Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 21 Aug 2012 17:56:19 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>, Benny Baumann <BenBE@...hi.org>,
        Benny Baumann <BenBE@...rphia.de>, Nigel McNie <nigel@...hi.org>
Subject: Re: CVE Request -- php-geshi / GeSHi (1.0.8.11): Remote
 directory traversal and information disclosure in the cssgen contrib module
 (plus possibly XSS, but it needs upstream to confirm)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/21/2012 09:05 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, Ben, Nigel, vendors,
> 
> Issue #A: --------- A directory traversal and information
> disclosure (local file inclusion) flaws were found in the cssgen 
> contrib module (application to generate custom CSS files) of GeSHi,
> a generic syntax highlighter, performed sanitization of
> 'geshi-path' and 'geshi-lang-path' HTTP GET / POST variables. A
> remote attacker could provide a specially-crafted URL that, when
> visited could lead to local file system traversal or, potentially,
> ability to read content of any local file, accessible with the
> privileges of the user running the webserver.
> 
> References: [1]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685324 [2]
> https://bugzilla.redhat.com/show_bug.cgi?id=850425
> 
> Upstream patch: [3]
> http://geshi.svn.sourceforge.net/viewvc/geshi?view=revision&revision=2507

Please
> 
use CVE-2012-3521 for this issue.

> Issue #B: --------- Then there is a report about non-persistent XSS
> flaw, that have been fixed in the contrib module of 1.0.8.11
> version too: [4]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685323
> 
> but I was unable to find the relevant upstream patch (and above
> Debian BTS entry doesn't contain further information too, which
> could be acted upon).
> 
> Thus I am Cc-in GeSHi upstream to this post to shed the light on
> the XSS flaw [4].
> 
> Ben, Nigel, could you please clarify what was the relevant upstream
> patch for the Debian BTS#685323 / Non-persistent XSS vulnerability
> in contrib script [4] issue? Thank you for that, Jan.
> 
> Kurt, once the second issue clarified, could you allocate CVE ids
> for these?
> 

> The fix is: 
> http://geshi.svn.sourceforge.net/viewvc/geshi?view=revision& 
> revision=2508
> 
> Cheers, -- Raphael Geissert - Debian Developer www.debian.org -
> get.debian.net

Please use CVE-2012-3522 for this issue.



> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQNCAjAAoJEBYNRVNeJnmTsXQP/3hn67j+7v3GLAyHYnX3nalE
eBM+YyMfaDcTEVYcHlQLKx+I2/GEKfb7q+IRPVVChFiXWdM7qLnAG5VOLAoM1SJe
bPVXbwaTWAXMMRhnYN4ssD0w9bcy6eNX02ugOWhL4mo7mpLN1GW4DXHGerHe+s8e
PTLeyS45UEEvKln4hvj0we9sCPJAmazKR/j1dxmeJsA9MOihauK8VLr9l5tM+gj9
EmXnuzIfOGPasDZGIjCTITQD0C+FkrQ67t50RD2J29cLanB+Ev5TR22KZYPeeoRQ
2KOsRa1dn7RW3MUtpw53dnYbJfI3NKSPHk2GzXSss20zxWMGntU0U+3gX878BGLj
FJzwjbLOQUhsjJvb7C3cYukq0bbQ02cgCXz6d92dOa5o5OgsTxa2EdWElbctFMCT
47cYHaJW4KICpybCcaoju+Z0U8Vwn/b28K+7pcxJYOoE6MgtKDVowtyiGc8sAHAU
aqYQUh/9Hy7LC4qwCa5XPxeiQFe9/o+xWvGfYV6S+1G+Zl7wEOrTwkX8Tw+qJKBb
99NwYMNi4sJmI5CDBW6O4ChiEwDUVtHYg+AfgRUxLRJcvc+BNQH03/Gb01kT4Q2G
VmSR+jX2tOL8bkqkk6//JG0FU1Nz0l5CgEQUpryxww+x0gtQb4el1FJQIDfnc4Dw
fC6smDP2CWsL3rv6GH+B
=tO+2
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ