Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: shaarli@packages.debian.org, jvalleroy@mailbox.org
Control: affects -1 + src:shaarli
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fixes CVE-2025-55291: Prior to 0.15.0, the input string in the cloud tag page is not properly sanitized. This allows the </title> tag to be prematurely closed, leading to a reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability is fixed in 0.15.0.

This issue is also present in old-stable. In discussion with the security team, they requested it to be fixed in the upcoming point release.

[ Impact ]
The tag search functionality with the XSS vulnerability is accessible in instances of Shaarli that are on the public Internet, even without login.

[ Tests ]
I manually tested for the exploit before and after the fix.

[ Risks ]
It is a very simple change, so the risk appears to be low.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Wrap the $searchTags variable in escape() to sanitize the user input. This change is from an upstream commit that applied directly to the older version.

I have already uploaded the package to proposed-updates.
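To make the [ Changes ] section concrete, here is an added, self-contained PHP example (not code from Shaarli or from the Debian patch) that rebuilds the pagetitle expression from TagCloudController both before and after the fix and checks whether a searchtags value can close the <title> element. The escape() function below is a stand-in for Shaarli's own helper and is assumed to be htmlspecialchars()-based; t() and the config lookup are replaced by plain strings.

```php
<?php
// Added example, not Shaarli project code. escape() here is a stand-in for the
// helper in application/Utils.php and is assumed to wrap htmlspecialchars().
function escape(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Mirrors the pagetitle assignment in TagCloudController; $fixed selects the
// unescaped (pre-patch) or escaped (post-patch) form of the expression.
// The translation helper t() and the general.title config lookup are
// replaced by literal strings so the example runs stand-alone.
function pageTitle(string $searchTags, string $type, string $siteTitle, bool $fixed): string
{
    $tagsSeparator = ' ';
    $searchTags = !empty($searchTags)
        ? trim(str_replace($tagsSeparator, ' ', $searchTags)) . ' - '
        : '';
    $prefix = $fixed ? escape($searchTags) : $searchTags;
    return $prefix . 'Tag ' . $type . ' - ' . $siteTitle;
}

// Defender-side check: a rendered page title must never contain a closing
// </title> tag, because the browser then parses whatever follows as HTML.
function titleBreaksOut(string $title): bool
{
    return stripos($title, '</title') !== false;
}

// Constructed sample searchtags value carrying a closing tag, as the
// CVE description says the tag cloud page allowed.
$constructedInput = 'php</title>text-after-title';

foreach ([false => 'before fix', true => 'after fix'] as $fixed => $label) {
    $title = pageTitle($constructedInput, 'cloud', 'Shaarli', (bool) $fixed);
    $verdict = titleBreaksOut($title) ? 'title can be closed early' : 'title stays intact';
    echo $label, ': ', $verdict, PHP_EOL, '  ', $title, PHP_EOL;
}
```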
diff -Nru shaarli-0.14.0+dfsg/debian/changelog shaarli-0.14.0+dfsg/debian/changelog --- shaarli-0.14.0+dfsg/debian/changelog 2025-04-15 14:31:42.000000000 -0400 +++ shaarli-0.14.0+dfsg/debian/changelog 2025-08-30 07:45:06.000000000 -0400 @@ -1,3 +1,9 @@ +shaarli (0.14.0+dfsg-2) trixie; urgency=medium + + * Add patch to fix CVE-2025-55291 (Closes: #1111589) + + -- James Valleroy <jvalleroy@mailbox.org> Sat, 30 Aug 2025 07:45:06 -0400 + shaarli (0.14.0+dfsg-1) unstable; urgency=medium [ William Desportes ] diff -Nru shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch --- shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch 1969-12-31 19:00:00.000000000 -0500 +++ shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch 2025-08-30 07:45:06.000000000 -0400 
@@ -0,0 +1,26 @@ +From: James Valleroy <jvalleroy@mailbox.org> +Date: Fri, 22 Aug 2025 16:22:13 -0400 +Subject: fix reflected XSS via searchtags parameter + +Applied from upstream commit: +https://github.com/shaarli/Shaarli/commit/e77c04a76601cdcd62e74c396a931d750e007c45 + +Fix for CVE-2025-55291: +https://security-tracker.debian.org/tracker/CVE-2025-55291 +--- + application/front/controller/visitor/TagCloudController.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/application/front/controller/visitor/TagCloudController.php b/application/front/controller/visitor/TagCloudController.php +index 46d6277..2012740 100644 +--- a/application/front/controller/visitor/TagCloudController.php ++++ b/application/front/controller/visitor/TagCloudController.php +@@ -87,7 +87,7 @@ class TagCloudController extends ShaarliVisitorController + $searchTags = !empty($searchTags) ? trim(str_replace($tagsSeparator, ' ', $searchTags)) . ' - ' : ''; + $this->assignView( + 'pagetitle', +- $searchTags . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli') ++ escape($searchTags) . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli') + ); + + return $response->write($this->render('tag.' . $type)); diff -Nru shaarli-0.14.0+dfsg/debian/patches/series shaarli-0.14.0+dfsg/debian/patches/series --- shaarli-0.14.0+dfsg/debian/patches/series 2025-04-15 14:31:42.000000000 -0400 +++ shaarli-0.14.0+dfsg/debian/patches/series 2025-08-30 07:45:06.000000000 -0400 @@ -21,3 +21,4 @@ 0022-RequiresPhpunit-11-for-test-failing-with-PHPUnit-11.patch 0023-Rename-PluginQrcodeTest-as-PluginReadItLaterTest-PHP.patch 0024-RequiresPhpunit-12-for-test-failing-with-PHPUnit-12.patch +0025-fix-reflected-XSS-via-searchtags-parameter.patch
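Review bot: The changelog entry for 0.14.0+dfsg-2 names only the CVE number; adding the short description from the patch subject ("reflected XSS via searchtags parameter") would let readers of the changelog see what was fixed without consulting the tracker, e.g. "* Add patch to fix CVE-2025-55291: reflected XSS via searchtags parameter (Closes: #1111589)".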
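Review bot: In the TagCloudController hunk the escape() call covers only the pagetitle assignment built from $searchTags; the trimmed $searchTags value is computed above the changed line and is not otherwise touched by this patch, so confirm that any other view variable it feeds in the same method is escaped in the template, or the reflected value still reaches an unescaped sink. Separately, the patch header is free-form ("Applied from upstream commit:" / "Fix for CVE-2025-55291:"); DEP-3 fields would make it machine-readable, e.g. "Origin: upstream, https://github.com/shaarli/Shaarli/commit/e77c04a76601cdcd62e74c396a931d750e007c45" and "Bug-Debian: https://bugs.debian.org/1111589".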