Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package tcllib. It fixes a small security-related bug. See [1] for details. The diff between the current package in testing and 1.16-dfsg-2 is attached.

unblock tcllib/1.16-dfsg-2

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780100

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru tcllib-1.16-dfsg/debian/changelog tcllib-1.16-dfsg/debian/changelog --- tcllib-1.16-dfsg/debian/changelog 2014-02-12 13:29:13.000000000 +0400 +++ tcllib-1.16-dfsg/debian/changelog 2015-03-09 15:12:48.000000000 +0300 @@ -1,3 +1,10 @@ +tcllib (1.16-dfsg-2) unstable; urgency=medium + + * Added a patch from upstream which fixes an XSS vulnerability in + the html module for <textarea/> elements (closes: #780100). + + -- Sergei Golovan <[email protected]> Mon, 09 Mar 2015 15:12:05 +0300 + tcllib (1.16-dfsg-1) unstable; urgency=low * New upstream release. diff -Nru tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch --- tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch 1970-01-01 03:00:00.000000000 +0300 +++ tcllib-1.16-dfsg/debian/patches/html-textarea-xss.patch 2015-03-09 15:06:25.000000000 +0300 @@ -0,0 +1,16 @@ +Author: upstream +Description: Patch fixes an XSS vulnerability in <textarea/> HTML element in + the html Tcllib module +Last-Modified: Mon, 09 Mar 2015 15:06:15 +0300 + +--- a/modules/html/html.tcl ++++ b/modules/html/html.tcl +@@ -912,7 +912,7 @@ + # The html fragment + + proc ::html::textarea {name {param {}} {current {}}} { +- ::set value [ncgi::value $name $current] ++ ::set value [quoteFormValue [ncgi::value $name $current]] + return "<[string trimright \ + "textarea name=\"$name\"\ + [tagParam textarea $param]"]>$value</textarea>\n" diff -Nru tcllib-1.16-dfsg/debian/patches/series tcllib-1.16-dfsg/debian/patches/series --- tcllib-1.16-dfsg/debian/patches/series 2013-05-11 18:49:10.000000000 +0400 +++ tcllib-1.16-dfsg/debian/patches/series 2015-03-09 15:09:35.000000000 +0300 @@ -1 +1 @@ -# +html-textarea-xss.patch
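
Review bot: in the ::html::textarea hunk of html-textarea-xss.patch, `$name` is still interpolated unescaped into `name=\"$name\"` on the unchanged context line, so the change covers only the element body. If a caller can pass a request-derived field name, a double quote in it would close the attribute the same way unescaped content closed the element. Either run the name through quoteFormValue as well, or state in the patch description that `name` is assumed to be a trusted, developer-supplied string.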
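
Review bot: the header of debian/patches/html-textarea-xss.patch gives only "Author: upstream" and has no Origin or Bug-Debian field, so the upstream change it was taken from cannot be traced from the patch itself. Add an Origin line pointing at the upstream commit and a Bug-Debian line for the bug the changelog entry closes (#780100), so that a later upstream import can tell whether the patch is still needed.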

