
Bug#1112542: marked as done (bookworm-pu: package shaarli/0.12.1+dfsg-8+deb12u1)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1112542,
regarding bookworm-pu: package shaarli/0.12.1+dfsg-8+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1112542: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112542
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: shaarli@packages.debian.org, jvalleroy@mailbox.org
Control: affects -1 + src:shaarli
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fixes CVE-2025-55291:
 Prior to 0.15.0, the input string in the cloud tag page is not
 properly sanitized. This allows the </title> tag to be prematurely
 closed, leading to a reflected Cross-Site Scripting (XSS)
 vulnerability. This vulnerability is fixed in 0.15.0.

The issue affects all versions of shaarli prior to 0.15.0.

[ Impact ]
The tag search functionality with the XSS vulnerability is accessible
in instances of Shaarli that are on the public Internet, even without
login.

[ Tests ]
I manually tested for the exploit before and after the fix.

[ Risks ]
It is a very simple change, so the risk appears to be low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Wrap the $searchTags variable in escape() to sanitize the user input.
This change is from an upstream commit that applied directly to the older
version.

[ Other info ]
I have already uploaded the package to bookworm-proposed-updates.

diff -Nru shaarli-0.12.1+dfsg/debian/changelog shaarli-0.12.1+dfsg/debian/changelog
--- shaarli-0.12.1+dfsg/debian/changelog	2023-01-29 07:36:49.000000000 -0500
+++ shaarli-0.12.1+dfsg/debian/changelog	2025-08-30 09:48:22.000000000 -0400
@@ -1,3 +1,9 @@
+shaarli (0.12.1+dfsg-8+deb12u1) bookworm; urgency=medium
+
+  * Add patch to fix CVE-2025-55291 (Closes: #1111589)
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Sat, 30 Aug 2025 09:48:22 -0400
+
 shaarli (0.12.1+dfsg-8) unstable; urgency=medium
 
   * Allow AuthConfig in .htaccess
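
Review bot: The new changelog entry at the top of this hunk names only the CVE and the closed bug; it does not name the patch file or say that the change is an upstream cherry-pick. Consider wording such as "d/patches: add 0025-fix-reflected-XSS-via-searchtags-parameter.patch from upstream to fix CVE-2025-55291 (reflected XSS via the searchtags parameter)", so the entry is self-describing for anyone reading it without the debdiff.
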
diff -Nru shaarli-0.12.1+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch shaarli-0.12.1+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch
--- shaarli-0.12.1+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch	1969-12-31 19:00:00.000000000 -0500
+++ shaarli-0.12.1+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch	2025-08-30 09:48:22.000000000 -0400
@@ -0,0 +1,26 @@
+From: James Valleroy <jvalleroy@mailbox.org>
+Date: Fri, 22 Aug 2025 16:22:13 -0400
+Subject: fix reflected XSS via searchtags parameter
+
+Applied from upstream commit:
+https://github.com/shaarli/Shaarli/commit/e77c04a76601cdcd62e74c396a931d750e007c45
+
+Fix for CVE-2025-55291:
+https://security-tracker.debian.org/tracker/CVE-2025-55291
+---
+ application/front/controller/visitor/TagCloudController.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/application/front/controller/visitor/TagCloudController.php b/application/front/controller/visitor/TagCloudController.php
+index 46d6277..2012740 100644
+--- a/application/front/controller/visitor/TagCloudController.php
++++ b/application/front/controller/visitor/TagCloudController.php
+@@ -87,7 +87,7 @@ class TagCloudController extends ShaarliVisitorController
+         $searchTags = !empty($searchTags) ? trim(str_replace($tagsSeparator, ' ', $searchTags)) . ' - ' : '';
+         $this->assignView(
+             'pagetitle',
+-            $searchTags . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli')
++            escape($searchTags) . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli')
+         );
+ 
+         return $response->write($this->render('tag.' . $type));
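
Review bot: In the 'pagetitle' assignment only $searchTags is passed through escape(), and the hunk does not show whether $searchTags reaches any other view variable in this method, so it is worth confirming that no other assignView() call in TagCloudController emits it unescaped. The request also states the fix was tested manually; no regression test accompanies the one-line change. Separately, the patch header records provenance as free text ("Applied from upstream commit:"); DEP-3 fields such as "Origin: upstream, <commit URL>" and "Bug-Debian: https://bugs.debian.org/1111589" would make it machine-readable.
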
diff -Nru shaarli-0.12.1+dfsg/debian/patches/series shaarli-0.12.1+dfsg/debian/patches/series
--- shaarli-0.12.1+dfsg/debian/patches/series	2023-01-29 07:36:49.000000000 -0500
+++ shaarli-0.12.1+dfsg/debian/patches/series	2025-08-30 09:48:22.000000000 -0400
@@ -18,3 +18,4 @@
 0019-webpack-Resolve-from-system-install-paths.patch
 0020-Cherry-pick-date-view-fix-from-upstream.patch
 0021-webpack-css-loader-Disable-url-resolving.patch
+0025-fix-reflected-XSS-via-searchtags-parameter.patch
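
Review bot: The added series entry is numbered 0025 while the last existing entry in the context is 0021, leaving 0022 to 0024 unused in this branch. If the number was kept to match the patch name used in unstable, note that in the changelog; otherwise renumber the patch to 0022 so the bookworm series stays contiguous.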



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
