diff -u firefox-sage-1.4.2/debian/rules firefox-sage-1.4.2/debian/rules --- firefox-sage-1.4.2/debian/rules +++ firefox-sage-1.4.2/debian/rules @@ -25,11 +25,13 @@ # apply patch for security vulnerabilities # CVE-2006-4711 # CVE-2006-4712 +# CVE-2009-4102 -# cd temp/chrome && unzip -d sage sage.jar + cd temp/chrome && unzip -d sage sage.jar + cd temp/chrome/sage && patch -p1 < ../../../debian/new_xss_fix.patch # cd temp/chrome/sage && patch -p1 < ../../../debian/default_nohtml.patch -# rm temp/chrome/sage.jar -# cd temp/chrome/sage && zip -r ../sage.jar content locale skin + rm temp/chrome/sage.jar + cd temp/chrome/sage && zip -r ../sage.jar content locale skin # apply patch to disable encoded content by default cd temp/defaults && patch -p1 < ../../debian/disable_encoded_content.patch diff -u firefox-sage-1.4.2/debian/changelog firefox-sage-1.4.2/debian/changelog --- firefox-sage-1.4.2/debian/changelog +++ firefox-sage-1.4.2/debian/changelog @@ -1,3 +1,17 @@ +firefox-sage (1.4.2-0.1lenny1) unstable; urgency=high + + * Fix two security bugs: + - Setting urgency=high, this vulnerability allowed remote + exploitation, without any user interaction. + - CVE-2009-4102 Cross Domain Scripting vulnerability. + Don't trust HTML in titles, descriptions. Don't allow + 'strange' (i.e. javascript:, data:) URLs in Links. + - CVE-2006-4712 (Regression), some of the old test cases + no longer passed due to problem with htmlToText. + - Closes: #559267 + + -- Alan Woodland Thu, 10 Dec 2009 15:18:10 +0000 + firefox-sage (1.4.2-0.1) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- firefox-sage-1.4.2.orig/debian/new_xss_fix.patch +++ firefox-sage-1.4.2/debian/new_xss_fix.patch @@ -0,0 +1,75 @@ +diff -uNr sage.orig/content/createhtml.js sage/content/createhtml.js +--- sage.orig/content/createhtml.js 2009-12-10 14:01:59.000000000 +0000 ++++ sage/content/createhtml.js 2009-12-10 14:41:04.000000000 +0000 +@@ -136,7 +136,8 @@ + return this.entityEncode(feed.getTitle()); + + case "**LINK**": +- return feed.getLink(); ++ // Partial fix for CVE-2009-4102 ++ return this.cleanHref(feed.getLink()); + break; + + case "**AUTHOR**": +@@ -147,7 +148,8 @@ + + case "**DESCRIPTION**": + if (feed.hasDescription()) { +- return feed.getDescription(); ++ // Entity encode call is Partial fix for CVE-2009-4102 ++ return this.entityEncode(SageUtils.htmlToText(feed.getDescription())); + } + return ""; + +@@ -216,7 +218,8 @@ + return i +1; + + case "**LINK**": +- return item.getLink(); ++ // Partial fix for CVE-2009-4102 ++ return this.cleanHref(item.getLink()); + + case "**TITLE**": + if (item.hasTitle()) { +@@ -242,7 +245,8 @@ + this.simpleHtmlParser.parse(item.getContent()); + ds = this.filterHtmlHandler.toString(); + } else { +- ds = SageUtils.htmlToText(item.getContent()); ++ // Entity encode call is fix for regression from CVE-2006-4712 ++ ds = this.entityEncode(SageUtils.htmlToText(item.getContent())); + } + return "
" + ds + "
"; + } +@@ -291,6 +295,31 @@ + return dirService.get(aProp, Components.interfaces.nsILocalFile); + }, + ++ // Partial fix for CVE-2009-4102 ++ cleanHref: function(aUrl) ++ { ++ // We only want to allow http, ftp, news and mailto before : ++ var ltype = aUrl.split(":")[0]; ++ aUrl = aUrl.replace(/^[^:]*:/, ""); ++ switch(ltype.toLowerCase()) ++ { ++ case "http": ++ aUrl = ltype + ":" + aUrl; ++ break; ++ case "nntp": ++ aUrl = ltype + ":" + aUrl; ++ break; ++ case "mailto": ++ aUrl = ltype + ":" + aUrl; ++ break; ++ case "ftp": ++ aUrl = ltype + ":" + aUrl; ++ break; ++ } ++ // Did I miss some safe ones? ++ return aUrl ++ }, ++ + entityEncode: function(aStr) + { + function replacechar(match) {