This is an automated email from the git hooks/post-receive script. hertzog pushed a commit to branch squeeze in repository libhtml-scrubber-perl.
commit f48c0a9389d35e59253bbb0ba4bd2cff0cb7eaf0
Author: Raphaël Hertzog <hert...@debian.org>
Date: Tue Nov 3 11:07:52 2015 +0000
Fix CVE-2015-5667 in squeeze-lts
---
Scrubber.pm | 16 +++++---
debian/changelog | 9 +++++
debian/patches/CVE-2015-5667.patch | 80 ++++++++++++++++++++++++++++++++++++++
t/jvn53973084.t | 21 ++++++++++
4 files changed, 121 insertions(+), 5 deletions(-)
diff --git a/Scrubber.pm b/Scrubber.pm
index a6d990c..af5ce54 100644
--- a/Scrubber.pm
+++ b/Scrubber.pm
@@ -444,10 +444,13 @@ sub _scrub_fh {
 }
 elsif ( $e eq 'comment' )
 {
- print
- {$s->{_out}}
- $text
- if $s->{_comment};
+ if ($s->{_comment}) {
+ # only copy comments through if they are well formed...
+ print
+ {$s->{_out}}
+ $text
+ if ( $text =~ m|^<!--.*-->$|ms );
+ }
 }
 elsif ( $e eq 'process' )
 {
@@ -507,7 +510,10 @@ sub _scrub {
 }
 elsif ( $e eq 'comment' )
 {
- $s->{_r} .= $text if $s->{_comment};
+ if ($s->{_comment}) {
+ # only copy comments through if they are well formed...
+ $s->{_r} .= $text if ( $text =~ m|^<!--.*-->$|ms );
+ }
 }
 elsif ( $e eq 'process' )
 {
diff --git a/debian/changelog b/debian/changelog
index fac42be..861daff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libhtml-scrubber-perl (0.08-4+deb6u1) squeeze-lts; urgency=low
+
+ * Non maintainer upload by the Debian LTS team.
+ * Backport upstream fix for CVE-2015-5667. Apply the patch
+ directly in the source package but keep a copy for reference
+ in debian/patches/CVE-2015-5667.patch.
+
+ -- Raphaël Hertzog <hert...@debian.org> Tue, 03 Nov 2015 11:06:14 +0000
+
 libhtml-scrubber-perl (0.08-4) unstable; urgency=low
 
 * New maintainer.
diff --git a/debian/patches/CVE-2015-5667.patch b/debian/patches/CVE-2015-5667.patch
new file mode 100644
index 0000000..fe0a6a5
--- /dev/null
+++ b/debian/patches/CVE-2015-5667.patch
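Review bot: The new check `if ( $text =~ m|^<!--.*-->$|ms )` in the `_scrub_fh` hunk anchors with `^`/`$` under `/m`, where they also match at embedded newlines, so a comment token whose text continues past a newline that follows a `-->` still satisfies the pattern and is written to the output untouched. Whether HTML::Parser ever hands the comment event such text is not visible from the hunk, but the anchors should not depend on it; `if ( $text =~ m|\A<!--.*-->\z|s );` pins the whole string while `/s` still lets `.*` span a multi-line comment. The identical expression is repeated in the `_scrub` hunk below and the two branches must stay in step, so a private helper such as `sub _is_well_formed_comment { my ($text) = @_; return $text =~ m|\A<!--.*-->\z|s; }` called from both places would keep them from drifting. A comment on the check naming JVN53973084 / CVE-2015-5667 would also tell a later reader why comments are filtered at all. Both hunks are inside `_scrub_fh` and `_scrub`, whose bodies start and end outside the hunks.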
@@ -0,0 +1,80 @@
+From: Nigel Metheringham <nig...@cpan.org>
+Date: Sat, 10 Oct 2015 15:01:14 +0100
+Subject: [PATCH] Test and fix for JVN53973084
+
+Malformed tags can pass through as comments.
+Thus comments are now only passed through if
+they are well formed - currently defined as
+matching a regular expression.
+
+[hert...@debian.org:
+Backported to version 0.08 by implementing the new check
+in _scrub_fh() and _scrub() and adapted the test case
+to use "Test" instead of Test::More.
+
+Fixes CVE-2015-5667.
+]
+
+Origin: backport, https://github.com/nigelm/html-scrubber/commit/e1978cc37867e85c06a84a4651745235010cd6cd
+
+diff --git a/Scrubber.pm b/Scrubber.pm
+index a6d990c..af5ce54 100644
+--- a/Scrubber.pm
++++ b/Scrubber.pm
+@@ -444,10 +444,13 @@ sub _scrub_fh {
+ }
+ elsif ( $e eq 'comment' )
+ {
+- print
+- {$s->{_out}}
+- $text
+- if $s->{_comment};
++ if ($s->{_comment}) {
++ # only copy comments through if they are well formed...
++ print
++ {$s->{_out}}
++ $text
++ if ( $text =~ m|^<!--.*-->$|ms );
++ }
+ }
+ elsif ( $e eq 'process' )
+ {
+@@ -507,7 +510,10 @@ sub _scrub {
+ }
+ elsif ( $e eq 'comment' )
+ {
+- $s->{_r} .= $text if $s->{_comment};
++ if ($s->{_comment}) {
++ # only copy comments through if they are well formed...
++ $s->{_r} .= $text if ( $text =~ m|^<!--.*-->$|ms );
++ }
+ }
+ elsif ( $e eq 'process' )
+ {
+diff --git a/t/jvn53973084.t b/t/jvn53973084.t
+new file mode 100644
+index 0000000..955de0d
+--- /dev/null
++++ b/t/jvn53973084.t
+@@ -0,0 +1,21 @@
++# Tests related to JVN53973084
++
++use strict;
++use warnings;
++use Test;
++
++BEGIN { plan tests => 4 }
++
++use HTML::Scrubber;
++
++my @allow = qw[
++ hr
++];
++
++my $html_1 = q[<hr><a href="javascript:alert(1)"<hr>abc];
++my $html_2 = q[<img src="javascript:alert(1)"];
++foreach my $comment_value ( 0, 1 ) {
++ my $scrubber = HTML::Scrubber->new( allow => \@allow, comment => $comment_value );
++ ok( $scrubber->scrub($html_1), '<hr>abc', "correct result (1) - with comment => $comment_value" );
++ ok( $scrubber->scrub($html_2), '', "correct result (2) - with comment => $comment_value" );
++}
diff --git a/t/jvn53973084.t b/t/jvn53973084.t
new file mode 100644
index 0000000..955de0d
--- /dev/null
+++ b/t/jvn53973084.t
@@ -0,0 +1,21 @@
+# Tests related to JVN53973084
+
+use strict;
+use warnings;
+use Test;
+
+BEGIN { plan tests => 4 }
+
+use HTML::Scrubber;
+
+my @allow = qw[
+ hr
+];
+
+my $html_1 = q[<hr><a href="javascript:alert(1)"<hr>abc];
+my $html_2 = q[<img src="javascript:alert(1)"];
+foreach my $comment_value ( 0, 1 ) {
+ my $scrubber = HTML::Scrubber->new( allow => \@allow, comment => $comment_value );
+ ok( $scrubber->scrub($html_1), '<hr>abc', "correct result (1) - with comment => $comment_value" );
+ ok( $scrubber->scrub($html_2), '', "correct result (2) - with comment => $comment_value" );
+}
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libhtml-scrubber-perl.git
_______________________________________________
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
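Review bot: The new `t/jvn53973084.t` only asserts inputs that must be dropped, so it cannot distinguish the intended fix from a regression that discards every comment once `comment => 1` is set. A third input that is a well-formed comment should be asserted to survive in that mode and to be removed under `comment => 0` (the removed lines in the Scrubber.pm hunks show comments were only ever emitted when `$s->{_comment}` was true): `my $html_3 = q[<!-- keep -->abc];` before the loop, `ok( $scrubber->scrub($html_3), ( $comment_value ? '<!-- keep -->abc' : 'abc' ), "correct result (3) - with comment => $comment_value" );` inside it, and `BEGIN { plan tests => 6 }`. Since this file uses the older `Test` module's `ok($got, $expected, $name)` form rather than Test::More's `is`, a one-line comment at the top saying so would stop a later editor from "fixing" the calls into two-argument `ok`.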