please accept blosxom 2.0-14+etch1 into stable
Hi!
Please find attached my proposed interdiff that I would like to get
incorporated into the next stable point release. The two bugs both have
security impact but are too low to warrant a security advisory.
Nevertheless it would be pretty nice to have them fixed for stable
anyway.
The second part of the patch (about $flavour) is just the same as how it
was fixed in unstable and by upstream; the first part of the patch
(about param("-f") handling) was done just for stable because the way it
was fixed in the lenny/unstable version would be too intrusive and would
change the way the script works, so it's not acceptable for a stable
update.
Thanks in advance; I will upload only after a positive reply.
Rhonda
diff -u blosxom-2.0/blosxom.cgi blosxom-2.0/blosxom.cgi
--- blosxom-2.0/blosxom.cgi
+++ blosxom-2.0/blosxom.cgi
@@ -66,7 +66,12 @@
## On Debian GNU/Linux systems, read configuration files (if found)
## Dirk Eddelbuettel <edd@debian.org>
-for $rcfile ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf", param("-f")) {
+my @conffiles = ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf");
+
+# only use param("-f") if GATEWAY_INTERFACE isn't set, Debian BTS #423441
+push @conffiles, param("-f") unless $ENV{GATEWAY_INTERFACE};
+
+for $rcfile (@conffiles) {
if (-r $rcfile) {
open (RC, "< $rcfile") or die "Cannot open $rcfile: $!";
while (<RC>) {
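Review bot: `push @conffiles, param("-f") unless $ENV{GATEWAY_INTERFACE};` still pushes `undef` onto `@conffiles` when the script is run from the command line without `-f`, and the following `-r $rcfile` then operates on an undefined value (a warning under `-w`). This was already the case with the old `for` list, but since the line is being touched anyway, guarding on the parameter being present is cheap: `push @conffiles, param("-f") if !$ENV{GATEWAY_INTERFACE} && defined param("-f");`. Using `GATEWAY_INTERFACE` to tell a CGI invocation from a command-line one is reasonable here, as every CGI gateway sets it, and the BTS reference in the comment is useful for later readers.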
@@ -131,6 +136,23 @@
$flavour = param('flav') || $default_flavour;
}
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+ my $string = shift;
+ my %escape = (
+ '<' => '<',
+ '>' => '>',
+ '&' => '&',
+ '"' => '"',
+ "'" => '''
+ );
+ my $escape_re = join '|' => keys %escape;
+ $string =~ s/($escape_re)/$escape{$1}/g;
+ $string;
+}
+
# Strip spurious slashes
$path_info =~ s!(^/*)|(/*$)!!g;
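Review bot: as shown in this hunk the `%escape` map maps every character to itself (`'<' => '<'`, `'>' => '>'`, `'&' => '&'`, `'"' => '"'`), which would make `blosxom_html_escape` a no-op and leave the XSS unfixed, and the entry `"'" => '''` is not valid Perl quoting. The entity names look like they were decoded somewhere between the patch and this mail, so please confirm the values in the actual upload read `&lt;`, `&gt;`, `&amp;`, `&quot;` and `&#39;`. The rest of the helper is sound: `s/($escape_re)/$escape{$1}/g` replaces each source character in a single pass, so the `&` entry cannot double-escape the other replacements, none of the five keys are regex metacharacters (so no `quotemeta` is needed), and calling `blosxom_html_escape($flavour)` before the `sub` is defined is fine in Perl because the call uses parentheses.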
diff -u blosxom-2.0/debian/changelog blosxom-2.0/debian/changelog
--- blosxom-2.0/debian/changelog
+++ blosxom-2.0/debian/changelog
@@ -1,3 +1,12 @@
+blosxom (2.0-14+etch1) stable; urgency=high
+
+ * Apply patch to fix Cross-Site Scripting (XSS) vulnerability with respect
+ to unknown flavours (CVE-2008-2236) (closes: #500873)
+ * Only use param("-f") if $ENV{GATEWAY_INTERFACE} isn't set
+ (closes: #423441)
+
+ -- Gerfried Fuchs <rhonda@debian.at> Mon, 06 Oct 2008 16:01:44 +0200
+
blosxom (2.0-14) unstable; urgency=low