Hi! Please find attached my proposed interdiff that I would like to get incorporated into the next stable point release. Both bugs have security impact, but it is too low to warrant a security advisory. Nevertheless, it would be pretty nice to have them fixed for stable anyway.
The second part of the patch (about $flavour) is just the same as how it was fixed in unstable and by upstream; the first part of the patch (about param("-f") handling) was done just for stable, because the way it was fixed in the lenny/unstable version would be too intrusive and would change the way the script works, so it's not acceptable for a stable update. Thanks in advance, I will upload only after a positive reply.

Rhonda
diff -u blosxom-2.0/blosxom.cgi blosxom-2.0/blosxom.cgi --- blosxom-2.0/blosxom.cgi +++ blosxom-2.0/blosxom.cgi @@ -66,7 +66,12 @@ ## On Debian GNU/Linux systems, read configuration files (if found) ## Dirk Eddelbuettel <[EMAIL PROTECTED]> -for $rcfile ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf", param("-f")) { +my @conffiles = ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf"); + +# only use param("-f") if GATEWAY_INTERFACE isn't set, Debian BTS #423441 +push @conffiles, param("-f") unless $ENV{GATEWAY_INTERFACE}; + +for $rcfile (@conffiles) { if (-r $rcfile) { open (RC, "< $rcfile") or die "Cannot open $rcfile: $!"; while (<RC>) { @@ -131,6 +136,23 @@ $flavour = param('flav') || $default_flavour; } +# Fix XSS in flavour name (CVE-2008-2236) +$flavour = blosxom_html_escape($flavour); + +sub blosxom_html_escape { + my $string = shift; + my %escape = ( + '<' => '<', + '>' => '>', + '&' => '&', + '"' => '"', + "'" => ''' + ); + my $escape_re = join '|' => keys %escape; + $string =~ s/($escape_re)/$escape{$1}/g; + $string; +} + # Strip spurious slashes $path_info =~ s!(^/*)|(/*$)!!g; diff -u blosxom-2.0/debian/changelog blosxom-2.0/debian/changelog --- blosxom-2.0/debian/changelog +++ blosxom-2.0/debian/changelog @@ -1,3 +1,12 @@ +blosxom (2.0-14+etch1) stable; urgency=high + + * Apply patch to fix Cross-Site Scripting (XSS) vulnerability with respect + to unknown flavours (CVE-2008-2236) (closes: #500873) + * Only use param("-f") if $ENV{GATEWAY_INTERFACE} isn't set + (closes: #423441) + + -- Gerfried Fuchs <[EMAIL PROTECTED]> Mon, 06 Oct 2008 16:01:44 +0200 + blosxom (2.0-14) unstable; urgency=low alfie:
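Review bot: in the first blosxom.cgi hunk (the @conffiles change), `push @conffiles, param("-f") unless $ENV{GATEWAY_INTERFACE};` still pushes an undefined value when no `-f` is given on the command line, so the loop then runs `-r undef`, which warns under `-w`; guard it with `push @conffiles, param("-f") if !$ENV{GATEWAY_INTERFACE} && defined param("-f");`. The intent (a web request must never be able to pick an arbitrary config file through `-f`, only a command-line run may) is the right fix for #423441 and is worth stating in the comment as the security reason, not just the bug number.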
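Review bot: in the second blosxom.cgi hunk (blosxom_html_escape), the %escape table as shown here maps each character to itself (`'<' => '<'`, `'&' => '&'`, ...), which would make the function a no-op and leave CVE-2008-2236 unfixed; please confirm the replacement values in the actual patch are the HTML entities (`&lt;`, `&gt;`, `&amp;`, `&quot;`, `&#39;`) and that they were only flattened by the mail rendering. Two smaller points: `join '|' => keys %escape` builds the alternation without `quotemeta`, which happens to be safe for these five characters but should use `map { quotemeta } keys %escape` so a later addition cannot break the regex, and since the escaped `$flavour` is still used as the flavour name, a request with `&` in it will now look up the entity-encoded name; that matches upstream's fix, but a whitelist such as `$flavour =~ /^[A-Za-z0-9_-]+$/` would avoid both the XSS and that side effect.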