Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:beets
User: [email protected]
Usertags: pu
Fix CVE-2026-42052 and #1135779

[ Reason ]
CVE is considered low risk, no DSA, and fixable by production update.

[ Impact ]
CVE remains unfixed.

[ Tests ]
Added a test in patch add_unit_test_checking_unsafe_web_ui_input to check
the CVE is fixed. test/plugins/test_web.py should give assurance against
regressions.

[ Risks ]
Regression in web ui plugin, but existing tests should cover this.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable, not uploaded yet.

[ Changes ]
All input fields in the web ui js template are using escaping syntax
(<%- %) instead of the non-escaping syntax (<%= %)

[ Other info ]
I'm not a DD, I won't be uploading myself. I will probably be continuing
work with eamanu who did a first review.
diff -Nru beets-2.2.0/debian/changelog beets-2.2.0/debian/changelog --- beets-2.2.0/debian/changelog 2025-04-13 23:38:58.000000000 +0200 +++ beets-2.2.0/debian/changelog 2026-05-14 19:51:52.000000000 +0200 @@ -1,3 +1,11 @@ +beets (2.2.0-3+deb13u1) UNRELEASED; urgency=medium + + * Add patch to fix xss vulnerability CVE-2026-42052 in web ui + (Closes: #1135779) + * Add patch with test for unsafe web ui input + + -- Pieter Lenaerts <[email protected]> Thu, 14 May 2026 19:51:52 +0200 + beets (2.2.0-3) unstable; urgency=medium [ Florent 'Skia' Jacquet ] diff -Nru beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input --- beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input 2025-04-13 23:38:58.000000000 +0200 +++ beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input 2026-05-14 19:51:52.000000000 +0200 @@ -2,7 +2,7 @@ Date: Sat, 9 May 2026 12:22:05 +0200 Subject: Add unit test checking for unsafe input in web ui -Forwarded: No +Forwarded: https://github.com/beetbox/beets/pull/6639 --- test/plugins/test_web_xss.py | 84 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) diff -Nru beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui --- beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 2025-04-13 23:38:58.000000000 +0200 +++ beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 2026-05-14 19:51:52.000000000 +0200 
@@ -1,10 +1,10 @@ -From: Pieter Lenaerts <[email protected]> +From: Šarūnas Nejus https://github.com/snejus Date: Sat, 9 May 2026 08:04:44 +0200 Subject: Fix XSS by using escaped template tags in web UI Bug: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847 -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135779 -Origin: https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a +Bug-Debian: https://bugs.debian.org/1135779 +Origin: backport, https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a Forwarded: not-needed --- beetsplug/web/templates/index.html | 28 ++++++++++++++--------------
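Review bot: the changelog hunk still targets `UNRELEASED` (`beets (2.2.0-3+deb13u1) UNRELEASED; urgency=medium`); for a trixie proposed-update the distribution field has to be the codename `trixie` (matching the `Tags: trixie` on this report) before the sponsored upload, otherwise the upload is rejected. The `+deb13u1` version and the `(Closes: #1135779)` reference are fine as they are.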
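Review bot: the hunk for `debian/patches/add_unit_test_checking_unsafe_web_ui_input` only flips `Forwarded: No` to the PR URL, which means this debdiff was taken against an earlier draft of the same update rather than against the 2.2.0-3 package in trixie: the 84-line `test/plugins/test_web_xss.py` body, the `debian/patches/series` entry and the fix patch body are not visible, so the checked item "attach debdiff against the package in (old)stable" is not met by what is attached. Please regenerate it as `debdiff beets_2.2.0-3.dsc beets_2.2.0-3+deb13u1.dsc` so the new test can be reviewed and confirmed to fail without the fix patch and pass with it; the report also cites `test/plugins/test_web.py` while the stat shows the new file is `test_web_xss.py`, so say which one is the new test.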
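Review bot: in the DEP-3 header hunk of `fix_xss_by_using_escaped_template_tags_in_web_ui`, `From: Šarūnas Nejus https://github.com/snejus` puts a URL where DEP-3 expects an address (`From: Name <email>`); take the author line from the upstream commit 75f0d8f4899e61afb939adf02dcfb078aed23a6a (git format-patch emits it) or drop `From:` and rely on `Origin: backport, <commit URL>`, which already credits upstream. The `Origin: backport, ...` plus `Forwarded: not-needed` pair and the short `Bug-Debian: https://bugs.debian.org/1135779` form are correct DEP-3 usage. The `Date:` line still carries the Debian-side creation date (Sat, 9 May 2026) rather than the upstream commit date; harmless, but align it if you copy `From:` from the upstream commit.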
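The `<%= %>` versus `<%- %>` distinction under [ Changes ] is the whole fix, so the following added example (not beets' code, not Underscore's, and not part of this bug report) shows what the two Underscore-style tags do to attacker-controlled track metadata. The real `_.template` is replaced by a minimal compiler that implements only those two tags, with expressions limited to dotted property paths; `escapeHtml` mirrors the character set of Underscore's `_.escape` (an assumption stated in the code). The template fragments and the hostile track are constructed for the example and are not the contents of `beetsplug/web/templates/index.html`.

```javascript
// Added example: a minimal stand-in for an Underscore-style template engine
// supporting only the two tags the report discusses. Not beets' code and not
// Underscore itself; tag semantics follow Underscore's documented behaviour:
// <%= expr %> inserts the value raw, <%- expr %> HTML-escapes it first.

// Assumption: same character set as Underscore's _.escape.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

function escapeHtml(value) {
  const s = value == null ? '' : String(value);
  return s.replace(/[&<>"'`]/g, ch => ESCAPE_MAP[ch]);
}

// Compile a template into render(data). Expressions are restricted to dotted
// property paths so the example needs no eval; Underscore compiles the whole
// template to a JS function instead, but the escaping rule is the same.
function compileTemplate(source) {
  const TAG = /<%([=-])\s*([\w.]+)\s*%>/g;
  const parts = [];
  let last = 0;
  let m;
  while ((m = TAG.exec(source)) !== null) {
    parts.push({ text: source.slice(last, m.index) });
    parts.push({ mode: m[1], path: m[2] });
    last = TAG.lastIndex;
  }
  parts.push({ text: source.slice(last) });

  return function render(data) {
    return parts.map(p => {
      if (p.text !== undefined) return p.text;
      const value = p.path.split('.')
        .reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
      return p.mode === '-' ? escapeHtml(value) : (value == null ? '' : String(value));
    }).join('');
  };
}

// Constructed fragments in the shape of a track row; not the real index.html.
const VULNERABLE_TEMPLATE =
  '<li class="track"><span class="title"><%= item.title %></span>' +
  ' - <span class="artist"><%= item.artist %></span></li>';
const FIXED_TEMPLATE =
  '<li class="track"><span class="title"><%- item.title %></span>' +
  ' - <span class="artist"><%- item.artist %></span></li>';

function renderVulnerable(item) { return compileTemplate(VULNERABLE_TEMPLATE)({ item }); }
function renderFixed(item) { return compileTemplate(FIXED_TEMPLATE)({ item }); }

// Regression check in the spirit of the test patch: list every expression
// still wrapped in the non-escaping tag. Returns [] for a clean template.
function findUnescapedTags(source) {
  return [...source.matchAll(/<%=\s*([^%]*?)\s*%>/g)].map(m => m[1]);
}

// Constructed "track" whose title is an XSS payload, as it could arrive from a
// crafted tag in an imported music file.
const hostileItem = { title: '<img src=x onerror=alert(1)>', artist: "O'Brien" };

console.log('unescaped :', renderVulnerable(hostileItem));
console.log('escaped   :', renderFixed(hostileItem));
console.log('lint      :', findUnescapedTags(VULNERABLE_TEMPLATE), findUnescapedTags(FIXED_TEMPLATE));
```

Run with `node`. The escaped rendering keeps the payload as inert text (`&lt;img ...&gt;`), which is exactly what switching every `<%=` to `<%-` buys. Two caveats for review of the real template: HTML entity escaping is only correct for HTML text and quoted attribute values, so any value placed in an inline `<script>` block or a `javascript:`/`href` context needs a context-specific encoder; and the `findUnescapedTags` lint only sees the template tags, so HTML assembled by string concatenation in the page's own JS must be checked separately.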

