[Pkg-freevo-maint] Bug#684232: feedparser code embedded in freevo and possibly may be out of date and vulnerable

Silvio Cesare silvio.cesare at gmail.com
Wed Aug 8 00:07:45 UTC 2012


Package: freevo
Severity: important
Tags: security

I have been working on a tool called Clonewise to automatically identify
embedded code copies in Debian packages and determine if they are out of
date and vulnerable. Ideally, embedding code and libraries should be
avoided and a system wide library should be used instead.

I recently ran the tool on Debian 6 stable. The results are here at
http://www.foocodechu.com/downloads/Clonewise-report.txt

The freevo package reported potential issues appended to this message.

Apologies if these are false positives. Your help in advising me on whether
these issues are real will help me improve the analysis for the future.

--
Silvio Cesare
Deakin University

### Summary:
###

feedparser CLONED_IN_SOURCE freevo <unfixed> CVE-2011-1156
feedparser CLONED_IN_SOURCE freevo <unfixed> CVE-2011-1157
feedparser CLONED_IN_SOURCE freevo <unfixed> CVE-2011-1158

### Reports by package:
###

# Package freevo may be vulnerable to the following issues:
#
	CVE-2011-1156
	CVE-2011-1157
	CVE-2011-1158


# SUMMARY: feedparser.py in Universal Feed Parser (aka feedparser or
python-feedparser) before 5.0.1 allows remote attackers to cause a
denial of service (application crash) via a malformed DOCTYPE
declaration.
#

# CVE-2011-1156 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
#	feedparser.py
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

feedparser CLONED_IN_SOURCE freevo <unfixed> CVE-2011-1156


# SUMMARY: Cross-site scripting (XSS) vulnerability in feedparser.py
in Universal Feed Parser (aka feedparser or python-feedparser) 5.x
before 5.0.1 allows remote attackers to inject arbitrary web script or
HTML via malformed XML comments.
#

# CVE-2011-1157 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
#	feedparser.py
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

feedparser CLONED_IN_SOURCE freevo <unfixed> CVE-2011-1157


# SUMMARY: Cross-site scripting (XSS) vulnerability in feedparser.py
in Universal Feed Parser (aka feedparser or python-feedparser) 5.x
before 5.0.1 allows remote attackers to inject arbitrary web script or
HTML via an unexpected URI scheme, as demonstrated by a javascript:
URI.
#

# CVE-2011-1158 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
#	feedparser.py
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

feedparser CLONED_IN_SOURCE freevo <unfixed> CVE-2011-1158
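As an added defender's check (not part of this report and not Clonewise's own code), the script below walks a source tree for embedded copies of feedparser.py and compares each copy's version with 5.0.1, the release the summaries above name as fixing CVE-2011-1156, CVE-2011-1157 and CVE-2011-1158. It assumes the embedded copy carries a module-level `__version__ = "..."` line; the sample tree it builds is constructed for the dry run, not real package contents.

```python
"""Find embedded copies of feedparser.py under a source tree and flag those
older than 5.0.1 (the release that fixed CVE-2011-1156/1157/1158)."""
import os
import re
import tempfile

FIXED_VERSION = (5, 0, 1)
# Assumption: the embedded copy carries a module-level __version__ line.
VERSION_RE = re.compile(r'^__version__\s*=\s*["\']([^"\']+)["\']', re.M)

def parse_version(text):
    """Return "5.0.1" / "4.1" / "5.1.3-dev" as a tuple of ints, else None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    nums = re.match(r'\d+(?:\.\d+)*', m.group(1))
    return tuple(int(p) for p in nums.group(0).split('.')) if nums else None

def classify(version):
    """Tuple comparison handles mixed lengths: (4, 1) < (5, 0) < (5, 0, 1)."""
    if version is None:
        return 'unknown'   # no version string: needs manual review
    return 'outdated' if version < FIXED_VERSION else 'current'

def scan_tree(root):
    """Return sorted (relative path, version tuple, status) for each copy."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if 'feedparser.py' not in filenames:
            continue
        path = os.path.join(dirpath, 'feedparser.py')
        with open(path, encoding='utf-8', errors='replace') as fh:
            version = parse_version(fh.read())
        findings.append((os.path.relpath(path, root), version, classify(version)))
    return sorted(findings)

def build_sample_tree():
    """Constructed stand-in tree (not real package contents) for a dry run."""
    root = tempfile.mkdtemp(prefix='embedded-copy-demo-')
    samples = {
        'freevo/src/helpers/feedparser.py': '__version__ = "4.1"\n',
        'other/vendor/feedparser.py': "__version__ = '5.0.1'\n",
        'unrelated/parser.py': '__version__ = "1.0"\n',   # not a feedparser copy
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='utf-8') as fh:
            fh.write('# constructed stub, not feedparser code\n' + body)
    return root
```

Run `scan_tree('/path/to/unpacked/source')` against a real package tree; a copy reported as `unknown` has no recognisable version line and should be diffed against upstream by hand.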