Debian Bug report logs - #588138
CVE-2010-1625: Cross-site scripting (XSS) vulnerability


Package: lxr; Maintainer for lxr is (unknown);

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Mon, 5 Jul 2010 11:00:02 UTC

Severity: serious

Tags: security

Found in version 0.3.1-5~rm

Fixed in version 0.3.1-5+rm

Done: Alexander Reichle-Schmehl <tolimar@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giacomo Catenazzi <cate@debian.org>:
Bug#588138; Package lxr. (Mon, 05 Jul 2010 11:00:05 GMT)

Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giacomo Catenazzi <cate@debian.org>. (Mon, 05 Jul 2010 11:00:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-1625: Cross-site scripting (XSS) vulnerability
Date: Mon, 05 Jul 2010 12:57:32 +0200
Package: lxr
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for lxr.

CVE-2010-1625[0]:
| Cross-site scripting (XSS) vulnerability in LXR Cross Referencer
| before 0.9.7 allows remote attackers to inject arbitrary web script or
| HTML via vectors related to the search body and the results page for a
| search, a different vulnerability than CVE-2009-4497 and
| CVE-2010-1448.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1625
    http://security-tracker.debian.org/tracker/CVE-2010-1625


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwxupsACgkQNxpp46476aosxgCgkuY2Cj109ESjFEyZbMOcUuQu
YK8AnAy8I7TJSd0IhhBtR5C6CV/Dt9Oz
=hikO
-----END PGP SIGNATURE-----
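The CVE text above names the bug class (a search term reflected into the search body and the results page without output encoding) but the affected LXR code is not on this page. The following is an added illustration in Python of that class, not LXR's code and not anything from the Debian package: a minimal results-page renderer in the vulnerable and the hardened form, plus a checker that tokenizes the output the way a browser would and reports what would execute. The page layout, the function names and both payloads are assumptions made for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed payloads for the demo (assumptions, not taken from any report).
# The first targets an HTML text context, the second breaks out of a quoted
# attribute value, which is why the pre-filled search box matters below.
SCRIPT_PAYLOAD = '<script>alert(1)</script>'
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_results_vulnerable(term, hits):
    """Reflect the search term and the hit names into HTML verbatim.

    This mirrors the bug class of CVE-2010-1625 (search term echoed into the
    search body and the results page); it is a hypothetical page, not LXR's."""
    body = f'<h1>Search results for "{term}"</h1>\n'
    body += f'<input name="string" value="{term}">\n'   # search box, pre-filled
    body += '<ul>\n'
    for name in hits:
        body += f'  <li><a href="?{urlencode({"string": name})}">{name}</a></li>\n'
    body += '</ul>\n'
    return body


def render_results_hardened(term, hits):
    """Same page, every interpolation encoded for the context it lands in."""
    safe_term = html.escape(term, quote=True)   # text and quoted-attribute contexts
    body = f'<h1>Search results for "{safe_term}"</h1>\n'
    body += f'<input name="string" value="{safe_term}">\n'
    body += '<ul>\n'
    for name in hits:
        safe_name = html.escape(name, quote=True)
        # Two layers: urlencode percent-encodes the query value, then
        # html.escape encodes the result for the href attribute context.
        href = html.escape('?' + urlencode({'string': name}), quote=True)
        body += f'  <li><a href="{href}">{safe_name}</a></li>\n'
    body += '</ul>\n'
    return body


class InjectionFinder(HTMLParser):
    """Tokenize the page as a browser would and record script-bearing nodes.

    A plain substring check would misfire on the hardened output (the text
    'onfocus=' still appears there, harmlessly, inside a quoted value), so the
    check is done on parsed tags and attributes instead."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.findings.append('script element')
        for name, _value in attrs:
            if name.startswith('on'):
                self.findings.append(f'event handler attribute {name}')


def find_injected_script(page):
    """Return a list describing each script element or on* handler in page."""
    parser = InjectionFinder()
    parser.feed(page)
    parser.close()
    return parser.findings


def demo():
    """Run both payloads through both renderers; map label -> (vulnerable, hardened)."""
    hits = ['main.c']   # constructed hit list
    out = {}
    for label, term in (('script', SCRIPT_PAYLOAD), ('attribute', ATTR_PAYLOAD)):
        out[label] = (find_injected_script(render_results_vulnerable(term, hits)),
                      find_injected_script(render_results_hardened(term, hits)))
    return out


if __name__ == '__main__':
    for label, (vuln, hard) in demo().items():
        print(f'{label:9s} payload  vulnerable: {vuln}  hardened: {hard}')
```

The attribute payload only fires in the pre-filled search box, not in the heading or the link text, which is the practical point: the encoding has to match each context a value is written into (text node, quoted attribute, URL component), and the hardened renderer applies the URL encoding and the HTML attribute encoding in that order for the href.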




Information forwarded to debian-bugs-dist@lists.debian.org, Giacomo Catenazzi <cate@debian.org>:
Bug#588138; Package lxr. (Sat, 31 Jul 2010 14:36:09 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Giacomo Catenazzi <cate@debian.org>. (Sat, 31 Jul 2010 14:36:09 GMT)

Message #10 received at 588138@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Cc: 588138@bugs.debian.org, 585411@bugs.debian.org
Subject: RM: lxr -- RoQA; security bugs, oooold upstream version, not properly maintained
Date: Sat, 31 Jul 2010 16:38:59 +0200
Package: ftp.debian.org
Severity: normal

Hi,
I hereby request the removal of lxr from the archive, it should not be
included in squeeze as well.

The version that our package is currently based on is 0.3 (from 2003), which
is light years behind upstream, has security bugs and not properly maintained.
See e.g. #588138 and #585411. Probably #575745 affects lxr as well, hard to tell
though, the code heavily differs since it's so old.

There has been no move from the maintainer towards packaging current upstream
versions and given the small number of popcon installations this doesn't have
an impact on many users.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#588138; Package lxr. (Sat, 31 Jul 2010 15:51:08 GMT)

Acknowledgement sent to Giacomo Catenazzi <cate@debian.org>:
Extra info received and forwarded to list. (Sat, 31 Jul 2010 15:51:08 GMT)

Message #15 received at 588138@bugs.debian.org:

From: Giacomo Catenazzi <cate@debian.org>
To: Nico Golde <nion@debian.org>, 585411@bugs.debian.org
Cc: 588138@bugs.debian.org
Subject: Re: Bug#585411: RM: lxr -- RoQA; security bugs, oooold upstream version, not properly maintained
Date: Sat, 31 Jul 2010 17:42:54 +0200
On 07/31/2010 04:38 PM, Nico Golde wrote:
> Package: ftp.debian.org
> Severity: normal
>
> Hi,
> I hereby request the removal of lxr from the archive, it should not be
> included in squeeze as well.
>
> The version that our package is currently based on is 0.3 (from 2003), which
> is light years behind upstream, has security bugs and not properly maintained.
> See e.g. #588138 and #585411. Probably #575745 affects lxr as well, hard to tell
> though, the code heavily differs since it's so old.
>
> There has been no move from the maintainer towards packaging current upstream
> versions and given the small number of popcon installations this doesn't have
> an impact on many users.

No, please wait. I agree that there are problems but:
- I would not include it in squeeze anyway
- let go before the security fixes in lxr, then we could see if we
could remove it.

BTW most of the security bugs are only in lxr-cvs, which is an
"enhancement" of lxr with other upstreams.
One of the enhancements was to allow cross-referencing many languages,
thus doing indirect regex and other more complex tasks, inducing
such errors. LXR instead has hardcoded C decoding, and it seems to have
many fewer errors.

For now I would remove lxr and lxr-cvs from squeeze, and
I'll ask upstream what their plans are, and probably I will propose
to remove lxr-cvs as well.

ciao
    cate

PS: I would use some debconf time to improve the situation so
that users will not have security problems after we remove
the packages.




Information forwarded to debian-bugs-dist@lists.debian.org, Giacomo Catenazzi <cate@debian.org>:
Bug#588138; Package lxr. (Sat, 31 Jul 2010 15:57:07 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Giacomo Catenazzi <cate@debian.org>. (Sat, 31 Jul 2010 15:57:08 GMT)

Message #20 received at 588138@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Giacomo Catenazzi <cate@debian.org>
Cc: 585411@bugs.debian.org, 588138@bugs.debian.org, 591059@bugs.debian.org
Subject: Re: Bug#585411: RM: lxr -- RoQA; security bugs, oooold upstream version, not properly maintained
Date: Sat, 31 Jul 2010 17:59:31 +0200
Hi,
* Giacomo Catenazzi <cate@debian.org> [2010-07-31 17:52]:
> On 07/31/2010 04:38 PM, Nico Golde wrote:
> >Package: ftp.debian.org
> >Severity: normal
> >
> >I hereby request the removal of lxr from the archive, it should not be
> >included in squeeze as well.
> >
> >The version that our package is currently based on is 0.3 (from 2003), which
> >is light years behind upstream, has security bugs and not properly maintained.
> >See e.g. #588138 and #585411. Probably #575745 affects lxr as well, hard to 
> >tell
> >though, the code heavily differs since it's so old.
> >
> >There has been no move from the maintainer towards packaging current upstream
> >versions and given the small number of popcon installations this doesn't have
> >an impact on many users.
> 
> No, please wait. I agree that there are problems but:
> - I would not include it in squeeze anyway

Did I miss the removal request for squeeze then?

> - let go before the security fixes in lxr, then we could see if we
> could remove it.

I don't understand this part.

> BTW most of security bugs are only in lxr-cvs, which is an
> "enhancement" of lxr with other upstreams.

What do you mean by most? The affected ones are filed in the BTS and I did 
state that #575745 probably affects lxr as well.

> One of the enhancement was to allow cross-referencing many languages, thus 
> doing indirect regex and other more complex tasks, inducing
> such errors.

None of the bugs that are currently open have been introduced due to such 
things but affect rather general functionality.

> LXR instead has hardcoded C decoding, and it seems with
> many less errors.
> 
> For now I would remove lxr and lxr-cvs from squeeze, and
> I'll ask upstream what are their plan, and probably I propose
> to remove also lxr-cvs.

There is no need to remove lxr-cvs as I just prepared an NMU for it. As for 
lxr my opinion stands. If you can't properly maintain it, it has no place in the 
archive. Proper maintenance includes keeping up to date with the upstream version 
(which would solve all your problems in this case from what I see). There 
isn't even any need to remove anything if you kept up with upstream.

> PS: I would use some debconf time to improve the situation so
> that users will not have security problem after we remove
> the packages.

Again, see the NMU I prepared for lxr-cvs, it should be fine. For lxr I think 
there is hardly much to do apart from upgrading to the current upstream version, 
which you haven't done for quite a long time. Thus the removal request. If that 
changes now, fine, then I see no reason to remove it.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Giacomo Catenazzi <cate@debian.org>:
Bug#588138; Package lxr. (Wed, 04 Aug 2010 11:51:09 GMT)

Acknowledgement sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
Extra info received and forwarded to list. Copy sent to Giacomo Catenazzi <cate@debian.org>. (Wed, 04 Aug 2010 11:51:09 GMT)

Message #25 received at 588138@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: Nico Golde <nion@debian.org>, 591059@bugs.debian.org
Cc: Giacomo Catenazzi <cate@debian.org>, 585411@bugs.debian.org, 588138@bugs.debian.org
Subject: Re: Bug#591059: Bug#585411: RM: lxr -- RoQA; security bugs, oooold upstream version, not properly maintained
Date: Wed, 4 Aug 2010 13:49:06 +0200
Hi!

* Nico Golde <nion@debian.org> [100731 17:59]:

> > PS: I would use some debconf time to improve the situation so
> > that users will not have security problem after we remove
> > the packages.
> Again, see the NMU I prepared for lxr-cvs, it should be fine. For lxr I think 
> there is hardly much to do apart from upgrading to the current upstream version, 
> which you haven't done for quite a long time. Thus the removal request. If that 
> changes now, fine, then I see no reason to remove it.

So, any comments, Giacomo?  I must say, that I tend to agree with Nico
here, and therefore tend to remove the package soonish unless you show some
activity or at least give comment.


Best Regards,
  Alexander




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#588138; Package lxr. (Wed, 04 Aug 2010 12:09:07 GMT)

Acknowledgement sent to Giacomo Catenazzi <cate@debian.org>:
Extra info received and forwarded to list. (Wed, 04 Aug 2010 12:09:07 GMT)

Message #30 received at 588138@bugs.debian.org:

From: Giacomo Catenazzi <cate@debian.org>
To: Alexander Reichle-Schmehl <tolimar@debian.org>
Cc: Nico Golde <nion@debian.org>, 591059@bugs.debian.org, 585411@bugs.debian.org, 588138@bugs.debian.org
Subject: Re: Bug#591059: Bug#585411: RM: lxr -- RoQA; security bugs, oooold upstream version, not properly maintained
Date: Wed, 04 Aug 2010 14:05:03 +0200
On 08/04/2010 01:49 PM, Alexander Reichle-Schmehl wrote:
> Hi!
>
> * Nico Golde<nion@debian.org>  [100731 17:59]:
>
>>> PS: I would use some debconf time to improve the situation so
>>> that users will not have security problem after we remove
>>> the packages.
>> Again, see the NMU I prepared for lxr-cvs, it should be fine. For lxr I think
>> there is hardly much to do apart from upgrading to the current upstream version,
>> which you haven't done for quite a long time. Thus the removal request. If that
>> changes now, fine, then I see no reason to remove it.
>
> So, any comments, Giacomo?  I must say, that I tend to agree with Nico
> here, and therefore tend to remove the package soonish unless you show some
> activity or at least give comment.

It is a difficult question:
- I really think that lxr has fewer problems than lxr-cvs
- both upstreams are not very active in publishing the tarball
  (and Debian is doing most of the security support)
- lxr-cvs has released many unusable versions (buggy in
  core functionality, see e.g. the last versions)
- I don't find a real alternative in Debian (let's see
  where sources.d.n will go)
- but OTOH I don't think it is so useful to have it in Debian:
  they are web applications that need much customization,
  so IMHO for them it is better to work in a VCS branch
  than as a package
- I think there are very few true installations of the Debian
  packages (and IMHO the security problems are found by
  testing the online mozilla lxr).

So let's remove the two packages.

	cate




Information forwarded to debian-bugs-dist@lists.debian.org, Giacomo Catenazzi <cate@debian.org>:
Bug#588138; Package lxr. (Wed, 04 Aug 2010 12:51:09 GMT)

Acknowledgement sent to Alexander Reichle-Schmehl <alexander@schmehl.info>:
Extra info received and forwarded to list. Copy sent to Giacomo Catenazzi <cate@debian.org>. (Wed, 04 Aug 2010 12:51:09 GMT)

Message #35 received at 588138@bugs.debian.org:

From: Alexander Reichle-Schmehl <alexander@schmehl.info>
To: Giacomo Catenazzi <cate@debian.org>
Cc: Nico Golde <nion@debian.org>, 591059@bugs.debian.org, 585411@bugs.debian.org, 588138@bugs.debian.org
Subject: Re: Bug#591059: Bug#585411: RM: lxr -- RoQA; security bugs, oooold upstream version, not properly maintained
Date: Wed, 4 Aug 2010 14:46:57 +0200
Hi!

* Giacomo Catenazzi <cate@debian.org> [100804 14:05]:

> So let's remove the two packages.

Thanks for your contribution so far and your comment.


Best Regards,
  Alexander




Reply sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
You have taken responsibility. (Thu, 05 Aug 2010 09:09:32 GMT)

Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Thu, 05 Aug 2010 09:09:32 GMT)

Message #40 received at 588138-done@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 588138-done@bugs.debian.org, 585411-done@bugs.debian.org, 509526-done@bugs.debian.org, 123635-done@bugs.debian.org
Subject: Package got removed
Date: Thu, 5 Aug 2010 11:04:51 +0200
Version: 0.3.1-5~rm

Hi!

As the package got removed from the archive, I hereby close this bug
report.  Please see http://bugs.debian.org/591059 for more information
about the package removal.

Best Regards,
  Alexander




Bug Marked as found in versions 0.3.1-5~rm; no longer marked as fixed in versions 0.3.1-5~rm and reopened. Request was from Alexander Reichle-Schmehl <tolimar@debian.org> to control@bugs.debian.org. (Sat, 07 Aug 2010 11:54:07 GMT)

Reply sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
You have taken responsibility. (Sat, 07 Aug 2010 12:03:53 GMT)

Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Sat, 07 Aug 2010 12:03:53 GMT)

Message #47 received at 588138-done@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 588138-done@bugs.debian.org, 585411-done@bugs.debian.org, 509526-done@bugs.debian.org, 123635-done@bugs.debian.org
Subject: Package got removed
Date: Sat, 7 Aug 2010 14:02:57 +0200
Version: 0.3.1-5+rm

Hi!

As the package got removed from the archive, I hereby close this bug
report.  Please see http://bugs.debian.org/591059 for more information
about the package removal.

Best Regards,
  Alexander




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Sep 2010 07:35:27 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 07:52:45 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.