Control: retitle -1 trixie-pu: package python-memray/1.17.0+dfsg-1+deb13u1 Control: tags -1 - moreinfo
On Wed, Jun 24, 2026 at 03:05:19PM +0300, Adrian Bunk wrote: >... > +python-memray (1.17.0+dfsg-1.1) trixie; urgency=medium >... A debdiff with fixed version is attached. cu Adrian
diffstat for python-memray-1.17.0+dfsg python-memray-1.17.0+dfsg changelog | 8 ++ patches/0001-Fix-escaping-in-HTML-reports.patch | 88 ++++++++++++++++++++++++ patches/series | 1 3 files changed, 97 insertions(+)
diff -Nru python-memray-1.17.0+dfsg/debian/changelog python-memray-1.17.0+dfsg/debian/changelog
--- python-memray-1.17.0+dfsg/debian/changelog 2025-04-04 22:28:26.000000000 +0300
+++ python-memray-1.17.0+dfsg/debian/changelog 2026-06-27 16:51:20.000000000 +0300
@@ -1,3 +1,11 @@
+python-memray (1.17.0+dfsg-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-32722: XSS in generated HTML reports via unescaped
+ command-line metadata (Closes: #1131372)
+
+ -- Adrian Bunk <[email protected]> Sat, 27 Jun 2026 16:51:20 +0300
+
 python-memray (1.17.0+dfsg-1) unstable; urgency=medium
 * New upstream version 1.17.0.
diff -Nru python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
--- python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch 1970-01-01 02:00:00.000000000 +0200
+++ python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch 2026-06-24 14:32:46.000000000 +0300
@@ -0,0 +1,88 @@
+From b08620f772126ed3e340ddbb9893819a32289ab5 Mon Sep 17 00:00:00 2001
+From: Matt Wozniski <[email protected]>
+Date: Wed, 11 Mar 2026 14:52:56 -0400
+Subject: Fix escaping in HTML reports
+
+Ensure the command line is properly HTML escaped when writing it into
+flamegraph and table reports.
+
+Signed-off-by: Matt Wozniski <[email protected]>
+---
+ src/memray/reporters/templates/base.html | 2 +-
+ tests/unit/test_templates.py | 43 ++++++++++++++++++++++++
+ 2 files changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/src/memray/reporters/templates/base.html b/src/memray/reporters/templates/base.html
+index b3bfc94..ce5f4ea 100644
+--- a/src/memray/reporters/templates/base.html
++++ b/src/memray/reporters/templates/base.html
+@@ -95,7 +95,7 @@
+ </button>
+ </div>
+ <div class="modal-body">
+- Command line: <code>{{ metadata.command_line }}</code><br>
++ Command line: <code>{{ metadata.command_line|e }}</code><br>
+ Start time: <span id="stats-start-time"> {{ metadata.start_time }}</span><br>
+ End time: <span id="stats-end-time"> {{ metadata.end_time }}</span><br>
+ Duration: {{ metadata.end_time - metadata.start_time }}<br>
+diff --git a/tests/unit/test_templates.py b/tests/unit/test_templates.py
+index 2a57ef3..1938f5c 100644
+--- a/tests/unit/test_templates.py
++++ b/tests/unit/test_templates.py
+@@ -1,6 +1,11 @@
++from datetime import datetime
++
+ import pytest
+
++from memray import Metadata
++from memray._memray import FileFormat
+ from memray.reporters.templates import get_report_title
++from memray.reporters.templates import render_report
+
+
+ @pytest.mark.parametrize(
+@@ -21,3 +26,41 @@ def test_title_for_regular_report(kind, show_memory_leaks, inverted, expected):
+ )
+ == expected
+ )
++
++
[email protected](
++ "kind",
++ ["flamegraph", "table"],
++)
++def test_html_report_escaping(kind):
++ """Test that command line arguments are properly escaped."""
++ # GIVEN
++ metadata = Metadata(
++ start_time=datetime(2024, 1, 1, 0, 0,
0),
++ end_time=datetime(2024, 1, 1, 0, 1, 0),
++ total_allocations=100,
++ total_frames=10,
++ peak_memory=1024,
++ command_line="python test.py </code>",
++ pid=12345,
++ main_thread_id=1,
++ python_allocator="pymalloc",
++ has_native_traces=False,
++ trace_python_allocators=False,
++ file_format=FileFormat.ALL_ALLOCATIONS,
++ )
++
++ # WHEN
++ html_output = render_report(
++ kind=kind,
++ data=[],
++ metadata=metadata,
++ memory_records=[],
++ show_memory_leaks=False,
++ merge_threads=False,
++ inverted=False,
++ )
++
++ # THEN
++ assert html_output.count("<code>") == html_output.count("</code>")
++ assert "python test.py </code>" in html_output
+--
+2.47.3
+
diff -Nru python-memray-1.17.0+dfsg/debian/patches/series python-memray-1.17.0+dfsg/debian/patches/series
--- python-memray-1.17.0+dfsg/debian/patches/series 2025-04-04 22:28:26.000000000 +0300
+++ python-memray-1.17.0+dfsg/debian/patches/series 2026-06-24 14:32:44.000000000 +0300
@@ -3,3 +3,4 @@
 003-rm-distutils-from-setup.patch
 002-rm-external-git-link.patch
 001-fix-html-privacy-breach.patch
+0001-Fix-escaping-in-HTML-reports.patch
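Review bot: The new test's final assertion, `assert "python test.py </code>" in html_output`, requires the command line to appear unescaped somewhere in the rendered report, so it can only pass if another part of the template emits the raw value (presumably a JSON/script payload rather than markup), and nothing in the test checks that the `<code>` element itself received the escaped form. Adding `assert "python test.py &lt;/code&gt;" in html_output` would pin the fix directly, and a one-line comment such as `# the raw value is expected only in the embedded JSON payload, not in markup` would record why an unescaped occurrence is tolerated. The need for an explicit `|e` filter also suggests base.html is rendered without Jinja autoescape, so every other string-valued field interpolated into the template has to be audited one by one (the adjacent `metadata.start_time`/`metadata.end_time` lines remain unfiltered, though the test passes datetime objects for them); enabling autoescape on the template environment would make the safe behaviour the default instead of relying on per-variable filters.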

