Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'd like to propose the attached patch for inclusion in the next stable point release, as it fixes a remote code execution security issue. Sorry for already uploading the package.

Greetings,
Joachim

- -- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHbxlkACgkQ9ijrk0dDIGwTIQCgnLjedjCxfUorCgdQ047CGWC3
V68AnRk7VZFnpDhhveuxwC2TEM6rEMIi
=v/MH
-----END PGP SIGNATURE-----
diff -Nru xmonad-contrib-0.10/debian/changelog xmonad-contrib-0.10/debian/changelog --- xmonad-contrib-0.10/debian/changelog 2012-02-10 23:16:12.000000000 +0100 +++ xmonad-contrib-0.10/debian/changelog 2013-07-09 08:23:04.000000000 +0200 @@ -1,3 +1,12 @@ +xmonad-contrib (0.10-4~deb7u1) stable; urgency=low + + * debian/patches/escape-window-titles.patch: + Escape dzen markup and remove xmobar tags from window titles by default. + Fixes possible malicous code execution. Thanks to Raúl Benencia for + noticing and Adam Vogt for fixing. CVE-2013-1436 + + -- Joachim Breitner <nome...@debian.org> Mon, 08 Jul 2013 23:02:16 +0200 + xmonad-contrib (0.10-3) unstable; urgency=low * Sourceful upload to rebuild documentation package diff -Nru xmonad-contrib-0.10/debian/NEWS xmonad-contrib-0.10/debian/NEWS --- xmonad-contrib-0.10/debian/NEWS 1970-01-01 01:00:00.000000000 +0100 +++ xmonad-contrib-0.10/debian/NEWS 2013-07-09 08:28:48.000000000 +0200 @@ -0,0 +1,8 @@ +xmonad-contrib (0.10-4~deb7u1) stable; urgency=low + + This update fixes a possible security hole in the XMonad.Hooks.DynamicLog + module (CVE-2013-1436). If you use this module, please make sure to + recompile your xmonad binary after upgrading the package: Edit your + ~/.xmonad/xmonad.hs file and then press Mod-Q. + + -- Joachim Breitner <nome...@debian.org> Mon, 08 Jul 2013 22:49:35 +0200 diff -Nru xmonad-contrib-0.10/debian/patches/escape-window-titles.patch xmonad-contrib-0.10/debian/patches/escape-window-titles.patch --- xmonad-contrib-0.10/debian/patches/escape-window-titles.patch 1970-01-01 01:00:00.000000000 +0100 +++ xmonad-contrib-0.10/debian/patches/escape-window-titles.patch 2013-07-08 22:47:49.000000000 +0200 
@@ -0,0 +1,112 @@ +Author: Adam Vogt <vogt.a...@gmail.com> +Description: Escape dzen markup and remove xmobar tags from window titles by default. + The issue was that window titles, such as those set by, for example a browser, + could set the window title to display something like + . + <action=malicious shell command>normal title</action> + . + Which could be executed by xmobar (or dzen). + . + This adds a ppTitleSanitize which does the above functions. This way when users + override ppTitle, the benefits are not lost. + . + Thanks to Raúl Benencia and Joachim Breitner for bringing this to my attention. +Origin: upstream, http://code.haskell.org/XMonadContrib +Forwarded: not-needed + +Index: xmonad-contrib-0.10/XMonad/Hooks/DynamicLog.hs +=================================================================== +--- xmonad-contrib-0.10.orig/XMonad/Hooks/DynamicLog.hs 2013-07-08 22:45:02.043159857 +0200 ++++ xmonad-contrib-0.10/XMonad/Hooks/DynamicLog.hs 2013-07-08 22:45:02.039159857 +0200 +@@ -1,4 +1,4 @@ +-{-# LANGUAGE FlexibleContexts #-} ++{-# LANGUAGE FlexibleContexts, PatternGuards #-} + + ----------------------------------------------------------------------------- + -- | +@@ -43,6 +43,7 @@ + -- * Formatting utilities + wrap, pad, trim, shorten, + xmobarColor, xmobarStrip, ++ xmobarStripTags, + dzenColor, dzenEscape, dzenStrip, + + -- * Internal formatting functions +@@ -57,10 +58,10 @@ + -- Useful imports + + import Codec.Binary.UTF8.String (encodeString) +-import Control.Monad (liftM2) ++import Control.Monad (liftM2, msum) + import Data.Char ( isSpace, ord ) +-import Data.List (intersperse, isPrefixOf, sortBy) +-import Data.Maybe ( isJust, catMaybes ) ++import Data.List (intersperse, stripPrefix, isPrefixOf, sortBy) ++import Data.Maybe ( isJust, catMaybes, mapMaybe ) + import Data.Ord ( comparing ) + import qualified Data.Map as M + import qualified XMonad.StackSet as S +@@ -279,7 +280,7 @@ + return $ encodeString . sepBy (ppSep pp) . 
ppOrder pp $ + [ ws + , ppLayout pp ld +- , ppTitle pp wt ++ , ppTitle pp $ ppTitleSanitize pp wt + ] + ++ catMaybes extras + +@@ -394,16 +395,29 @@ + + -- ??? add an xmobarEscape function? + +--- | Strip xmobar markup. ++-- | Strip xmobar markup, specifically the <fc>, <icon> and <action> tags and ++-- the matching tags like </fc>. + xmobarStrip :: String -> String +-xmobarStrip = strip [] where ++xmobarStrip = xmobarStripTags ["fc","icon","action"] where ++ ++xmobarStripTags :: [String] -- ^ tags ++ -> String -> String -- ^ with all <tag>...</tag> removed ++xmobarStripTags tags = strip [] where ++ strip keep [] = keep + strip keep x +- | null x = keep +- | "<fc=" `isPrefixOf` x = strip keep (drop 1 . dropWhile (/= '>') $ x) +- | "</fc>" `isPrefixOf` x = strip keep (drop 5 x) +- | '<' == head x = strip (keep ++ "<") (tail x) +- | otherwise = let (good,x') = span (/= '<') x +- in strip (keep ++ good) x' ++ | rest: _ <- mapMaybe dropTag tags = strip keep rest ++ ++ ++ | '<':xs <- x = strip (keep ++ "<") xs ++ | (good,x') <- span (/= '<') x = strip (keep ++ good) x' -- this is n^2 bad... but titles have few tags ++ where dropTag :: String -> Maybe String ++ dropTag tag = msum [fmap dropTilClose (openTag tag `stripPrefix` x), ++ closeTag tag `stripPrefix` x] ++ ++ dropTilClose, openTag, closeTag :: String -> String ++ dropTilClose = drop 1 . dropWhile (/= '>') ++ openTag str = "<" ++ str ++ "=" ++ closeTag str = "</" ++ str ++ ">" + + -- | The 'PP' type allows the user to customize the formatting of + -- status information. +@@ -427,6 +441,8 @@ + -- ^ separator to use between workspace tags + , ppTitle :: String -> String + -- ^ window title format ++ , ppTitleSanitize :: String -> String ++ -- ^ escape / sanitizes input to 'ppTitle' + , ppLayout :: String -> String + -- ^ layout name format + , ppOrder :: [String] -> [String] +@@ -468,6 +484,7 @@ + , ppSep = " : " + , ppWsSep = " " + , ppTitle = shorten 80 ++ , ppTitleSanitize = xmobarStrip . 
dzenEscape + , ppLayout = id + , ppOrder = id + , ppOutput = putStrLn diff -Nru xmonad-contrib-0.10/debian/patches/series xmonad-contrib-0.10/debian/patches/series --- xmonad-contrib-0.10/debian/patches/series 2012-02-10 23:16:05.000000000 +0100 +++ xmonad-contrib-0.10/debian/patches/series 2013-07-08 22:45:00.000000000 +0200 @@ -1 +1,2 @@ use-x-www-browser.patch +escape-window-titles.patch
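Review bot: typo in the debian/changelog hunk: "Fixes possible malicous code execution." should read "malicious". This entry is what apt-listchanges shows to every user installing the point release and what the security tracker will quote for CVE-2013-1436, so it is worth correcting in the next upload.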
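Review bot: the debian/NEWS hunk tells users to "Edit your ~/.xmonad/xmonad.hs file and then press Mod-Q", which only works because xmonad rebuilds when xmonad.hs is newer than the compiled binary; an edit that changes nothing is an odd instruction. Suggest saying explicitly that touching the file or running `xmonad --recompile` followed by Mod-Q is enough, and that until the binary is rebuilt it still contains the old DynamicLog code and remains vulnerable, which is the reason the NEWS entry exists.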
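Review bot: in the escape-window-titles.patch hunk @@ -394,16 +395,29 @@, the new definition `xmobarStrip = xmobarStripTags ["fc","icon","action"] where` keeps a trailing `where` with an empty body, left over from the old `strip` definition; it compiles as an empty where block but should be dropped, and the two consecutive blank guard lines after `| rest: _ <- mapMaybe dropTag tags = strip keep rest` look like leftovers too. On the logic: the fix is a denylist of three tag names, and the `'<':xs` guard copies any other `<` through unchanged, so a tag name that xmobar adds later will again reach the bar untouched. The file's own "??? add an xmobarEscape function?" comment is still open after this patch; until such an escape exists the Haddock for `xmobarStripTags` should state that the tag list must be kept in sync with the tags xmobar interprets.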
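Review bot: the hunk @@ -427,6 +441,8 @@ adds a new field `ppTitleSanitize` to the `PP` record, and `dynamicLogString` now always evaluates it. A user configuration that builds `PP` with full record syntax instead of `defaultPP { ... }` will compile with only a missing-field warning and then fail at runtime when the title is formatted, so this deserves a sentence in debian/NEWS next to the recompile instructions. Minor: the Haddock "escape / sanitizes input to 'ppTitle'" should read "escapes / sanitizes".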
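Review bot: in the hunk @@ -468,6 +484,7 @@ the default `ppTitleSanitize = xmobarStrip . dzenEscape` applies the dzen escaping to every user, including xmobar users, and the xmobar stripping to every dzen user. That is the safe direction, but since `dzenEscape` rewrites characters (it doubles `^`) xmobar users will see the escaped form in titles containing those characters; consider overriding the default in `dzenPP` and `xmobarPP` with the bar-specific function, keeping the combined one only in `defaultPP`.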