
Bug#653393: pu: package libhtml-template-pro-perl/0.9502-1+squeeze1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

libhtml-template-pro-perl has a minor XSS issue[1] that the security
team suggests fixing through a point release (they do not plan to release
a DSA for it).  I prepared an update for squeeze, see the attached
debdiff.

Regards,
Ansgar

[1] <http://bugs.debian.org/652587>
diff -Nur '--exclude=.git' '--exclude=.svn' '--exclude=.pc' /tmp/libhtml-template-pro-perl-0.9502/debian/changelog ./debian/changelog
--- /tmp/libhtml-template-pro-perl-0.9502/debian/changelog	2010-06-28 18:04:29.000000000 +0200
+++ ./debian/changelog	2011-12-27 18:33:54.624344313 +0100
@@ -1,3 +1,10 @@
+libhtml-template-pro-perl (0.9502-1+squeeze1) squeeze; urgency=low
+
+  * Patch XSS vulnerability. (Closes: #652587)
+    + new patch: 652587.diff
+
+ -- Ansgar Burchardt <ansgar@debian.org>  Sun, 18 Dec 2011 23:39:24 +0100
+
 libhtml-template-pro-perl (0.9502-1) unstable; urgency=low
 
   * New upstream release.
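Review bot: the changelog entry in this hunk is too terse about what changes for users: the new patch (652587.diff) alters the JavaScript escaper in pstrutils.inc so that `<` and `>` are emitted as `&lt;`/`&gt;`, which is a visible output change for anyone relying on that escape mode, not only a security fix. Suggest expanding the bullet along the lines of `  * Patch XSS vulnerability: HTML-escape '<' and '>' in JS-escaped output, backported from 0.9507. (Closes: #652587)` so the stable update's changelog tells administrators what to expect.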
diff -Nur '--exclude=.git' '--exclude=.svn' '--exclude=.pc' /tmp/libhtml-template-pro-perl-0.9502/debian/patches/652587.diff ./debian/patches/652587.diff
--- /tmp/libhtml-template-pro-perl-0.9502/debian/patches/652587.diff	1970-01-01 01:00:00.000000000 +0100
+++ ./debian/patches/652587.diff	2011-12-27 18:33:54.624344313 +0100
@@ -0,0 +1,33 @@
+Origin: backported, changes included in 0.9507
+Bug-Debian: http://bugs.debian.org/652587
+Subject: XSS vulnerability (missing escaping)
+
+--- libhtml-template-pro-perl.orig/pstrutils.inc
++++ libhtml-template-pro-perl/pstrutils.inc
+@@ -124,6 +124,8 @@
+     case '\'' : bufdelta=2; strncpy(buf+offset, "\\'",bufdelta);break;
+     case '\n' : bufdelta=2; strncpy(buf+offset, "\\n",bufdelta);break;
+     case '\r' : bufdelta=2; strncpy(buf+offset, "\\r",bufdelta);break;
++    case '>' : bufdelta=4; strncpy(buf+offset, "&gt;",  bufdelta);break;
++    case '<' : bufdelta=4; strncpy(buf+offset, "&lt;",  bufdelta);break;
+     default: *(buf+offset)=curchar;
+     }
+     offset+=bufdelta;
+--- libhtml-template-pro-perl.orig/templates-Pro/test_esc4.out
++++ libhtml-template-pro-perl/templates-Pro/test_esc4.out
+@@ -1,3 +1,3 @@
+ <H1> test_esc4 </H1>
+- \\<>\"; %FAhidden:\r\nend 
++ \\&lt;&gt;\"; %FAhidden:\r\nend 
+  
+--- libhtml-template-pro-perl.orig/templates-Pro/test_var3.out
++++ libhtml-template-pro-perl/templates-Pro/test_var3.out
+@@ -8,7 +8,7 @@
+  \&lt;&gt;&quot;; %FAhidden:
+ end 
+  
+- \\<>\"; %FAhidden:\r\nend 
++ \\&lt;&gt;\"; %FAhidden:\r\nend 
+  
+ <H1> END test_var3 </H1>
+ </body></html>
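Review bot: the two new cases in the pstrutils.inc hunk raise the per-character expansion of this escaper from 2 bytes (`\\'`, `\\n`, `\\r`) to 4 bytes (`&gt;`, `&lt;`), but the hunk does not show where `buf` is allocated; before accepting, confirm that the caller sizes `buf` for at least a 4x expansion, since an allocation sized for the previous 2x worst case is no longer sufficient for input consisting mostly of angle brackets. Two further observations from the visible lines: `strncpy(buf+offset, "&gt;", bufdelta)` copies exactly `bufdelta` bytes without a terminator, which matches the existing cases and is therefore consistent; and the updated test expectations (`\\<>\"` becoming `\\&lt;&gt;\"` in test_esc4.out and test_var3.out) show that JS-escaped values now carry HTML entities, which is what prevents a value from closing a `<script>` element but also means a legitimate `<` in a JS-escaped string placed inside an inline script arrives as the text `&lt;`, because entities are not decoded in script content. That behaviour change deserves a `Description:` field in the DEP-3 header next to `Origin:` and `Bug-Debian:`, and `Origin: backported, changes included in 0.9507` would follow DEP-3 more closely as `Origin: backport, <upstream commit or release URL>`.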
diff -Nur '--exclude=.git' '--exclude=.svn' '--exclude=.pc' /tmp/libhtml-template-pro-perl-0.9502/debian/patches/series ./debian/patches/series
--- /tmp/libhtml-template-pro-perl-0.9502/debian/patches/series	2010-03-28 19:33:20.000000000 +0200
+++ ./debian/patches/series	2011-12-27 18:33:54.624344313 +0100
@@ -1 +1,2 @@
 spelling.patch
+652587.diff
