Hi, attached is a patch for an NMU which fixes these issues. It will also be archived at: http://people.debian.org/~nion/nmu-diff/libjfreechart-java-1.0.8-1_1.0.8-1.1.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u libjfreechart-java-1.0.8/debian/changelog libjfreechart-java-1.0.8/debian/changelog
--- libjfreechart-java-1.0.8/debian/changelog
+++ libjfreechart-java-1.0.8/debian/changelog
@@ -1,3 +1,13 @@
+libjfreechart-java (1.0.8-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by security team.
+ * This update fixes the following security issue:
+ - Multiple cross-site scripting vulnerabilities in the image map
+ feature allow remote attackers to inject arbitrary web script
+ or HTML via several attributes (CVE-2007-6306; Closes: #456148).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sat, 22 Dec 2007 16:04:32 +0100
+
libjfreechart-java (1.0.8-1) unstable; urgency=low
* New upstream release.
only in patch2:
unchanged:
--- libjfreechart-java-1.0.8.orig/source/org/jfree/chart/entity/ChartEntity.java
+++ libjfreechart-java-1.0.8/source/org/jfree/chart/entity/ChartEntity.java
@@ -76,6 +76,7 @@
import java.io.Serializable;
import org.jfree.chart.HashUtilities;
+import org.jfree.chart.imagemap.ImageMapUtilities;
import org.jfree.chart.imagemap.ToolTipTagFragmentGenerator;
import org.jfree.chart.imagemap.URLTagFragmentGenerator;
import org.jfree.io.SerialUtilities;
@@ -316,11 +317,11 @@
+ getShapeCoords() + "\"");
if (hasToolTip) {
tag.append(toolTipTagFragmentGenerator.generateToolTipFragment(
- this.toolTipText));
+ ImageMapUtilities.htmlEscape(this.toolTipText)));
}
if (hasURL) {
tag.append(urlTagFragmentGenerator.generateURLFragment(
- this.urlText));
+ ImageMapUtilities.htmlEscape(this.urlText)));
}
// if there is a tool tip, we expect it to generate the title and
// alt values, so we only add an empty alt if there is no tooltip
only in patch2:
unchanged:
--- libjfreechart-java-1.0.8.orig/source/org/jfree/chart/imagemap/ImageMapUtilities.java
+++ libjfreechart-java-1.0.8/source/org/jfree/chart/imagemap/ImageMapUtilities.java
@@ -171,7 +171,7 @@
URLTagFragmentGenerator urlTagFragmentGenerator) {
StringBuffer sb = new StringBuffer();
- sb.append("<map id=\"" + name + "\" name=\"" + name + "\">");
+ sb.append("<map id=\"" + htmlEscape(name) + "\" name=\"" + htmlEscape(name) + "\">");
sb.append(StringUtils.getLineSeparator());
EntityCollection entities = info.getEntityCollection();
if (entities != null) {
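Review bot: `htmlEscape(name)` throws IllegalArgumentException for a null `name`, where the old concatenation silently emitted the text "null", so the changed line alters the method's contract without documenting it. I would escape once and reuse the result, `String safeName = htmlEscape(name);` followed by `sb.append("<map id=\"" + safeName + "\" name=\"" + safeName + "\">");`, and note in the Javadoc for the `name` parameter that null is not permitted. The method's signature and the rest of its body lie outside the hunk.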
@@ -191,8 +191,49 @@
}
}
sb.append("</map>");
- return sb.toString();
-
- }
+ return sb.toString();
+ }
+ /**
+ * Returns a string that is equivalent to the input string, but with
+ * special characters converted to HTML escape sequences.
+ *
+ * @param input the string to escape (<code>null</code> not permitted).
+ *
+ * @return A string with characters escaped.
+ *
+ * @since 1.0.9
+ */
+ public static String htmlEscape(String input) {
+ if (input == null) {
+ throw new IllegalArgumentException("Null 'input' argument.");
+ }
+ StringBuffer result = new StringBuffer();
+ int length = input.length();
+ for (int i = 0; i < length; i++) {
+ char c = input.charAt(i);
+ if (c == '&') {
+ result.append("&");
+ }
+ else if (c == '\"') {
+ result.append(""");
+ }
+ else if (c == '<') {
+ result.append("<");
+ }
+ else if (c == '>') {
+ result.append(">");
+ }
+ else if (c == '\'') {
+ result.append("'");
+ }
+ else if (c == '\\') {
+ result.append("\");
+ }
+ else {
+ result.append(c);
+ }
+ }
+ return result.toString();
+ }
}
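Review bot: As this page shows them, the `result.append(...)` arguments in `htmlEscape` are the raw characters (`"&"`, `"<"`, `">"`) rather than entities, and the double-quote and backslash branches are not valid Java string literals. This looks like the archive rendering decoded the entities, so the method should be checked against the original patch file and not this listing. Each branch has to append the entity form, e.g. `result.append("&amp;");` and `result.append("&lt;");`, otherwise the method returns its input unchanged and the escaping added elsewhere in this patch does nothing. A small regression test asserting that an input containing `<`, `>`, `&`, `"` and `'` comes back with none of those characters literal would catch that. The tail of `getImageMap` at the top of the hunk starts outside it.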

