Incomplete HTML escaping by Xapian::MSet::snippet() (CVE-2018-0499)

Olly Betts olly at survex.com
Mon Jul 2 05:58:13 BST 2018


Hi folks,

I spotted an HTML escaping bug in Xapian::MSet::snippet() while working
on the code.  This issue has been assigned CVE-2018-0499 (though
currently there's no useful information on cve.mitre.org for it).  I've
added a wiki page for it here:

https://trac.xapian.org/wiki/SecurityFixes/2018-07-02

The intended behaviour is that the selected input text is escaped for
use in HTML, but this wasn't happening in all cases and there's
potential for an attacker who can feed documents into a system to inject
HTML markup into results pages for some searches.
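As an added illustration (this is not code from the advisory or from Xapian itself), the following Python model shows the intended behaviour: every run of document text, inside and outside the highlighted terms, is HTML-escaped before the caller's highlight markup is wrapped around it, and a small check then confirms that a produced snippet carries no markup beyond those markers. The sample document, the builder functions and the check are all constructed here; the partial-escaping variant is only a contrast case for the check and does not reproduce the actual Xapian code path.

```python
import html
import re

# Constructed sample document (not from the advisory): it contains markup and
# characters that must never reach a results page unescaped.
SAMPLE_DOC = 'Xapian search <script>alert(1)</script> & "snippet" demo text'


def _select_window(text, first_match, length):
    """Pick a window of at most `length` characters around the first match.
    Returns (window_text, omitted_before, omitted_after)."""
    if len(text) <= length:
        return text, False, False
    start = max(0, first_match - length // 2)
    end = start + length
    if end > len(text):
        end = len(text)
        start = end - length
    return text[start:end], start > 0, end < len(text)


def make_snippet(text, terms, length=40, hi_start="<b>", hi_end="</b>", omit="..."):
    """Hardened snippet builder (hypothetical, not Xapian's implementation):
    every piece of document text, whether or not it is a highlighted term,
    passes through html.escape() before any markup is added around it."""
    pattern = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    first = pattern.search(text)
    window, lead, trail = _select_window(text, first.start() if first else 0, length)
    parts = []
    if lead:
        parts.append(omit)
    pos = 0
    for m in pattern.finditer(window):
        parts.append(html.escape(window[pos:m.start()]))      # text between matches
        parts.append(hi_start + html.escape(m.group(0)) + hi_end)  # the match itself
        pos = m.end()
    parts.append(html.escape(window[pos:]))                   # trailing text
    if trail:
        parts.append(omit)
    return "".join(parts)


def make_snippet_partial(text, terms, hi_start="<b>", hi_end="</b>"):
    """Constructed contrast case only (NOT the actual Xapian defect): escapes
    the highlighted terms but leaves the surrounding document text raw."""
    pattern = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    return pattern.sub(lambda m: hi_start + html.escape(m.group(0)) + hi_end, text)


# A well-formed character reference: &name; &#123; or &#x7b;
_ENTITY = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def snippet_is_safe(snippet, hi_start="<b>", hi_end="</b>", omit="..."):
    """Regression check for snippet output: after removing the caller-supplied
    markers, no raw '<' or '>' may remain and every '&' must start a
    well-formed character reference. Feed it the result of a real snippet()
    call with the same hi_start/hi_end/omit values you passed in."""
    stripped = snippet.replace(hi_start, "").replace(hi_end, "").replace(omit, "")
    if "<" in stripped or ">" in stripped:
        return False
    return "&" not in _ENTITY.sub("", stripped)


if __name__ == "__main__":
    good = make_snippet(SAMPLE_DOC, ["snippet"])
    bad = make_snippet_partial(SAMPLE_DOC, ["snippet"])
    print("hardened:", good, "safe:", snippet_is_safe(good))
    print("partial: ", bad, "safe:", snippet_is_safe(bad))
```

The check is deliberately conservative: it treats any raw angle bracket outside the supplied markers as a failure, so it cannot tell a genuine `<b>` in document text from the highlight marker; that is acceptable for a regression test whose purpose is to flag output that still contains unescaped document markup.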

This method is wrapped for most of the language bindings, and also
available in Omega via the $snippet{} command.  Unless you're using
static linking, fixing xapian-core will fix the bindings and Omega.

This will be fixed in xapian-core 1.4.6, which should be out later today.

Xapian-core 1.4.5 and earlier are vulnerable (back to when this feature
was added in development release 1.3.5; 1.2.x doesn't have this method,
so isn't vulnerable).  You can apply this patch to fix the problem for
vulnerable 1.4.x versions:

https://oligarchy.co.uk/xapian/patches/cve-2018-0499-mset-snippet-escaping.patch

The fix is not complex and the code this patch changes is only used by
Xapian::MSet::snippet(), so it should be a safe fix (unless you're
somehow relying on the missing escaping).

In order to gauge the likely impact, I looked at the sources of all
Debian packages (using https://codesearch.debian.net) and was unable to
find any that seemed vulnerable - the only ones which actually used this
method seemed to be stripping HTML tags themselves beforehand.  But
obviously this can still affect user code so I'll be sorting out updates
for this in Debian which add the patch above (and I'd encourage
maintainers of packages in other distros to do the same).

Sorry about this.  I try hard to ensure such bugs don't slip in, but
clearly failed on this occasion.

Cheers,
    Olly