Sorry, attached faulty debdiff. This is one looks better.
diff -Nru beets-1.6.0/debian/changelog beets-1.6.0/debian/changelog --- beets-1.6.0/debian/changelog 2023-01-01 19:44:21.000000000 +0100 +++ beets-1.6.0/debian/changelog 2026-05-15 18:02:11.000000000 +0200 @@ -1,3 +1,10 @@ +beets (1.6.0-4+deb12u1) UNRELEASED; urgency=medium + + * Add patches fixing CVE-2026-42052 (Closes: #1135779) + * Backport patch to fix a test that thinks 2025 is in the future + + -- Pieter Lenaerts <[email protected]> Thu, 15 May 2026 18:02:11 +0200 + beets (1.6.0-4) unstable; urgency=medium * Patch: Support mediafile 0.11. (Closes: #1027461, 1027519) diff -Nru beets-1.6.0/debian/patches/2025-future beets-1.6.0/debian/patches/2025-future --- beets-1.6.0/debian/patches/2025-future 1970-01-01 01:00:00.000000000 +0100 +++ beets-1.6.0/debian/patches/2025-future 2026-05-15 17:56:39.000000000 +0200 @@ -0,0 +1,37 @@ +From: Pieter Lenaerts <[email protected]> +Date: Mon, 11 May 2026 19:55:36 +0200 +Subject: Future proof BucketPluginTest.test_year_single_year_last_folder + +This test assumes 2025 is in the future. It used to be. + +This is a backport from Stefano's patch in tag debian/2.2.0-2 + +Forwarded: not-needed +Origin: https://salsa.debian.org/python-team/packages/beets/-/blob/debian/2.2.0-2/debian/patches/2025-future?ref_type=tags +--- + test/test_bucket.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/test/test_bucket.py b/test/test_bucket.py +index 46091e2..a2db41b 100644 +--- a/test/test_bucket.py ++++ b/test/test_bucket.py +@@ -14,6 +14,7 @@ + + """Tests for the 'bucket' plugin.""" + ++from datetime import datetime + + import unittest + from beetsplug import bucket +@@ -50,7 +51,9 @@ class BucketPluginTest(unittest.TestCase, TestHelper): + year.""" + self._setup_config(bucket_year=['1950', '1970']) + self.assertEqual(self.plugin._tmpl_bucket('2014'), '1970') +- self.assertEqual(self.plugin._tmpl_bucket('2025'), '2025') ++ next_year = datetime.now().year + 1 ++ self.assertEqual(self.plugin._tmpl_bucket(str(next_year)), ++ str(next_year)) + + def test_year_two_years(self): + """Buckets can be named with the 'from-to' syntax.""" diff -Nru beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input --- beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input 1970-01-01 01:00:00.000000000 +0100 +++ beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input 2026-05-15 17:56:39.000000000 +0200 @@ -0,0 +1,100 @@ +From: Pieter Lenaerts <[email protected]> +Date: Sat, 9 May 2026 12:22:05 +0200 +Subject: Add unit test checking for unsafe input in web ui + +Forwarded: https://github.com/beetbox/beets/pull/6639 +--- + test/plugins/test_web_xss.py | 84 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 84 insertions(+) + create mode 100644 test/plugins/test_web_xss.py + +diff --git a/test/plugins/test_web_xss.py b/test/plugins/test_web_xss.py +new file mode 100644 +index 0000000..2743489 +--- /dev/null ++++ b/test/plugins/test_web_xss.py +@@ -0,0 +1,84 @@ ++"""Tests for XSS vulnerability in the web plugin templates. ++ ++This test verifies that the Underscore.js templates in index.html use ++the escaping syntax (<%- %) instead of the non-escaping syntax (<%= %). ++ ++In Underscore.js 1.2.2 (used by beets): ++- <%= variable %> does NOT escape HTML (vulnerable to XSS) ++- <%- variable %> DOES escape HTML (safe) ++ ++The test checks the index.html template file served by Flask to ensure ++all user data interpolations in the Underscore.js templates use the escaping ++syntax. ++ ++Generated using mistral vibe, verified by Pieter Lenaerts <[email protected]> ++""" ++ ++import re ++ ++from test import _common ++from beetsplug import web ++ ++ ++class WebXSSTest(_common.LibTestCase): ++ def setUp(self): ++ super().setUp() ++ web.app.config['TESTING'] = True ++ web.app.config['lib'] = self.lib ++ web.app.config['INCLUDE_PATHS'] = False ++ web.app.config['READONLY'] = True ++ self.client = web.app.test_client() ++ ++ def test_templates_use_escaping_syntax(self): ++ """Verify that all Underscore.js templates use <%- %> for escaping. ++ ++ This test requests the index.html page and checks that all ++ user data interpolations in the Underscore.js templates use ++ the escaping syntax (<%- %) rather than the non-escaping syntax (<%= %). ++ ++ Before the fix (with <%= %>), this test will fail. ++ After the fix (with <%- %>), this test will pass. ++ """ ++ # Request the index.html page ++ response = self.client.get("/") ++ html = response.data.decode("utf-8") ++ ++ # Extract the template scripts from the HTML ++ # The templates are in <script type="text/template"> blocks ++ template_pattern = r'<script type="text/template"[^>]*>(.*?)</script>' ++ templates = re.findall(template_pattern, html, re.DOTALL) ++ ++ # Combine all template content for checking ++ all_template_content = "\n".join(templates) ++ ++ # Check that no <%= %> (non-escaping) tags exist for user data ++ # We look for <%= followed by a variable name (word characters) ++ non_escaping_pattern = r'<%=\s*(\w+)\s*%>' ++ non_escaping_matches = re.findall(non_escaping_pattern, all_template_content) ++ ++ # List of fields that should be escaped (user-controlled data) ++ user_data_fields = [ ++ 'title', 'artist', 'album', 'year', 'track', 'tracktotal', ++ 'disc', 'disctotal', 'length', 'format', 'bitrate', ++ 'mb_trackid', 'id', 'lyrics', 'comments' ++ ] ++ ++ # Check if any user data fields are using non-escaping <%= %> ++ vulnerable_fields = [field for field in non_escaping_matches if field in user_data_fields] ++ ++ # If we found any user data fields using <%= %>, the templates are vulnerable ++ assert len(vulnerable_fields) == 0, ( ++ f"Found non-escaping <%= %> tags for user data fields: {vulnerable_fields}. " ++ f"These should use <%- %> for HTML escaping to prevent XSS." ++ ) ++ ++ # Also verify that escaping tags (<%- %>) are present for user data ++ escaping_pattern = r'<%-\s*(\w+)\s*%>' ++ escaping_matches = re.findall(escaping_pattern, all_template_content) ++ ++ # At least some user data fields should use escaping ++ safe_fields = [field for field in escaping_matches if field in user_data_fields] ++ assert len(safe_fields) > 0, ( ++ "No escaping <%- %> tags found for user data fields. " ++ "Templates should use <%- %> for HTML escaping." ++ ) diff -Nru beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui --- beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 1970-01-01 01:00:00.000000000 +0100 +++ beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 2026-05-15 17:56:39.000000000 +0200 @@ -0,0 +1,82 @@ +From: Šarūnas Nejus https://github.com/snejus +Date: Sat, 9 May 2026 08:04:44 +0200 +Subject: Fix XSS by using escaped template tags in web UI + +Bug: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135779 +Origin: backport, https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a +Forwarded: not-needed +--- + beetsplug/web/templates/index.html | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/beetsplug/web/templates/index.html b/beetsplug/web/templates/index.html +index 0fdd46d..7b1e43f 100644 +--- a/beetsplug/web/templates/index.html ++++ b/beetsplug/web/templates/index.html +@@ -45,16 +45,16 @@ + + <!-- Templates. --> + <script type="text/template" id="item-entry-template"> +- <%= title %> ++ <%- title %> + <span class="playing">▶</span> + </script> + <script type="text/template" id="item-main-detail-template"> +- <span class="artist"><%= artist %></span> ++ <span class="artist"><%- artist %></span> + <span class="album"> +- <span class="albumtitle"><%= album %></span> +- <span class="year">(<%= year %>)</span> ++ <span class="albumtitle"><%- album %></span> ++ <span class="year">(<%- year %>)</span> + </span> +- <span class="title"><%= title %></span> ++ <span class="title"><%- title %></span> + + <button class="play">▶</button> + +@@ -63,34 +63,34 @@ + <script type="text/template" id="item-extra-detail-template"> + <dl> + <dt>Track</dt> +- <dd><%= track %>/<%= tracktotal %></dd> ++ <dd><%- track %>/<%- tracktotal %></dd> + <% if (disc) { %> + <dt>Disc</dt> +- <dd><%= disc %>/<%= disctotal %></dd> ++ <dd><%- disc %>/<%- disctotal %></dd> + <% } %> + <dt>Length</dt> +- <dd><%= timeFormat(length) %></dd> ++ <dd><%- timeFormat(length) %></dd> + <dt>Format</dt> +- <dd><%= format %></dd> ++ <dd><%- format %></dd> + <dt>Bitrate</dt> +- <dd><%= Math.round(bitrate/1000) %> kbps</dd> ++ <dd><%- Math.round(bitrate/1000) %> kbps</dd> + <% if (mb_trackid) { %> + <dt>MusicBrainz entry</dt> + <dd> +- <a target="_blank" href="http://musicbrainz.org/recording/<%= mb_trackid %>">view</a> ++ <a target="_blank" href="http://musicbrainz.org/recording/<%- mb_trackid %>">view</a> + </dd> + <% } %> + <dt>File</dt> + <dd> +- <a target="_blank" class="download" href="item/<%= id %>/file">download</a> ++ <a target="_blank" class="download" href="item/<%- id %>/file">download</a> + </dd> + <% if (lyrics) { %> + <dt>Lyrics</dt> +- <dd class="lyrics"><%= lyrics %></dd> ++ <dd class="lyrics"><%- lyrics %></dd> + <% } %> + <% if (comments) { %> + <dt>Comments</dt> +- <dd><%= comments %></dd> ++ <dd><%- comments %></dd> + <% } %> + </dl> + </script> diff -Nru beets-1.6.0/debian/patches/series beets-1.6.0/debian/patches/series --- beets-1.6.0/debian/patches/series 2023-01-01 19:44:21.000000000 +0100 +++ beets-1.6.0/debian/patches/series 2026-05-15 17:56:39.000000000 +0200 @@ -3,3 +3,6 @@ skip-buildd-failures unidecode-1.3.6 mediafile-0.11 +fix_xss_by_using_escaped_template_tags_in_web_ui +add_unit_test_checking_unsafe_web_ui_input +2025-future
signature.asc
Description: PGP signature
