
Bug#929228: security-tracker: MITRE descriptions containing non-ascii characters might cause issues on accessing CVE page



Package: security-tracker
Severity: normal

Found this while checking for other issues, but no time to further
properly investigate, but did not want to lose that initial tracking.

When a CVE description from MITRE contains non-ascii/non-valid
characters like

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2019-0976

> A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac
> that could allow an authenticated attacker to modify contents of the
> intermediate build folder (by default “obj”),
> aka 'NuGet Package Manager Tampering Vulnerability'.

this causes an issue accessing the respective CVE page once the
description has been merged:

https://security-tracker.debian.org/tracker/CVE-2019-0976

Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
    self.handle_one_request()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
    method()
  File "../lib/python/web_support.py", line 805, in do_GET
    result = r.flatten_later()
  File "../lib/python/web_support.py", line 662, in flatten_later
    self.contents.flatten(buf.write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 286, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 332, in flatten
    write(escapeHTML(x))
  File "../lib/python/web_support.py", line 242, in escapeHTML
    append(charToHTML[ord(ch)])
IndexError: list index out of range

Regards,
Salvatore
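
Added example, not part of the original report and not the tracker's own code: a table-indexed HTML escaper of the shape the traceback shows (`charToHTML[ord(ch)]`) fails on any code point past the end of its table, next to a bounded variant. The 256-entry table size and all names below are assumptions, since web_support.py itself is not shown in the report.

```python
# Added illustration; not the security-tracker's web_support.py.
# TABLE_SIZE and all function names here are assumptions for this example.
TABLE_SIZE = 256
SPECIAL = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def build_table(size):
    """Precompute the escaped form of every code point below `size`."""
    table = []
    for cp in range(size):
        ch = chr(cp)
        if ch in SPECIAL:
            table.append(SPECIAL[ch])
        elif cp < 32 and ch not in "\t\n\r":
            table.append("")  # drop control characters
        elif cp < 127:
            table.append(ch)
        else:
            table.append("&#%d;" % cp)  # numeric character reference
    return table


CHAR_TO_HTML = build_table(TABLE_SIZE)


def escape_html_table_only(text):
    """Same lookup shape as the traceback: no bounds check on ord(ch)."""
    return "".join(CHAR_TO_HTML[ord(ch)] for ch in text)


def escape_html_safe(text):
    """Bounded lookup; code points outside the table get a numeric reference."""
    out = []
    for ch in text:
        cp = ord(ch)
        if cp < len(CHAR_TO_HTML):
            out.append(CHAR_TO_HTML[cp])
        elif 0xD800 <= cp <= 0xDFFF:
            out.append("&#65533;")  # lone surrogate: emit U+FFFD instead
        else:
            out.append("&#%d;" % cp)
    return "".join(out)


# Constructed sample: fragment of the description quoted in the report.
SAMPLE = "intermediate build folder (by default \u201cobj\u201d)"

if __name__ == "__main__":
    print(escape_html_safe(SAMPLE))
```

The bounded variant still escapes markup characters, so untrusted description text is never written to the page unescaped.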
