Bug#780190: unblock: tcllib/1.16-dfsg-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package tcllib
It fixes a small security-related bug. See [1] for details.
The diff between the current package in testing and 1.16-dfsg-2 is attached.
unblock tcllib/1.16-dfsg-2
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780100
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tcllib-1.16-dfsg/debian/changelog tcllib-1.16-dfsg/debian/changelog
--- tcllib-1.16-dfsg/debian/changelog 2014-02-12 13:29:13.000000000 +0400
+++ tcllib-1.16-dfsg/debian/changelog 2015-03-09 15:12:48.000000000 +0300
@@ -1,3 +1,10 @@
+tcllib (1.16-dfsg-2) unstable; urgency=medium
+
+ * Added a patch from upstream which fixes an XSS vulnerability in
+ the html module for <textarea/> elements (closes: #780100).
+
+ -- Sergei Golovan <sgolovan@debian.org> Mon, 09 Mar 2015 15:12:05 +0300
+
tcllib (1.16-dfsg-1) unstable; urgency=low
* New upstream release.
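Review bot: the changelog entry says only "a patch from upstream" without identifying which upstream revision or commit the fix was taken from; naming it here (or in the patch's DEP-3 header) lets the release and security teams cross-check that the Debian patch matches what upstream shipped. Also, `<textarea/>` is not a self-closing element in HTML; writing it as `<textarea>` in the entry avoids confusion with the actual markup the module emits.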
diff -Nru tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch
--- tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch 1970-01-01 03:00:00.000000000 +0300
+++ tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch 2015-03-09 15:06:25.000000000 +0300
@@ -0,0 +1,16 @@
+Author: upstream
+Description: Patch fixes an XSS vulnerability in <textarea/> HTML element in
+ the html Tcllib module
+Last-Modified: Mon, 09 Mar 2015 15:06:15 +0300
+
+--- a/modules/html/html.tcl
++++ b/modules/html/html.tcl
+@@ -912,7 +912,7 @@
+ # The html fragment
+
+ proc ::html::textarea {name {param {}} {current {}}} {
+- ::set value [ncgi::value $name $current]
++ ::set value [quoteFormValue [ncgi::value $name $current]]
+ return "<[string trimright \
+ "textarea name=\"$name\"\
+ [tagParam textarea $param]"]>$value</textarea>\n"
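Review bot: the fix routes the CGI-supplied value through `quoteFormValue` before it is placed between `<textarea>` and `</textarea>`, which is the right place to escape it, but `$name` and `$param` are still interpolated verbatim into the opening tag; that is only safe if callers never pass request-derived data for them, so the proc's comment should state that assumption. Separately, the header line `+Author: upstream` is not a valid DEP-3 field value; use `Origin: upstream, <URL of the upstream commit>` and add `Bug-Debian: https://bugs.debian.org/780100` so the provenance of the patch is verifiable.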
diff -Nru tcllib-1.16-dfsg/debian/patches/series tcllib-1.16-dfsg/debian/patches/series
--- tcllib-1.16-dfsg/debian/patches/series 2013-05-11 18:49:10.000000000 +0400
+++ tcllib-1.16-dfsg/debian/patches/series 2015-03-09 15:09:35.000000000 +0300
@@ -1 +1 @@
-#
+html-textarea-xss.patch