Re: CVE request: lxr

[Dan Rosenberg <dan.j.rosenberg () gmail com>]

Josh,

The XSS in the title string was already assigned CVE-2010-1448.  Do
you mean to assign issue #2, the XSS reflected in search results?

-Dan

On Fri, May 14, 2010 at 3:28 PM, Josh Bressers <bressers () redhat com> wrote:
> ----- "Dan Rosenberg" <dan.j.rosenberg () gmail com> wrote:
>
> > Sorry for not making this explicitly clear.  There are three issues:
> >
> > 1.  XSS in the ident parameter, as described in CVE-2009-4497.
> >
> > 2.  XSS that is reflected via the search results page after issuing a
> > search.
> >
> > 3.  XSS that is reflected via the <title> tag on the search page, as
> > described in Raphael's original e-mail a few days ago, which Josh just
> > assigned CVE-2010-1448.
> >
> > Bugs 1 and 2 were fixed simultaneously, as indicated in the 2010-01-05
> > changelog entry for LXR:
> >
> > 2010-01-05 18:00  mbox
> >
> >       * ident, search: Fix for CVE-2009-4497 from Dan Rosenberg
> >
> >         Avoid a XSS vulnerability
> >
> > Bug 3 was fixed a few days later on 2010-01-15, as indicated by:
> >
> > 2010-01-15 23:23  mbox
> >
> >       * lib/LXR/Common.pm: Fix XSS exploit in title string
> >
> > So, while my original intent at the time of disclosure was to have a
> > single CVE identifier assigned to cover all three of these issues, that
> > obviously did not happen.  As it stands, bugs 1 and 3 have their own CVE
> > identifiers, and bug 2 remains unassigned.
>
> Sorry this took so long.
>
> CVE-2010-1625 lxr lib/LXR/Common.pm: Fix XSS exploit in title string
>
> The diff is here:
> http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?r1=1.63&r2=1.64
>
> Thanks
>
> --
>    JB