Control: retitle -1 trixie-pu: package python-memray/1.17.0+dfsg-1+deb13u1
Control: tags -1 - moreinfo

On Wed, Jun 24, 2026 at 03:05:19PM +0300, Adrian Bunk wrote:
>...
> +python-memray (1.17.0+dfsg-1.1) trixie; urgency=medium
>...

A debdiff with the corrected version number (1.17.0+dfsg-1+deb13u1) is attached.

cu
Adrian
diffstat for python-memray-1.17.0+dfsg python-memray-1.17.0+dfsg

 changelog                                       |    8 ++
 patches/0001-Fix-escaping-in-HTML-reports.patch |   88 ++++++++++++++++++++++++
 patches/series                                  |    1 
 3 files changed, 97 insertions(+)

diff -Nru python-memray-1.17.0+dfsg/debian/changelog 
python-memray-1.17.0+dfsg/debian/changelog
--- python-memray-1.17.0+dfsg/debian/changelog  2025-04-04 22:28:26.000000000 
+0300
+++ python-memray-1.17.0+dfsg/debian/changelog  2026-06-27 16:51:20.000000000 
+0300
@@ -1,3 +1,11 @@
+python-memray (1.17.0+dfsg-1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-32722: XSS in generated HTML reports via unescaped
+    command-line metadata (Closes: #1131372)
+
+ -- Adrian Bunk <[email protected]>  Sat, 27 Jun 2026 16:51:20 +0300
+
 python-memray (1.17.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 1.17.0.
diff -Nru 
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
 
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
--- 
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
    1970-01-01 02:00:00.000000000 +0200
+++ 
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
    2026-06-24 14:32:46.000000000 +0300
@@ -0,0 +1,88 @@
+From b08620f772126ed3e340ddbb9893819a32289ab5 Mon Sep 17 00:00:00 2001
+From: Matt Wozniski <[email protected]>
+Date: Wed, 11 Mar 2026 14:52:56 -0400
+Subject: Fix escaping in HTML reports
+
+Ensure the command line is properly HTML escaped when writing it into
+flamegraph and table reports.
+
+Signed-off-by: Matt Wozniski <[email protected]>
+---
+ src/memray/reporters/templates/base.html |  2 +-
+ tests/unit/test_templates.py             | 43 ++++++++++++++++++++++++
+ 2 files changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/src/memray/reporters/templates/base.html 
b/src/memray/reporters/templates/base.html
+index b3bfc94..ce5f4ea 100644
+--- a/src/memray/reporters/templates/base.html
++++ b/src/memray/reporters/templates/base.html
+@@ -95,7 +95,7 @@
+           </button>
+         </div>
+         <div class="modal-body">
+-          Command line: <code>{{ metadata.command_line }}</code><br>
++          Command line: <code>{{ metadata.command_line|e }}</code><br>
+           Start time: <span id="stats-start-time"> {{ metadata.start_time 
}}</span><br>
+           End time: <span id="stats-end-time"> {{ metadata.end_time 
}}</span><br>
+           Duration: {{ metadata.end_time - metadata.start_time }}<br>
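Review bot: Adding `|e` to `metadata.command_line` only escapes this one interpolation; the Jinja2 Environment behind render_report is built outside this hunk, and unless it is created with autoescape enabled, every other string rendered from the same metadata in base.html and the templates that extend it stays unescaped, so a second interpolation of command_line elsewhere would remain vulnerable. A more robust fix is to construct the environment with `autoescape=select_autoescape(["html"])` (or `autoescape=True`), keeping `|e` here as belt-and-braces and marking deliberately embedded markup with `|safe`. Note also that `|e` is HTML-body escaping only — if command_line is also serialised into an inline `<script>` data blob, that context needs `|tojson`, not `|e`. The enclosing `<div class="modal-body">` continues outside the hunk.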
+diff --git a/tests/unit/test_templates.py b/tests/unit/test_templates.py
+index 2a57ef3..1938f5c 100644
+--- a/tests/unit/test_templates.py
++++ b/tests/unit/test_templates.py
+@@ -1,6 +1,11 @@
++from datetime import datetime
++
+ import pytest
+ 
++from memray import Metadata
++from memray._memray import FileFormat
+ from memray.reporters.templates import get_report_title
++from memray.reporters.templates import render_report
+ 
+ 
+ @pytest.mark.parametrize(
+@@ -21,3 +26,41 @@ def test_title_for_regular_report(kind, show_memory_leaks, 
inverted, expected):
+         )
+         == expected
+     )
++
++
[email protected](
++    "kind",
++    ["flamegraph", "table"],
++)
++def test_html_report_escaping(kind):
++    """Test that command line arguments are properly escaped."""
++    # GIVEN
++    metadata = Metadata(
++        start_time=datetime(2024, 1, 1, 0, 0, 0),
++        end_time=datetime(2024, 1, 1, 0, 1, 0),
++        total_allocations=100,
++        total_frames=10,
++        peak_memory=1024,
++        command_line="python test.py </code>",
++        pid=12345,
++        main_thread_id=1,
++        python_allocator="pymalloc",
++        has_native_traces=False,
++        trace_python_allocators=False,
++        file_format=FileFormat.ALL_ALLOCATIONS,
++    )
++
++    # WHEN
++    html_output = render_report(
++        kind=kind,
++        data=[],
++        metadata=metadata,
++        memory_records=[],
++        show_memory_leaks=False,
++        merge_threads=False,
++        inverted=False,
++    )
++
++    # THEN
++    assert html_output.count("<code>") == html_output.count("</code>")
++    assert "python test.py &lt;/code&gt;" in html_output
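Review bot: The two assertions prove an escaped copy of the payload exists but never assert that the raw payload is absent, so a template that rendered command_line twice (once escaped, once not) would still pass, and the `<code>`/`</code>` count check is satisfied by any payload without unbalanced tags. Use a payload that cannot legitimately occur in the template and check both directions: `command_line="python test.py <script>alert(1)</script>"`, then `assert "<script>alert(1)</script>" not in html_output` and `assert "&lt;script&gt;alert(1)&lt;/script&gt;" in html_output`. This also documents that the bug being fixed is script injection, not merely a broken closing tag.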
+-- 
+2.47.3
+
diff -Nru python-memray-1.17.0+dfsg/debian/patches/series 
python-memray-1.17.0+dfsg/debian/patches/series
--- python-memray-1.17.0+dfsg/debian/patches/series     2025-04-04 
22:28:26.000000000 +0300
+++ python-memray-1.17.0+dfsg/debian/patches/series     2026-06-24 
14:32:44.000000000 +0300
@@ -3,3 +3,4 @@
 003-rm-distutils-from-setup.patch
 002-rm-external-git-link.patch
 001-fix-html-privacy-breach.patch
+0001-Fix-escaping-in-HTML-reports.patch
