Your message dated Mon, 05 Oct 2009 19:58:21 +0000
with message-id <e1muthn-0005y7...@ries.debian.org>
and subject line Bug#546179: fixed in planet-venus 0~bzr95-2+lenny1
has caused the Debian Bug report #546179,
regarding planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
546179: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546179
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds
Package: planet-venus
Justification: user security hole
Severity: grave
Tags: security
*** Please type your report below this line ***
The planet feed aggregator attempts to remove malicious content from
user-submitted feeds. It does a great job, but fails to sanitize
this input:
<img src="javascript:alert(1);" >
At least Opera will execute this code.
The package in Lenny is vulnerable and should require a
security update. Fixed packages are available from:
http://www.steve.org.uk/tmp/planet/lenny/
This is the patch I used, written by upstream:
s...@senfl:~$ diff --unified scrub.orig scrub.py
--- scrub.orig 2009-09-09 16:24:50.000000000 +0000
+++ scrub.py 2009-09-09 16:25:18.000000000 +0000
@@ -128,5 +128,13 @@
node['value'] = feedparser._resolveRelativeURIs(
node.value, node.base, 'utf-8', node.type)
- node['value'] = feedparser._sanitizeHTML(
- node.value, 'utf-8', node.type)
+ # Run this through HTML5's serializer
+ from html5lib import html5parser, sanitizer, treebuilders
+ from html5lib import treewalkers, serializer
+ p = html5parser.HTMLParser(tokenizer=sanitizer.HTMLSanitizer,
+ tree=treebuilders.getTreeBuilder('dom'))
+ doc = p.parseFragment(node.value, encoding='utf-8')
+ xhtml = serializer.XHTMLSerializer(inject_meta_charset = False)
+ walker = treewalkers.getTreeWalker('dom')
+ tree = xhtml.serialize(walker(doc), encoding='utf-8')
+ node['value'] = ''.join([str(token) for token in tree])
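Review bot: no regression test accompanies the change, although the report gives a concrete input (`<img src="javascript:alert(1);" >`); add a test that feeds that fragment through the new path and asserts the serialized `node['value']` no longer carries a `javascript:` URI, so the html5lib-based scrub cannot silently regress to the `feedparser._sanitizeHTML` behaviour. Two smaller points: the `html5lib` imports sit inline beside the call and are re-executed every time this code runs, so move them to module level (and, since this is a Debian package, declare the new `python-html5lib` dependency in `debian/control`); and the removed call passed `node.type` to the sanitizer while the replacement parses every value as HTML regardless of type, so confirm the enclosing branch only reaches this code for HTML node types.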
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
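As an added illustration of the specific check the report's `<img src="javascript:alert(1);">` case exercises (this is not code from the bug report, planet-venus, feedparser or html5lib): a scheme allowlist for URI-bearing attributes, built on Python's standard-library `html.parser`. It covers only URI attributes, not script elements or event-handler attributes, so it stands in for one part of a feed sanitizer, not the whole.

```python
import re
from html import escape, unescape
from html.parser import HTMLParser

# Attributes that carry a URI and therefore need a scheme check (constructed list).
URI_ATTRS = {"src", "href", "cite", "action", "background", "longdesc"}
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}


def uri_is_safe(value):
    """Allowlist check: keep a URI only if it is relative or uses a known scheme."""
    v = unescape(value)                     # '&#106;avascript:' -> 'javascript:'
    v = re.sub(r"[\x00-\x20\x7f]", "", v)   # browsers ignore embedded whitespace/controls
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", v)
    if not m:
        return True                         # no scheme at all: relative reference
    return m.group(1).lower() in SAFE_SCHEMES


class UriScrubber(HTMLParser):
    """Re-emit the fragment, dropping URI attributes whose scheme is not allowed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []                   # (tag, attribute, value) for logging/detection

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:           # html.parser hands us decoded attribute values
            if name.lower() in URI_ATTRS and value is not None and not uri_is_safe(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}" for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def scrub_uri_attributes(fragment):
    """Return (scrubbed fragment, list of dropped URI attributes)."""
    p = UriScrubber()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped
```

The `dropped` list is what a feed aggregator would log, so a feed that keeps tripping the check can be flagged rather than silently cleaned.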
--- Begin Message ---
Source: planet-venus
Source-Version: 0~bzr95-2+lenny1
We believe that the bug you reported is fixed in the latest version of
planet-venus, which is due to be installed in the Debian FTP archive:
planet-venus_0~bzr95-2+lenny1.diff.gz
to pool/main/p/planet-venus/planet-venus_0~bzr95-2+lenny1.diff.gz
planet-venus_0~bzr95-2+lenny1.dsc
to pool/main/p/planet-venus/planet-venus_0~bzr95-2+lenny1.dsc
planet-venus_0~bzr95-2+lenny1_all.deb
to pool/main/p/planet-venus/planet-venus_0~bzr95-2+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 546...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
(supplier of updated planet-venus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Fri, 02 Oct 2009 15:29:44 +0200
Source: planet-venus
Binary: planet-venus
Architecture: source all
Version: 0~bzr95-2+lenny1
Distribution: stable
Urgency: high
Maintainer: Noah Slater <nsla...@bytesexual.org>
Changed-By: Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
Description:
planet-venus - aggregate feed generator
Closes: 546179
Changes:
planet-venus (0~bzr95-2+lenny1) stable; urgency=high
.
[ Runa Sandvik ]
* Added patch from Steve Kemp to escape input feeds (Closes: #546179) [CVE-2009-2937]
.
[ Piotr Ożarowski ]
* Upload (as PAPT member)
--- End Message ---