Bug 146337 - [security] devel/lxr XSS vulnerabilities
Summary: [security] devel/lxr XSS vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: niels
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-05-05 19:50 UTC by niels
Modified: 2010-05-28 20:08 UTC (History)
0 users

See Also:


Description niels freebsd_committer 2010-05-05 19:50:02 UTC

From the bug report:

There are several cross-site scripting vulnerabilities in LXR.  These
vulnerabilities could allow an attacker to execute scripts in a user's
browser, steal cookies associated with vulnerable domains,
redirect the user to malicious websites, etc.

This PR is to request a port upgrade. A VuXML entry will be committed shortly and therefore the port will be marked vulnerable until this PR is solved.

Fix: 

Two actions are required:

1) Please upgrade the port to version 0.9.8 (fixes CVE-2009-4497)
2) Apply the following patch:
   http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?r1=1.63&r2=1.64

Thanks in advance!
Niels
How-To-Repeat: N/A
Comment 1 Edwin Groothuis freebsd_committer 2010-05-05 19:50:12 UTC
Responsible Changed
From-To: freebsd-ports-bugs->niels

Submitter has GNATS access (via the GNATS Auto Assign Tool)
Comment 2 Edwin Groothuis freebsd_committer 2010-05-05 19:50:15 UTC
Maintainer of devel/lxr,

Please note that PR ports/146337 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/146337

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 3 Edwin Groothuis freebsd_committer 2010-05-05 19:50:16 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 4 dfilter service freebsd_committer 2010-05-05 20:12:52 UTC
niels       2010-05-05 19:12:37 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Added mediawiki and lxr vulnerabilities
  - Fixed vlc topic format (lower case, portname first)
  
  PR:             ports/146337
  Approved by:    itetcu (mentor, implicit)
  Security:       http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
  Security:       http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com
  
  Revision  Changes    Path
  1.2154    +69 -2     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 5 Eygene Ryabinkin 2010-05-06 19:56:27 UTC
Wed, May 05, 2010 at 06:50:15PM +0000, Edwin Groothuis wrote:
> Please note that PR ports/146337 has just been submitted.

Upgraded port to 0.9.8 and now it is being tested inside the local
Tinderbox and at my own LXR instances.  Will try to roll out the
patch before tomorrow.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
Comment 6 Eygene Ryabinkin 2010-05-07 07:15:22 UTC
Niels, good day.

Thu, May 06, 2010 at 09:23:46PM +0200, Niels Heinen wrote:
> Thats great news and thanks for the quick response !

No problems, but the news aren't good as expected: 0.9.8 is terribly
messed up and nearly unusable.  So, I bumped the port to 0.9.6_1
applying two security patches for the Common.pm.  The patch is at
  http://codelabs.ru/fbsd/ports/lxr/0.9.6-fix-CVE-2009-4497.diff
VUXML entry needs no fixing, because the version specification is
'<= 0.9.6', so 0.9.6_1 will be already fine.

I am working on the upgrade to 0.9.8, but this will take up some
time: looks like people from LXR are not testing their code at all,
because it is broken all over the place.

Thanks!
-- 
Eygene
Comment 7 niels freebsd_committer 2010-05-07 11:26:01 UTC
Thanks. The patch looks ok. I only added the remove of the new .orig
files which were (and should) not be in pkg-plist.

Shall I commit this one then?

http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
http://people.freebsd.org/~niels/ports/diffs/lxr-0.9.6_1.diff

Niels

-- 
Niels Heinen
FreeBSD committer | www.freebsd.org
PGP: 0x5FE39B80
Comment 8 Eygene Ryabinkin 2010-05-07 15:44:31 UTC
Niels,

Fri, May 07, 2010 at 12:26:01PM +0200, Niels Heinen wrote:
> Thanks. The patch looks ok. I only added the remove of the new .orig
> files which were (and should) not be in pkg-plist.
> 
> Shall I commit this one then?
> 
> http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
> http://people.freebsd.org/~niels/ports/diffs/lxr-0.9.6_1.diff

The removal of the .orig files is good, but it is redundant in the
current version of the Makefile: it has the following lines for the
install target ("do-install"):
{{{
	${TAR} -C ${WRKSRC}/lib -cf - --exclude *.orig LXR | ${TAR} -C ${PREFIX}/${SITE_PERL_REL} -xf -
	${TAR} -C ${WRKSRC} -cf - --exclude *.orig templates | ${TAR} -C ${LXRDIR} -xf -
}}}
So, .orig files will only live inside WRKSRC, they won't be installed
and so, they (obviously) aren't specified in the pkg-plist.

But may be I am missing something?
-- 
Eygene
Comment 9 bsd 2010-05-07 16:44:04 UTC
Its not duplicate because the current makefile removes the .orig from  
the distfile during extraction. My change cleans up the .origs that  
are created by   'patch' (when applying the patchfiles) so that these  
aren't installed.

I have to give credits to tinderbox ;)
Comment 10 Eygene Ryabinkin 2010-05-07 17:21:46 UTC
Niels,

Fri, May 07, 2010 at 05:44:04PM +0200, Niels Heinen wrote:
> Its not duplicate because the current makefile removes the .orig from  
> the distfile during extraction. My change cleans up the .origs that  
> are created by   'patch' (when applying the patchfiles) so that these  
> aren't installed.

Please, note that the 'install' phase is completely done by the
port's Makefile (not the LXR Makefile), so you can't refer to the
LXR's makefiles -- they are just not used.

> I have to give credits to tinderbox ;)

Please, look at your tinderbox's logs at
  http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
section 'phase 6: make install' and you'll see what I am talking
about.

May be you meant that you had some errors with my patch?  If yes,
can you show the logs or anything?

Thanks.
-- 
Eygene
Comment 11 niels freebsd_committer 2010-05-07 18:53:52 UTC
> 
> May be you meant that you had some errors with my patch?  If yes,
> can you show the logs or anything?
> 

Hi Eygene,

I've rebuild the package without my modifications and now the .orig
files are not removed. Please reload the log file to see the error:

http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log

Can you please check this ?

Niels
Comment 12 Eygene Ryabinkin 2010-05-09 16:53:27 UTC
Niels, good day.

Fri, May 07, 2010 at 07:53:52PM +0200, Niels Heinen wrote:
> I've rebuild the package without my modifications and now the .orig
> files are not removed. Please reload the log file to see the error:
> 
> http://freebsd.heinen.ws/tb/logs/8.0-STABLE/lxr-0.9.6_1.log
> 
> Can you please check this ?

My Tinderbox shows no such error, but I have one idea
what can go wrong: shell metacharacters could be substituted.
Please, try this additional patch at your Tindy:
   http://codelabs.ru/fbsd/ports/lxr/0.9.6-use-wildcard-quoting.diff

Thanks for you patience!
-- 
Eygene
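The mechanism Eygene names in Comment 12 (shell metacharacters being substituted) is what makes the `--exclude *.orig` recipe quoted in Comment 8 unreliable: make hands each recipe line to the shell, and the shell expands an unquoted glob against its current directory before tar ever sees it. The script below is an added example, not code from the PR or the devel/lxr port; the directory layout, file names and the `stray.orig` file are constructed for the demo. It runs the recipe once unquoted and once quoted and reports how many `.orig` backup files end up in the install destination.

```shell
#!/bin/sh
# Added example, not code from the PR or the devel/lxr port. It reproduces the
# mechanism named in Comment 12: in a make recipe the shell runs first, so an
# unquoted `--exclude *.orig` is a glob that the shell may expand before tar
# sees it. File and directory names below are constructed for the demo.
set -eu

# Build a throwaway tree shaped like WRKSRC/lib after patch(1) has run:
# the patched module plus its .orig backup. Prints the tree's path.
make_tree() {
    top=$(mktemp -d)
    mkdir -p "$top/src/lib/LXR" "$top/dest"
    printf 'patched\n' > "$top/src/lib/LXR/Common.pm"
    printf 'original\n' > "$top/src/lib/LXR/Common.pm.orig"
    echo "$top"
}

# Count the .orig files that ended up under the install destination.
count_installed_orig() {
    find "$1/dest" -name '*.orig' | wc -l | tr -d ' '
}

# The recipe as written in Comment 8, run from a cwd that happens to contain
# a file matching *.orig. The shell rewrites the pattern to that file name,
# so tar excludes only "stray.orig" and Common.pm.orig gets installed.
install_unquoted() (
    top=$(make_tree)
    cd "$top"
    touch stray.orig
    tar -C src/lib -cf - --exclude *.orig LXR | tar -C dest -xf -
    count_installed_orig "$top"
)

# Same recipe with the pattern quoted: tar receives the literal *.orig and
# excludes every backup file regardless of what the cwd contains.
install_quoted() (
    top=$(make_tree)
    cd "$top"
    touch stray.orig
    tar -C src/lib -cf - --exclude '*.orig' LXR | tar -C dest -xf -
    count_installed_orig "$top"
)

echo "unquoted pattern: $(install_unquoted) .orig file(s) installed"
echo "quoted pattern:   $(install_quoted) .orig file(s) installed"
```

When no file in the shell's cwd matches the glob, sh passes `*.orig` through literally and the unquoted recipe appears to work, which is why the same Makefile can behave differently on two build hosts. Quoting the pattern removes the dependence on the cwd; the follow-up patch in this thread is named 0.9.6-use-wildcard-quoting.diff, and quoting is the fix shown here.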
Comment 13 niels freebsd_committer 2010-05-11 19:07:57 UTC
Yes that works.. pffheeww ;-)))

Shall I commit ?

Thanks!
Niels
Comment 14 Eygene Ryabinkin 2010-05-12 05:36:15 UTC
Tue, May 11, 2010 at 08:07:57PM +0200, Niels Heinen wrote:
> Yes that works.. pffheeww ;-)))

Cool, thanks for the testing!

> Shall I commit ?

Sure!
-- 
Eygene
Comment 15 dfilter service freebsd_committer 2010-05-12 10:14:09 UTC
niels       2010-05-12 09:13:54 UTC

  FreeBSD ports repository

  Modified files:
    devel/lxr            Makefile 
  Added files:
    devel/lxr/files      patch-CVE-2009-4497 
                         patch-fix-clean_identifier 
  Removed files:
    devel/lxr/files      fix-perl-warnings.patch 
  Log:
  Added security patch for XSS vulnerability (CVE-2009-4497)
  
  PR:             ports/146337
  Submitted by:   Eygene Ryabinkin (maintainer)
  Approved by:    itetcu (mentor, implicit)
  Security:       http://www.vuxml.org/freebsd/0491d15a-5875-11df-8d80-0015587e2cc1.html
  
  Revision  Changes    Path
  1.3       +4 -4      ports/devel/lxr/Makefile
  1.2       +0 -127    ports/devel/lxr/files/fix-perl-warnings.patch (dead)
  1.1       +14 -0     ports/devel/lxr/files/patch-CVE-2009-4497 (new)
  1.1       +20 -0     ports/devel/lxr/files/patch-fix-clean_identifier (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 16 niels freebsd_committer 2010-05-28 20:08:16 UTC
State Changed
From-To: feedback->closed


Committed and fixed