Debian Bug report logs - #456148
CVE-2007-6306: Multiple cross-site scripting vulnerabilities


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Thu, 13 Dec 2007 09:00:02 UTC

Severity: important

Tags: patch, security

Fixed in version libjfreechart-java/1.0.9-1

Done: Varun Hiremath <varun@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#456148; Package libjfreechart-java.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-6306: Multiple cross-site scripting vulnerabilities
Date: Thu, 13 Dec 2007 09:58:58 +0100
Package: libjfreechart-java
Severity: important
Tags: security

Hi

The following CVE[0] has been issued against libjfreechart-java.

CVE-2007-6306:

Multiple cross-site scripting (XSS) vulnerabilities in the image map
feature in JFreeChart 1.0.8 allow remote attackers to inject arbitrary
web script or HTML via the (1) chart name or (2) chart tool tip text; or
the (3) href, (4) shape, or (5) coords attribute of a chart area.


A potential patch can be found here[1][2]; not quite sure if there is
more.

Please mention the CVE id in the changelog, when you fix this issue.
Thanks for your efforts.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6306

[1]:
http://jfreechart.svn.sourceforge.net/viewvc/jfreechart/trunk/source/org/jfree/chart/entity/ChartEntity.java?r1=662&r2=661&pathrev=662

[2]:
http://jfreechart.svn.sourceforge.net/viewvc/jfreechart/trunk/source/org/jfree/chart/imagemap/ImageMapUtilities.java?r1=662&r2=661&pathrev=662
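
As an added example (not code from JFreeChart, from the referenced upstream revisions, or from this bug report), the following Java program writes HTML image-map markup for the five values the CVE description names (map name, tool tip, href, shape and coords), once verbatim and once with attribute escaping for the free-text values and validation for the structured ones. The `Area` record, `writeMapUnsafe`, `writeMapSafe`, `htmlEscape` and `hasAllowedScheme` are names chosen for this example and are not JFreeChart API; the sample input in `main` is constructed.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example, not JFreeChart code: writes HTML image-map markup for the
 * five values named in CVE-2007-6306 (map name, tool tip, href, shape,
 * coords), once verbatim and once with output encoding and validation.
 */
public final class ImageMapEscapingExample {

    /** Hypothetical record standing in for one chart area (not a JFreeChart type). */
    public record Area(String shape, String coords, String href, String toolTip) {}

    /** coords must be a comma-separated list of integers, e.g. "10,20,30,40". */
    private static final Pattern COORDS = Pattern.compile("-?\\d+(\\s*,\\s*-?\\d+)*");

    /** Shape values that HTML image maps define. */
    private static final List<String> SHAPES = List.of("rect", "circle", "poly", "default");

    /** Vulnerable form: every value is concatenated into the markup unchanged. */
    public static String writeMapUnsafe(String mapName, List<Area> areas) {
        StringBuilder sb = new StringBuilder();
        sb.append("<map id=\"").append(mapName).append("\" name=\"").append(mapName).append("\">\n");
        for (Area a : areas) {
            sb.append("<area shape=\"").append(a.shape())
              .append("\" coords=\"").append(a.coords())
              .append("\" href=\"").append(a.href())
              .append("\" title=\"").append(a.toolTip())
              .append("\"/>\n");
        }
        return sb.append("</map>").toString();
    }

    /** Hardened form: free text is attribute-escaped, structured values are validated. */
    public static String writeMapSafe(String mapName, List<Area> areas) {
        StringBuilder sb = new StringBuilder();
        String name = htmlEscape(mapName);
        sb.append("<map id=\"").append(name).append("\" name=\"").append(name).append("\">\n");
        for (Area a : areas) {
            String shape = a.shape().trim().toLowerCase(Locale.ROOT);
            if (!SHAPES.contains(shape)) {
                throw new IllegalArgumentException("unsupported shape: " + a.shape());
            }
            if (!COORDS.matcher(a.coords().trim()).matches()) {
                throw new IllegalArgumentException("malformed coords: " + a.coords());
            }
            if (!hasAllowedScheme(a.href())) {
                throw new IllegalArgumentException("disallowed href: " + a.href());
            }
            sb.append("<area shape=\"").append(shape)
              .append("\" coords=\"").append(a.coords().trim())
              .append("\" href=\"").append(htmlEscape(a.href()))
              .append("\" title=\"").append(htmlEscape(a.toolTip()))
              .append("\"/>\n");
        }
        return sb.append("</map>").toString();
    }

    /** Escapes the five characters that matter inside a double-quoted HTML attribute. */
    public static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&' -> out.append("&amp;");
                case '<' -> out.append("&lt;");
                case '>' -> out.append("&gt;");
                case '"' -> out.append("&quot;");
                case '\'' -> out.append("&#39;");
                default -> out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Escaping makes a value safe as attribute text, but not as a URL: a script
     * scheme survives escaping intact. Accept relative URLs and http(s) only.
     */
    public static boolean hasAllowedScheme(String href) {
        String h = href.trim().toLowerCase(Locale.ROOT);
        int colon = h.indexOf(':');
        if (colon < 0) {
            return true; // no scheme at all: relative URL
        }
        for (int i = 0; i < colon; i++) {
            char c = h.charAt(i);
            if (c == '/' || c == '?' || c == '#') {
                return true; // the colon sits in path/query/fragment, so still a relative URL
            }
        }
        return h.startsWith("http:") || h.startsWith("https:");
    }

    public static void main(String[] args) {
        // Constructed input: a tool tip containing a quote and a tag, a href containing '&'.
        Area a = new Area("rect", "10,20,30,40", "detail?series=1&item=2", "Q1 \"sales\" <b>");
        System.out.println(writeMapUnsafe("chart1", List.of(a)));
        System.out.println(writeMapSafe("chart1", List.of(a)));
    }
}
```

Running `main` prints the two renderings side by side: in the unsafe one the tool tip's quote terminates the `title` attribute and the rest of the text lands in tag context, which is exactly the injection point the CVE text describes; in the safe one the quote and angle brackets come out as entities and the `&` in the href is encoded as `&amp;`. The scheme check is there because escaping alone only neutralises attribute breakout; it does not make an arbitrary URL safe to place in `href`.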




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#456148; Package libjfreechart-java.


Acknowledgement sent to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.


Message #10 received at 456148@bugs.debian.org:

From: Tomas Hoger <thoger@redhat.com>
To: 456148@bugs.debian.org
Subject: Current upstream fix for CVE-2007-6306 introduced regression
Date: Thu, 13 Dec 2007 13:46:58 +0100
Hi!

This has been brought to our attention:

http://sourceforge.net/tracker/index.php?func=detail&aid=1849333&group_id=15494&atid=115494

Upstream author is looking into the issue and expects to release an update
soon.

HTH

-- 
Tomas Hoger





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#456148; Package libjfreechart-java.


Acknowledgement sent to Varun Hiremath <varunhiremath@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.


Message #15 received at 456148@bugs.debian.org:

From: Varun Hiremath <varunhiremath@gmail.com>
To: 456148@bugs.debian.org
Subject: Re: Bug#456148: Current upstream fix for CVE-2007-6306 introduced regression
Date: Tue, 18 Dec 2007 22:46:15 +0530
On Thu, 13 Dec, 2007 at 01:46:58PM +0100, Tomas Hoger wrote:
> Hi!
> 
> This has been brought to our attention:
> 
> http://sourceforge.net/tracker/index.php?func=detail&aid=1849333&group_id=15494&atid=115494
> 
> Upstream author is looking into the issue and expects to release update
> soon.

The following comment[1] was added by the Upstream author:

| This bug has been fixed in the jfreechart-1.0.x-branch in Subversion,
| and I'll be releasing version 1.0.9 as soon as possible.  The chances
| of that happening this week are slim, however.
 
[1]: https://sourceforge.net/tracker/?func=detail&atid=115494&aid=1849333&group_id=15494

I shall update the package once version 1.0.9 is released.

Regards
Varun

-- 
Varun Hiremath
Undergraduate Student,
Aerospace Engineering Department,
Indian Institute of Technology Madras,
Chennai, India
-------------------------------------
Homepage : http://varun.travisbsd.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#456148; Package libjfreechart-java.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.


Message #20 received at 456148@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Varun Hiremath <varunhiremath@gmail.com>, 456148@bugs.debian.org
Subject: Re: Bug#456148: Current upstream fix for CVE-2007-6306 introduced regression
Date: Sat, 22 Dec 2007 15:59:26 +0100
Hi Varun,
* Varun Hiremath <varunhiremath@gmail.com> [2007-12-18 19:02]:
> On Thu, 13 Dec, 2007 at 01:46:58PM +0100, Tomas Hoger wrote:
> > This has been brought to our attention:
> > 
> > http://sourceforge.net/tracker/index.php?func=detail&aid=1849333&group_id=15494&atid=115494
> > 
> > Upstream author is looking into the issue and expects to release update
> > soon.
> 
> The following comment[1] was added by the Upstream author:
> 
> | This bug has been fixed in the jfreechart-1.0.x-branch in Subversion,
> | and I'll be releasing version 1.0.9 as soon as possible.  The chances
> | of that happening this week are slim, however.
>  
> [1]: https://sourceforge.net/tracker/?func=detail&atid=115494&aid=1849333&group_id=15494
> 
> I shall update the package once version 1.0.9 is released.

What about updating the current package with the referenced 
patches which fix this?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#456148; Package libjfreechart-java.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.


Message #25 received at 456148@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 456148@bugs.debian.org
Subject: Intend to NMU
Date: Sat, 22 Dec 2007 16:29:31 +0100
Hi,
attached is a patch for an NMU which fixes these issues.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/libjfreechart-java-1.0.8-1_1.0.8-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[libjfreechart-java-1.0.8-1_1.0.8-1.1.patch (text/x-diff, attachment)]

Tags added: patch. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 22 Dec 2007 15:33:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#456148; Package libjfreechart-java.


Acknowledgement sent to Varun Hiremath <varunhiremath@iitm.ac.in>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.


Message #32 received at 456148@bugs.debian.org:

From: Varun Hiremath <varunhiremath@iitm.ac.in>
To: Nico Golde <nion@debian.org>, 456148@bugs.debian.org
Cc: Michael Koch <konqueror@gmx.de>
Subject: Re: Bug#456148: Intend to NMU
Date: Sat, 22 Dec 2007 23:32:35 +0530
Hi Nico,

On Sat, 22 Dec, 2007 at 04:29:31PM +0100, Nico Golde wrote:
> Hi,
> attached is a patch for an NMU which fixes these issues.
> It will be also archived on:
> http://people.debian.org/~nion/nmu-diff/libjfreechart-java-1.0.8-1_1.0.8-1.1.patch

These two patches are included in the new upstream release 1.0.8a
which we already have ready for upload, but it introduces new bugs
[1]. The bug [1] has been fixed in the jfreechart-1.0.x-branch but
that branch doesn't seem to include the security fixes, so we can't
update to that branch also. So, we thought of waiting for the new
1.0.9 release which should happen any time next week.

@ Michael, should we release 1.0.8a version?

Regards
Varun

[1]: http://sourceforge.net/tracker/index.php?func=detail&aid=1849333&group_id=15494&atid=115494

-- 
Varun Hiremath
Undergraduate Student,
Aerospace Engineering Department,
Indian Institute of Technology Madras,
Chennai, India
---------------------------------------
Homepage : http://varun.travisbsd.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#456148; Package libjfreechart-java.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.


Message #37 received at 456148@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Varun Hiremath <varunhiremath@iitm.ac.in>, 456148@bugs.debian.org
Cc: Michael Koch <konqueror@gmx.de>
Subject: Re: Bug#456148: Intend to NMU
Date: Sat, 22 Dec 2007 19:46:12 +0100
Hi Varun,
* Varun Hiremath <varunhiremath@iitm.ac.in> [2007-12-22 19:12]:
> On Sat, 22 Dec, 2007 at 04:29:31PM +0100, Nico Golde wrote:
> > Hi,
> > attached is a patch for an NMU which fixes these issues.
> > It will be also archived on:
> > http://people.debian.org/~nion/nmu-diff/libjfreechart-java-1.0.8-1_1.0.8-1.1.patch
> 
> These two patches are included in the new upstream release 1.0.8a
> which we already have ready for upload, but it introduces new bugs
> [1].

Oh thanks, I missed this in the bug report.

> The bug [1] has been fixed in the jfreechart-1.0.x-branch but
> that branch doesn't seem to include the security fixes, so we can't
> update to that branch also. So, we thought of waiting for the new
> 1.0.9 release which should happen any time next week.

Waiting for security releases is considered to be bad if you 
can gather the information for fixing this issue.

> @ Michael, should we release 1.0.8a version?

No please not if it breaks things.

Can you maybe ask upstream for the patch then?
His changes to the branch are in revision 676 but he later
removed some of them in 683, so I am a bit confused about the
status of this in the branch.

Kind regards
Nico


-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#456148; Package libjfreechart-java.


Acknowledgement sent to Varun Hiremath <varunhiremath@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.


Message #42 received at 456148@bugs.debian.org:

From: Varun Hiremath <varunhiremath@gmail.com>
To: Nico Golde <nion@debian.org>
Cc: 456148@bugs.debian.org, Michael Koch <konqueror@gmx.de>
Subject: Re: Bug#456148: Intend to NMU
Date: Sun, 23 Dec 2007 00:37:45 +0530
Hi Nico,

On Sat, 22 Dec, 2007 at 07:46:12PM +0100, Nico Golde wrote:
> Hi Varun,
> * Varun Hiremath <varunhiremath@iitm.ac.in> [2007-12-22 19:12]:
> > On Sat, 22 Dec, 2007 at 04:29:31PM +0100, Nico Golde wrote:
> > > Hi,
> > > attached is a patch for an NMU which fixes these issues.
> > > It will be also archived on:
> > > http://people.debian.org/~nion/nmu-diff/libjfreechart-java-1.0.8-1_1.0.8-1.1.patch
> > 
> > These two patches are included in the new upstream release 1.0.8a
> > which we already have ready for upload, but it introduces new bugs
> > [1].
> 
> Oh thanks I missed this in the bug report.
> 
> > The bug [1] has been fixed in the jfreechart-1.0.x-branch but
> > that branch doesn't seem to include the security fixes, so we can't
> > update to that branch also. So, we thought of waiting for the new
> > 1.0.9 release which should happen any time next week.
> 
> Waiting for security releases is considered to be bad if you 
> can gather the information for fixing this issue.
> 
> > @ Michael, should we release 1.0.8a version?
> 
> No please not if it breaks things.
> 
> Can you maybe ask upstream for the patch then?
> His changes to the branch are in revision 676 but he later 
> removed some of them in 683 so I am bit confused about the 
> status of this in the branch.

Exactly, even the upstream Changelog entries are totally confusing
and haven't mentioned anywhere clearly that it fixes the concerned
CVE. But, still I will try to ask him for a patch. 

I am on vacation from day after tomorrow, so Michael, could you please
take care of this bug?

Regards
Varun

-- 
Varun Hiremath
Undergraduate Student,
Aerospace Engineering Department,
Indian Institute of Technology Madras,
Chennai, India
---------------------------------------
Homepage : http://varun.travisbsd.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#456148; Package libjfreechart-java.


Acknowledgement sent to Michael Koch <konqueror@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.


Message #47 received at 456148@bugs.debian.org:

From: Michael Koch <konqueror@gmx.de>
To: Varun Hiremath <varunhiremath@gmail.com>, 456148@bugs.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: Re: Bug#456148: Intend to NMU
Date: Thu, 27 Dec 2007 13:55:41 +0100
On Sun, Dec 23, 2007 at 12:37:45AM +0530, Varun Hiremath wrote:
> Hi Nico,
> 
> On Sat, 22 Dec, 2007 at 07:46:12PM +0100, Nico Golde wrote:
> > Hi Varun,
> > * Varun Hiremath <varunhiremath@iitm.ac.in> [2007-12-22 19:12]:
> > > On Sat, 22 Dec, 2007 at 04:29:31PM +0100, Nico Golde wrote:
> > > > Hi,
> > > > attached is a patch for an NMU which fixes these issues.
> > > > It will be also archived on:
> > > > http://people.debian.org/~nion/nmu-diff/libjfreechart-java-1.0.8-1_1.0.8-1.1.patch
> > > 
> > > These two patches are included in the new upstream release 1.0.8a
> > > which we already have ready for upload, but it introduces new bugs
> > > [1].
> > 
> > Oh thanks I missed this in the bug report.
> > 
> > > The bug [1] has been fixed in the jfreechart-1.0.x-branch but
> > > that branch doesn't seem to include the security fixes, so we can't
> > > update to that branch also. So, we thought of waiting for the new
> > > 1.0.9 release which should happen any time next week.
> > 
> > Waiting for security releases is considered to be bad if you 
> > can gather the information for fixing this issue.
> > 
> > > @ Michael, should we release 1.0.8a version?
> > 
> > No please not if it breaks things.
> > 
> > Can you maybe ask upstream for the patch then?
> > His changes to the branch are in revision 676 but he later 
> > removed some of them in 683 so I am bit confused about the 
> > status of this in the branch.
> 
> Exactly, even the upstream Changelog entries are totally confusing
> and haven't mentioned anywhere clearly that it fixes the concerned
> CVE. But, still I will try to ask him for a patch. 
> 
> I am on vacation from day after tomorrow, so Michael, could you please
> take care of this bug?

I will take care of this. I'm in private contact with the upstream
author.


Cheers,
Michael




Reply sent to Varun Hiremath <varun@debian.org>:
You have taken responsibility.


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.


Message #52 received at 456148-close@bugs.debian.org:

From: Varun Hiremath <varun@debian.org>
To: 456148-close@bugs.debian.org
Subject: Bug#456148: fixed in libjfreechart-java 1.0.9-1
Date: Fri, 04 Jan 2008 21:17:06 +0000
Source: libjfreechart-java
Source-Version: 1.0.9-1

We believe that the bug you reported is fixed in the latest version of
libjfreechart-java, which is due to be installed in the Debian FTP archive:

libjfreechart-java-doc_1.0.9-1_all.deb
  to pool/main/libj/libjfreechart-java/libjfreechart-java-doc_1.0.9-1_all.deb
libjfreechart-java_1.0.9-1.diff.gz
  to pool/main/libj/libjfreechart-java/libjfreechart-java_1.0.9-1.diff.gz
libjfreechart-java_1.0.9-1.dsc
  to pool/main/libj/libjfreechart-java/libjfreechart-java_1.0.9-1.dsc
libjfreechart-java_1.0.9-1_all.deb
  to pool/main/libj/libjfreechart-java/libjfreechart-java_1.0.9-1_all.deb
libjfreechart-java_1.0.9.orig.tar.gz
  to pool/main/libj/libjfreechart-java/libjfreechart-java_1.0.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 456148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Varun Hiremath <varun@debian.org> (supplier of updated libjfreechart-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 05 Jan 2008 01:08:58 +0530
Source: libjfreechart-java
Binary: libjfreechart-java-doc libjfreechart-java
Architecture: source all
Version: 1.0.9-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Varun Hiremath <varun@debian.org>
Description: 
 libjfreechart-java - Chart library for Java
 libjfreechart-java-doc - Chart library for Java - documentation
Closes: 456148
Changes: 
 libjfreechart-java (1.0.9-1) unstable; urgency=high
 .
   [ Varun Hiremath ]
   * New upstream release
   * This release fixes the following security issue:
     + Multiple cross-site scripting vulnerabilities in the image map
       feature allow remote attackers to inject arbitrary web script or HTML
       via several attributes (CVE-2007-6306; Closes: #456148).
   * Fix debian/watch to include letters also in upstream version.
   * Make some minor fixes in debian/orig-tar.sh file.
   * debian/control: Bumped up Standards-Version to 3.7.3
 .
   [ Michael Koch ]
   * Use uscan SourceForge helper in watch file.
Files: 
 a76c253b3c9ab70a66d58ac122278132 1110 libs optional libjfreechart-java_1.0.9-1.dsc
 38c83ca75c50564337d585799819fc95 1351748 libs optional libjfreechart-java_1.0.9.orig.tar.gz
 a58e395ecf4ea91a02b777262f5af633 4072 libs optional libjfreechart-java_1.0.9-1.diff.gz
 dc4e4f6f3de6b15ef911e9e129f9bc63 1307878 libs optional libjfreechart-java_1.0.9-1_all.deb
 aa5eb879a78f4c1c0e7d585cde06a3a3 5790130 doc optional libjfreechart-java-doc_1.0.9-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHfp8aWSOgCCdjSDsRAnbTAJ0buBjaUrZGzNy6a2u5GsIyRvqRzQCglGs1
c9uKZxzaXQE3bf5aBeDfUEg=
=cvmc
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Feb 2008 07:45:35 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:10:36 2019; Machine Name: beach
