[Buildroot] [PATCH 1/1] package/janus-gateway: fix CVE-2021-4124

[Buildroot] [PATCH 1/1] package/janus-gateway: fix CVE-2021-4124

[Fabrice Fontaine]

janus-gateway is vulnerable to Improper Neutralization of Input During
Web Page Generation ('Cross-site Scripting')

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 .../0004-Fixed-missing-XSS-mitigation.patch   | 25 +++++++++++++++++++
 package/janus-gateway/janus-gateway.mk        |  3 +++
 2 files changed, 28 insertions(+)
 create mode 100644 package/janus-gateway/0004-Fixed-missing-XSS-mitigation.patch

diff --git a/package/janus-gateway/0004-Fixed-missing-XSS-mitigation.patch b/package/janus-gateway/0004-Fixed-missing-XSS-mitigation.patch
new file mode 100644
index 0000000000..e1e612133b
--- /dev/null
+++ b/package/janus-gateway/0004-Fixed-missing-XSS-mitigation.patch
@@ -0,0 +1,25 @@
+From f62bba6513ec840761f2434b93168106c7c65a3d Mon Sep 17 00:00:00 2001
+From: Lorenzo Miniero <lminiero@gmail.com>
+Date: Wed, 15 Dec 2021 14:10:01 +0100
+Subject: [PATCH] Fixed missing XSS mitigation (see #2817)
+
+[Retrieved from:
+https://github.com/meetecho/janus-gateway/commit/f62bba6513ec840761f2434b93168106c7c65a3d]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ html/textroomtest.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/textroomtest.js b/html/textroomtest.js
+index bf95a260a..7d5ae832c 100644
+--- a/html/textroomtest.js
++++ b/html/textroomtest.js
+@@ -351,7 +351,7 @@ function sendPrivateMsg(username) {
+ 				text: JSON.stringify(message),
+ 				error: function(reason) { bootbox.alert(reason); },
+ 				success: function() {
+-					$('#chatroom').append('<p style="color: purple;">[' + getDateString() + '] <b>[whisper to ' + display + ']</b> ' + result);
++					$('#chatroom').append('<p style="color: purple;">[' + getDateString() + '] <b>[whisper to ' + display + ']</b> ' + escapeXmlTags(result));
+ 					$('#chatroom').get(0).scrollTop = $('#chatroom').get(0).scrollHeight;
+ 				}
+ 			});
diff --git a/package/janus-gateway/janus-gateway.mk b/package/janus-gateway/janus-gateway.mk
index 98e00aeeb8..83d28ff6c7 100644
--- a/package/janus-gateway/janus-gateway.mk
+++ b/package/janus-gateway/janus-gateway.mk
@@ -14,6 +14,9 @@ JANUS_GATEWAY_CPE_ID_PRODUCT = janus
 # 0003-Fix-potential-Cross-site-Scripting-XSS-exploits-in-demos.patch
 JANUS_GATEWAY_IGNORE_CVES += CVE-2021-4020
 
+# 0004-Fixed-missing-XSS-mitigation.patch
+JANUS_GATEWAY_IGNORE_CVES += CVE-2021-4124
+
 # ding-libs provides the ini_config library
 JANUS_GATEWAY_DEPENDENCIES = host-pkgconf jansson libnice \
 	libsrtp host-gengetopt libglib2 openssl libconfig \
-- 
2.33.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/janus-gateway: fix CVE-2021-4124

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > janus-gateway is vulnerable to Improper Neutralization of Input During
 > Web Page Generation ('Cross-site Scripting')

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/janus-gateway: fix CVE-2021-4124

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > janus-gateway is vulnerable to Improper Neutralization of Input During
 > Web Page Generation ('Cross-site Scripting')

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x and 2021.11.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot