
please accept blosxom 2.0-14+etch1 into stable

Hi!

Please find attached my proposed interdiff that I would like to get
incorporated into the next stable point release. The two bugs both have
security impact, but it is too low to warrant a security advisory.
Nevertheless it would be pretty nice to have them fixed for stable
anyway.

The second part of the patch (about $flavour) is the same as how it
was fixed in unstable and by upstream. The first part of the patch
(about param("-f") handling) was done just for stable, because the way it
was fixed in the lenny/unstable version would be too intrusive and would
change the way the script works, so it's not acceptable for a stable
update.

Thanks in advance, I will upload only after a positive reply.
Rhonda

diff -u blosxom-2.0/blosxom.cgi blosxom-2.0/blosxom.cgi
--- blosxom-2.0/blosxom.cgi
+++ blosxom-2.0/blosxom.cgi
@@ -66,7 +66,12 @@
 
 ## On Debian GNU/Linux systems, read configuration files (if found)
 ## Dirk Eddelbuettel <edd@debian.org>
-for $rcfile ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf", param("-f")) {
+my @conffiles = ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf");
+
+# only use param("-f") if GATEWAY_INTERFACE isn't set, Debian BTS #423441
+push @conffiles, param("-f") unless $ENV{GATEWAY_INTERFACE};
+
+for $rcfile (@conffiles) {
   if (-r $rcfile) {
     open (RC, "< $rcfile") or die "Cannot open $rcfile: $!";
     while (<RC>) {
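Review bot: `push @conffiles, param("-f") unless $ENV{GATEWAY_INTERFACE};` pushes undef onto @conffiles when the script is run from the command line without `-f`, so the loop then evaluates `-r undef` (a warning under `use warnings`). The original list had the same behaviour, so it is not a regression, but since the line is being rewritten anyway a guard such as `if (!$ENV{GATEWAY_INTERFACE} && defined(my $f = param("-f"))) { push @conffiles, $f }` would make the intent explicit. The GATEWAY_INTERFACE gate itself is sound: the CGI specification requires the server to set it for every CGI request, so a web client can no longer select which file the script reads its configuration from, while local invocation keeps the `-f` option.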
@@ -131,6 +136,23 @@
   $flavour = param('flav') || $default_flavour;
 }
 
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+  my $string = shift;
+  my %escape = (
+                '<' => '&lt;',
+                '>' => '&gt;',
+                '&' => '&amp;',
+                '"' => '&quot;',
+                "'" => '&apos;'
+                );
+  my $escape_re = join '|' => keys %escape;
+  $string =~ s/($escape_re)/$escape{$1}/g;
+  $string;
+}
+
 # Strip spurious slashes
 $path_info =~ s!(^/*)|(/*$)!!g;
 
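Review bot: in `blosxom_html_escape`, `my $escape_re = join '|' => keys %escape;` interpolates the hash keys into a regex without `quotemeta`; the five keys used here contain no regex metacharacters, so it works today, but any later addition to %escape (e.g. `.` or `/`) would silently change the match. `join '|', map { quotemeta } keys %escape` costs nothing and removes the trap. Two smaller points: `&apos;` is an XML/XHTML entity that older HTML parsers do not recognise, so `&#39;` is the safer replacement for `'`; and because the escaped value is assigned back to `$flavour` rather than only to the copy that is echoed into the page, any later use of `$flavour` (template lookup, Content-Type selection) now sees the escaped string, which is harmless for legitimate flavour names but worth a comment so the next maintainer knows it is intentional.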
diff -u blosxom-2.0/debian/changelog blosxom-2.0/debian/changelog
--- blosxom-2.0/debian/changelog
+++ blosxom-2.0/debian/changelog
@@ -1,3 +1,12 @@
+blosxom (2.0-14+etch1) stable; urgency=high
+
+  * Apply patch to fix Cross-Site Scripting (XSS) vulnerability with respect
+    to unknown flavours (CVE-2008-2236) (closes: #500873)
+  * Only use param("-f") if $ENV{GATEWAY_INTERFACE} isn't set
+    (closes: #423441)
+
+ -- Gerfried Fuchs <rhonda@debian.at>  Mon, 06 Oct 2008 16:01:44 +0200
+
 blosxom (2.0-14) unstable; urgency=low
 
   alfie:
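Review bot: the second changelog entry, `Only use param("-f") if $ENV{GATEWAY_INTERFACE} isn't set`, describes the mechanism but not the impact, so a stable user scanning the changelog cannot tell it is a security fix; a short clause such as "so that a web request can no longer choose the configuration file the script reads" would make that clear, matching the way the first entry names the XSS and its CVE.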