* [Buildroot] [PATCH 1/1] package/janus-gateway: fix CVE-2021-4124
@ 2021-12-22 9:09 Fabrice Fontaine
2021-12-22 17:48 ` Peter Korsgaard
2022-01-23 19:41 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2021-12-22 9:09 UTC (permalink / raw)
To: buildroot; +Cc: Gregory Dymarek, Fabrice Fontaine
janus-gateway is vulnerable to Improper Neutralization of Input During
Web Page Generation ('Cross-site Scripting')
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
.../0004-Fixed-missing-XSS-mitigation.patch | 25 +++++++++++++++++++
package/janus-gateway/janus-gateway.mk | 3 +++
2 files changed, 28 insertions(+)
create mode 100644 package/janus-gateway/0004-Fixed-missing-XSS-mitigation.patch
diff --git a/package/janus-gateway/0004-Fixed-missing-XSS-mitigation.patch b/package/janus-gateway/0004-Fixed-missing-XSS-mitigation.patch
new file mode 100644
index 0000000000..e1e612133b
--- /dev/null
+++ b/package/janus-gateway/0004-Fixed-missing-XSS-mitigation.patch
@@ -0,0 +1,25 @@
+From f62bba6513ec840761f2434b93168106c7c65a3d Mon Sep 17 00:00:00 2001
+From: Lorenzo Miniero <lminiero@gmail.com>
+Date: Wed, 15 Dec 2021 14:10:01 +0100
+Subject: [PATCH] Fixed missing XSS mitigation (see #2817)
+
+[Retrieved from:
+https://github.com/meetecho/janus-gateway/commit/f62bba6513ec840761f2434b93168106c7c65a3d]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ html/textroomtest.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/html/textroomtest.js b/html/textroomtest.js
+index bf95a260a..7d5ae832c 100644
+--- a/html/textroomtest.js
++++ b/html/textroomtest.js
+@@ -351,7 +351,7 @@ function sendPrivateMsg(username) {
+ text: JSON.stringify(message),
+ error: function(reason) { bootbox.alert(reason); },
+ success: function() {
+- $('#chatroom').append('<p style="color: purple;">[' + getDateString() + '] <b>[whisper to ' + display + ']</b> ' + result);
++ $('#chatroom').append('<p style="color: purple;">[' + getDateString() + '] <b>[whisper to ' + display + ']</b> ' + escapeXmlTags(result));
+ $('#chatroom').get(0).scrollTop = $('#chatroom').get(0).scrollHeight;
+ }
+ });
diff --git a/package/janus-gateway/janus-gateway.mk b/package/janus-gateway/janus-gateway.mk
index 98e00aeeb8..83d28ff6c7 100644
--- a/package/janus-gateway/janus-gateway.mk
+++ b/package/janus-gateway/janus-gateway.mk
@@ -14,6 +14,9 @@ JANUS_GATEWAY_CPE_ID_PRODUCT = janus
# 0003-Fix-potential-Cross-site-Scripting-XSS-exploits-in-demos.patch
JANUS_GATEWAY_IGNORE_CVES += CVE-2021-4020
+# 0004-Fixed-missing-XSS-mitigation.patch
+JANUS_GATEWAY_IGNORE_CVES += CVE-2021-4124
+
# ding-libs provides the ini_config library
JANUS_GATEWAY_DEPENDENCIES = host-pkgconf jansson libnice \
libsrtp host-gengetopt libglib2 openssl libconfig \
--
2.33.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/janus-gateway: fix CVE-2021-4124
2021-12-22 9:09 [Buildroot] [PATCH 1/1] package/janus-gateway: fix CVE-2021-4124 Fabrice Fontaine
@ 2021-12-22 17:48 ` Peter Korsgaard
2022-01-23 19:41 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-12-22 17:48 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Gregory Dymarek, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> janus-gateway is vulnerable to Improper Neutralization of Input During
> Web Page Generation ('Cross-site Scripting')
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/janus-gateway: fix CVE-2021-4124
2021-12-22 9:09 [Buildroot] [PATCH 1/1] package/janus-gateway: fix CVE-2021-4124 Fabrice Fontaine
2021-12-22 17:48 ` Peter Korsgaard
@ 2022-01-23 19:41 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-01-23 19:41 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Gregory Dymarek, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> janus-gateway is vulnerable to Improper Neutralization of Input During
> Web Page Generation ('Cross-site Scripting')
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2021.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-01-23 19:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-22 9:09 [Buildroot] [PATCH 1/1] package/janus-gateway: fix CVE-2021-4124 Fabrice Fontaine
2021-12-22 17:48 ` Peter Korsgaard
2022-01-23 19:41 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.