Bug#560185: pu: package kazehakase/0.5.4-2.2+lenny1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#560185: pu: package kazehakase/0.5.4-2.2+lenny1
From: Yavor Doganov <yavor@gnu.org>
Date: Wed, 09 Dec 2009 16:36:40 +0200
Message-id: <20091209143640.25780.90454.reportbug@keel.southway-varna.com>
Reply-to: Yavor Doganov <yavor@gnu.org>, 560185@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Please approve a stable update to fix CVE-2007-1084 (#556271).
According to the bug reporter (Michael Gilbert) this is not a severe
problem (no DSA will be issued), but fixes for stable and oldstable are
warranted.

Debdiff attached.  (Note: The actual diff also updates
config.{guess,sub} but as these are harmless and I'm not supposed to
fix anything else in a stable update, I've left that out.  Let me know
if I must fix the handling of these files as well.)

Thanks.

diff -u kazehakase-0.5.4/debian/changelog kazehakase-0.5.4/debian/changelog
--- kazehakase-0.5.4/debian/changelog
+++ kazehakase-0.5.4/debian/changelog
@@ -1,3 +1,11 @@
+kazehakase (0.5.4-2.2+lenny1) stable; urgency=medium
+
+  * debian/patches/CVE-2007-1084.dpatch: New; disallow adding bookmarks
+    with data:/javascript: URIs (CVE-2007-1084, Closes: #556271).
+  * debian/patches/00list: Update.
+
+ -- Yavor Doganov <yavor@gnu.org>  Wed, 09 Dec 2009 16:07:11 +0200
+
 kazehakase (0.5.4-2.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -u kazehakase-0.5.4/debian/patches/00list kazehakase-0.5.4/debian/patches/00list
--- kazehakase-0.5.4/debian/patches/00list
+++ kazehakase-0.5.4/debian/patches/00list
@@ -1,3 +1,4 @@
+CVE-2007-1084
 20_user_agent_tag
 30_bookmarkbar_DSA
 50_passwordmgr
only in patch2:
unchanged:
--- kazehakase-0.5.4.orig/debian/patches/CVE-2007-1084.dpatch
+++ kazehakase-0.5.4/debian/patches/CVE-2007-1084.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-1084.dpatch by Yavor Doganov <yavor@gnu.org>
+##
+## DP: Do not allow bookmarks with data:/javascript: URIs (CVE-2007-1084).
+
+@DPATCH@
+diff -urNad kazehakase-0.5.4~/src/actions/kz-actions.c kazehakase-0.5.4/src/actions/kz-actions.c
+--- kazehakase-0.5.4~/src/actions/kz-actions.c	2008-03-29 10:20:41.000000000 +0200
++++ kazehakase-0.5.4/src/actions/kz-actions.c	2009-12-09 16:03:53.000000000 +0200
+@@ -1076,6 +1076,26 @@
+ 
+ 	if (!uri) return;
+ 
++	/* Refuse to add a bookmark if the URI is data:/javascript:
++	   (CVE-2007-1084).  */
++	if (g_str_has_prefix(uri, "data:")
++	    || g_str_has_prefix(uri, "javascript:"))
++		{
++			GtkWidget *dialog;
++
++			dialog = gtk_message_dialog_new(NULL,
++							GTK_DIALOG_DESTROY_WITH_PARENT,
++							GTK_MESSAGE_WARNING,
++							GTK_BUTTONS_CLOSE,
++							_("Adding this bookmark is disallowed for security reasons."));
++			gtk_window_set_title(GTK_WINDOW(dialog),
++					     _("Security Warning"));
++			gtk_dialog_run(GTK_DIALOG(dialog));
++			gtk_widget_destroy(dialog);
++			return;
++		}
++
++
+ 	bookmark = kz_bookmark_new_with_attrs(title, uri, desc);
+ 	/* FIXME! show dialog */
+ 	if (sibling)

Reply to:

Follow-Ups:
- Bug#560185: pu: package kazehakase/0.5.4-2.2+lenny1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Bug#559725: RM: alien-arena/7.0-1
Next by Date: Bug#559346: Most packages based on source package mysql-dfsg-5.1
Previous by thread: Re: RFC: Proposed updates to the Python Policy to reflect current practices
Next by thread: Bug#560185: pu: package kazehakase/0.5.4-2.2+lenny1
Index(es):
- Date
- Thread