert(3);" > should be filtered?]]></description>

is properly filtered.

At least Opera will execute this code.
Comment 3 seth vidal 2009-09-25 16:54:28 UTC 
I think this is a duplicate.

And it is already done.

*** This bug has been marked as a duplicate of bug 522802 ***
Comment 5 Jan Lieskovsky 2009-09-25 17:02:07 UTC 
(In reply to comment #3)
> I think this is a duplicate.
> 
> And it is already done.
> 
> *** This bug has been marked as a duplicate of 522802 ***  

This should be different issue from #CVE-2009-2937, but need more details
from the reporter.
Comment 8 Vincent Danen 2009-10-05 20:30:07 UTC 
Adding the reporter to the CC.  Also note that this issue seems to be public: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178
Comment 10 seth vidal 2009-10-05 20:37:39 UTC 
Just to be sure when you say 'fully updated f11' what ver-rel of planet do you mean specifically?
Comment 11 Secunia 2009-10-07 07:47:57 UTC 
This was tested using planet version 2.0 release 10.fc11 (planet-2.0-10.fc11.noarch).
Comment 12 Vincent Danen 2009-10-08 17:04:29 UTC 
Additional comments from the reporter:

Comment #30 of the Debian bug [1] reveals most of the information, thus
Secunia has no objections against making the RH bug public.

I'm not sure what the questions in the Debian bug are about, but here is
how I understand the situation right now:

* Steve Kemp's first patch [2] does not catch all cases. A new patch [3]
is available (please note that Fedora seems to ship the old patch).

* Secunia reported another problem (the CDATA one mentioned in e.g.
comment #30 [1]). There is no patch for this, so that's probably the
problem described in comment #45 [4].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#30
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#5
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#10
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#45
Comment 13 Vincent Danen 2009-10-08 17:07:19 UTC 
This does not have a CVE yet, but since the information in the Debian report is public, we need to request one from MITRE.

I am also making the bug public as per the reporter and the information in the Debian report already being public.
Comment 14 Vincent Danen 2009-10-08 17:18:10 UTC 
CVE requested: http://www.openwall.com/lists/oss-security/2009/10/08/1
Note You need to log in before you can comment on or make changes to this bug.