oss-sec mailing list archives

CVE Request -- php-geshi / GeSHi (1.0.8.11): Remote directory traversal and information disclosure in the cssgen contrib module (plus possibly XSS, but it needs upstream to confirm)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 21 Aug 2012 11:05:02 -0400 (EDT)

Hello Kurt, Steve, Ben, Nigel, vendors,

  Issue #A:
  ---------
  Directory traversal and information disclosure
  (local file inclusion) flaws were found in the way the cssgen
  contrib module (an application to generate custom CSS files)
  of GeSHi, a generic syntax highlighter, performed sanitization
  of the 'geshi-path' and 'geshi-lang-path' HTTP GET / POST variables.
  A remote attacker could provide a specially-crafted URL that,
  when visited, could lead to local file system traversal or,
  potentially, the ability to read the content of any local file
  accessible with the privileges of the user running the webserver.

  References:
  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685324
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=850425

  Upstream patch:
  [3] http://geshi.svn.sourceforge.net/viewvc/geshi?view=revision&revision=2507

  Issue #B:
  ---------
  Then there is a report about a non-persistent XSS flaw that has been
  fixed in the contrib module of the 1.0.8.11 version too:
  [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685323

  but I was unable to find the relevant upstream patch (and the above Debian BTS
  entry doesn't contain further information either, which could be acted upon).

  Thus I am Cc-ing GeSHi upstream on this post to shed light on the XSS flaw [4].
  
  Ben, Nigel, could you please clarify what the relevant upstream patch was for the
  Debian BTS#685323 / Non-persistent XSS vulnerability in contrib script [4] issue?
  Thank you for that, Jan.

Kurt, once the second issue is clarified, could you allocate CVE ids for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
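The mitigation for Issue #A is to refuse any 'geshi-path' / 'geshi-lang-path' value that resolves outside the directory the script expects. The following is an added illustration of that check and is not the upstream fix (r2507) nor code from GeSHi; the base directory, the `confine_path()` helper and the sample inputs are constructed for the example.

```php
<?php
// Added example: confine a user-supplied path parameter to a fixed base
// directory before it is used in an include. Not GeSHi's own code.

/**
 * Return the canonical path of $input below $base, or null when the
 * value is empty, contains a NUL byte, does not exist, or escapes $base.
 */
function confine_path($base, $input) {
    if (!is_string($input) || $input === '' || strpos($input, "\0") !== false) {
        return null;                                  // empty or NUL-byte value
    }
    $real_base = realpath($base);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $input);
    if ($real_base === false || $candidate === false) {
        return null;                                  // base or target missing
    }
    // Compare against base plus separator so a sibling directory that merely
    // shares the prefix (e.g. ".../geshi-demo-other") is not accepted.
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $real_base && strpos($candidate, $prefix) !== 0) {
        return null;                                  // traversal out of base
    }
    return is_dir($candidate) ? $candidate : null;    // only directories allowed
}

// Constructed stand-in for the GeSHi install directory, created on the fly.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'geshi-demo';
@mkdir($base . DIRECTORY_SEPARATOR . 'geshi', 0700, true);

// Constructed inputs: the first two are legitimate, the rest must be refused.
$inputs = array(
    'geshi',                 // accepted: subdirectory of the base
    '.',                     // accepted: the base itself
    '../../../../etc',       // rejected: classic traversal
    'geshi/../..',           // rejected: traversal via a valid subdirectory
    "geshi\0ignored",        // rejected: NUL byte
);
foreach ($inputs as $in) {
    $out = confine_path($base, $in);
    printf("%-25s -> %s\n", var_export($in, true), $out === null ? 'REJECTED' : $out);
}
```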
