
Bug#780191: wheezy-pu: package tcllib/1.14-dfsg-3+deb7u1



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

I'd like to upload the tcllib package to wheezy. The updated package
fixes a small security-related bug (see [1] for details).

I've attached the difference between the package currently in wheezy and
the proposed update.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780100

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u tcllib-1.14-dfsg/debian/changelog tcllib-1.14-dfsg/debian/changelog
--- tcllib-1.14-dfsg/debian/changelog
+++ tcllib-1.14-dfsg/debian/changelog
@@ -1,3 +1,10 @@
+tcllib (1.14-dfsg-3+deb7u1) stable; urgency=low
+
+  * Added a patch from upstream which fixes an XSS vulnerability in
+    the html module for <textarea/> elements (closes: #780100).
+
+ -- Sergei Golovan <sgolovan@debian.org>  Tue, 10 Mar 2015 11:39:48 +0300
+
 tcllib (1.14-dfsg-3) unstable; urgency=low
 
   * Added a patch which fixes ::ini::commit procedure in the inifile module.
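Review bot: the changelog entry names neither the patch file being added (html-textarea-xss.diff) nor where upstream published the fix, so the entry alone does not let a reader trace the change; something like `debian/patches/html-textarea-xss.diff: fix XSS in ::html::textarea (upstream fix, <URL of the upstream commit>)` next to the bug closure would make it self-describing. Minor: `<textarea>` is not a self-closing element, so `<textarea/>` reads oddly in the entry.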
diff -u tcllib-1.14-dfsg/debian/patches/series tcllib-1.14-dfsg/debian/patches/series
--- tcllib-1.14-dfsg/debian/patches/series
+++ tcllib-1.14-dfsg/debian/patches/series
@@ -3,0 +4 @@
+html-textarea-xss.diff
only in patch2:
unchanged:
--- tcllib-1.14-dfsg.orig/debian/patches/html-textarea-xss.diff
+++ tcllib-1.14-dfsg/debian/patches/html-textarea-xss.diff
@@ -0,0 +1,16 @@
+Author: upstream
+Description: Patch fixes an XSS vulnerability in <textarea/> HTML element in
+    the html Tcllib module
+Last-Modified: Mon, 09 Mar 2015 15:06:15 +0300
+
+--- a/modules/html/html.tcl
++++ b/modules/html/html.tcl
+@@ -912,7 +912,7 @@
+ #	The html fragment
+ 
+ proc ::html::textarea {name {param {}} {current {}}} {
+-    ::set value [ncgi::value $name $current]
++    ::set value [quoteFormValue [ncgi::value $name $current]]
+     return "<[string trimright \
+ 	"textarea name=\"$name\"\
+ 		[tagParam textarea $param]"]>$value</textarea>\n"
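Review bot: the DEP-3 header gives `Author: upstream`, which is not a usable origin; replace it with `Origin: upstream, <URL of the upstream commit>` and add `Bug-Debian: https://bugs.debian.org/780100` so the backport can be checked against what upstream actually committed. The code change itself is in the right place: `quoteFormValue` is applied to the value returned by `ncgi::value` before it is interpolated into the element body, which is where unescaped input reached the generated HTML. `$name` and the output of `tagParam` are still interpolated as-is, so the fix relies on those staying developer-controlled; a regression test asserting that a value containing `<`, `>` and `&` comes back entity-escaped would let the package's test run verify the fix.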
