Bug#780191: wheezy-pu: package tcllib/1.14-dfsg-3+deb7u1
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hi!
I'd like to upload the tcllib package to wheezy. The updated package
fixed a small security-related bug (see [1] for details).
I've attached the difference between the package currently in wheezy and
the proposed update.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780100
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u tcllib-1.14-dfsg/debian/changelog tcllib-1.14-dfsg/debian/changelog
--- tcllib-1.14-dfsg/debian/changelog
+++ tcllib-1.14-dfsg/debian/changelog
@@ -1,3 +1,10 @@
+tcllib (1.14-dfsg-3+deb7u1) stable; urgency=low
+
+ * Added a patch from upstream which fixes an XSS vulnerability in
+ the html module for <textarea/> elements (closes: #780100).
+
+ -- Sergei Golovan <sgolovan@debian.org> Tue, 10 Mar 2015 11:39:48 +0300
+
tcllib (1.14-dfsg-3) unstable; urgency=low
* Added a patch which fixes ::ini::commit procedure in the inifile module.
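Review bot: The new changelog entry names neither the patch file nor the affected procedure, so a reader of debian/changelog cannot tie the entry to the change without opening #780100. Suggest mentioning html-textarea-xss.diff and ::html::textarea in the entry text. It is also worth confirming that urgency=low is intended for a change the entry itself describes as an XSS vulnerability.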
diff -u tcllib-1.14-dfsg/debian/patches/series tcllib-1.14-dfsg/debian/patches/series
--- tcllib-1.14-dfsg/debian/patches/series
+++ tcllib-1.14-dfsg/debian/patches/series
@@ -3,0 +4 @@
+html-textarea-xss.diff
only in patch2:
unchanged:
--- tcllib-1.14-dfsg.orig/debian/patches/html-textarea-xss.diff
+++ tcllib-1.14-dfsg/debian/patches/html-textarea-xss.diff
@@ -0,0 +1,16 @@
+Author: upstream
+Description: Patch fixes an XSS vulnerability in <textarea/> HTML element in
+ the html Tcllib module
+Last-Modified: Mon, 09 Mar 2015 15:06:15 +0300
+
+--- a/modules/html/html.tcl
++++ b/modules/html/html.tcl
+@@ -912,7 +912,7 @@
+ # The html fragment
+
+ proc ::html::textarea {name {param {}} {current {}}} {
+- ::set value [ncgi::value $name $current]
++ ::set value [quoteFormValue [ncgi::value $name $current]]
+ return "<[string trimright \
+ "textarea name=\"$name\"\
+ [tagParam textarea $param]"]>$value</textarea>\n"
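Review bot: Only the element body is quoted in the changed ::html::textarea line; the unchanged context still interpolates $name raw into the attribute in `textarea name=\"$name\"`. If name can ever carry request-derived data it needs the same quoteFormValue treatment, and if it is always caller-trusted the patch description should say so. Because the new call wraps the whole `[ncgi::value $name $current]` result, the $current default is now quoted as well, so any caller that already escapes its default will see double escaping; that behaviour change deserves a line in the description. The header carries only "Author: upstream" with no origin reference or pointer to #780100, which makes the patch hard to trace back to the upstream change.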