Olly Betts
2018-Jul-02 04:58 UTC
Incomplete HTML escaping by Xapian::MSet::snippet() (CVE-2018-0499)
Hi folks,

I spotted an HTML escaping bug in Xapian::MSet::snippet() while working on the code. This issue has been assigned CVE-2018-0499 (though currently there's no useful information on cve.mitre.org for it). I've added a wiki page for it here:

https://trac.xapian.org/wiki/SecurityFixes/2018-07-02

The intended behaviour is that the selected input text is escaped for use in HTML, but this wasn't happening in all cases and there's potential for an attacker who can feed documents into a system to inject HTML markup into results pages for some searches.

This method is wrapped for most of the language bindings, and also available in Omega via the $snippet{} command. Unless you're using static linking, fixing xapian-core will fix the bindings and Omega.

This will be fixed in xapian-core 1.4.6, which should be out later today. Xapian-core 1.4.5 and earlier are vulnerable (back to when this feature was added in development release 1.3.5; 1.2.x doesn't have this method, so isn't vulnerable).

You can apply this patch to fix the problem for vulnerable 1.4.x versions:

https://oligarchy.co.uk/xapian/patches/cve-2018-0499-mset-snippet-escaping.patch

The fix is not complex and the code this patch changes is only used by Xapian::MSet::snippet(), so it should be a safe fix (unless you're somehow relying on the missing escaping).

In order to gauge the likely impact, I looked at the sources of all Debian packages (using https://codesearch.debian.net) and was unable to find any that seemed vulnerable - the only ones which actually used this method seemed to be stripping HTML tags themselves beforehand. But obviously this can still affect user code so I'll be sorting out updates for this in Debian which add the patch above (and I'd encourage maintainers of packages in other distros to do the same).

Sorry about this. I try hard to ensure such bugs don't slip in, but clearly failed on this occasion.
Cheers,
Olly
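As an added illustration (not Xapian's code and not the patch above), here is a minimal snippet builder written to the contract the post describes, namely that every piece of document text is HTML-escaped while only the generator's own highlight markup is emitted raw, plus a check a deployment could run over its own snippet output to confirm no document markup leaks through. The highlight tags, the window selection and the sample document are assumptions made for the example.

```python
import html
import re

# Markup the snippet generator itself emits around matching terms (assumed).
HL_START, HL_END = "<b>", "</b>"


def make_snippet(text, terms, length=60):
    """Return an HTML fragment highlighting ``terms`` inside a window of ``text``.

    All document text (before, between and after highlights, and the matched
    words themselves) goes through html.escape, so markup stored in a document
    can never reach the results page unescaped.
    """
    if not terms:  # an empty pattern would match at every position
        return html.escape(text[:length], quote=True)
    pattern = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    first = pattern.search(text)
    # Centre the window on the first match; fall back to the start of the text.
    start = 0 if first is None else max(0, first.start() - length // 2)
    window = text[start:start + length]
    out, pos = [], 0
    for m in pattern.finditer(window):
        out.append(html.escape(window[pos:m.start()], quote=True))
        out.append(HL_START + html.escape(m.group(0), quote=True) + HL_END)
        pos = m.end()
    out.append(html.escape(window[pos:], quote=True))  # tail after the last match
    return "".join(out)


def only_expected_markup(snippet):
    """Check a produced snippet: after removing the highlight tags there must be
    no raw '<' or '>', and every '&' must begin an entity that html.escape
    produces. Returns False if document markup leaked through unescaped."""
    stripped = snippet.replace(HL_START, "").replace(HL_END, "")
    if "<" in stripped or ">" in stripped:
        return False
    return re.fullmatch(r"(?:[^&]|&(?:amp|lt|gt|quot|#x27);)*", stripped) is not None


if __name__ == "__main__":
    # Constructed sample document containing markup an attacker might store.
    doc = 'Release notes: <script>alert(1)</script> for "xapian" & friends'
    snippet = make_snippet(doc, ["xapian"], length=200)
    print(snippet)
    print("escaping intact:", only_expected_markup(snippet))
```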