Bug#715450: pu: package xmonad-contrib/0.10-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I'd like to propose the attached patch for inclusion in the next stable
point release, as it fixes a remote code execution security issue
(CVE-2013-1436: xmobar/dzen markup embedded in untrusted window titles
could be executed by the status bar).
Sorry for already uploading the package.
Greetings,
Joachim
- -- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.9-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlHbxlkACgkQ9ijrk0dDIGwTIQCgnLjedjCxfUorCgdQ047CGWC3
V68AnRk7VZFnpDhhveuxwC2TEM6rEMIi
=v/MH
-----END PGP SIGNATURE-----
diff -Nru xmonad-contrib-0.10/debian/changelog xmonad-contrib-0.10/debian/changelog
--- xmonad-contrib-0.10/debian/changelog 2012-02-10 23:16:12.000000000 +0100
+++ xmonad-contrib-0.10/debian/changelog 2013-07-09 08:23:04.000000000 +0200
@@ -1,3 +1,12 @@
+xmonad-contrib (0.10-4~deb7u1) stable; urgency=low
+
+ * debian/patches/escape-window-titles.patch:
+ Escape dzen markup and remove xmobar tags from window titles by default.
+ Fixes possible malicous code execution. Thanks to Raúl Benencia for
+ noticing and Adam Vogt for fixing. CVE-2013-1436
+
+ -- Joachim Breitner <nomeata@debian.org> Mon, 08 Jul 2013 23:02:16 +0200
+
xmonad-contrib (0.10-3) unstable; urgency=low
* Sourceful upload to rebuild documentation package
diff -Nru xmonad-contrib-0.10/debian/NEWS xmonad-contrib-0.10/debian/NEWS
--- xmonad-contrib-0.10/debian/NEWS 1970-01-01 01:00:00.000000000 +0100
+++ xmonad-contrib-0.10/debian/NEWS 2013-07-09 08:28:48.000000000 +0200
@@ -0,0 +1,8 @@
+xmonad-contrib (0.10-4~deb7u1) stable; urgency=low
+
+ This update fixes a possible security hole in the XMonad.Hooks.DynamicLog
+ module (CVE-2013-1436). If you use this module, please make sure to
+ recompile your xmonad binary after upgrading the package: Edit your
+ ~/.xmonad/xmonad.hs file and then press Mod-Q.
+
+ -- Joachim Breitner <nomeata@debian.org> Mon, 08 Jul 2013 22:49:35 +0200
diff -Nru xmonad-contrib-0.10/debian/patches/escape-window-titles.patch xmonad-contrib-0.10/debian/patches/escape-window-titles.patch
--- xmonad-contrib-0.10/debian/patches/escape-window-titles.patch 1970-01-01 01:00:00.000000000 +0100
+++ xmonad-contrib-0.10/debian/patches/escape-window-titles.patch 2013-07-08 22:47:49.000000000 +0200
@@ -0,0 +1,112 @@
+Author: Adam Vogt <vogt.adam@gmail.com>
+Description: Escape dzen markup and remove xmobar tags from window titles by default.
+ The issue was that window titles, such as those set by, for example a browser,
+ could set the window title to display something like
+ .
+ <action=malicious shell command>normal title</action>
+ .
+ Which could be executed by xmobar (or dzen).
+ .
+ This adds a ppTitleSanitize which does the above functions. This way when users
+ override ppTitle, the benefits are not lost.
+ .
+ Thanks to Raúl Benencia and Joachim Breitner for bringing this to my attention.
+Origin: upstream, http://code.haskell.org/XMonadContrib
+Forwarded: not-needed
+
+Index: xmonad-contrib-0.10/XMonad/Hooks/DynamicLog.hs
+===================================================================
+--- xmonad-contrib-0.10.orig/XMonad/Hooks/DynamicLog.hs 2013-07-08 22:45:02.043159857 +0200
++++ xmonad-contrib-0.10/XMonad/Hooks/DynamicLog.hs 2013-07-08 22:45:02.039159857 +0200
+@@ -1,4 +1,4 @@
+-{-# LANGUAGE FlexibleContexts #-}
++{-# LANGUAGE FlexibleContexts, PatternGuards #-}
+
+ -----------------------------------------------------------------------------
+ -- |
+@@ -43,6 +43,7 @@
+ -- * Formatting utilities
+ wrap, pad, trim, shorten,
+ xmobarColor, xmobarStrip,
++ xmobarStripTags,
+ dzenColor, dzenEscape, dzenStrip,
+
+ -- * Internal formatting functions
+@@ -57,10 +58,10 @@
+ -- Useful imports
+
+ import Codec.Binary.UTF8.String (encodeString)
+-import Control.Monad (liftM2)
++import Control.Monad (liftM2, msum)
+ import Data.Char ( isSpace, ord )
+-import Data.List (intersperse, isPrefixOf, sortBy)
+-import Data.Maybe ( isJust, catMaybes )
++import Data.List (intersperse, stripPrefix, isPrefixOf, sortBy)
++import Data.Maybe ( isJust, catMaybes, mapMaybe )
+ import Data.Ord ( comparing )
+ import qualified Data.Map as M
+ import qualified XMonad.StackSet as S
+@@ -279,7 +280,7 @@
+ return $ encodeString . sepBy (ppSep pp) . ppOrder pp $
+ [ ws
+ , ppLayout pp ld
+- , ppTitle pp wt
++ , ppTitle pp $ ppTitleSanitize pp wt
+ ]
+ ++ catMaybes extras
+
+@@ -394,16 +395,29 @@
+
+ -- ??? add an xmobarEscape function?
+
+--- | Strip xmobar markup.
++-- | Strip xmobar markup, specifically the <fc>, <icon> and <action> tags and
++-- the matching tags like </fc>.
+ xmobarStrip :: String -> String
+-xmobarStrip = strip [] where
++xmobarStrip = xmobarStripTags ["fc","icon","action"] where
++
++xmobarStripTags :: [String] -- ^ tags
++ -> String -> String -- ^ with all <tag>...</tag> removed
++xmobarStripTags tags = strip [] where
++ strip keep [] = keep
+ strip keep x
+- | null x = keep
+- | "<fc=" `isPrefixOf` x = strip keep (drop 1 . dropWhile (/= '>') $ x)
+- | "</fc>" `isPrefixOf` x = strip keep (drop 5 x)
+- | '<' == head x = strip (keep ++ "<") (tail x)
+- | otherwise = let (good,x') = span (/= '<') x
+- in strip (keep ++ good) x'
++ | rest: _ <- mapMaybe dropTag tags = strip keep rest
++
++
++ | '<':xs <- x = strip (keep ++ "<") xs
++ | (good,x') <- span (/= '<') x = strip (keep ++ good) x' -- this is n^2 bad... but titles have few tags
++ where dropTag :: String -> Maybe String
++ dropTag tag = msum [fmap dropTilClose (openTag tag `stripPrefix` x),
++ closeTag tag `stripPrefix` x]
++
++ dropTilClose, openTag, closeTag :: String -> String
++ dropTilClose = drop 1 . dropWhile (/= '>')
++ openTag str = "<" ++ str ++ "="
++ closeTag str = "</" ++ str ++ ">"
+
+ -- | The 'PP' type allows the user to customize the formatting of
+ -- status information.
+@@ -427,6 +441,8 @@
+ -- ^ separator to use between workspace tags
+ , ppTitle :: String -> String
+ -- ^ window title format
++ , ppTitleSanitize :: String -> String
++ -- ^ escape / sanitizes input to 'ppTitle'
+ , ppLayout :: String -> String
+ -- ^ layout name format
+ , ppOrder :: [String] -> [String]
+@@ -468,6 +484,7 @@
+ , ppSep = " : "
+ , ppWsSep = " "
+ , ppTitle = shorten 80
++ , ppTitleSanitize = xmobarStrip . dzenEscape
+ , ppLayout = id
+ , ppOrder = id
+ , ppOutput = putStrLn
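Review bot: The new xmobarStripTags makes a single left-to-right pass, so a tag whose name is interrupted by a stripped tag is reassembled rather than removed: tracing the guards, `xmobarStrip "<a<fc=x>ction=cmd>"` keeps the leading `<` and `a`, drops `<fc=x>` via dropTilClose, then keeps `ction=cmd>`, yielding `<action=cmd>` which xmobar would still act on (assuming dzenEscape, applied first in ppTitleSanitize, leaves `<` and `>` untouched, as its name suggests). Stripping should therefore be iterated to a fixed point; each pass only ever removes characters or returns its input unchanged, so the iteration terminates. Separately, the trailing `where` with no bindings in `xmobarStrip = xmobarStripTags ["fc","icon","action"] where` is a leftover and should be dropped, and since the acknowledged quadratic `keep ++ ...` accumulation runs before `shorten 80`, an unusually long untrusted title pays that cost in full, which the existing comment could say explicitly.
```haskell
-- | Strip xmobar markup, specifically the <fc>, <icon> and <action> tags and
-- the matching tags like </fc>.  Stripping is repeated until nothing changes,
-- so a tag split by another tag (e.g. "<a<fc=x>ction=cmd>") cannot survive.
xmobarStrip :: String -> String
xmobarStrip = converge (xmobarStripTags ["fc","icon","action"])

-- | Apply a function until its output stops changing.  Terminates for
-- 'xmobarStripTags' because every pass either shortens the input or returns
-- it unchanged.
converge :: Eq a => (a -> a) -> a -> a
converge f x
  | x == x'   = x
  | otherwise = converge f x'
  where x' = f x

-- … unchanged: xmobarStripTags and the PP record changes …
```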
diff -Nru xmonad-contrib-0.10/debian/patches/series xmonad-contrib-0.10/debian/patches/series
--- xmonad-contrib-0.10/debian/patches/series 2012-02-10 23:16:05.000000000 +0100
+++ xmonad-contrib-0.10/debian/patches/series 2013-07-08 22:45:00.000000000 +0200
@@ -1 +1,2 @@
use-x-www-browser.patch
+escape-window-titles.patch