Bug#560191: opu: package kazehakase/0.4.2-1etch2

Wed, 09 Dec 2009 07:42:11 -0800 

Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: opu

This is the same issue and fix as reported in #560185.
Please approve, thanks.

diff -u kazehakase-0.4.2/debian/patches/00list kazehakase-0.4.2/debian/patches/00list
--- kazehakase-0.4.2/debian/patches/00list
+++ kazehakase-0.4.2/debian/patches/00list
@@ -1,3 +1,4 @@
+CVE-2007-1084
 05_add_missing
 20_user_agent_tag
 30_bookmarkbar_DSA
diff -u kazehakase-0.4.2/debian/changelog kazehakase-0.4.2/debian/changelog
--- kazehakase-0.4.2/debian/changelog
+++ kazehakase-0.4.2/debian/changelog
@@ -1,3 +1,11 @@
+kazehakase (0.4.2-1etch2) oldstable; urgency=low
+
+  * debian/patches/CVE-2007-1084.dpatch: New; disallow adding bookmarks
+    with data:/javascript: URIs (CVE-2007-1084, Closes: #556271).
+  * debian/patches/00list: Update.
+
+ -- Yavor Doganov <[email protected]>  Wed, 09 Dec 2009 16:58:44 +0200
+
 kazehakase (0.4.2-1etch1) stable-security; urgency=high
 
   * Stop building against the bundled PCRE (v4.5) library, and instead
only in patch2:
unchanged:
--- kazehakase-0.4.2.orig/debian/patches/CVE-2007-1084.dpatch
+++ kazehakase-0.4.2/debian/patches/CVE-2007-1084.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-1084.dpatch by Yavor Doganov <[email protected]>
+##
+## DP: Do not allow bookmarks with data:/javascript: URIs (CVE-2007-1084).
+
+...@dpatch@
+diff -urNad kazehakase-0.4.2~/src/actions/kz-actions.c kazehakase-0.4.2/src/actions/kz-actions.c
+--- kazehakase-0.4.2~/src/actions/kz-actions.c	2006-11-11 11:27:43.000000000 +0200
++++ kazehakase-0.4.2/src/actions/kz-actions.c	2009-12-09 16:57:58.000000000 +0200
+@@ -1133,6 +1133,26 @@
+ 
+ 	if (!uri) return;
+ 
++	/* Refuse to add a bookmark if the URI is data:/javascript:
++	   (CVE-2007-1084).  */
++	if (g_str_has_prefix(uri, "data:")
++	    || g_str_has_prefix(uri, "javascript:"))
++		{
++			GtkWidget *dialog;
++
++			dialog = gtk_message_dialog_new(NULL,
++							GTK_DIALOG_DESTROY_WITH_PARENT,
++							GTK_MESSAGE_WARNING,
++							GTK_BUTTONS_CLOSE,
++							_("Adding this bookmark is disallowed for security reasons."));
++			gtk_window_set_title(GTK_WINDOW(dialog),
++					     _("Security Warning"));
++			gtk_dialog_run(GTK_DIALOG(dialog));
++			gtk_widget_destroy(dialog);
++			return;
++		}
++
++
+ 	bookmark = kz_bookmark_new_with_attrs(title, uri, desc);
+ 	/* FIXME! show dialog */
+ 	if (sibling)

Reply via email to