Re: Cgit XSS "vulnerability" has no CVE?

[Peter Bex <peter () more-magic net>]

On Mon, Mar 07, 2016 at 06:53:33PM +0100, Jason A. Donenfeld wrote:
> On Sat, Mar 5, 2016 at 6:41 PM, Peter Bex <peter () more-magic net> wrote:
> > This allows for an XSS attack by anyone with write access: If you can
> > push to a git repository for which the "txt2html" converter is activate,
> > you can create a README or README.txt and insert arbitrary HTML.
>
> The XSS situation in those release notes does not cover what you've
> described here. You're conflating two separate things.

Thanks for clarifying this.  For some reason I expected this to be about
the same issue.

On Mon, Mar 07, 2016 at 06:52:04PM +0100, Jason A. Donenfeld wrote:
> At the moment, none of those example filters are XSS-safe. I think
> I'll likely rewrite them for the next version to use a framework for
> that.

Good to hear that!

> But there's never been any guarantee for those filters, and
> they've never been provided as anything but potential example filters
> for people to tweak and change.

Even so, I think a warning would have been appropriate.  The text issue
is a bit more surprising, as one might certainly expect that to be safe,
though a quick inspection of the code should be enough to know what's
going on.

Considering that it's been "fixed", I thought a CVE might be useful to
trigger distros to include the patch.  Without a CVE, distros like
Debian and RedHat will keep using the unpatched version, which is a
shame if such an easy fix is available.

Cheers,
Peter

Attachment: signature.asc
Description: Digital signature