[PKG-Openstack-devel] Bug#788306: Bug#788306: horizon: CVE-2015-3219: XSS in Horizon Heat stack creation

László Böszörményi (GCS) gcs at debian.org
Wed Jun 10 10:23:24 UTC 2015


On Wed, Jun 10, 2015 at 10:42 AM, Salvatore Bonaccorso
<carnil at debian.org> wrote:
> On Wed, Jun 10, 2015 at 09:10:56AM +0200, László Böszörményi (GCS) wrote:
>>  Just checked. The Wheezy version doesn't contain the vulnerable code
>> segment, but the Jessie version does. Mark the bug accordingly.
>> In case you may accept, I attach a debdiff for Jessie.
>
> Thanks for the quick follow-ups. Am I right that jessie though is not
> affected due to
> https://bugs.launchpad.net/horizon/+bug/1453074/comments/13
>
> The field help_text is always escaped already.
>
> Is that right?
 I think the correct answer would be 'it depends'. If you check the
presentation layer when that text is used as-is, then yes, it's escaped
there already. On the other hand, that text may be added in the code to
other variables that may not be escaped for the presentation tier. Then
the user may have customized his/her installation to use the mentioned
text without escaping. Last but not least, some plugin or other software
may also use that text without filtering. If I think about these cases,
then OpenStack may be vulnerable in other places where it can be harder
(but not impossible) to take advantage of this CVE.
In short, the comment you mention emphasizes this: "Juno - ASSUME that
help text is always safe:" (i.e., not 100% sure). That can be the reason
upstream has an update for Juno which was merged[1]:
Branch  stable/juno
Status  Merged

I say it's better to be on the safe side and maybe escape that string
twice than to have the risk of a vulnerability remaining in some use
cases. But of course, you are in the position to choose if a DSA is
issued or not.

Cheers,
Laszlo/GCS
[1] https://review.openstack.org/#/c/189821/
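The "it depends" argument above, as an added example that is not part of the original mail, of Horizon or of the Debian packaging. The template description, the two renderers and the check are constructed assumptions: a help_text built from an attacker-controlled Heat template description is harmless through a consumer that escapes on output, but goes through unchanged in a consumer that trusts it; escaping once when the value is built covers both paths, and escaping twice only yields visible `&amp;lt;` text.

```python
# Added example (not Horizon or Debian code): model of help_text escaping paths.
import html
import re

# Constructed sample: a Heat template parameter description under user control.
UNTRUSTED_DESCRIPTION = 'Volume size in GB <script>alert(1)</script>'

WRAP_OPEN, WRAP_CLOSE = '<span class="help">', '</span>'


def build_help_text(description: str, escape_at_source: bool) -> str:
    """Build a form field's help_text from the template parameter description.

    escape_at_source=True is the "escape once where the value is built" fix;
    False is the "ASSUME that help text is always safe" behaviour.
    """
    return html.escape(description) if escape_at_source else description


def render_escaping(help_text: str) -> str:
    """Presentation layer that always escapes (Django auto-escaping style)."""
    return f'{WRAP_OPEN}{html.escape(help_text)}{WRAP_CLOSE}'


def render_raw(help_text: str) -> str:
    """Secondary consumer (plugin, customized template) that trusts the value."""
    return f'{WRAP_OPEN}{help_text}{WRAP_CLOSE}'


def contains_active_markup(rendered: str) -> bool:
    """Detection check: does a live <script> tag survive inside the wrapper?"""
    inner = rendered[len(WRAP_OPEN):len(rendered) - len(WRAP_CLOSE)]
    return re.search(r'<script\b', inner, re.IGNORECASE) is not None


def evaluate(description: str = UNTRUSTED_DESCRIPTION) -> dict:
    """Run every (source escaping, renderer) combination; True means markup leaks."""
    results = {}
    for escape_at_source in (False, True):
        help_text = build_help_text(description, escape_at_source)
        for name, renderer in (('escaping', render_escaping), ('raw', render_raw)):
            results[(escape_at_source, name)] = contains_active_markup(renderer(help_text))
    return results


if __name__ == '__main__':
    for (escaped, renderer), leaks in evaluate().items():
        print(f'escape_at_source={escaped!s:5} renderer={renderer:9} leaks={leaks}')
    # Double escaping is ugly but inert: the browser shows the literal text.
    print(render_escaping(build_help_text(UNTRUSTED_DESCRIPTION, True)))
```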


