[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-10-04 Thread Heather Lemon
We've decided to drop this issue while testing for the vulnerability and
was unable to recreate the issue. The product team is also not willing
to update the package on the basis that there is no way to exploit the
vulnerability within Horizon.

If we do find an exploit we would be happy to repopen the issue.

** Changed in: python-xstatic-bootstrap-scss (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-09-10 Thread Heather Lemon
Hello,

I've made several attempts at exploiting the XSS in horizon without the updated 
version. 
I will attach a video for one of those attempts. To me this seems like horizon 
it's using the scanned code at all, unless I've missed something so this could 
be a false positive in my opinion. 

Thank You,
Heather Lemon

** Attachment added: "xsshorizon-2021-09-10_11.30.01"
   
https://bugs.launchpad.net/horizon/+bug/1940450/+attachment/5524434/+files/xsshorizon-2021-09-10_11.30.01

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-09-10 Thread Heather Lemon
Oh please use VLC to see video ;)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-09-10 Thread Heather Lemon
Hello,

I've made several attempts at exploiting the XSS in horizon without the updated 
version. 
I will attach a video for one of those attempts. To me this seems like horizon 
it's using the scanned code at all, unless I've missed something so this could 
be a false positive in my opinion. 

Thank You,
Heather Lemon

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-09-01 Thread Heather Lemon
I take back my earlier comment, backporting the commit from upstream 
https://github.com/twbs/bootstrap/pull/28236/commits/5efa9b531d25927b907e3fa24b818608bc38a2f0
 
to both bionic and then xenial(if supported) with debian/changelog etc added is 
the correct way.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-09-01 Thread Corey Bryant
For the Ubuntu horizon package, we vendor in the xstatic files (see
debian/README.source). So this could be as simple as refreshing the
xstatic files.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-09-01 Thread Heather Lemon
** Tags added: cloud-archive

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-09-01 Thread Heather Lemon
Yes, it's sufficient to upgrade the requirements.txt because it does not
require code changes, but package upgrades. The debian/changelog does
not track the requirements.txt file changes but need to be done
manually. I'll try adding a patch this week.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-09-01 Thread Heather Lemon
Attached screenshot showing difference between Bootstrap versions with
missing sanitize functions

** Attachment added: "Screenshot from 2021-08-23 15-55-14.png"
   
https://bugs.launchpad.net/horizon/+bug/1940450/+attachment/5522304/+files/Screenshot%20from%202021-08-23%2015-55-14.png

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-08-27 Thread Seth Arnold
The security team doesn't update cloud-archive packages, just Ubuntu
archive packages.

Is it really sufficient to modify just the requirements.txt file in the
git tree? I'm accustomed to seeing debian/changelog changes,
debian/patches/ changes, etc., but I've never done any of the git-based
packaging before.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-08-27 Thread Heather Lemon
Upgrading the package to the fixed version shows the sanitize functions
like "sanitizeHtml" in
~/horizon/xstatic/pkg/bootstrap_scss/data/js/bootstrap.js, however since
this is a security fix, I'll have to let the security team handle it.

test branch with package upgrades
https://code.launchpad.net/~hypothetical-lemon/+git/horizon/+ref/lp1940450-cve-2019-8331

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-08-26 Thread Heather Lemon
** Tags added: horizon-core

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-08-25 Thread Radomir Dopieralski
Your conclusions from #7 are all correct. It's up to the Ubuntu
packagers to upgrade the relevant package to a version that is not
affected.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-08-25 Thread Jeremy Stanley
I too am entirely out of my comfort zone with Javascript, so my level of
certainty is low, based solely on the text of CVE-2019-8331 which says
(all?) Bootstrap versions prior to 3.4.1 are affected. I also did not
check the rdepends for python3-xstatic-bootstrap-scss in Ubuntu and
perhaps incorrectly assumed it might be used by more packages or by
unpackaged software on people's systems.

I'll continue trying to get one of the Horizon developers to provide
input on this report... I am but a humble vulnerability coordinator in
this particular case, far from being a subject matter expert on the
software.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

2021-08-24 Thread Seth Arnold
I inspected some of the python3-xstatic-bootstrap-scss package:

./python-xstatic-bootstrap-
scss_3.3.7.1-5/xstatic/pkg/bootstrap_scss/data/js/bootstrap/tooltip.js

While the header sure looks related, I couldn't find *any* hints that
the patch from
https://github.com/twbs/bootstrap/pull/28236/commits/5efa9b531d25927b907e3fa24b818608bc38a2f0
is remotely related. If they are related, that file has changed pretty
drastically in the meantime.

Jeremy, can I ask, how confident you are that that package contains a
version of the bootstrap tooltips that needs to be updated to address
this flaw? (I only found one user of this package, python3-vitrage-
dashboard -- with just one user, it might also justify a similar "is
this even an issue?" sort of check.)

Thanks

** Also affects: python-xstatic-bootstrap-scss (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: horizon (Ubuntu)
   Importance: Undecided
   Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs