Hi, Hendrik, the problem is that the patch decodes %%2222 to %22 and then back to ".
I will upload Florians patch in an NMU. debdiff attached. Cheers Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u awstats-6.7.dfsg/debian/changelog awstats-6.7.dfsg/debian/changelog --- awstats-6.7.dfsg/debian/changelog +++ awstats-6.7.dfsg/debian/changelog @@ -1,3 +1,11 @@ +awstats (6.7.dfsg-5.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Strip '"' characters during URL decoding, fixing a cross-site + scripting attack (CVE-2008-3714; CVE-2008-5080; Closes: #495432). + + -- Nico Golde <[EMAIL PROTECTED]> Wed, 10 Dec 2008 13:05:43 +0100 + awstats (6.7.dfsg-5) unstable; urgency=low * Add debian/patches/0001_awstats69beta_xss.patch, diff -u awstats-6.7.dfsg/debian/patches/series awstats-6.7.dfsg/debian/patches/series --- awstats-6.7.dfsg/debian/patches/series +++ awstats-6.7.dfsg/debian/patches/series @@ -5,0 +6 @@ +1006_CVE-2008-3714_5080.patch only in patch2: unchanged: --- awstats-6.7.dfsg.orig/debian/patches/1006_CVE-2008-3714_5080.patch +++ awstats-6.7.dfsg/debian/patches/1006_CVE-2008-3714_5080.patch @@ -0,0 +1,10 @@ +--- awstats-6.5+dfsg.orig/wwwroot/cgi-bin/awstats.pl ++++ awstats-6.5+dfsg/wwwroot/cgi-bin/awstats.pl +@@ -4395,6 +4395,7 @@ + my $stringtodecode=shift; + $stringtodecode =~ tr/\+/ /s; + $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg; ++ $stringtodecode =~ s/["']//g; + return $stringtodecode; + } +
pgpb65ECCXFXC.pgp
Description: PGP signature