Bug 207001

Summary:

graphics/jpgraph2 - CVE-2009-4422

Product:

Ports & Packages

Reporter:

Sevan Janiyan <venture37>

Component:

Individual Port(s)

Assignee:

Thomas Zander <riggs>

Status:

Closed FIXED

Severity:

Affects Only Me

CC:

ports-secteam, riggs

Priority:

---

Keywords:

needs-qa, patch, security

Version:

Latest

Flags:

riggs: merge-quarterly+

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
CVE-2009-4422	rakuco: maintainer-approval+

Description Sevan Janiyan 2016-02-07 15:40:52 UTC

Created attachment 166710 [details]
CVE-2009-4422

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4422
Patch fished out from http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded
Needs a vuxml entry

Comment 1 commit-hook freebsd_committer

2016-03-13 16:20:18 UTC

A commit references this bug:

Author: riggs
Date: Sun Mar 13 16:19:28 UTC 2016
New revision: 410998
URL: https://svnweb.freebsd.org/changeset/ports/410998

Log:
  Fix cross site scripting vulnerability, bump PORTREVISION

  Fix CVE-2009-4422: Multiple cross-site scripting (XSS) vulnerabilities in
  the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph
  3.0.6 allow remote attackers to inject arbitrary web script or HTML via a
  key to csim_in_html_ex1.php, and other unspecified vectors.

  Despite ports tree version is 3.0.7, this vulnerability has not been fixed.
  The solution is taken from
  http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded

  While on it:
  - Fix typo in port creator's mail address
  - Add LICENSE*
  - Add NO_ARCH=yes (port only installs scripts)

  PR:		207001
  Submitted by:	venture37@geeklan.co.uk
  MFH:		2016Q1
  Security:	CVE-2009-4422

Changes:
  head/graphics/jpgraph2/Makefile
  head/graphics/jpgraph2/files/
  head/graphics/jpgraph2/files/patch-src_jpgraph.php

Comment 2 commit-hook freebsd_committer

2016-03-13 16:29:21 UTC

A commit references this bug:

Author: riggs
Date: Sun Mar 13 16:28:29 UTC 2016
New revision: 411000
URL: https://svnweb.freebsd.org/changeset/ports/411000

Log:
  Document XSS vulnerability in graphics/jpgraph2 before 3.0.7_1

  PR:		207001
  Security:	CVE-2009-4422

Changes:
  head/security/vuxml/vuln.xml

Comment 3 commit-hook freebsd_committer

2016-03-14 06:13:34 UTC

A commit references this bug:

Author: riggs
Date: Mon Mar 14 06:13:16 UTC 2016
New revision: 411047
URL: https://svnweb.freebsd.org/changeset/ports/411047

Log:
  MFH: r410998

  Fix cross site scripting vulnerability, bump PORTREVISION

  Fix CVE-2009-4422: Multiple cross-site scripting (XSS) vulnerabilities in
  the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph
  3.0.6 allow remote attackers to inject arbitrary web script or HTML via a
  key to csim_in_html_ex1.php, and other unspecified vectors.

  Despite ports tree version is 3.0.7, this vulnerability has not been fixed.
  The solution is taken from
  http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded

  While on it:
  - Fix typo in port creator's mail address
  - Add LICENSE*
  - Add NO_ARCH=yes (port only installs scripts)

  PR:		207001
  Submitted by:	venture37@geeklan.co.uk
  Security:	CVE-2009-4422
  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/graphics/jpgraph2/Makefile
  branches/2016Q1/graphics/jpgraph2/files/