Your message dated Thu, 01 Oct 2009 19:32:05 +0000
with message-id <e1mtrnl-000169...@ries.debian.org>
and subject line Bug#546179: fixed in planet-venus 0~bzr116-1
has caused the Debian Bug report #546179,
regarding planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
546179: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546179
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds
Package: planet-venus
Justification: user security hole
Severity: grave
Tags: security
*** Please type your report below this line ***
The planet feed aggregator attempts to remove malicious content from
user-submitted feeds. It does a great job, but fails to sanitize
this input:
<img src="javascript:alert(1);" >
At least Opera will execute this code.
The package in Lenny is vulnerable and should require a
security update. Fixed packages are available from:
http://www.steve.org.uk/tmp/planet/lenny/
This is the patch I used, written by upstream:
s...@senfl:~$ diff --unified scrub.orig scrub.py
--- scrub.orig 2009-09-09 16:24:50.000000000 +0000
+++ scrub.py 2009-09-09 16:25:18.000000000 +0000
@@ -128,5 +128,13 @@
node['value'] = feedparser._resolveRelativeURIs(
node.value, node.base, 'utf-8', node.type)
- node['value'] = feedparser._sanitizeHTML(
- node.value, 'utf-8', node.type)
+ # Run this through HTML5's serializer
+ from html5lib import html5parser, sanitizer, treebuilders
+ from html5lib import treewalkers, serializer
+ p = html5parser.HTMLParser(tokenizer=sanitizer.HTMLSanitizer,
+ tree=treebuilders.getTreeBuilder('dom'))
+ doc = p.parseFragment(node.value, encoding='utf-8')
+ xhtml = serializer.XHTMLSerializer(inject_meta_charset = False)
+ walker = treewalkers.getTreeWalker('dom')
+ tree = xhtml.serialize(walker(doc), encoding='utf-8')
+ node['value'] = ''.join([str(token) for token in tree])
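Review bot: the comment on the first added line ("Run this through HTML5's serializer") names the wrong component as the fix; the security-relevant part of this hunk is `tokenizer=sanitizer.HTMLSanitizer` passed to `html5parser.HTMLParser`, which is what filters attribute values such as `src="javascript:..."` in place of the removed `feedparser._sanitizeHTML` call, while `XHTMLSerializer` only re-emits the already cleaned tree. Suggest rewording the comment to say the value is sanitized by html5lib's HTMLSanitizer, hoisting the two `from html5lib import ...` lines to module scope so a missing html5lib fails once at import time rather than on the first node, and writing `inject_meta_charset=False` without the spaces around `=`.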
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
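The report above shows a sanitizer that strips tags and attributes by name but lets a `javascript:` URI through in `img src`; the upstream patch delegates that check to html5lib's HTMLSanitizer. The following is an added example written for this page (not planet-venus or html5lib code) of the same defensive rule using only the Python standard library: allow-list tags and attributes, and for URI-valued attributes allow-list the scheme after stripping the ASCII control and whitespace characters that browsers ignore inside a scheme. The tag, attribute and scheme lists are assumptions chosen for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allow-lists assumed for this example; a real aggregator would tune them.
ALLOWED_TAGS = {"a", "p", "b", "i", "em", "strong", "img", "br",
                "ul", "ol", "li", "pre", "code", "blockquote"}
VOID_TAGS = {"img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URI_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}   # drop the tag and its text

_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def uri_is_safe(value: str) -> bool:
    """True if the URI has no scheme (relative) or an allow-listed one."""
    # Browsers ignore tabs/newlines/controls inside a scheme, so
    # "java\tscript:" still executes; normalise before inspecting.
    cleaned = _CTRL_WS.sub("", value)
    match = _SCHEME.match(cleaned)
    if match is None:
        return True          # relative reference, no scheme to abuse
    return match.group(1).lower() in ALLOWED_SCHEMES


class Scrubber(HTMLParser):
    """Rebuilds a fragment keeping only allow-listed tags/attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = None  # name of a DROP_CONTENT tag we are inside

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return               # drop tag, keep its text content
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # HTMLParser has already decoded entities here, so
            # "&#106;avascript:" arrives as "javascript:" and is caught.
            if name in URI_ATTRS and not uri_is_safe(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        closer = " /" if tag in VOID_TAGS else ""
        self.out.append(f"<{tag}{''.join(kept)}{closer}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skipping == tag:
            self.skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(escape(data, quote=False))


def scrub(fragment: str) -> str:
    """Return a re-serialized fragment with unsafe markup removed."""
    parser = Scrubber()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: the input from the bug report plus a few variants.
    for sample in ('<img src="javascript:alert(1);" >',
                   '<a href="java\tscript:alert(1)">x</a>',
                   '<img src="http://example.invalid/a.png" alt="ok">',
                   '<p onclick="x">hi</p><script>alert(1)</script>'):
        print(repr(sample), "->", repr(scrub(sample)))
```

The check is on the parsed attribute value rather than on the raw text, so entity-encoded and whitespace-padded schemes are normalised before the allow-list is consulted; tags that are not allowed are dropped but their text is kept, except for script and style, whose content is discarded.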
--- Begin Message ---
Source: planet-venus
Source-Version: 0~bzr116-1
We believe that the bug you reported is fixed in the latest version of
planet-venus, which is due to be installed in the Debian FTP archive:
planet-venus_0~bzr116-1.diff.gz
to pool/main/p/planet-venus/planet-venus_0~bzr116-1.diff.gz
planet-venus_0~bzr116-1.dsc
to pool/main/p/planet-venus/planet-venus_0~bzr116-1.dsc
planet-venus_0~bzr116-1_all.deb
to pool/main/p/planet-venus/planet-venus_0~bzr116-1_all.deb
planet-venus_0~bzr116.orig.tar.gz
to pool/main/p/planet-venus/planet-venus_0~bzr116.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 546...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
(supplier of updated planet-venus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 01 Oct 2009 19:12:13 +0200
Source: planet-venus
Binary: planet-venus
Architecture: source all
Version: 0~bzr116-1
Distribution: unstable
Urgency: high
Maintainer: Noah Slater <nsla...@tumbolia.org>
Changed-By: Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
Description:
planet-venus - aggregate feed generator
Closes: 546179
Changes:
planet-venus (0~bzr116-1) unstable; urgency=high
.
[ Piotr Ożarowski ]
* New upstream snapshot (Closes: #546179 - CVE-2009-2937)
* Add python-beautifulsoup to Recommends and python-lxml to Suggests
* Remove .py[oc] files in clean rule
* Standards-Version bumped to 3.8.3 (no changes needed)
.
[ Noah Slater ]
* Updated debian/rules to use clean and cleanbuilddir targets.
* Updated patch for --help output to better satisfy GNU Coding Standards.
* Updated debian/control, updated Vcs-Browser.
* Updated debian/control, updated Build-Depends on debhelper to 7.2.11.
Checksums-Sha1:
0bae29cc7ae6f2df85f2faad6d32f529645ef6df 1386 planet-venus_0~bzr116-1.dsc
e321e654092e4cd391d3bbb744591036504bf65d 400151 planet-venus_0~bzr116.orig.tar.gz
331605b853a91b09ac1684b106c445ea732ab8d0 8819 planet-venus_0~bzr116-1.diff.gz
43dddda9a2078f3bdecd6330281bfa9dd456550b 262518 planet-venus_0~bzr116-1_all.deb
Checksums-Sha256:
305dcd86918e8700e7b141941ceea813175af9adb02a2365198073735ce228e3 1386 planet-venus_0~bzr116-1.dsc
003c4665d6ad9e3f0c1cc2044a139773b1e09102dbb7f0c01be7c37ca061f6ed 400151 planet-venus_0~bzr116.orig.tar.gz
2ef143dc74919b744d0465419a352bdede23aa4cf727d1c19c652ef048d3b1c9 8819 planet-venus_0~bzr116-1.diff.gz
2680efb12babf577eebaf81877c24a1c419c6c714a084b188b87b02ca6a0efaf 262518 planet-venus_0~bzr116-1_all.deb
Files:
242dcec10fb5db6d28bdf081b76728b6 1386 python extra planet-venus_0~bzr116-1.dsc
7407f69f261b46be29e1983288c15bab 400151 python extra planet-venus_0~bzr116.orig.tar.gz
8cf3b778fb4cf021da7fc1640bf418f3 8819 python extra planet-venus_0~bzr116-1.diff.gz
37d7a81530a496734324df6db18cafc1 262518 python extra planet-venus_0~bzr116-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrFAJIACgkQB01zfu119ZkZMACcDwfnnPRVqs4YzMVzHO75U5Vm
Z/QAoJ5u3IXTj7TeeFKOOzb5PQnn56Um
=genh
-----END PGP SIGNATURE-----
--- End Message ---