Ansgar Burchardt <[email protected]> writes:
> The JS escaping in libhtml-template-pro-perl fails to escape "<" and
> ">" which allows XSS. This was fixed in the last upstream release (0.9507).
>
> An example script that triggers the bug is attached. With 0.9507 it
> outputs
>
> <evil>
>
> older versions generate
>
> <evil>
>
> instead.
I prepared a backport of the relevant changes to squeeze (attached). Lenny might be affected as well, I'll look into that in the next days.

Does the security team want to release a DSA for this issue or should it be fixed via proposed-updates?

Regards,
Ansgar
diff -Nru libhtml-template-pro-perl-0.9502/debian/changelog libhtml-template-pro-perl-0.9502/debian/changelog --- libhtml-template-pro-perl-0.9502/debian/changelog 2010-06-28 18:04:29.000000000 +0200 +++ libhtml-template-pro-perl-0.9502/debian/changelog 2011-12-18 23:40:12.000000000 +0100 @@ -1,3 +1,10 @@ +libhtml-template-pro-perl (0.9502-1+squeeze1) squeeze; urgency=low + + * Patch XSS vulnerability. (Closes: #652587) + + new patch: 652587.diff + + -- Ansgar Burchardt <[email protected]> Sun, 18 Dec 2011 23:39:24 +0100 + libhtml-template-pro-perl (0.9502-1) unstable; urgency=low * New upstream release. diff -Nru libhtml-template-pro-perl-0.9502/debian/patches/652587.diff libhtml-template-pro-perl-0.9502/debian/patches/652587.diff --- libhtml-template-pro-perl-0.9502/debian/patches/652587.diff 1970-01-01 01:00:00.000000000 +0100 +++ libhtml-template-pro-perl-0.9502/debian/patches/652587.diff 2011-12-18 23:46:04.000000000 +0100 
@@ -0,0 +1,33 @@ +Origin: backported, changes included in 0.9507 +Bug-Debian: http://bugs.debian.org/652587 +Subject: XSS vulnerability (missing escaping) + +--- libhtml-template-pro-perl.orig/pstrutils.inc ++++ libhtml-template-pro-perl/pstrutils.inc +@@ -124,6 +124,8 @@ + case '\'' : bufdelta=2; strncpy(buf+offset, "\\'",bufdelta);break; + case '\n' : bufdelta=2; strncpy(buf+offset, "\\n",bufdelta);break; + case '\r' : bufdelta=2; strncpy(buf+offset, "\\r",bufdelta);break; ++ case '>' : bufdelta=4; strncpy(buf+offset, ">", bufdelta);break; ++ case '<' : bufdelta=4; strncpy(buf+offset, "<", bufdelta);break; + default: *(buf+offset)=curchar; + } + offset+=bufdelta; +--- libhtml-template-pro-perl.orig/templates-Pro/test_esc4.out ++++ libhtml-template-pro-perl/templates-Pro/test_esc4.out +@@ -1,3 +1,3 @@ + <H1> test_esc4 </H1> +- \\<>\"; %FAhidden:\r\nend ++ \\<>\"; %FAhidden:\r\nend + +--- libhtml-template-pro-perl.orig/templates-Pro/test_var3.out ++++ libhtml-template-pro-perl/templates-Pro/test_var3.out +@@ -8,7 +8,7 @@ + \<>"; %FAhidden: + end + +- \\<>\"; %FAhidden:\r\nend ++ \\<>\"; %FAhidden:\r\nend + + <H1> END test_var3 </H1> + </body></html> diff -Nru libhtml-template-pro-perl-0.9502/debian/patches/series libhtml-template-pro-perl-0.9502/debian/patches/series --- libhtml-template-pro-perl-0.9502/debian/patches/series 2010-03-28 19:33:20.000000000 +0200 +++ libhtml-template-pro-perl-0.9502/debian/patches/series 2011-12-18 23:35:36.000000000 +0100 @@ -1 +1,2 @@ spelling.patch +652587.diff
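Review bot: in the pstrutils.inc hunk the two added cases set bufdelta=4, but the literal handed to strncpy is shown as a single character (`">"` and `"<"`), so strncpy would copy one byte and NUL-pad the other three, and `offset+=bufdelta;` would then leave three NUL bytes in the escaped output; a 4-byte JavaScript escape sequence is presumably intended and the inline copy of the patch looks entity-decoded, so the literals should be checked byte-for-byte against the upstream 0.9507 change before upload. It is also worth confirming that `buf` is allocated with room for the 4-byte expansion of every `<` and `>`, since all the existing cases in this switch grow the output by at most 2 bytes per input character.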
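Review bot: in the test_esc4.out and test_var3.out hunks the removed and added lines read identically (`\\<>\"; %FAhidden:\r\nend`), so the change to the expected output cannot be reviewed from the inline copy; please verify the attached file rather than this text. Note also that the earlier line in test_var3.out (`\<>"; %FAhidden:`) is left unchanged, which should be confirmed as intentional, i.e. that it does not pass through the same JS escaping path that now emits escapes for `<` and `>`.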

