Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: shaarli@packages.debian.org, jvalleroy@mailbox.org
Control: affects -1 + src:shaarli
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fixes CVE-2025-55291: Prior to 0.15.0, the input string in the cloud tag page is not properly sanitized. This allows the </title> tag to be prematurely closed, leading to a reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability is fixed in 0.15.0. The issue affects all versions of shaarli prior to 0.15.0.

[ Impact ]
The tag search functionality with the XSS vulnerability is accessible in instances of Shaarli that are on the public Internet, even without login.

[ Tests ]
I manually tested for the exploit before and after the fix.

[ Risks ]
It is a very simple change, so the risk appears to be low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Wrap the $searchTags variable in escape() to sanitize the user input. This change is from an upstream commit that applied directly to the older version.

[ Other info ]
I have already uploaded the package to bookworm-proposed-updates.
diff -Nru shaarli-0.12.1+dfsg/debian/changelog shaarli-0.12.1+dfsg/debian/changelog
--- shaarli-0.12.1+dfsg/debian/changelog 2023-01-29 07:36:49.000000000 -0500
+++ shaarli-0.12.1+dfsg/debian/changelog 2025-08-30 09:48:22.000000000 -0400
@@ -1,3 +1,9 @@
+shaarli (0.12.1+dfsg-8+deb12u1) bookworm; urgency=medium
+
+ * Add patch to fix CVE-2025-55291 (Closes: #1111589)
+
+ -- James Valleroy <jvalleroy@mailbox.org> Sat, 30 Aug 2025 09:48:22 -0400
+
shaarli (0.12.1+dfsg-8) unstable; urgency=medium
* Allow AuthConfig in .htaccess
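Review bot: the new changelog entry names only the CVE number; for a stable update the entry should also say what was fixed and where, e.g. `* Add patch to fix CVE-2025-55291: reflected XSS via the searchtags parameter in the tag cloud page title (Closes: #1111589)`, and it helps to mention that the patch is a cherry-pick of the upstream commit so the security tracker and future maintainers can cross-reference it without opening the patch file.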
diff -Nru shaarli-0.12.1+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch shaarli-0.12.1+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch
--- shaarli-0.12.1+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch 1969-12-31 19:00:00.000000000 -0500
+++ shaarli-0.12.1+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch 2025-08-30 09:48:22.000000000 -0400
@@ -0,0 +1,26 @@
+From: James Valleroy <jvalleroy@mailbox.org>
+Date: Fri, 22 Aug 2025 16:22:13 -0400
+Subject: fix reflected XSS via searchtags parameter
+
+Applied from upstream commit:
+https://github.com/shaarli/Shaarli/commit/e77c04a76601cdcd62e74c396a931d750e007c45
+
+Fix for CVE-2025-55291:
+https://security-tracker.debian.org/tracker/CVE-2025-55291
+---
+ application/front/controller/visitor/TagCloudController.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/application/front/controller/visitor/TagCloudController.php b/application/front/controller/visitor/TagCloudController.php
+index 46d6277..2012740 100644
+--- a/application/front/controller/visitor/TagCloudController.php
++++ b/application/front/controller/visitor/TagCloudController.php
+@@ -87,7 +87,7 @@ class TagCloudController extends ShaarliVisitorController
+ $searchTags = !empty($searchTags) ? trim(str_replace($tagsSeparator, ' ', $searchTags)) . ' - ' : '';
+ $this->assignView(
+ 'pagetitle',
+- $searchTags . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli')
++ escape($searchTags) . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli')
+ );
+
+ return $response->write($this->render('tag.' . $type));
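Review bot: the escaping is applied at the sink where `$searchTags` is concatenated into the `pagetitle` string, which is where the `</title>` break-out occurred, so the fix is in the right place; only that one assignment is visible in the hunk, though, so please confirm that no other path in this method hands the unescaped `$searchTags` value to the template (anything else that ends up inside `<title>` or an attribute would need the same treatment). On the patch header, the free-form `Applied from upstream commit:` and `Fix for CVE-2025-55291:` lines would be better expressed as DEP-3 fields, e.g. `Origin: upstream, https://github.com/shaarli/Shaarli/commit/e77c04a76601cdcd62e74c396a931d750e007c45` and `Bug-Debian: https://bugs.debian.org/1111589`, so tooling can pick them up.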
diff -Nru shaarli-0.12.1+dfsg/debian/patches/series shaarli-0.12.1+dfsg/debian/patches/series
--- shaarli-0.12.1+dfsg/debian/patches/series 2023-01-29 07:36:49.000000000 -0500
+++ shaarli-0.12.1+dfsg/debian/patches/series 2025-08-30 09:48:22.000000000 -0400
@@ -18,3 +18,4 @@
0019-webpack-Resolve-from-system-install-paths.patch
0020-Cherry-pick-date-view-fix-from-upstream.patch
0021-webpack-css-loader-Disable-url-resolving.patch
+0025-fix-reflected-XSS-via-searchtags-parameter.patch
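Review bot: the series in bookworm ends at 0021 and the new patch is numbered 0025, leaving 0022 to 0024 unused; if the number was chosen to match the patch name in unstable that is fine, but a short remark in the patch header or changelog saying so would save the next reviewer from wondering whether three patches went missing from the debdiff.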