Hi,
the maintainer seems to be MIA,
attached is a patch extracted from the diff between the 
version we ship and the new upstream version.

It will also be archived at:
http://people.debian.org/~nion/nmu-diff/roundup-1.3.3-3_1.3.3-3.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u roundup-1.3.3/debian/patches/00list roundup-1.3.3/debian/patches/00list
--- roundup-1.3.3/debian/patches/00list
+++ roundup-1.3.3/debian/patches/00list
@@ -6,0 +7 @@
+10_CVE-2008-1474.dpatch
diff -u roundup-1.3.3/debian/changelog roundup-1.3.3/debian/changelog
--- roundup-1.3.3/debian/changelog
+++ roundup-1.3.3/debian/changelog
@@ -1,3 +1,11 @@
+roundup (1.3.3-3.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Add 10_CVE-2008-1474.dpatch to fix several cross-site scripting
+    issues via unescaped user input (Closes: #472643).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Wed, 02 Apr 2008 13:29:23 +0200
+
 roundup (1.3.3-3) unstable; urgency=low
 
   * fixed uid bug again (the fix in 1.3.3-2 was non-functional)
only in patch2:
unchanged:
--- roundup-1.3.3.orig/debian/patches/10_CVE-2008-1474.dpatch
+++ roundup-1.3.3/debian/patches/10_CVE-2008-1474.dpatch
@@ -0,0 +1,228 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_CVE-2008-1474.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad roundup-1.3.3~/roundup/cgi/templating.py roundup-1.3.3/roundup/cgi/templating.py
+--- roundup-1.3.3~/roundup/cgi/templating.py	2006-12-18 22:05:44.000000000 +0100
++++ roundup-1.3.3/roundup/cgi/templating.py	2008-04-02 13:21:40.000000000 +0200
+@@ -867,7 +867,7 @@
+             prop = self[prop_n]
+             if not isinstance(prop, HTMLProperty):
+                 continue
+-            current[prop_n] = prop.plain()
++            current[prop_n] = prop.plain(escape=1)
+             # make link if hrefable
+             if (self._props.has_key(prop_n) and
+                     isinstance(self._props[prop_n], hyperdb.Link)):
+@@ -968,6 +968,7 @@
+                                     if labelprop is not None and \
+                                             labelprop != 'id':
+                                         label = linkcl.get(linkid, labelprop)
++                                        label = cgi.escape(label)
+                                 except IndexError:
+                                     comments['no_link'] = self._(
+                                         "<strike>The linked node"
+@@ -991,7 +992,7 @@
+                         # there's no labelprop!
+                         if labelprop is not None and labelprop != 'id':
+                             try:
+-                                label = linkcl.get(args[k], labelprop)
++                                label = cgi.escape(linkcl.get(args[k],labelprop))
+                             except IndexError:
+                                 comments['no_link'] = self._(
+                                     "<strike>The linked node"
+@@ -1001,7 +1002,7 @@
+                                 label = None
+                         if label is not None:
+                             if hrefable:
+-                                old = '<a href="%s%s">%s</a>'%(classname, args[k], label)
++                                old = '<a href="%s%s">%s</a>'%(classname,args[k], label)
+                             else:
+                                 old = label;
+                             cell.append('%s: %s' % (self._(k), old))
+@@ -1328,7 +1329,7 @@
+             If not editable, just display the value via plain().
+         '''
+         if not self.is_edit_ok():
+-            return self.plain()
++            return self.plain(escape=1)
+ 
+         value = self._value
+         if value is None:
+@@ -1380,7 +1381,7 @@
+         return value
+ 
+ class PasswordHTMLProperty(HTMLProperty):
+-    def plain(self):
++    def plain(self, escape=0):
+         ''' Render a "plain" representation of the property
+         '''
+         if not self.is_view_ok():
+@@ -1396,7 +1397,7 @@
+             If not editable, just display the value via plain().
+         '''
+         if not self.is_edit_ok():
+-            return self.plain()
++            return self.plain(escape=1)
+ 
+         return self.input(type="password", name=self._formname, size=size)
+ 
+@@ -1416,7 +1417,7 @@
+             size=size)
+ 
+ class NumberHTMLProperty(HTMLProperty):
+-    def plain(self):
++    def plain(self, escape=0):
+         ''' Render a "plain" representation of the property
+         '''
+         if not self.is_view_ok():
+@@ -1433,7 +1434,7 @@
+             If not editable, just display the value via plain().
+         '''
+         if not self.is_edit_ok():
+-            return self.plain()
++            return self.plain(escape=1)
+ 
+         value = self._value
+         if value is None:
+@@ -1453,7 +1454,7 @@
+ 
+ 
+ class BooleanHTMLProperty(HTMLProperty):
+-    def plain(self):
++    def plain(self, escape=0):
+         ''' Render a "plain" representation of the property
+         '''
+         if not self.is_view_ok():
+@@ -1469,7 +1470,7 @@
+             If not editable, just display the value via plain().
+         '''
+         if not self.is_edit_ok():
+-            return self.plain()
++            return self.plain(escape=1)
+ 
+         value = self._value
+         if isinstance(value, str) or isinstance(value, unicode):
+@@ -1506,7 +1507,7 @@
+         if self._offset is None :
+             self._offset = self._prop.offset (self._db)
+ 
+-    def plain(self):
++    def plain(self, escape=0):
+         ''' Render a "plain" representation of the property
+         '''
+         if not self.is_view_ok():
+@@ -1557,7 +1558,7 @@
+         '''
+         if not self.is_edit_ok():
+             if format is self._marker:
+-                return self.plain()
++                return self.plain(escape=1)
+             else:
+                 return self.pretty(format)
+ 
+@@ -1677,7 +1678,7 @@
+         if self._value and not isinstance(self._value, (str, unicode)):
+             self._value.setTranslator(self._client.translator)
+ 
+-    def plain(self):
++    def plain(self, escape=0):
+         ''' Render a "plain" representation of the property
+         '''
+         if not self.is_view_ok():
+@@ -1701,7 +1702,7 @@
+             If not editable, just display the value via plain().
+         '''
+         if not self.is_edit_ok():
+-            return self.plain()
++            return self.plain(escape=1)
+ 
+         value = self._value
+         if value is None:
+@@ -1760,7 +1761,7 @@
+             If not editable, just display the value via plain().
+         '''
+         if not self.is_edit_ok():
+-            return self.plain()
++            return self.plain(escape=1)
+ 
+         # edit field
+         linkcl = self._db.getclass(self._prop.classname)
+@@ -1796,7 +1797,7 @@
+             If not editable, just display the value via plain().
+         '''
+         if not self.is_edit_ok():
+-            return self.plain()
++            return self.plain(escape=1)
+ 
+         if value is None:
+             value = self._value
+@@ -1953,7 +1954,7 @@
+             If not editable, just display the value via plain().
+         '''
+         if not self.is_edit_ok():
+-            return self.plain()
++            return self.plain(escape=1)
+ 
+         linkcl = self._db.getclass(self._prop.classname)
+         value = self._value[:]
+@@ -1988,7 +1989,7 @@
+             If not editable, just display the value via plain().
+         '''
+         if not self.is_edit_ok():
+-            return self.plain()
++            return self.plain(escape=1)
+ 
+         if value is None:
+             value = self._value
+diff -urNad roundup-1.3.3~/templates/classic/html/_generic.help-list.html roundup-1.3.3/templates/classic/html/_generic.help-list.html
+--- roundup-1.3.3~/templates/classic/html/_generic.help-list.html	2006-09-18 02:03:02.000000000 +0200
++++ roundup-1.3.3/templates/classic/html/_generic.help-list.html	2008-04-02 13:24:02.000000000 +0200
+@@ -64,7 +64,7 @@
+              <td tal:repeat="prop props">
+                  <label class="classhelp-label"
+                         tal:attributes="for string:id_$attr"
+-                        tal:content="structure python:item[prop]"></label>
++                        tal:content="python:item[prop]"></label>
+              </td>
+            </tal:block>
+          </tr>
+diff -urNad roundup-1.3.3~/templates/classic/html/_generic.help.html roundup-1.3.3/templates/classic/html/_generic.help.html
+--- roundup-1.3.3~/templates/classic/html/_generic.help.html	2006-08-03 02:48:56.000000000 +0200
++++ roundup-1.3.3/templates/classic/html/_generic.help.html	2008-04-02 13:25:10.000000000 +0200
+@@ -83,7 +83,7 @@
+              <td tal:repeat="prop props">
+                  <label class="classhelp-label"
+                         tal:attributes="for string:id_$attr"
+-                        tal:content="structure python:item[prop]"></label>
++                        tal:content="python:item[prop]"></label>
+              </td>
+            </tal:block>
+        </tr>
+diff -urNad roundup-1.3.3~/templates/classic/html/page.html roundup-1.3.3/templates/classic/html/page.html
+--- roundup-1.3.3~/templates/classic/html/page.html	2006-12-12 09:09:31.000000000 +0100
++++ roundup-1.3.3/templates/classic/html/page.html	2008-04-02 13:24:51.000000000 +0200
+@@ -144,7 +144,7 @@
+ 
+   <p class="userblock" tal:condition="python:request.user.username != 'anonymous'">
+    <b i18n:translate="">Hello, <span i18n:name="user"
+-    tal:replace="request/user/username">username</span></b><br>
++    tal:replace="python:request.user.username.plain(escape=1)">username</span></b><br>
+     <a href="#"
+        tal:attributes="href python:request.indexargs_url('issue', {
+       '@sort': '-activity',
+diff -urNad roundup-1.3.3~/templates/minimal/html/page.html roundup-1.3.3/templates/minimal/html/page.html
+--- roundup-1.3.3~/templates/minimal/html/page.html	2006-12-12 09:09:31.000000000 +0100
++++ roundup-1.3.3/templates/minimal/html/page.html	2008-04-02 13:25:57.000000000 +0200
+@@ -143,7 +143,7 @@
+ 
+   <p class="userblock" tal:condition="python:request.user.username != 'anonymous'">
+    <b i18n:translate="">Hello, <span i18n:name="user"
+-    tal:replace="request/user/username">username</span></b><br>
++    tal:replace="python:request.user.username.plain(escape=1)">username</span></b><br>
+    <a href="#" tal:attributes="href string:user${request/user/id}"
+     i18n:translate="">Your Details</a><br>
+    <a href="#" tal:attributes="href python:request.indexargs_url('',
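Review bot: The dpatch header line `## DP: No description.` leaves the security patch undocumented; for an NMU fixing a CVE it should state the issue, e.g. `## DP: Fix CVE-2008-1474: HTML-escape user-supplied values (link labels, plain() output, username in page.html) before rendering.` The new `def plain(self, escape=0):` signatures in the hunks at `@@ -1380`, `@@ -1416`, `@@ -1453`, `@@ -1506` and `@@ -1677` only show the parameter being accepted — the method bodies lie outside these hunks, so it is worth confirming that each either applies the escaping or documents why its value cannot contain markup, otherwise the `self.plain(escape=1)` call sites gain nothing for those property types. The hunk at `@@ -1001,7 +1002,7 @@` changes only whitespace in the `old = '<a href="%s%s">%s</a>'...` line and could be dropped to keep the security fix minimal and reviewable. In both page.html hunks the `tal:replace` expression carries no `structure` keyword, and the `_generic.help*.html` hunks rely on exactly that default TAL escaping, so `request.user.username.plain(escape=1)` there may double-escape `&`, `<` and `>` in usernames — verify the rendered output before shipping.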

Attachment: pgpxXUJmMsVR3.pgp
Description: PGP signature
