Hi Alan, Sorry for the delay, very busy days here...
The vulnerability was originally reported in the Sage bugzilla mailing list, and here you can find the link: https://www.mozdev.org/bugs/show_bug.cgi?id=20610 and here is the security report detailing the bug: https://www.mozdev.org/bugs/attachment.cgi?id=5749

I have tried to follow up with the author, but still today I haven't got any response, as you can see from the thread. Recently we have been contacted by another guy, Dave Schaefer, who joined the thread above and who is willing to fix the bug. My suggestion would be to touch base with Dave and then work together to fix the issue. I am not sure about the author and his current involvement with the extension code.

Regarding your questions:

Q: Is this a regression of the 2006 vulnerability [4]?

I am not sure about the vulnerability in 2006. What I know is that, according to the Sage author, Peter Andrews, the '2006' bug was fixed and resolved. That is also reported in this thread: https://www.mozdev.org/bugs/show_bug.cgi?id=15101 So the current bug is a new bug, as far as I can tell. Also, I can't access the PoC of the vulnerability in 2006, which should be available here: https://www.gnucitizen.org/static/blog/2006/09/sage-feed-poc.xml so I am not sure where the "injection" point was.

Q: Are there more problems I should be aware of besides that?

Potentially, there might be other input-validation issues.

Q: How would you suggest dealing with this?

My suggestion would be to render untrusted content in about:blank instead of a window with chrome privileges. A second recommendation would be to filter input based on a whitelist and escape output as well. Some extension developers suggest the use of the nsIScriptableUnescapeHTML.parseFragment() function to perform input validation. However, some other developers do not agree with that. I am not an extension developer, so I am not able to tell you if you can just rely on that function.
Another recommendation would be to have a look at other RSS readers and see how they handle the feeds, in which location, and what type of filtering they perform.

My 2 cents,
Roberto

Alan Woodland wrote:
> Hi,
>
> For my sins I'm the maintainer of the Debian package of Sage. I'm
> looking at fixing the security bug that was recently reported [1].
> Both of your names were mentioned in [2] as reporting the bug.
>
> I'm looking to either prepare my own patch, in which a test case and
> some advice would be extremely helpful, or ideally verify and apply an
> existing patch. I've read through the two sets of slides at [3], but
> there doesn't seem to be much detail on the actual exploit or a test
> case. There are some references online to 'the author [of sage] being
> made aware of patches', but nothing public that I can find.
>
> Q: Is this a regression of the 2006 vulnerability [4]? Are there more
> problems I should be aware of besides that?
> Q: How would you suggest dealing with this?
>
> Thanks,
> Alan
>
> P.S. If you want to discuss this privately I can send/receive PGP
> encrypted mails to my @debian.org address using the key in the Debian
> keyring.
>
> [1] http://bugs.debian.org/559267
> [2] http://www.securityfocus.com/bid/37120
> [3] http://malerisch.net/docs/security_docs.html
> [4] http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/
>

-- 
Roberto Suggi Liverani
Senior Security Consultant
Mob. +64 21 928 780
www.security-assessment.com
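The "filter input based on a whitelist and escape output" recommendation in Roberto's reply, as an added example that is not code from Sage, from any Sage patch, or from either participant in the thread: a small allowlist sanitizer for the HTML carried in feed items, written in plain JavaScript so it runs under Node.js rather than against Firefox's XPCOM (it does not use nsIScriptableUnescapeHTML.parseFragment()). The tag and attribute allowlists, the href pattern and the sample feed description are all assumptions chosen for the demonstration. The stronger fix he names first, rendering the feed in an about:blank content window instead of a chrome-privileged one, is a privilege decision this code does not replace; the sanitizer is the second layer, and its design rule is that anything not explicitly allowed is dropped (tags, attributes) or escaped (text).

```javascript
// Allowlist-based sanitizer for HTML in feed items (added example, not Sage code).
// Everything not explicitly allowed is dropped (tags, attributes) or escaped
// (text), so markup in a hostile feed cannot become script in the reader's page.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br",
                              "ul", "ol", "li", "blockquote", "code", "pre"]);
// Per-tag attribute allowlist (assumed set); the value must match to survive.
// href is kept only as an absolute http(s) URL containing no quote, angle
// bracket or whitespace, so it can be emitted inside double quotes verbatim.
const ALLOWED_ATTRS = { a: { href: /^https?:\/\/[^\s"'<>]*$/i } };
const VOID_TAGS = new Set(["br"]);
// Tags whose entire content is discarded, not just the tag itself.
const DROP_WITH_CONTENT = new Set(["script", "style"]);

// A tag with optional attributes (quoted or bare values) and optional "/".
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Escape for a text node or a double-quoted attribute value (use this for
// feed titles, which never need markup at all).
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

function sanitizeFeedHtml(html) {
  let out = "";
  let last = 0;        // end of the last consumed tag
  const open = [];     // stack of emitted open tags, so output stays balanced
  for (const m of html.matchAll(TAG_RE)) {
    if (m.index < last) continue;            // inside dropped script/style content
    out += escapeHtml(html.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!closing && DROP_WITH_CONTENT.has(name)) {
      // Skip to the matching close tag; it is matched next and dropped too.
      const endRe = new RegExp("</" + name + "\\s*>", "ig");
      endRe.lastIndex = last;
      const end = endRe.exec(html);
      last = end ? end.index : html.length;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;   // unknown tag dropped, text around it kept
    if (closing) {
      const i = open.lastIndexOf(name);
      if (i === -1) continue;                // stray close tag
      while (open.length > i) out += "</" + open.pop() + ">";
      continue;
    }
    let attrs = "";
    const allowed = ALLOWED_ATTRS[name] || {};
    for (const a of m[3].matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (allowed[attrName] && allowed[attrName].test(value)) {
        attrs += " " + attrName + '="' + value + '"';  // pattern forbids " < > and whitespace
      }
    }
    out += "<" + name + attrs + ">";
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  out += escapeHtml(html.slice(last));
  while (open.length) out += "</" + open.pop() + ">";
  return out;
}

// Constructed feed description (not a real feed) carrying the usual payloads:
// an event-handler attribute, inline script, an onerror image, a javascript: link.
const SAMPLE_DESCRIPTION =
  'Breaking <b onmouseover="steal()">news</b>: ' +
  '<script>alert(document.cookie)</script>' +
  '<img src=x onerror="alert(1)">' +
  '<a href="javascript:alert(2)">click</a> ' +
  '<a href="http://example.com/?a=1&b=2" target="_blank">safe</a> 1 < 2 & 3 > 2';

console.log(sanitizeFeedHtml(SAMPLE_DESCRIPTION));
```

Run with `node sanitize.js`; the sample above comes out as `Breaking <b>news</b>: <a>click</a> <a href="http://example.com/?a=1&b=2">safe</a> 1 &lt; 2 &amp; 3 &gt; 2`. The point to notice is the default direction: a tag the sanitizer does not recognise is not passed through "because it looked harmless", it is removed, and bare `<` and `&` in prose are escaped rather than handed to the HTML parser. Even with this in place, the output should be inserted into a content-privileged document, never a chrome one, because a sanitizer bug in chrome context is still a full compromise.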