Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:beets
User: [email protected]
Usertags: pu
Fix CVE-2026-42052 and #1135779

[ Reason ]
CVE is considered low risk, no DSA, and fixable by production update.

[ Impact ]
CVE remains unfixed.

[ Tests ]
Added a test in patch add_unit_test_checking_unsafe_web_ui_input to check the CVE is fixed. test/plugins/test_web.py should give assurance against regressions.

[ Risks ]
Regression in web ui plugin, but existing tests should cover this.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable

[ Changes ]
All input fields in the web ui js template are using escaping syntax (<%- %>) instead of the non-escaping syntax (<%= %>)

[ Other info ]
I'm not a DD, I won't be uploading myself. I will probably be continuing work with eamanu who did a first review. My fix for unstable is also waiting review/upload.
diff -Nru beets-1.6.0/debian/changelog beets-1.6.0/debian/changelog --- beets-1.6.0/debian/changelog 2023-01-01 19:44:21.000000000 +0100 +++ beets-1.6.0/debian/changelog 2026-05-15 18:02:11.000000000 +0200 @@ -1,3 +1,10 @@ +beets (1.6.0-4+deb12u1) UNRELEASED; urgency=medium + + * Add patches fixing CVE-2026-42052 (Closes: #1135779) + * Backport patch to fix a test that thinks 2025 is in the future + + -- Pieter Lenaerts <[email protected]> Thu, 15 May 2026 18:02:11 +0200 + beets (1.6.0-4) unstable; urgency=medium * Patch: Support mediafile 0.11. (Closes: #1027461, 1027519) diff -Nru beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input --- beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input 2023-01-01 19:44:21.000000000 +0100 +++ beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input 2026-05-15 17:56:39.000000000 +0200 @@ -2,7 +2,7 @@ Date: Sat, 9 May 2026 12:22:05 +0200 Subject: Add unit test checking for unsafe input in web ui -Forwarded: No +Forwarded: https://github.com/beetbox/beets/pull/6639 --- test/plugins/test_web_xss.py | 84 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) diff -Nru beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui --- beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 2023-01-01 19:44:21.000000000 +0100 +++ beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 2026-05-15 17:56:39.000000000 +0200 
@@ -1,10 +1,10 @@ -From: Pieter Lenaerts <[email protected]> +From: Šarūnas Nejus https://github.com/snejus Date: Sat, 9 May 2026 08:04:44 +0200 Subject: Fix XSS by using escaped template tags in web UI Bug: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135779 -Origin: https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a +Origin: backport, https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a Forwarded: not-needed --- beetsplug/web/templates/index.html | 28 ++++++++++++++--------------
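Review bot: the new changelog entry in the first hunk targets UNRELEASED, but a bookworm proposed-update has to name the stable distribution; change `+beets (1.6.0-4+deb12u1) UNRELEASED; urgency=medium` to `beets (1.6.0-4+deb12u1) bookworm; urgency=medium` before upload. The second bullet, `Backport patch to fix a test that thinks 2025 is in the future`, names no patch file, so a changelog reader cannot tell which entry under debian/patches it refers to; naming the patch there would make the entry self-explanatory.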
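Review bot: in the add_unit_test_checking_unsafe_web_ui_input header hunk, the diffstat lists `test/plugins/test_web_xss.py | 84 ++++++` while the [Tests] section of this request cites test/plugins/test_web.py as the regression guard; confirm which file actually holds the new test and make the two descriptions agree. Replacing `Forwarded: No` with the upstream pull request URL is the correct DEP-3 form.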
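Review bot: in the fix_xss_by_using_escaped_template_tags_in_web_ui header hunk, `+From: Šarūnas Nejus https://github.com/snejus` puts a bare profile URL where DEP-3 expects `Name <email>`; either take the author address from the referenced upstream commit 75f0d8f4899e61afb939adf02dcfb078aed23a6a or drop the URL and let the Origin line carry the attribution. The rest of the header is fine: `Origin: backport, <commit URL>` correctly signals the commit was adapted rather than applied verbatim, and `Forwarded: not-needed` is right for a fix derived from upstream.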


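The [Changes] section contrasts Underscore.js's raw `<%= %>` tag with the HTML-escaping `<%- %>` tag. As an added example that is not code from beets or from this patch, the block below mimics only the interpolation behaviour of those two tags (mirroring the character set of Underscore's `_.escape`) and adds a regression check that lists any raw tag left in a template source; `render`, `escapeHtml`, `findUnescapedTags`, the sample item and the template strings are assumptions constructed for the demonstration, not beets' index.html.

```javascript
// Added example, not code from beets or the Debian patch. Mimics only the
// interpolation behaviour of Underscore.js templates (the real beets
// template uses _.template) so it runs offline without the library.

// Same characters Underscore's _.escape replaces.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// <%= key %> inserts the value verbatim (the pre-fix syntax);
// <%- key %> inserts it HTML-escaped (the fixed syntax). The key is a
// dotted lookup into `data`; Underscore evaluates arbitrary JS, which a
// demonstration does not need.
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_match, tag, key) => {
    const value = key.split('.').reduce((obj, k) => obj[k], data);
    return tag === '-' ? escapeHtml(value) : String(value);
  });
}

// Regression check in the spirit of the patch's unit test: list every raw
// <%= %> tag still present in a template source. For the fixed template
// the result should be an empty array.
function findUnescapedTags(templateSource) {
  return [...templateSource.matchAll(/<%=\s*[^%]*%>/g)].map((m) => m[0]);
}

// Constructed sample data: a track whose title and artist carry markup
// characters that a tag editor would happily store.
const item = { title: '<b>x</b> & "q"', artist: 'A & B' };
const rawTemplate = '<li><%= item.title %> by <%= item.artist %></li>';
const safeTemplate = '<li><%- item.title %> by <%- item.artist %></li>';

console.log(render(rawTemplate, { item }));   // markup reaches the DOM as-is
console.log(render(safeTemplate, { item }));  // markup rendered as inert text
console.log(findUnescapedTags(rawTemplate));  // the two tags the fix replaces
console.log(findUnescapedTags(safeTemplate)); // []
```

Running `findUnescapedTags` over a template file in CI is a cheap guard against the raw syntax creeping back in.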