Your message dated Sat, 11 Jul 2026 10:32:48 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1140671,
regarding trixie-pu: package python-memray/1.17.0+dfsg-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140671: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140671
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:python-memray
User: [email protected]
Usertags: pu
* CVE-2026-32722: XSS in generated HTML reports via unescaped
command-line metadata (Closes: #1131372)
diffstat for python-memray-1.17.0+dfsg python-memray-1.17.0+dfsg
changelog | 8 ++
patches/0001-Fix-escaping-in-HTML-reports.patch | 88 ++++++++++++++++++++++++
patches/series | 1
3 files changed, 97 insertions(+)
diff -Nru python-memray-1.17.0+dfsg/debian/changelog
python-memray-1.17.0+dfsg/debian/changelog
--- python-memray-1.17.0+dfsg/debian/changelog 2025-04-04 22:28:26.000000000
+0300
+++ python-memray-1.17.0+dfsg/debian/changelog 2026-06-24 14:32:46.000000000
+0300
@@ -1,3 +1,11 @@
+python-memray (1.17.0+dfsg-1.1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-32722: XSS in generated HTML reports via unescaped
+ command-line metadata (Closes: #1131372)
+
+ -- Adrian Bunk <[email protected]> Wed, 24 Jun 2026 14:32:46 +0300
+
python-memray (1.17.0+dfsg-1) unstable; urgency=medium
* New upstream version 1.17.0.
diff -Nru
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
---
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
1970-01-01 02:00:00.000000000 +0200
+++
python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
2026-06-24 14:32:46.000000000 +0300
@@ -0,0 +1,88 @@
+From b08620f772126ed3e340ddbb9893819a32289ab5 Mon Sep 17 00:00:00 2001
+From: Matt Wozniski <[email protected]>
+Date: Wed, 11 Mar 2026 14:52:56 -0400
+Subject: Fix escaping in HTML reports
+
+Ensure the command line is properly HTML escaped when writing it into
+flamegraph and table reports.
+
+Signed-off-by: Matt Wozniski <[email protected]>
+---
+ src/memray/reporters/templates/base.html | 2 +-
+ tests/unit/test_templates.py | 43 ++++++++++++++++++++++++
+ 2 files changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/src/memray/reporters/templates/base.html
b/src/memray/reporters/templates/base.html
+index b3bfc94..ce5f4ea 100644
+--- a/src/memray/reporters/templates/base.html
++++ b/src/memray/reporters/templates/base.html
+@@ -95,7 +95,7 @@
+ </button>
+ </div>
+ <div class="modal-body">
+- Command line: <code>{{ metadata.command_line }}</code><br>
++ Command line: <code>{{ metadata.command_line|e }}</code><br>
+ Start time: <span id="stats-start-time"> {{ metadata.start_time
}}</span><br>
+ End time: <span id="stats-end-time"> {{ metadata.end_time
}}</span><br>
+ Duration: {{ metadata.end_time - metadata.start_time }}<br>
+diff --git a/tests/unit/test_templates.py b/tests/unit/test_templates.py
+index 2a57ef3..1938f5c 100644
+--- a/tests/unit/test_templates.py
++++ b/tests/unit/test_templates.py
+@@ -1,6 +1,11 @@
++from datetime import datetime
++
+ import pytest
+
++from memray import Metadata
++from memray._memray import FileFormat
+ from memray.reporters.templates import get_report_title
++from memray.reporters.templates import render_report
+
+
+ @pytest.mark.parametrize(
+@@ -21,3 +26,41 @@ def test_title_for_regular_report(kind, show_memory_leaks,
inverted, expected):
+ )
+ == expected
+ )
++
++
[email protected](
++ "kind",
++ ["flamegraph", "table"],
++)
++def test_html_report_escaping(kind):
++ """Test that command line arguments are properly escaped."""
++ # GIVEN
++ metadata = Metadata(
++ start_time=datetime(2024, 1, 1, 0, 0, 0),
++ end_time=datetime(2024, 1, 1, 0, 1, 0),
++ total_allocations=100,
++ total_frames=10,
++ peak_memory=1024,
++ command_line="python test.py </code>",
++ pid=12345,
++ main_thread_id=1,
++ python_allocator="pymalloc",
++ has_native_traces=False,
++ trace_python_allocators=False,
++ file_format=FileFormat.ALL_ALLOCATIONS,
++ )
++
++ # WHEN
++ html_output = render_report(
++ kind=kind,
++ data=[],
++ metadata=metadata,
++ memory_records=[],
++ show_memory_leaks=False,
++ merge_threads=False,
++ inverted=False,
++ )
++
++ # THEN
++ assert html_output.count("<code>") == html_output.count("</code>")
++ assert "python test.py </code>" in html_output
+--
+2.47.3
+
diff -Nru python-memray-1.17.0+dfsg/debian/patches/series
python-memray-1.17.0+dfsg/debian/patches/series
--- python-memray-1.17.0+dfsg/debian/patches/series 2025-04-04
22:28:26.000000000 +0300
+++ python-memray-1.17.0+dfsg/debian/patches/series 2026-06-24
14:32:44.000000000 +0300
@@ -3,3 +3,4 @@
003-rm-distutils-from-setup.patch
002-rm-external-git-link.patch
001-fix-html-privacy-breach.patch
+0001-Fix-escaping-in-HTML-reports.patch
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---