
Bug#1112529: marked as done (trixie-pu: package shaarli/0.14.0+dfsg-2)



Your message dated Sat, 06 Sep 2025 12:14:57 +0100
with message-id <165032e5317517556dd7fd8cf24843112a3fb6ac.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 13.1
has caused the Debian Bug report #1112529,
regarding trixie-pu: package shaarli/0.14.0+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1112529: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112529
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: shaarli@packages.debian.org, jvalleroy@mailbox.org
Control: affects -1 + src:shaarli
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fixes CVE-2025-55291:
 Prior to 0.15.0, the input string in the cloud tag page is not
 properly sanitized. This allows the </title> tag to be prematurely
 closed, leading to a reflected Cross-Site Scripting (XSS)
 vulnerability. This vulnerability is fixed in 0.15.0.

This issue is also present in old-stable.

In discussion with the security team, they requested it to be fixed in
the upcoming point release.

[ Impact ]
The tag search functionality with the XSS vulnerability is accessible
in instances of Shaarli that are on the public Internet, even without
login.

[ Tests ]
I manually tested for the exploit before and after the fix.

[ Risks ]
It is a very simple change, so the risk appears to be low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Wrap the $searchTags variable in escape() to sanitize the user input.
This change is from an upstream commit that applied directly to the older
version.

I have already uploaded the package to proposed-updates.
diff -Nru shaarli-0.14.0+dfsg/debian/changelog shaarli-0.14.0+dfsg/debian/changelog
--- shaarli-0.14.0+dfsg/debian/changelog	2025-04-15 14:31:42.000000000 -0400
+++ shaarli-0.14.0+dfsg/debian/changelog	2025-08-30 07:45:06.000000000 -0400
@@ -1,3 +1,9 @@
+shaarli (0.14.0+dfsg-2) trixie; urgency=medium
+
+  * Add patch to fix CVE-2025-55291 (Closes: #1111589)
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Sat, 30 Aug 2025 07:45:06 -0400
+
 shaarli (0.14.0+dfsg-1) unstable; urgency=medium
 
   [ William Desportes ]
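Review bot: the new entry on the `+  * Add patch to fix CVE-2025-55291 (Closes: #1111589)` line names only the CVE number, so anyone reading the stable changelog has to look the advisory up to learn what was fixed; a short description in the entry, e.g. `* Add patch to fix CVE-2025-55291: reflected XSS via searchtags parameter in the tag cloud page title (Closes: #1111589)`, keeps the changelog self-explanatory and matches the patch's own subject line. The `trixie` distribution and `urgency=medium` are right for a point-release update.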
diff -Nru shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch
--- shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch	1969-12-31 19:00:00.000000000 -0500
+++ shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch	2025-08-30 07:45:06.000000000 -0400
@@ -0,0 +1,26 @@
+From: James Valleroy <jvalleroy@mailbox.org>
+Date: Fri, 22 Aug 2025 16:22:13 -0400
+Subject: fix reflected XSS via searchtags parameter
+
+Applied from upstream commit:
+https://github.com/shaarli/Shaarli/commit/e77c04a76601cdcd62e74c396a931d750e007c45
+
+Fix for CVE-2025-55291:
+https://security-tracker.debian.org/tracker/CVE-2025-55291
+---
+ application/front/controller/visitor/TagCloudController.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/application/front/controller/visitor/TagCloudController.php b/application/front/controller/visitor/TagCloudController.php
+index 46d6277..2012740 100644
+--- a/application/front/controller/visitor/TagCloudController.php
++++ b/application/front/controller/visitor/TagCloudController.php
+@@ -87,7 +87,7 @@ class TagCloudController extends ShaarliVisitorController
+         $searchTags = !empty($searchTags) ? trim(str_replace($tagsSeparator, ' ', $searchTags)) . ' - ' : '';
+         $this->assignView(
+             'pagetitle',
+-            $searchTags . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli')
++            escape($searchTags) . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli')
+         );
+ 
+         return $response->write($this->render('tag.' . $type));
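Review bot: the patch header records its provenance as free text under `+Applied from upstream commit:`; DEP-3 readers and tooling expect the structured fields instead, i.e. `Origin: upstream, https://github.com/shaarli/Shaarli/commit/e77c04a76601cdcd62e74c396a931d750e007c45` and `Bug-Debian: https://bugs.debian.org/1111589`, with the existing `From:`/`Subject:` lines serving as author and description. On the code change, `escape()` is applied only to `$searchTags`, which is the one user-controlled fragment of the title; the `t('Tag ' . $type)` label and the `general.title` configuration value are admin-controlled, so the narrow scope matches the CVE. Before shipping, confirm that the `tag.` template rendered on the last line emits `{$pagetitle}` without a second escaping filter, otherwise the prefix would show up double-encoded (harmless, but visible to users).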
diff -Nru shaarli-0.14.0+dfsg/debian/patches/series shaarli-0.14.0+dfsg/debian/patches/series
--- shaarli-0.14.0+dfsg/debian/patches/series	2025-04-15 14:31:42.000000000 -0400
+++ shaarli-0.14.0+dfsg/debian/patches/series	2025-08-30 07:45:06.000000000 -0400
@@ -21,3 +21,4 @@
 0022-RequiresPhpunit-11-for-test-failing-with-PHPUnit-11.patch
 0023-Rename-PluginQrcodeTest-as-PluginReadItLaterTest-PHP.patch
 0024-RequiresPhpunit-12-for-test-failing-with-PHPUnit-12.patch
+0025-fix-reflected-XSS-via-searchtags-parameter.patch

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature


--- End Message ---
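The report above describes the fix in one sentence: the user-supplied search string is concatenated into the page `<title>`, and wrapping it in `escape()` stops a literal `</title>` in that string from ending the element early. The following is an added example, not Shaarli's code and not part of the bug report: it mirrors the controller's prefix logic, builds the title the pre-fix and the post-fix way, and runs a regression check over a constructed search string. `escapeForHtml()`, `searchTagsPrefix()`, `buildTitleBefore()`, `buildTitleAfter()` and `titleEndsEarly()` are names chosen here; the escaper is assumed to behave like Shaarli's `escape()` (HTML-encoding of special characters) and is implemented directly on `htmlspecialchars()`, the `t()` translation wrapper is dropped, and `,` is an assumed tag separator.

```php
<?php
// Added example, not Shaarli's code: the vulnerable and the fixed title construction
// side by side, run over a constructed search string that contains a closing tag.
declare(strict_types=1);

// Stand-in for Shaarli's escape() helper (assumption: it HTML-encodes special
// characters); implemented here directly on top of htmlspecialchars().
function escapeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Same prefix logic as the controller: replace the tag separator with spaces, trim,
// and append ' - ' when a search string is present. The separator is an assumed value.
function searchTagsPrefix(string $searchTags, string $separator): string
{
    return $searchTags !== '' ? trim(str_replace($separator, ' ', $searchTags)) . ' - ' : '';
}

// Pre-fix behaviour: the user-controlled prefix is concatenated into the title raw.
function buildTitleBefore(string $searchTags, string $type, string $siteTitle): string
{
    return searchTagsPrefix($searchTags, ',') . 'Tag ' . $type . ' - ' . $siteTitle;
}

// Post-fix behaviour: only the user-controlled prefix passes through the escaper,
// which is exactly the scope of the one-line upstream change.
function buildTitleAfter(string $searchTags, string $type, string $siteTitle): string
{
    return escapeForHtml(searchTagsPrefix($searchTags, ',')) . 'Tag ' . $type . ' - ' . $siteTitle;
}

// Regression check: a <title> element ends only at a literal "</title>", so that is
// the one sequence the rendered title text must never contain. Other characters are
// harmless inside <title>, which is why encoding "<" and ">" is sufficient here.
function titleEndsEarly(string $title): bool
{
    return stripos($title, '</title>') !== false;
}

// Constructed input: a search string carrying a closing title tag.
$searchTags = 'php</title>notes';

$before = buildTitleBefore($searchTags, 'cloud', 'Shaarli');
$after  = buildTitleAfter($searchTags, 'cloud', 'Shaarli');

printf("before: %s\n  ends early: %s\n", $before, titleEndsEarly($before) ? 'yes' : 'no');
printf("after:  %s\n  ends early: %s\n", $after, titleEndsEarly($after) ? 'yes' : 'no');
```

Run with `php example.php`: the pre-fix title still carries the closing tag, the post-fix title carries `&lt;/title&gt;` instead, which the browser shows as text without leaving the `<title>` element. The same `titleEndsEarly()` check is a cheap assertion to keep in a unit test for the controller, since the fix is a single call that a later refactor could silently drop.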
--- Begin Message ---
Package: release.debian.org
Version: 13.1

Hi,

Each of the updates referenced by these requests was included in
today's 13.1 point release for trixie.

Regards,

Adam

--- End Message ---
