Bug 207001 - graphics/jpgraph2 - CVE-2009-4422
Summary: graphics/jpgraph2 - CVE-2009-4422
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Only Me
Assignee: Thomas Zander
URL:
Keywords: needs-qa, patch, security
Depends on:
Blocks:
 
Reported: 2016-02-07 15:40 UTC by Sevan Janiyan
Modified: 2016-03-14 06:14 UTC (History)
CC List: 2 users

See Also:
riggs: merge-quarterly+


Attachments
CVE-2009-4422 (1.86 KB, patch)
2016-02-07 15:40 UTC, Sevan Janiyan
rakuco: maintainer-approval+

Description Sevan Janiyan 2016-02-07 15:40:52 UTC
Created attachment 166710
CVE-2009-4422

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4422
Patch fished out from http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded
Needs a vuxml entry
Comment 1 commit-hook 2016-03-13 16:20:18 UTC
A commit references this bug:

Author: riggs
Date: Sun Mar 13 16:19:28 UTC 2016
New revision: 410998
URL: https://svnweb.freebsd.org/changeset/ports/410998

Log:
  Fix cross site scripting vulnerability, bump PORTREVISION

  Fix CVE-2009-4422: Multiple cross-site scripting (XSS) vulnerabilities in
  the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph
  3.0.6 allow remote attackers to inject arbitrary web script or HTML via a
  key to csim_in_html_ex1.php, and other unspecified vectors.

  Although the ports tree version is 3.0.7, this vulnerability has not been fixed.
  The solution is taken from
  http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded

  While on it:
  - Fix typo in port creator's mail address
  - Add LICENSE*
  - Add NO_ARCH=yes (port only installs scripts)

  PR:		207001
  Submitted by:	venture37@geeklan.co.uk
  MFH:		2016Q1
  Security:	CVE-2009-4422

Changes:
  head/graphics/jpgraph2/Makefile
  head/graphics/jpgraph2/files/
  head/graphics/jpgraph2/files/patch-src_jpgraph.php
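The pattern behind the CVE text quoted in the commit message (script injection "via a key", i.e. via a query parameter name that a query-string rebuilder passes into generated HTML unescaped), shown as an added illustration in PHP. This is not JpGraph's code and not the patch attached to this PR; the function names, the constructed stand-in for $_GET and the <img> sink are assumptions chosen only to mirror that shape, with the hardened variant beside the vulnerable one.

```php
<?php
// Added illustration, not JpGraph's own code nor the patch attached to this PR.
// CVE-2009-4422 is described above as script injection "via a key", i.e. via a
// query parameter *name* handled by GetURLArguments(). The two builders below
// are hypothetical and only reproduce that shape: rebuild the current query
// string from the request parameters and embed it in generated HTML.

// Vulnerable shape: values are URL-encoded, but the parameter names (keys) are
// concatenated verbatim. A key such as  "><script>...  survives into the HTML.
function buildQueryVulnerable(array $params): string
{
    $parts = [];
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            foreach ($value as $k => $v) {
                $parts[] = $key . '%5B' . $k . '%5D=' . urlencode((string) $v);
            }
        } else {
            $parts[] = $key . '=' . urlencode((string) $value);
        }
    }
    return implode('&', $parts);
}

// Hardened shape: every key and value is URL-encoded. urlencode() emits only
// letters, digits, '-', '_', '.', '+' and '%', so the result cannot close an
// attribute or open a tag regardless of what the client sent.
function buildQueryHardened(array $params): string
{
    $parts = [];
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            foreach ($value as $k => $v) {
                $parts[] = urlencode((string) $key) . '%5B'
                         . urlencode((string) $k) . '%5D='
                         . urlencode((string) $v);
            }
        } else {
            $parts[] = urlencode((string) $key) . '=' . urlencode((string) $value);
        }
    }
    return implode('&', $parts);
}

// HTML sink (hypothetical): the query string lands inside an attribute. The
// hardened sink additionally escapes for the HTML attribute context (& becomes
// &amp;, " becomes &quot;), which protects the sink independently of how the
// query string was built.
function renderImgVulnerable(string $script, string $query): string
{
    return '<img src="' . $script . '?' . $query . '">';
}

function renderImgHardened(string $script, string $query): string
{
    return '<img src="'
         . htmlspecialchars($script . '?' . $query, ENT_QUOTES, 'UTF-8')
         . '">';
}

// Constructed request parameters standing in for $_GET; the first key is the
// attacker-controlled parameter name.
$params = [
    '"><script>alert(1)</script><a b="' => 'x',
    'w'                                  => '400',
    'sel'                                => ['a' => '1'],
];

echo "vulnerable: ", renderImgVulnerable('graph.php', buildQueryVulnerable($params)), "\n";
echo "hardened:   ", renderImgHardened('graph.php', buildQueryHardened($params)), "\n";
// The vulnerable line closes the src attribute and injects a <script> element;
// the hardened line keeps the payload inside the attribute as %22%3E%3Cscript%3E...
```

Run with `php` on the command line. The point to take from the two builders is that encoding the value alone is not enough: anything taken from the request, parameter names included, has to be encoded for the URL, and the string then has to be escaped again for the HTML context it is written into.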
Comment 2 commit-hook 2016-03-13 16:29:21 UTC
A commit references this bug:

Author: riggs
Date: Sun Mar 13 16:28:29 UTC 2016
New revision: 411000
URL: https://svnweb.freebsd.org/changeset/ports/411000

Log:
  Document XSS vulnerability in graphics/jpgraph2 before 3.0.7_1

  PR:		207001
  Security:	CVE-2009-4422

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook 2016-03-14 06:13:34 UTC
A commit references this bug:

Author: riggs
Date: Mon Mar 14 06:13:16 UTC 2016
New revision: 411047
URL: https://svnweb.freebsd.org/changeset/ports/411047

Log:
  MFH: r410998

  Fix cross site scripting vulnerability, bump PORTREVISION

  Fix CVE-2009-4422: Multiple cross-site scripting (XSS) vulnerabilities in
  the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph
  3.0.6 allow remote attackers to inject arbitrary web script or HTML via a
  key to csim_in_html_ex1.php, and other unspecified vectors.

  Although the ports tree version is 3.0.7, this vulnerability has not been fixed.
  The solution is taken from
  http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded

  While on it:
  - Fix typo in port creator's mail address
  - Add LICENSE*
  - Add NO_ARCH=yes (port only installs scripts)

  PR:		207001
  Submitted by:	venture37@geeklan.co.uk
  Security:	CVE-2009-4422
  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/graphics/jpgraph2/Makefile
  branches/2016Q1/graphics/jpgraph2/files/