Bug#555276: wesnoth: CVE-2007-2383 and CVE-2008-7720 proto..
Michael Gilbert

(Msg. 1) Posted: Sun Nov 08, 2009 7:20 pm
Post subject: Bug#555276: wesnoth: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
Archived from groups: linux>debian>bugs>dist

package: wesnoth
version: 1:1.6.5-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

sid: 1.6.0.1
lenny: N/A
etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected. If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code. If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performan...improve



--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Michael Gilbert

(Msg. 2) Posted: Mon Nov 09, 2009 3:20 pm
Post subject: Bug#555276: wesnoth: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities
Archived from groups: linux>debian>bugs>dist

On Mon, 9 Nov 2009 20:43:45 +0100, Gerfried Fuchs wrote:
> Can you please run your check also against packages from experimental -
> I am sure you will find at least wesnoth 1.7.6 also to be affected, I
> would expect.

yes, prototype.js is in the wesnoth 1.7.6 source package.

> Actually, the package doesn't really use it. It's used in the stats
> server which isn't shipped or enabled or used in the Debian packages. If
> you feel like removing it from the source tarball might gain us anything
> I can offer to do that, too.

this isn't necessary. as long as the problematic file is not included
in any binary package, then wesnoth can be considered not-affected, and
this bug can be safely closed. since there were so many of these
embeds, i did not have time to individually check to see what each
package was doing.

> [a] well, symlinking. I ship jquery and tablesorter. The former is
> available as a package but the latter is not. Given that the two have to go
> together I chose explicitly not to symlink jquery either.

this is definitely a problem. since a common version of jquery is
available, it should be used. as for tablesorter you have the option
of either packaging it separately or sticking with the embed (if other
packages use tablesorter, then a separate package should be preferred).

mike



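The mass-filing in the first message is a version comparison of embedded prototype.js copies against the two fix releases (1.5.1 for CVE-2007-2383, 1.6.0.2 for CVE-2008-7220), and the second message narrows "affected" to copies that actually land in a binary package. The script below is an added example that automates both checks; it is not part of the bug report or of the wesnoth packaging. It assumes prototype.js files carry their version either in the upstream banner comment ("Prototype JavaScript framework, version X") or in the `Version: 'X'` property, and it takes the set of shipped paths as a parameter (in practice you would feed it the file list of each binary package, e.g. from `dpkg -L`). The sample source tree is constructed inline so the script runs offline.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Affected ranges as stated in the bug report: each CVE affects prototype.js
# versions strictly below the listed fix release.
FIXED_IN = {
    "CVE-2007-2383": (1, 5, 1),
    "CVE-2008-7220": (1, 6, 0, 2),
}

# Version string in the upstream banner comment or in the `Version:` property.
# Header format is an assumption based on upstream prototype.js releases.
_VERSION_RE = re.compile(
    r"(?:Prototype JavaScript framework,\s*version\s*|Version:\s*['\"])"
    r"(\d+(?:\.\d+)+)"
)


def parse_version(text):
    """Return the version found in prototype.js source as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def version_lt(a, b):
    """Strict less-than on version tuples, zero-padded so 1.5 == 1.5.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def affected_cves(version):
    """CVEs from the report whose fix release is newer than this version."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version_lt(version, fixed))


def scan_tree(root, shipped_paths=frozenset()):
    """Find every prototype*.js under root and classify it.

    shipped_paths: relative paths (POSIX form) that end up in a binary package.
    A copy that is vulnerable but not shipped matches the "not-affected" case
    from the second message; it is reported so the maintainer can verify it.
    """
    root = Path(root)
    results = []
    for path in root.rglob("prototype*.js"):
        version = parse_version(path.read_text(errors="replace"))
        rel = path.relative_to(root).as_posix()
        cves = affected_cves(version) if version else []
        results.append({
            "path": rel,
            "version": ".".join(map(str, version)) if version else None,
            "cves": cves,
            "shipped": rel in shipped_paths,
            "affected": bool(cves) and rel in shipped_paths,
        })
    return sorted(results, key=lambda r: r["path"])


def demo():
    """Run the scan over a constructed source tree (sample data, not wesnoth's)."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "data/tools/stats").mkdir(parents=True)
        (root / "data/tools/stats/prototype.js").write_text(
            "/*  Prototype JavaScript framework, version 1.6.0.1\n */\n"
            "var Prototype = { Version: '1.6.0.1' };\n"
        )
        (root / "www").mkdir()
        (root / "www/prototype.js").write_text(
            "var Prototype = { Version: '1.6.0.2' };\n"
        )
        (root / "old").mkdir()
        (root / "old/prototype-1.4.0.js").write_text(
            "var Prototype = { Version: '1.4.0' };\n"
        )
        # Pretend only the www/ copy is installed by a binary package.
        return scan_tree(root, shipped_paths={"www/prototype.js"})


if __name__ == "__main__":
    for r in demo():
        print(r)
```

In the constructed tree the stats-server copy (1.6.0.1) is vulnerable to CVE-2008-7220 but not shipped, so it is flagged for review rather than counted as affected, which is the outcome the two messages arrive at for wesnoth; the 1.4.0 copy trips both CVEs; the 1.6.0.2 copy is clean even though it is shipped.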