Hi,
A patch for the package 'planet-venus', provided by Steve Kemp, fixes
the problem with insufficient escaping of input feeds in bug #546179. I
would like to apply the following patch to the package in lenny stable.
OK for upload to stable?
Regards,
Runa Sandvik
diff -u planet-venus-0~bzr95/debian/changelog planet-venus-0~bzr95/debian/changelog
--- planet-venus-0~bzr95/debian/changelog
+++ planet-venus-0~bzr95/debian/changelog
@@ -1,3 +1,13 @@
+planet-venus (0~bzr95-2+lenny1) stable; urgency=high
+
+ [ Runa Sandvik ]
+ * Added patch from Steve Kemp to escape input feeds (Closes: #546179) [CVE-2009-2937]
+
+ [ Piotr Ożarowski ]
+ * Upload (as PAPT member)
+
+ -- Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org> Fri, 02 Oct 2009 15:29:44 +0200
+
planet-venus (0~bzr95-2) unstable; urgency=medium
* Added debian/README.source for upstream source information.
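Review bot: the entry "Added patch from Steve Kemp to escape input feeds" understates what the patch does: it replaces feedparser._sanitizeHTML with html5lib's HTMLSanitizer plus the XHTMLSerializer, which is a change of sanitizer rather than added escaping, and it makes the package import html5lib at runtime. Say so in the changelog, and confirm that python-html5lib is already a dependency, because no debian/control change appears in this debdiff. Likewise no debian/patches/series change is shown; if the package applies patches through quilt, the new escaping-of-input.patch needs an entry there or it will never be applied at build time.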
only in patch2:
unchanged:
--- planet-venus-0~bzr95.orig/debian/patches/escaping-of-input.patch
+++ planet-venus-0~bzr95/debian/patches/escaping-of-input.patch
@@ -0,0 +1,20 @@
+diff -Nur planet-venus-0~bzr95.orig/planet/scrub.orig planet-venus-0~bzr95.orig.new/planet/scrub.py
+--- planet-venus-0~bzr95.orig/planet/scrub.orig 2009-09-09 16:24:50.000000000 +0000
++++ planet-venus-0~bzr95.orig.new/planet/scrub.py 2009-09-09 16:25:18.000000000 +0000
+@@ -128,5 +128,13 @@
+ node['value'] = feedparser._resolveRelativeURIs(
+ node.value, node.base, 'utf-8', node.type)
+
+- node['value'] = feedparser._sanitizeHTML(
+- node.value, 'utf-8', node.type)
++ # Run this through HTML5's serializer
++ from html5lib import html5parser, sanitizer, treebuilders
++ from html5lib import treewalkers, serializer
++ p = html5parser.HTMLParser(tokenizer=sanitizer.HTMLSanitizer,
++ tree=treebuilders.getTreeBuilder('dom'))
++ doc = p.parseFragment(node.value, encoding='utf-8')
++ xhtml = serializer.XHTMLSerializer(inject_meta_charset = False)
++ walker = treewalkers.getTreeWalker('dom')
++ tree = xhtml.serialize(walker(doc), encoding='utf-8')
++ node['value'] = ''.join([str(token) for token in tree])
+
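Review bot: the new debian/patches/escaping-of-input.patch carries no description header; add a few lines before the `diff -Nur` line naming the author (Steve Kemp), bug #546179 and CVE-2009-2937 so the provenance travels with the patch. The inner diff is also fragile: the old-file header reads `planet-venus-0~bzr95.orig/planet/scrub.orig` while the new-file header reads `planet-venus-0~bzr95.orig.new/planet/scrub.py`, so applying it relies on patch's file-name heuristics; regenerate it so both sides name planet/scrub.py. The replacement code drops node.type, which the removed `feedparser._sanitizeHTML(node.value, 'utf-8', node.type)` call used to distinguish text/html from XHTML content; `html5parser.HTMLParser(...).parseFragment` now treats every value as HTML, which is acceptable for sanitizing but is a behaviour change that belongs in the patch header. Minor style: the html5lib imports inside the function are re-executed on every call and could move to module level, and `inject_meta_charset = False` should be `inject_meta_charset=False`.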