ports/110585: [PATCH] security/vuxml: add new entry for WebCalendar
Greg Larkin
glarkin at sourcehosting.net
Tue Mar 20 16:10:05 UTC 2007
>Number: 110585
>Category: ports
>Synopsis: [PATCH] security/vuxml: add new entry for WebCalendar
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 20 16:10:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Greg Larkin
>Release: FreeBSD 6.1-RELEASE i386
>Organization:
SourceHosting.net, LLC
>Environment:
System: FreeBSD ports.entropy.prv 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:32:43 UTC
>Description:
I will submit a PR for the WebCalendar port shortly, but I wanted to get
this VuXML database entry in place first.
NOTE: I ran "make validate" on the old vuln.xml and my modified version.
Both times, I received thousands of warnings like this:
/usr/ports/security/vuxml/vuln.xml:XXXX: element p: validity error :
Value for attribute xmlns of p must be "http://www.w3.org/1999/xhtml"
If I need to update something on my system to remove these warnings, please
let me know.
Port maintainer (secteam at FreeBSD.org) is cc'd.
Generated with FreeBSD Port Tools 0.77
>How-To-Repeat:
>Fix:
--- vuxml-1.1_1.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/security/vuxml.orig/vuln.xml /usr/ports/security/vuxml/vuln.xml
--- /usr/ports/security/vuxml.orig/vuln.xml Tue Mar 20 11:06:14 2007
+++ /usr/ports/security/vuxml/vuln.xml Tue Mar 20 11:39:17 2007
@@ -34,6 +34,41 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="72999d57-d6f6-11db-961b-005056847b26">
+ <topic>webcalendar -- "noSet" variable overwrite vulnerability</topic>
+ <affects>
+ <package>
+ <name>WebCalendar</name>
+ <range><lt>1.0.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Secunia reports:</p>
+ <blockquote cite="http://secunia.com/advisories/24403/">
+ <p>A vulnerability has been discovered in WebCalendar,
+ which can be exploited by malicious people to compromise
+ a vulnerable system.</p>
+ <p>Input passed to unspecified parameters is not properly
+ verified before being used with the "noSet" parameter set.
+ This can be exploited to overwrite certain variables, and
+ allows e.g. the inclusion of arbitrary PHP files from internal
+ or external resources.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2007-1343</cvename>
+ <bid>22834</bid>
+ <mlist msgid="38457558">https://sourceforge.net/mailarchive/message.php?msg_id=38457558</mlist>
+ <url>http://sourceforge.net/project/shownotes.php?release_id=491130</url>
+ <url>http://xforce.iss.net/xforce/xfdb/32832</url>
+ </references>
+ <dates>
+ <discovery>2007-03-04</discovery>
+ </dates>
+ </vuln>
+
<vuln vid="8e02441d-d39c-11db-a6da-0003476f14d3">
<topic>sql-ledger -- security bypass vulnerability</topic>
<affects>
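Review bot: the new entry's <dates> block carries only <discovery>2007-03-04</discovery> and no <entry> date, which the VuXML schema requires next to <discovery>; add a line such as <entry>2007-03-20</entry> (the date the entry is submitted, matching this PR's Arrival-Date) before </dates>. Also, the msgid attribute on the <mlist> reference holds the SourceForge archive number 38457558 rather than the message's RFC 2822 Message-ID (which would contain an "@"); either supply the real Message-ID or drop the attribute and keep the URL. Finally, the hunk header "@@ -34,6 +34,41 @@" announces six old and 41 new lines, but only five context lines are visible around the 35 added lines, so a blank context line may have been lost in transit; confirm the patch still applies cleanly against vuln.xml before commit.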
--- vuxml-1.1_1.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: