Your message dated Sat, 06 Sep 2025 12:14:57 +0100
with message-id
<165032e5317517556dd7fd8cf24843112a3fb6ac.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 13.1
has caused the Debian Bug report #1112529,
regarding trixie-pu: package shaarli/0.14.0+dfsg-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1112529: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112529
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:shaarli
User: [email protected]
Usertags: pu
[ Reason ]
Fixes CVE-2025-55291:
Prior to 0.15.0, the input string in the cloud tag page is not
properly sanitized. This allows the </title> tag to be prematurely
closed, leading to a reflected Cross-Site Scripting (XSS)
vulnerability. This vulnerability is fixed in 0.15.0.
This issue is also present in old-stable.
In discussion with the security team, they requested it to be fixed in
the upcoming point release.
[ Impact ]
The tag search functionality with the XSS vulnerability is accessible
in instances of Shaarli that are on the public Internet, even without
login.
[ Tests ]
I manually tested for the exploit before and after the fix.
[ Risks ]
It is a very simple change, so the risk appears to be low.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Wrap the $searchTags variable in escape() to sanitize the user input.
This change is from an upstream commit that applied directly to the older
version.
I have already uploaded the package to proposed-updates.
diff -Nru shaarli-0.14.0+dfsg/debian/changelog shaarli-0.14.0+dfsg/debian/changelog
--- shaarli-0.14.0+dfsg/debian/changelog 2025-04-15 14:31:42.000000000 -0400
+++ shaarli-0.14.0+dfsg/debian/changelog 2025-08-30 07:45:06.000000000 -0400
@@ -1,3 +1,9 @@
+shaarli (0.14.0+dfsg-2) trixie; urgency=medium
+
+ * Add patch to fix CVE-2025-55291 (Closes: #1111589)
+
+ -- James Valleroy <[email protected]> Sat, 30 Aug 2025 07:45:06 -0400
+
shaarli (0.14.0+dfsg-1) unstable; urgency=medium
[ William Desportes ]
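Review bot: the changelog line `+ * Add patch to fix CVE-2025-55291 (Closes: #1111589)` gives only the CVE id; stable-update entries are easier to audit when they also say in a few words what was fixed, e.g. `* Add patch to fix CVE-2025-55291: reflected XSS via searchtags parameter in the tag cloud page (Closes: #1111589)`, matching the Subject of the patch itself.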
diff -Nru shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch
--- shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch 1969-12-31 19:00:00.000000000 -0500
+++ shaarli-0.14.0+dfsg/debian/patches/0025-fix-reflected-XSS-via-searchtags-parameter.patch 2025-08-30 07:45:06.000000000 -0400
@@ -0,0 +1,26 @@
+From: James Valleroy <[email protected]>
+Date: Fri, 22 Aug 2025 16:22:13 -0400
+Subject: fix reflected XSS via searchtags parameter
+
+Applied from upstream commit:
+https://github.com/shaarli/Shaarli/commit/e77c04a76601cdcd62e74c396a931d750e007c45
+
+Fix for CVE-2025-55291:
+https://security-tracker.debian.org/tracker/CVE-2025-55291
+---
+ application/front/controller/visitor/TagCloudController.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/application/front/controller/visitor/TagCloudController.php b/application/front/controller/visitor/TagCloudController.php
+index 46d6277..2012740 100644
+--- a/application/front/controller/visitor/TagCloudController.php
++++ b/application/front/controller/visitor/TagCloudController.php
+@@ -87,7 +87,7 @@ class TagCloudController extends ShaarliVisitorController
+ $searchTags = !empty($searchTags) ? trim(str_replace($tagsSeparator, ' ', $searchTags)) . ' - ' : '';
+ $this->assignView(
+ 'pagetitle',
+- $searchTags . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli')
++ escape($searchTags) . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli')
+ );
+
+ return $response->write($this->render('tag.' . $type));
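Review bot: the patched line `escape($searchTags) . t('Tag ' . $type) . ' - ' . $this->container->conf->get('general.title', 'Shaarli')` escapes only one operand of the concatenation, so the resulting `pagetitle` is a mix of an HTML-encoded fragment and raw strings; this is correct only if the `'tag.' . $type` template emits `pagetitle` without escaping it again, otherwise a search string containing `&` or quotes is double-encoded (for example `&amp;lt;`) while the configured title is encoded once. Confirm how the template outputs `pagetitle`, and consider escaping the whole assembled title once instead of one operand. As a style point, the header `Applied from upstream commit:` is free text; DEP-3 headers (`Origin: upstream, https://github.com/shaarli/Shaarli/commit/e77c04a76601cdcd62e74c396a931d750e007c45` and `Bug-Debian: https://bugs.debian.org/1111589`) would let the patch tracker pick the provenance up automatically.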
diff -Nru shaarli-0.14.0+dfsg/debian/patches/series shaarli-0.14.0+dfsg/debian/patches/series
--- shaarli-0.14.0+dfsg/debian/patches/series 2025-04-15 14:31:42.000000000 -0400
+++ shaarli-0.14.0+dfsg/debian/patches/series 2025-08-30 07:45:06.000000000 -0400
@@ -21,3 +21,4 @@
0022-RequiresPhpunit-11-for-test-failing-with-PHPUnit-11.patch
0023-Rename-PluginQrcodeTest-as-PluginReadItLaterTest-PHP.patch
0024-RequiresPhpunit-12-for-test-failing-with-PHPUnit-12.patch
+0025-fix-reflected-XSS-via-searchtags-parameter.patch
--- End Message ---
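The title assembly that the debdiff above changes, as an added example that is neither Shaarli's code nor part of the bug log: it builds `pagetitle` the unpatched way and the patched way from a constructed `searchtags` value that tries to close the `<title>` element, and runs a simple check on both. Assumptions: `escape_stub()` stands in for Shaarli's `escape()` helper (taken here to be `htmlspecialchars()`-based), the `t()` translation wrapper is dropped, and the tag separator is `,`.

```php
<?php
// Added example, not Shaarli's code: the pagetitle line from the patched
// TagCloudController hunk, before and after the fix, plus a check that the
// title can no longer contain a raw tag delimiter.
declare(strict_types=1);

/** Stand-in for Shaarli's escape() helper (assumed to wrap htmlspecialchars()). */
function escape_stub(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Shared prefix logic from the context line: "tag1 tag2 - " or "". */
function searchPrefix(string $searchTags, string $tagsSeparator = ','): string
{
    return $searchTags !== '' ? trim(str_replace($tagsSeparator, ' ', $searchTags)) . ' - ' : '';
}

/** Unpatched line: the raw searchtags value is concatenated into the title. */
function buildTitleVulnerable(string $searchTags, string $type, string $siteTitle): string
{
    return searchPrefix($searchTags) . 'Tag ' . $type . ' - ' . $siteTitle;
}

/** Patched line: the searchtags value goes through escape() first. */
function buildTitleFixed(string $searchTags, string $type, string $siteTitle): string
{
    return escape_stub(searchPrefix($searchTags)) . 'Tag ' . $type . ' - ' . $siteTitle;
}

/** Check: a value destined for <title> must not carry an unencoded < or >. */
function titleStaysInsideTitleTag(string $pagetitle): bool
{
    return strpos($pagetitle, '<') === false && strpos($pagetitle, '>') === false;
}

// Constructed input: a searchtags value that attempts to close </title> early.
$hostile = 'debian</title>';

$before = buildTitleVulnerable($hostile, 'cloud', 'Shaarli');
$after  = buildTitleFixed($hostile, 'cloud', 'Shaarli');

echo 'unpatched: ', $before, PHP_EOL, '  safe? ', var_export(titleStaysInsideTitleTag($before), true), PHP_EOL;
echo 'patched:   ', $after, PHP_EOL, '  safe? ', var_export(titleStaysInsideTitleTag($after), true), PHP_EOL;
```

The check function is the kind of assertion a unit test for the controller can keep after the fix, so a later refactor that drops the `escape()` call is caught before release.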
--- Begin Message ---
Package: release.debian.org
Version: 13.1
Hi,
Each of the updates referenced by these requests was included in
today's 13.1 point release for trixie.
Regards,
Adam
--- End Message ---