Your message dated 
with message-id <20110327111458.14453.4566.mass-bugs-cl...@quantz.debian.org>
and subject line planet removed from Debian unstable
has caused the Debian Bug report #546178,
regarding planet: [CVE-2009-2937] - Insufficient escaping of input feeds
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
546178: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Package: planet
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The planet feed aggregator attempts to remove malicious content from
user-submitted feeds.  It does a great job, but fails to sanitize
this input:

  <img src="javascript:alert(1);" >

At least Opera will execute this code.

The packages in Etch and Lenny are vulnerable and should require a
security update.  Fixed packages are available from:

 http://www.steve.org.uk/tmp/planet/etch/
+
 http://www.steve.org.uk/tmp/planet/lenny/

This is the patch I used:

--- planet-2.0.orig/planet/sanitize.py
+++ planet-2.0/planet/sanitize.py
@@ -70,6 +70,12 @@
         # utility method to be called by descendants
         attrs = [(k.lower(), v) for k, v in attrs]
         attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in 
attrs]
+
+        for i in xrange (len (attrs)):
+            k,v = attrs[i]
+            if (( k == "src" ) or ( k == "href" ) ) and (v.find("javascript:" 
) <> -1 ):
+                del attrs[i]
+
         return attrs

     def unknown_starttag(self, tag, attrs):
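Review bot: the loop in this hunk deletes from `attrs` while iterating over a range computed up front (`for i in xrange (len (attrs)):` followed by `del attrs[i]`), so after the first deletion the list is shorter than the range: the element that shifts into position `i` is never examined, and once the loop reaches the old last index `k,v = attrs[i]` raises IndexError and the whole tag is dropped from the output with a traceback rather than sanitized. Rebuild the list instead, e.g. `attrs = [(k, v) for k, v in attrs if not (k in ('src', 'href') and 'javascript:' in v.lower())]`. Note also that the line above only lowercases values for `rel` and `type`, so the literal substring test here is case-sensitive; comparing against `v.lower()`, or better, parsing out the URL scheme and keeping only an allowlist (http, https), closes that gap. Finally, `<>` is a Python 2-only spelling of `!=`.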


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash




--- End Message ---
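The substring check in the patch above can be replaced by a scheme allowlist, which is the approach a defender would want here. The following is an added example, not planet's sanitize.py and not Steve's patch: the attribute set, the safe-scheme list and the helper names are choices made for this illustration, and the `(name, value)` list format is assumed to match what Python's sgmllib/HTMLParser hand to start-tag handlers, which is the input planet's sanitizer works on.

```python
"""Scheme allowlist for URL-bearing HTML attributes.

Added example, not planet's own sanitize.py. Instead of searching for the
substring "javascript:" as the bug report's patch does, an attribute is kept
only when its URL scheme is on a short allowlist. That covers case variants,
leading whitespace and other dangerous schemes without enumerating them.
"""

import re

# Attributes whose value is a URL the browser may load or navigate to
# (assumed set; extend to suit the tags the sanitizer admits).
URL_ATTRS = frozenset({"src", "href", "action", "background", "longdesc",
                       "lowsrc", "dynsrc", "usemap"})

# Schemes considered acceptable in content re-published by an aggregator.
SAFE_SCHEMES = frozenset({"http", "https", "mailto", "ftp"})

# Browsers strip ASCII whitespace and control characters from a URL before
# parsing it, so the same characters are removed before the scheme check.
_CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")
# A scheme is the run of letters, digits, '+', '-' or '.' before the first ':'.
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def url_scheme(value):
    """Return the lowercased scheme of ``value``, or None when it has none
    (a relative reference resolves against the page's own scheme)."""
    cleaned = _CONTROL_WS.sub("", value)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def is_safe_url(value):
    """True for relative references and for URLs whose scheme is allowlisted."""
    scheme = url_scheme(value)
    return scheme is None or scheme in SAFE_SCHEMES


def sanitize_attrs(attrs):
    """Return a new attribute list with every URL attribute whose scheme is not
    allowlisted removed; other attributes pass through with lowercased names.

    The input is a list of ``(name, value)`` pairs as produced by
    sgmllib/HTMLParser; ``value`` is None for attributes written without one.
    Building a fresh list avoids the delete-while-iterating bug in the patch.
    """
    kept = []
    for name, value in attrs:
        name = name.lower()
        if name in URL_ATTRS and value is not None and not is_safe_url(value):
            continue  # drop the attribute outright; do not try to repair it
        kept.append((name, value))
    return kept


if __name__ == "__main__":
    # Constructed sample tag attributes, including the one from the bug report.
    sample = [("SRC", "javascript:alert(1);"), ("alt", "logo"),
              ("href", " JavaScript:alert(1)"), ("src", "https://example.com/a.png")]
    print(sanitize_attrs(sample))
```

The scheme parser deliberately returns None for relative URLs so that ordinary `/images/foo.png` references survive; only values that carry an explicit scheme are compared against the allowlist, and anything not on it (including `data:` and `vbscript:`) is dropped rather than rewritten.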
--- Begin Message ---
Version: 2.0-16+rm

planet has been removed from Debian unstable: http://bugs.debian.org/547542

Closing its bugs with a Version higher than the last unstable upload.

More information about this script at:
  http://git.debian.org/?p=users/morph/mass-bugs-close.git;a=blob_plain;f=README;hb=HEAD


--- End Message ---