--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: security-tracker: MITRE descriptions containing non-ascii characters might cause issues on accessing CVE page
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 19 May 2019 18:24:29 +0200
- Message-id: <155828306989.6925.6676671305580377192.reportbug@eldamar.local>
Package: security-tracker
Severity: normal
Found this while checking for other issues, but had no time to further
properly investigate; I did not want to lose that initial tracking.
When a CVE description from MITRE contains non-ascii/non-valid
characters like
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2019-0976
> A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac
> that could allow an authenticated attacker to modify contents of the
> intermediate build folder (by default “objâ€Â),
> aka 'NuGet Package Manager Tampering Vulnerability'.
this causes an issue when accessing the respective CVE page once the
description has been merged:
https://security-tracker.debian.org/tracker/CVE-2019-0976
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
    self.handle_one_request()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
    method()
  File "../lib/python/web_support.py", line 805, in do_GET
    result = r.flatten_later()
  File "../lib/python/web_support.py", line 662, in flatten_later
    self.contents.flatten(buf.write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 286, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 332, in flatten
    write(escapeHTML(x))
  File "../lib/python/web_support.py", line 242, in escapeHTML
    append(charToHTML[ord(ch)])
IndexError: list index out of range
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Hi Florian,
On Fri, May 01, 2020 at 04:01:39PM +0200, Florian Weimer wrote:
> * Salvatore Bonaccorso:
>
> > Hi Florian,
> >
> > On Fri, May 01, 2020 at 02:33:21PM +0200, Florian Weimer wrote:
> >> * Salvatore Bonaccorso:
> >>
> >> > Hi Florian,
> >> >
> >> > On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote:
> >> >> * Florian Weimer:
> >> >>
> >> >> > * Francesco Poli:
> >> >> >
> >> >> >> Please note that the CVE is mentioned in [DSA-4667-1].
> >> >> >>
> >> >> >> [DSA-4667-1]: <https://lists.debian.org/debian-security-announce/2020/msg00071.html>
> >> >> >>
> >> >> >> What's wrong with that tracker page?
> >> >> >
> >> >> > It's something in the NVD data that breaks the HTML escaping.
> >> >>
> >> >> This patch adds basic Unicode support to the web framework. I'm not
> >> >> sure if it is the right direction to move in, but it fixes the issue.
> >> >>
> >> >> An alternative fix would be to change the NVD importer not to put
> >> >> Unicode strings into the database, by encoding them as byte strings
> >> >> first.
> >> >
> >> > Do you want to deploy that or rather investigate an alternative?
> >>
> >> I'd appreciate if you could spot-check the changes (e.g., do we still
> >> do HTML escaping properly?) and deploy it. It looks like I have
> >> forgotten how to do it.
> >
> > Looks good to me, and yes, I can deploy it if you want me to. Please have
> > a look at the attached git format-patch'ed version if you agree with the
> > slight rewrite, since I do not want to commit something in your name
> > you would not agree with.
>
> Still looks fine.
>
> Signed-off-by: Florian Weimer <fw@deneb.enyo.de>
Thanks, applied and deployed.
Regards,
Salvatore
--- End Message ---
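The failure mode in the traceback above is a table-driven HTML escaper indexed by ord(ch) that only covers the ASCII range, so any code point from a MITRE description (such as the curly quotes around "obj") runs past the end of the list. The following added example is not the security-tracker's web_support.py; it is a constructed reproduction of that shape of bug, next to two hardened variants matching the two directions the thread discusses: an escaper that handles arbitrary Unicode code points (the "basic Unicode support" approach), and one that encodes the string to UTF-8 bytes before the per-character lookup (the "encode as byte strings first" alternative). The table contents, the function names and the sample description are assumptions; the hardened output is checked against Python's own html.escape.

```python
import html

# Constructed stand-in for the list the traceback's escapeHTML indexes with
# ord(ch). Assumption: it was sized for the ASCII range only, which is all the
# IndexError tells us. Apostrophe uses &#x27; so results compare equal to
# html.escape(s) from the standard library.
_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
charToHTML = [_ESCAPES.get(chr(i), chr(i)) for i in range(128)]

# Constructed sample: the MITRE text from the report with its smart quotes
# intact (U+201C / U+201D), plus some markup to prove escaping still happens.
SAMPLE = ('A tampering vulnerability exists in the NuGet Package Manager '
          'for Linux and Mac ... intermediate build folder (by default '
          '\u201cobj\u201d), aka \'NuGet Package Manager Tampering '
          'Vulnerability\'. <b>not markup</b> & "quoted"')


def escape_html_table(s):
    """Reproduction of the broken escaper: raises IndexError on ord(ch) >= 128."""
    out = []
    append = out.append
    for ch in s:
        append(charToHTML[ord(ch)])
    return "".join(out)


def table_escaper_fails(s):
    """True if the table-driven escaper cannot render this string at all."""
    try:
        escape_html_table(s)
    except IndexError:
        return True
    return False


def escape_html_unicode(s, ascii_only=False):
    """Hardened escaper: table lookup for the ASCII range, and for every other
    code point either pass-through (page is served as UTF-8) or a numeric
    character reference (page must stay pure ASCII)."""
    out = []
    for ch in s:
        cp = ord(ch)
        if cp < len(charToHTML):
            out.append(charToHTML[cp])
        elif ascii_only:
            out.append("&#%d;" % cp)
        else:
            out.append(ch)
    return "".join(out)


def escape_html_bytes_first(s):
    """The thread's alternative: encode to UTF-8 first, then escape byte by byte.
    Every byte is < 256, ASCII bytes go through the table, and UTF-8 lead and
    continuation bytes (all >= 0x80) never need escaping, so they pass through
    untouched and the result decodes back to valid UTF-8."""
    out = bytearray()
    for b in s.encode("utf-8"):
        if b < 128:
            out += charToHTML[b].encode("ascii")
        else:
            out.append(b)
    return out.decode("utf-8")


def hardened_matches_stdlib(s):
    """Spot-check for a reviewer: both hardened variants agree with html.escape."""
    expected = html.escape(s)
    return (escape_html_unicode(s) == expected and
            escape_html_bytes_first(s) == expected)


if __name__ == "__main__":
    print("table escaper fails on sample:", table_escaper_fails(SAMPLE))
    print("hardened output matches html.escape:", hardened_matches_stdlib(SAMPLE))
    print(escape_html_unicode("\u201cobj\u201d", ascii_only=True))
```

The spot-check Florian asked for ("do we still do HTML escaping properly?") is what hardened_matches_stdlib performs: it confirms that extending the escaper past ASCII did not stop it from escaping the five characters that matter for HTML injection. The bytes-first variant is safe only because UTF-8 guarantees that no byte of a multibyte sequence falls in the ASCII range; the same trick would not hold for an encoding without that property.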