Bug#560185: pu: package kazehakase/0.5.4-2.2+lenny1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Please approve a stable update to fix CVE-2007-1084 (#556271).
According to the bug reporter (Michael Gilbert) this is not a severe
problem (no DSA will be issued), but fixes for stable and oldstable are
warranted.
Debdiff attached. (Note: The actual diff also updates
config.{guess,sub} but as these are harmless and I'm not supposed to
fix anything else in a stable update, I've left that out. Let me know
if I must fix the handling of these files as well.)
Thanks.
diff -u kazehakase-0.5.4/debian/changelog kazehakase-0.5.4/debian/changelog
--- kazehakase-0.5.4/debian/changelog
+++ kazehakase-0.5.4/debian/changelog
@@ -1,3 +1,11 @@
+kazehakase (0.5.4-2.2+lenny1) stable; urgency=medium
+
+ * debian/patches/CVE-2007-1084.dpatch: New; disallow adding bookmarks
+ with data:/javascript: URIs (CVE-2007-1084, Closes: #556271).
+ * debian/patches/00list: Update.
+
+ -- Yavor Doganov <yavor@gnu.org> Wed, 09 Dec 2009 16:07:11 +0200
+
kazehakase (0.5.4-2.2) unstable; urgency=low
* Non-maintainer upload.
diff -u kazehakase-0.5.4/debian/patches/00list kazehakase-0.5.4/debian/patches/00list
--- kazehakase-0.5.4/debian/patches/00list
+++ kazehakase-0.5.4/debian/patches/00list
@@ -1,3 +1,4 @@
+CVE-2007-1084
20_user_agent_tag
30_bookmarkbar_DSA
50_passwordmgr
only in patch2:
unchanged:
--- kazehakase-0.5.4.orig/debian/patches/CVE-2007-1084.dpatch
+++ kazehakase-0.5.4/debian/patches/CVE-2007-1084.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-1084.dpatch by Yavor Doganov <yavor@gnu.org>
+##
+## DP: Do not allow bookmarks with data:/javascript: URIs (CVE-2007-1084).
+
+@DPATCH@
+diff -urNad kazehakase-0.5.4~/src/actions/kz-actions.c kazehakase-0.5.4/src/actions/kz-actions.c
+--- kazehakase-0.5.4~/src/actions/kz-actions.c 2008-03-29 10:20:41.000000000 +0200
++++ kazehakase-0.5.4/src/actions/kz-actions.c 2009-12-09 16:03:53.000000000 +0200
+@@ -1076,6 +1076,26 @@
+
+ if (!uri) return;
+
++ /* Refuse to add a bookmark if the URI is data:/javascript:
++ (CVE-2007-1084). */
++ if (g_str_has_prefix(uri, "data:")
++ || g_str_has_prefix(uri, "javascript:"))
++ {
++ GtkWidget *dialog;
++
++ dialog = gtk_message_dialog_new(NULL,
++ GTK_DIALOG_DESTROY_WITH_PARENT,
++ GTK_MESSAGE_WARNING,
++ GTK_BUTTONS_CLOSE,
++ _("Adding this bookmark is disallowed for security reasons."));
++ gtk_window_set_title(GTK_WINDOW(dialog),
++ _("Security Warning"));
++ gtk_dialog_run(GTK_DIALOG(dialog));
++ gtk_widget_destroy(dialog);
++ return;
++ }
++
++
+ bookmark = kz_bookmark_new_with_attrs(title, uri, desc);
+ /* FIXME! show dialog */
+ if (sibling)
Reply to: