Bug#653393: pu: package libhtml-template-pro-perl/0.9502-1+squeeze1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
libhtml-template-pro-perl has a minor XSS issue[1] that the security
team suggests fixing through a point release (they do not plan to release
a DSA for it). I prepared an update for squeeze, see the attached
debdiff.
Regards,
Ansgar
[1] <http://bugs.debian.org/652587>
diff -Nur '--exclude=.git' '--exclude=.svn' '--exclude=.pc' /tmp/libhtml-template-pro-perl-0.9502/debian/changelog ./debian/changelog
--- /tmp/libhtml-template-pro-perl-0.9502/debian/changelog 2010-06-28 18:04:29.000000000 +0200
+++ ./debian/changelog 2011-12-27 18:33:54.624344313 +0100
@@ -1,3 +1,10 @@
+libhtml-template-pro-perl (0.9502-1+squeeze1) squeeze; urgency=low
+
+ * Patch XSS vulnerability. (Closes: #652587)
+ + new patch: 652587.diff
+
+ -- Ansgar Burchardt <ansgar@debian.org> Sun, 18 Dec 2011 23:39:24 +0100
+
libhtml-template-pro-perl (0.9502-1) unstable; urgency=low
* New upstream release.
diff -Nur '--exclude=.git' '--exclude=.svn' '--exclude=.pc' /tmp/libhtml-template-pro-perl-0.9502/debian/patches/652587.diff ./debian/patches/652587.diff
--- /tmp/libhtml-template-pro-perl-0.9502/debian/patches/652587.diff 1970-01-01 01:00:00.000000000 +0100
+++ ./debian/patches/652587.diff 2011-12-27 18:33:54.624344313 +0100
@@ -0,0 +1,33 @@
+Origin: backported, changes included in 0.9507
+Bug-Debian: http://bugs.debian.org/652587
+Subject: XSS vulnerability (missing escaping)
+
+--- libhtml-template-pro-perl.orig/pstrutils.inc
++++ libhtml-template-pro-perl/pstrutils.inc
+@@ -124,6 +124,8 @@
+ case '\'' : bufdelta=2; strncpy(buf+offset, "\\'",bufdelta);break;
+ case '\n' : bufdelta=2; strncpy(buf+offset, "\\n",bufdelta);break;
+ case '\r' : bufdelta=2; strncpy(buf+offset, "\\r",bufdelta);break;
++ case '>' : bufdelta=4; strncpy(buf+offset, ">", bufdelta);break;
++ case '<' : bufdelta=4; strncpy(buf+offset, "<", bufdelta);break;
+ default: *(buf+offset)=curchar;
+ }
+ offset+=bufdelta;
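Review bot: as rendered here the two new cases copy a one-byte string (">" and "<") with bufdelta=4, so strncpy would pad the remaining three bytes with NUL and offset would then advance past them; bufdelta=4 only makes sense for the four-byte entities &gt; and &lt;, so the likely explanation is that this rendering decoded the entities, but please confirm that the patch file on disk really contains `strncpy(buf+offset, "&gt;", bufdelta)` / `strncpy(buf+offset, "&lt;", bufdelta)`. Also worth checking, since it is outside the hunk, that the code sizing buf allows for a 4-byte expansion per '<' or '>': the visible cases in this switch expand a character to at most 2 bytes.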
+--- libhtml-template-pro-perl.orig/templates-Pro/test_esc4.out
++++ libhtml-template-pro-perl/templates-Pro/test_esc4.out
+@@ -1,3 +1,3 @@
+ <H1> test_esc4 </H1>
+- \\<>\"; %FAhidden:\r\nend
++ \\<>\"; %FAhidden:\r\nend
+
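Review bot: the removed and added lines of this hunk read identically here (`\\<>\"; %FAhidden:\r\nend`), so the expected-output change cannot be reviewed in this rendering; the `+` line should carry &lt; and &gt; in place of the raw angle brackets, matching the new cases in pstrutils.inc. Please verify that against the patch file, and that the test suite is run at build time so this .out file is actually exercised.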
+--- libhtml-template-pro-perl.orig/templates-Pro/test_var3.out
++++ libhtml-template-pro-perl/templates-Pro/test_var3.out
+@@ -8,7 +8,7 @@
+ \<>"; %FAhidden:
+ end
+
+- \\<>\"; %FAhidden:\r\nend
++ \\<>\"; %FAhidden:\r\nend
+
+ <H1> END test_var3 </H1>
+ </body></html>
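Review bot: same rendering problem as test_esc4.out, the `-` and `+` lines are indistinguishable here, so the entity text needs checking in the actual patch file. Beyond that, consider extending this fixture (or adding one) with a value containing `</script>`, so the regression test demonstrates the script-breakout being prevented rather than only the bare `<>` pair.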
diff -Nur '--exclude=.git' '--exclude=.svn' '--exclude=.pc' /tmp/libhtml-template-pro-perl-0.9502/debian/patches/series ./debian/patches/series
--- /tmp/libhtml-template-pro-perl-0.9502/debian/patches/series 2010-03-28 19:33:20.000000000 +0200
+++ ./debian/patches/series 2011-12-27 18:33:54.624344313 +0100
@@ -1 +1,2 @@
spelling.patch
+652587.diff
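To make the security point of the patch concrete, the following is an added
example written for this page; it is not code from HTML::Template::Pro or
from the debdiff. It models a JS-context escaper in the style of the
pstrutils.inc routine above, with a flag to reproduce the pre-patch
behaviour (angle brackets pass through, so a value can close the enclosing
<script> element even though the JS string itself stays intact) and the
post-patch behaviour (&lt; / &gt;, four bytes each). The function names
js_escape, js_escape_token and can_break_out_of_script, the measuring pass
used for buffer sizing, and the attacker-controlled input are all
assumptions of this example; whether the real pstrutils.inc sizes its
buffer for the 4-byte entities is not visible in the hunk.

```c
/* Added example, not the project's code. Mirrors the bufdelta accounting
 * of the patched switch: each input byte is replaced by a token of
 * bufdelta bytes, or copied as-is with bufdelta == 1. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the replacement for one byte, or NULL if it passes through.
 * escape_angle == 0 models the pre-patch behaviour. */
static const char *js_escape_token(char c, int escape_angle)
{
    switch (c) {
    case '\\': return "\\\\";
    case '"':  return "\\\"";
    case '\'': return "\\'";
    case '\n': return "\\n";
    case '\r': return "\\r";
    case '<':  return escape_angle ? "&lt;" : NULL;
    case '>':  return escape_angle ? "&gt;" : NULL;
    default:   return NULL;
    }
}

/* Escape `in` for a JavaScript string literal embedded in an HTML <script>
 * block. A measuring pass computes the exact output size (assumption: the
 * real code must size its buffer for the 4-byte entities too). Returns a
 * malloc'd string; the caller frees it. */
char *js_escape(const char *in, int escape_angle)
{
    size_t need = 1;  /* terminating NUL */
    const char *p;
    for (p = in; *p; p++) {
        const char *t = js_escape_token(*p, escape_angle);
        need += t ? strlen(t) : 1;
    }
    char *out = malloc(need);
    if (!out)
        return NULL;
    size_t offset = 0;
    for (p = in; *p; p++) {
        const char *t = js_escape_token(*p, escape_angle);
        size_t bufdelta = t ? strlen(t) : 1;  /* same role as bufdelta in the patch */
        if (t)
            memcpy(out + offset, t, bufdelta);
        else
            out[offset] = *p;
        offset += bufdelta;
    }
    out[offset] = '\0';
    return out;
}

/* 1 if the escaped value still contains a sequence that ends the enclosing
 * <script> element; the HTML parser sees it before the JS parser does. */
int can_break_out_of_script(const char *escaped)
{
    return strstr(escaped, "</script") != NULL;
}

int main(void)
{
    /* Constructed attacker-controlled value, not taken from the bug report. */
    const char *value = "x';</script><script>alert(1)//";
    char *before = js_escape(value, 0);
    char *after = js_escape(value, 1);
    if (!before || !after)
        return 1;
    printf("pre-patch : %s  (breakout=%d)\n", before, can_break_out_of_script(before));
    printf("post-patch: %s  (breakout=%d)\n", after, can_break_out_of_script(after));
    free(before);
    free(after);
    return 0;
}
```

Note that in the pre-patch output the single quote is correctly turned
into `\'`, so the JavaScript string never terminates; the injection works
purely because the browser's HTML tokenizer ends the script element at the
literal `</script>` regardless of JS string state, which is why escaping
`<` and `>` in JS context is needed in addition to the backslash escapes.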