Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu

Hi!

I'd like to upload the tcllib package to wheezy. The updated package fixed a small security-related bug (see [1] for details). I've attached the difference between the package currently in wheezy and the proposed update.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780100

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -u tcllib-1.14-dfsg/debian/changelog tcllib-1.14-dfsg/debian/changelog --- tcllib-1.14-dfsg/debian/changelog +++ tcllib-1.14-dfsg/debian/changelog @@ -1,3 +1,10 @@ +tcllib (1.14-dfsg-3+deb7u1) stable; urgency=low + + * Added a patch from upstream which fixes an XSS vulnerability in + the html module for <textarea/> elements (closes: #780100). + + -- Sergei Golovan <[email protected]> Tue, 10 Mar 2015 11:39:48 +0300 + tcllib (1.14-dfsg-3) unstable; urgency=low * Added a patch which fixes ::ini::commit procedure in the inifile module. diff -u tcllib-1.14-dfsg/debian/patches/series tcllib-1.14-dfsg/debian/patches/series --- tcllib-1.14-dfsg/debian/patches/series +++ tcllib-1.14-dfsg/debian/patches/series @@ -3,0 +4 @@ +html-textarea-xss.diff only in patch2: unchanged: --- tcllib-1.14-dfsg.orig/debian/patches/html-textarea-xss.diff +++ tcllib-1.14-dfsg/debian/patches/html-textarea-xss.diff @@ -0,0 +1,16 @@ +Author: upstream +Description: Patch fixes an XSS vulnerability in <textarea/> HTML element in + the html Tcllib module +Last-Modified: Mon, 09 Mar 2015 15:06:15 +0300 + +--- a/modules/html/html.tcl ++++ b/modules/html/html.tcl +@@ -912,7 +912,7 @@ + # The html fragment + + proc ::html::textarea {name {param {}} {current {}}} { +- ::set value [ncgi::value $name $current] ++ ::set value [quoteFormValue [ncgi::value $name $current]] + return "<[string trimright \ + "textarea name=\"$name\"\ + [tagParam textarea $param]"]>$value</textarea>\n"
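
Review bot: In the debian/changelog hunk, the new entry targets the distribution `stable` while the request is tagged wheezy and the reporting system is already on 8.0/testing. Using the codename `wheezy` in the entry keeps the target unambiguous once the `stable` alias moves. The entry could also name the affected procedure (`::html::textarea`) so the description of the fix is self-contained.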
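
Review bot: In the modules/html/html.tcl hunk for `::html::textarea`, only the element body is escaped; the unchanged context lines still interpolate `$name` directly into `textarea name=\"$name\"`, and what `tagParam` does with `$param` is not visible here. If a caller can derive the field name from request data, that attribute stays unescaped, so consider passing `$name` through the same quoting or documenting that callers must supply a trusted name. The patch also adds no regression test; a case asserting that a submitted value containing `</textarea>` comes back entity-encoded would guard the fix.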

