Your message dated Sat, 11 Jul 2026 10:32:48 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1140671,
regarding trixie-pu: package python-memray/1.17.0+dfsg-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140671: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140671
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:python-memray
User: [email protected]
Usertags: pu

  * CVE-2026-32722: XSS in generated HTML reports via unescaped
    command-line metadata (Closes: #1131372)
diffstat for python-memray-1.17.0+dfsg python-memray-1.17.0+dfsg

 changelog                                       |    8 ++
 patches/0001-Fix-escaping-in-HTML-reports.patch |   88 ++++++++++++++++++++++++
 patches/series                                  |    1 
 3 files changed, 97 insertions(+)

diff -Nru python-memray-1.17.0+dfsg/debian/changelog 
python-memray-1.17.0+dfsg/debian/changelog
--- python-memray-1.17.0+dfsg/debian/changelog  2025-04-04 22:28:26.000000000 
+0300
+++ python-memray-1.17.0+dfsg/debian/changelog  2026-06-24 14:32:46.000000000 
+0300
@@ -1,3 +1,11 @@
+python-memray (1.17.0+dfsg-1.1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-32722: XSS in generated HTML reports via unescaped
+    command-line metadata (Closes: #1131372)
+
+ -- Adrian Bunk <[email protected]>  Wed, 24 Jun 2026 14:32:46 +0300
+
 python-memray (1.17.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 1.17.0.
diff -Nru 
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
 
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
--- 
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
    1970-01-01 02:00:00.000000000 +0200
+++ 
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
    2026-06-24 14:32:46.000000000 +0300
@@ -0,0 +1,88 @@
+From b08620f772126ed3e340ddbb9893819a32289ab5 Mon Sep 17 00:00:00 2001
+From: Matt Wozniski <[email protected]>
+Date: Wed, 11 Mar 2026 14:52:56 -0400
+Subject: Fix escaping in HTML reports
+
+Ensure the command line is properly HTML escaped when writing it into
+flamegraph and table reports.
+
+Signed-off-by: Matt Wozniski <[email protected]>
+---
+ src/memray/reporters/templates/base.html |  2 +-
+ tests/unit/test_templates.py             | 43 ++++++++++++++++++++++++
+ 2 files changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/src/memray/reporters/templates/base.html 
b/src/memray/reporters/templates/base.html
+index b3bfc94..ce5f4ea 100644
+--- a/src/memray/reporters/templates/base.html
++++ b/src/memray/reporters/templates/base.html
+@@ -95,7 +95,7 @@
+           </button>
+         </div>
+         <div class="modal-body">
+-          Command line: <code>{{ metadata.command_line }}</code><br>
++          Command line: <code>{{ metadata.command_line|e }}</code><br>
+           Start time: <span id="stats-start-time"> {{ metadata.start_time 
}}</span><br>
+           End time: <span id="stats-end-time"> {{ metadata.end_time 
}}</span><br>
+           Duration: {{ metadata.end_time - metadata.start_time }}<br>
+diff --git a/tests/unit/test_templates.py b/tests/unit/test_templates.py
+index 2a57ef3..1938f5c 100644
+--- a/tests/unit/test_templates.py
++++ b/tests/unit/test_templates.py
+@@ -1,6 +1,11 @@
++from datetime import datetime
++
+ import pytest
+ 
++from memray import Metadata
++from memray._memray import FileFormat
+ from memray.reporters.templates import get_report_title
++from memray.reporters.templates import render_report
+ 
+ 
+ @pytest.mark.parametrize(
+@@ -21,3 +26,41 @@ def test_title_for_regular_report(kind, show_memory_leaks, 
inverted, expected):
+         )
+         == expected
+     )
++
++
[email protected](
++    "kind",
++    ["flamegraph", "table"],
++)
++def test_html_report_escaping(kind):
++    """Test that command line arguments are properly escaped."""
++    # GIVEN
++    metadata = Metadata(
++        start_time=datetime(2024, 1, 1, 0, 0, 0),
++        end_time=datetime(2024, 1, 1, 0, 1, 0),
++        total_allocations=100,
++        total_frames=10,
++        peak_memory=1024,
++        command_line="python test.py </code>",
++        pid=12345,
++        main_thread_id=1,
++        python_allocator="pymalloc",
++        has_native_traces=False,
++        trace_python_allocators=False,
++        file_format=FileFormat.ALL_ALLOCATIONS,
++    )
++
++    # WHEN
++    html_output = render_report(
++        kind=kind,
++        data=[],
++        metadata=metadata,
++        memory_records=[],
++        show_memory_leaks=False,
++        merge_threads=False,
++        inverted=False,
++    )
++
++    # THEN
++    assert html_output.count("<code>") == html_output.count("</code>")
++    assert "python test.py &lt;/code&gt;" in html_output
+-- 
+2.47.3
+
diff -Nru python-memray-1.17.0+dfsg/debian/patches/series 
python-memray-1.17.0+dfsg/debian/patches/series
--- python-memray-1.17.0+dfsg/debian/patches/series     2025-04-04 
22:28:26.000000000 +0300
+++ python-memray-1.17.0+dfsg/debian/patches/series     2026-06-24 
14:32:44.000000000 +0300
@@ -3,3 +3,4 @@
 003-rm-distutils-from-setup.patch
 002-rm-external-git-link.patch
 001-fix-html-privacy-breach.patch
+0001-Fix-escaping-in-HTML-reports.patch

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to