Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

libhtml-template-pro-perl has a minor XSS issue[1] that the security team suggests to fix through a point release (they do not plan to release a DSA for it). I prepared an update for squeeze, see the attached debdiff.

Regards,
Ansgar

[1] <http://bugs.debian.org/652587>
diff -Nur '--exclude=.git' '--exclude=.svn' '--exclude=.pc' /tmp/libhtml-template-pro-perl-0.9502/debian/changelog ./debian/changelog --- /tmp/libhtml-template-pro-perl-0.9502/debian/changelog 2010-06-28 18:04:29.000000000 +0200 +++ ./debian/changelog 2011-12-27 18:33:54.624344313 +0100 @@ -1,3 +1,10 @@ +libhtml-template-pro-perl (0.9502-1+squeeze1) squeeze; urgency=low + + * Patch XSS vulnerability. (Closes: #652587) + + new patch: 652587.diff + + -- Ansgar Burchardt <ans...@debian.org> Sun, 18 Dec 2011 23:39:24 +0100 + libhtml-template-pro-perl (0.9502-1) unstable; urgency=low * New upstream release. diff -Nur '--exclude=.git' '--exclude=.svn' '--exclude=.pc' /tmp/libhtml-template-pro-perl-0.9502/debian/patches/652587.diff ./debian/patches/652587.diff --- /tmp/libhtml-template-pro-perl-0.9502/debian/patches/652587.diff 1970-01-01 01:00:00.000000000 +0100 +++ ./debian/patches/652587.diff 2011-12-27 18:33:54.624344313 +0100 
@@ -0,0 +1,33 @@ +Origin: backported, changes included in 0.9507 +Bug-Debian: http://bugs.debian.org/652587 +Subject: XSS vulnerability (missing escaping) + +--- libhtml-template-pro-perl.orig/pstrutils.inc ++++ libhtml-template-pro-perl/pstrutils.inc +@@ -124,6 +124,8 @@ + case '\'' : bufdelta=2; strncpy(buf+offset, "\\'",bufdelta);break; + case '\n' : bufdelta=2; strncpy(buf+offset, "\\n",bufdelta);break; + case '\r' : bufdelta=2; strncpy(buf+offset, "\\r",bufdelta);break; ++ case '>' : bufdelta=4; strncpy(buf+offset, ">", bufdelta);break; ++ case '<' : bufdelta=4; strncpy(buf+offset, "<", bufdelta);break; + default: *(buf+offset)=curchar; + } + offset+=bufdelta; +--- libhtml-template-pro-perl.orig/templates-Pro/test_esc4.out ++++ libhtml-template-pro-perl/templates-Pro/test_esc4.out +@@ -1,3 +1,3 @@ + <H1> test_esc4 </H1> +- \\<>\"; %FAhidden:\r\nend ++ \\<>\"; %FAhidden:\r\nend + +--- libhtml-template-pro-perl.orig/templates-Pro/test_var3.out ++++ libhtml-template-pro-perl/templates-Pro/test_var3.out +@@ -8,7 +8,7 @@ + \<>"; %FAhidden: + end + +- \\<>\"; %FAhidden:\r\nend ++ \\<>\"; %FAhidden:\r\nend + + <H1> END test_var3 </H1> + </body></html> diff -Nur '--exclude=.git' '--exclude=.svn' '--exclude=.pc' /tmp/libhtml-template-pro-perl-0.9502/debian/patches/series ./debian/patches/series --- /tmp/libhtml-template-pro-perl-0.9502/debian/patches/series 2010-03-28 19:33:20.000000000 +0200 +++ ./debian/patches/series 2011-12-27 18:33:54.624344313 +0100 @@ -1 +1,2 @@ spelling.patch +652587.diff
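Review bot: In the pstrutils.inc hunk of 652587.diff, the two new cases set bufdelta=4 while the literal passed to strncpy appears here as a single character (">" and "<"); a 4-byte delta only matches a four-character entity (&gt; / &lt;), so the mail rendering has most likely decoded the entities. Please confirm the patch file on disk actually contains the entity strings, otherwise strncpy copies one byte plus three NULs and offset advances past them. Separately, every existing case in this switch expands one input byte to at most 2 output bytes, and the new cases expand to 4; the allocation of buf is not in the hunk, so please check that the size computation in pstrutils.inc was also updated (upstream 0.9507 should show whether it was), or the new escapes can write past the end of buf.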
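Review bot: In the test_esc4.out and test_var3.out hunks the removed and added lines read identically as displayed (\\<>\"; %FAhidden:\r\nend), which again points to entity decoding in transit; the intended change is presumably that the expected output now carries &lt; and &gt; for the angle brackets. Worth double-checking that the .out files in the built package contain the encoded form, since these fixtures are the only thing pinning the new escaping behaviour.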
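Review bot: For the debian/changelog hunk, "Patch XSS vulnerability" does not say which escape mode is affected; since the switch being patched handles \\', \\n and \\r (the JavaScript-style escaper), naming that mode in the entry would help users of the stable update judge their exposure. The DEP-3 headers (Origin, Bug-Debian, Subject) in 652587.diff and the series entry look fine.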