
Bug#780190: unblock: tcllib/1.16-dfsg-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package tcllib

It fixes a small security-related bug. See [1] for details.

The diff between the current package in testing and 1.16-dfsg-2 is attached.

unblock tcllib/1.16-dfsg-2

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780100

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tcllib-1.16-dfsg/debian/changelog tcllib-1.16-dfsg/debian/changelog
--- tcllib-1.16-dfsg/debian/changelog	2014-02-12 13:29:13.000000000 +0400
+++ tcllib-1.16-dfsg/debian/changelog	2015-03-09 15:12:48.000000000 +0300
@@ -1,3 +1,10 @@
+tcllib (1.16-dfsg-2) unstable; urgency=medium
+
+  * Added a patch from upstream which fixes an XSS vulnerability in
+    the html module for <textarea/> elements (closes: #780100).
+
+ -- Sergei Golovan <sgolovan@debian.org>  Mon, 09 Mar 2015 15:12:05 +0300
+
 tcllib (1.16-dfsg-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch
--- tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch	1970-01-01 03:00:00.000000000 +0300
+++ tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch	2015-03-09 15:06:25.000000000 +0300
@@ -0,0 +1,16 @@
+Author: upstream
+Description: Patch fixes an XSS vulnerability in <textarea/> HTML element in
+    the html Tcllib module
+Last-Modified: Mon, 09 Mar 2015 15:06:15 +0300
+
+--- a/modules/html/html.tcl
++++ b/modules/html/html.tcl
+@@ -912,7 +912,7 @@
+ #	The html fragment
+ 
+ proc ::html::textarea {name {param {}} {current {}}} {
+-    ::set value [ncgi::value $name $current]
++    ::set value [quoteFormValue [ncgi::value $name $current]]
+     return "<[string trimright \
+ 	"textarea name=\"$name\"\
+ 		[tagParam textarea $param]"]>$value</textarea>\n"
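Review bot: the fix is only as strong as `quoteFormValue`, which this hunk does not show; since `$value` lands inside textarea content, confirm that the proc escapes at least `<` and `&`, otherwise a submitted value containing `</textarea>` can still close the element and inject markup, and the patch description should say which characters are escaped. Two smaller points on the same hunk: `$name` is still interpolated into `name=\"$name\"` unescaped, which is acceptable while callers pass literal field names rather than request data but deserves a sentence in the proc's header comment; and the DEP-3 header reads `Author: upstream` with no `Origin:` link to the upstream commit and no `Bug-Debian:` field for #780100, so replace the Author line with those two fields so the provenance of the patch can be checked.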
diff -Nru tcllib-1.16-dfsg/debian/patches/series tcllib-1.16-dfsg/debian/patches/series
--- tcllib-1.16-dfsg/debian/patches/series	2013-05-11 18:49:10.000000000 +0400
+++ tcllib-1.16-dfsg/debian/patches/series	2015-03-09 15:09:35.000000000 +0300
@@ -1 +1 @@
-#
+html-textarea-xss.patch
