Debian Bug report logs - #546179
planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds


Package: planet-venus; Maintainer for planet-venus is Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>; Source for planet-venus is src:planet-venus (PTS, buildd, popcon).

Reported by: Steve Kemp <skx@debian.org>

Date: Fri, 11 Sep 2009 12:39:05 UTC

Severity: grave

Tags: security

Fixed in versions planet-venus/0~bzr116-1, planet-venus/0~bzr95-2+lenny1

Done: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Noah Slater <nslater@bytesexual.org>:
Bug#546179; Package planet-venus. (Fri, 11 Sep 2009 12:39:08 GMT)


Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Noah Slater <nslater@bytesexual.org>. (Fri, 11 Sep 2009 12:39:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: submit@bugs.debian.org
Subject: planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds
Date: Fri, 11 Sep 2009 13:29:37 +0100
Package: planet-venus
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The planet feed aggregator attempts to remove malicious content from
user-submitted feeds.  It does a great job, but fails to sanitize
this input:

  <img src="javascript:alert(1);" >

At least Opera will execute this code.

The package in Lenny is vulnerable and should require a
security update.  Fixed packages are available from:

 http://www.steve.org.uk/tmp/planet/lenny/

This is the patch I used, written by upstream:

skx@senfl:~$ diff --unified scrub.orig scrub.py
--- scrub.orig  2009-09-09 16:24:50.000000000 +0000
+++ scrub.py    2009-09-09 16:25:18.000000000 +0000
@@ -128,5 +128,13 @@
                 node['value'] = feedparser._resolveRelativeURIs(
                     node.value, node.base, 'utf-8', node.type)

-            node['value'] = feedparser._sanitizeHTML(
-                node.value, 'utf-8', node.type)
+            # Run this through HTML5's serializer
+            from html5lib import html5parser, sanitizer, treebuilders
+            from html5lib import treewalkers, serializer
+            p = html5parser.HTMLParser(tokenizer=sanitizer.HTMLSanitizer,
+              tree=treebuilders.getTreeBuilder('dom'))
+            doc = p.parseFragment(node.value, encoding='utf-8')
+            xhtml = serializer.XHTMLSerializer(inject_meta_charset = False)
+            walker = treewalkers.getTreeWalker('dom')
+            tree = xhtml.serialize(walker(doc), encoding='utf-8')
+            node['value'] = ''.join([str(token) for token in tree])
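Review bot: the `node.type` argument that `feedparser._sanitizeHTML` received is dropped in this hunk, so HTML and XHTML entries are now both parsed with the HTML parser and re-serialised with `XHTMLSerializer`; confirm that is intended for both content types. Two smaller points: the `html5lib` imports sit inside the function, so they run on every scrubbed node and a missing module only surfaces when an entry is processed rather than at start-up; move them to module level and make sure an html5lib that provides `sanitizer.HTMLSanitizer` is guaranteed at runtime, since that tokenizer is now what rejects `javascript:` URIs in `src` and `href`. Also, `serialize(..., encoding='utf-8')` yields UTF-8 byte strings, whereas the replaced call assigned whatever feedparser returned, so check that consumers of `node['value']` accept the new type. Style: `inject_meta_charset = False` should be written `inject_meta_charset=False` for a keyword argument.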


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
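The check that the vulnerable code path missed, shown as an added example that is not planet-venus, feedparser or html5lib code: a stdlib-only HTML fragment sanitizer that keeps only allowlisted tags and attributes and drops any `href`/`src` whose URL scheme is not explicitly allowed. The allowlists, the `AllowlistSanitizer` class and the `SAMPLE_ENTRY` feed fragment are all constructed for this example; the fragment contains the exact `<img>` from the report plus one variant with leading whitespace and mixed case, because browsers normalise those before matching the scheme, so the check must too.

```python
"""Scheme-allowlist sanitizer for feed HTML (constructed example).

The report shows that a denylist-style sanitizer let
<img src="javascript:alert(1);"> through.  The defensive approach is the
opposite: reject every URL attribute unless its scheme is on an allowlist,
after normalising the value the way a browser would.
"""
from html.parser import HTMLParser
import html
import re

# Allowlists are deliberately small; extend them per site, never per feed.
ALLOWED_TAGS = {"a", "p", "img", "b", "i", "em", "strong", "br"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers ignore ASCII whitespace and control characters inside a URL
# before they look at the scheme, so strip the same characters first.
_STRIP = re.compile(r"[\x00-\x20\x7f]")
# A scheme is an ALPHA followed by ALPHA / DIGIT / "+" / "-" / "." then ":".
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def url_is_safe(value):
    """True for relative URLs and for absolute URLs with an allowed scheme.

    HTMLParser has already decoded character references in attribute
    values, so the value is compared as the browser would see it.
    """
    normalised = _STRIP.sub("", value)
    match = _SCHEME.match(normalised)
    if match is None:
        return True  # no scheme at all: a relative URL
    return match.group(1).lower() in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment, keeping only allowlisted tags and attributes.

    Disallowed tags are dropped; their text content is kept but escaped.
    Dropped URL attributes are recorded so an aggregator can log them.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attribute, original value)

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        # <br/> and friends: emit the start tag only, never a closing tag.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return (clean_html, dropped_url_attributes) for a feed fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed feed entry: benign markup, a relative image, the payload from
# the report, and a whitespace/mixed-case variant of the same scheme.
SAMPLE_ENTRY = (
    '<p>Read <a href="https://example.org/post">the post</a> '
    '<img src="/images/a.png" alt="ok"> '
    '<img src="javascript:alert(1);" > '
    '<a href=" JavaScript:alert(2)">x</a></p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_ENTRY)
    print(clean)
    for tag, attr, value in dropped:
        print("dropped %s@%s=%r" % (tag, attr, value))
```

Both `javascript:` attributes are removed while the element itself survives, which is what a scheme allowlist gives you: an `<img>` with no `src` and an `<a>` with no `href` are harmless. The `dropped` list is the detection hook; counting rejected URL attributes per feed is a cheap signal that a source is serving hostile markup.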





Added tag(s) pending. Request was from piotr@users.alioth.debian.org to control@bugs.debian.org. (Thu, 01 Oct 2009 19:27:04 GMT)


Reply sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
You have taken responsibility. (Thu, 01 Oct 2009 19:42:05 GMT)


Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer. (Thu, 01 Oct 2009 19:42:05 GMT)


Message #12 received at 546179-close@bugs.debian.org:

From: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
To: 546179-close@bugs.debian.org
Subject: Bug#546179: fixed in planet-venus 0~bzr116-1
Date: Thu, 01 Oct 2009 19:32:05 +0000
Source: planet-venus
Source-Version: 0~bzr116-1

We believe that the bug you reported is fixed in the latest version of
planet-venus, which is due to be installed in the Debian FTP archive:

planet-venus_0~bzr116-1.diff.gz
  to pool/main/p/planet-venus/planet-venus_0~bzr116-1.diff.gz
planet-venus_0~bzr116-1.dsc
  to pool/main/p/planet-venus/planet-venus_0~bzr116-1.dsc
planet-venus_0~bzr116-1_all.deb
  to pool/main/p/planet-venus/planet-venus_0~bzr116-1_all.deb
planet-venus_0~bzr116.orig.tar.gz
  to pool/main/p/planet-venus/planet-venus_0~bzr116.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 546179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org> (supplier of updated planet-venus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 01 Oct 2009 19:12:13 +0200
Source: planet-venus
Binary: planet-venus
Architecture: source all
Version: 0~bzr116-1
Distribution: unstable
Urgency: high
Maintainer: Noah Slater <nslater@tumbolia.org>
Changed-By: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Description: 
 planet-venus - aggregate feed generator
Closes: 546179
Changes: 
 planet-venus (0~bzr116-1) unstable; urgency=high
 .
   [ Piotr Ożarowski ]
   * New upstream snapshot (Closes: #546179 - CVE-2009-2937)
   * Add python-beautifulsoup to Recommends and python-lxml to Suggests
   * Remove .py[oc] files in clean rule
   * Standards-Version bumped to 3.8.3 (no changes needed)
 .
   [ Noah Slater ]
   * Updated debian/rules to use clean and cleanbuilddir targets.
   * Updated patch for --help output to better satisfy GNU Coding Standards.
   * Updated debian/control, updated Vcs-Browser.
   * Updated debian/control, updated Build-Depends on debhelper to 7.2.11.
Checksums-Sha1: 
 0bae29cc7ae6f2df85f2faad6d32f529645ef6df 1386 planet-venus_0~bzr116-1.dsc
 e321e654092e4cd391d3bbb744591036504bf65d 400151 planet-venus_0~bzr116.orig.tar.gz
 331605b853a91b09ac1684b106c445ea732ab8d0 8819 planet-venus_0~bzr116-1.diff.gz
 43dddda9a2078f3bdecd6330281bfa9dd456550b 262518 planet-venus_0~bzr116-1_all.deb
Checksums-Sha256: 
 305dcd86918e8700e7b141941ceea813175af9adb02a2365198073735ce228e3 1386 planet-venus_0~bzr116-1.dsc
 003c4665d6ad9e3f0c1cc2044a139773b1e09102dbb7f0c01be7c37ca061f6ed 400151 planet-venus_0~bzr116.orig.tar.gz
 2ef143dc74919b744d0465419a352bdede23aa4cf727d1c19c652ef048d3b1c9 8819 planet-venus_0~bzr116-1.diff.gz
 2680efb12babf577eebaf81877c24a1c419c6c714a084b188b87b02ca6a0efaf 262518 planet-venus_0~bzr116-1_all.deb
Files: 
 242dcec10fb5db6d28bdf081b76728b6 1386 python extra planet-venus_0~bzr116-1.dsc
 7407f69f261b46be29e1983288c15bab 400151 python extra planet-venus_0~bzr116.orig.tar.gz
 8cf3b778fb4cf021da7fc1640bf418f3 8819 python extra planet-venus_0~bzr116-1.diff.gz
 37d7a81530a496734324df6db18cafc1 262518 python extra planet-venus_0~bzr116-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrFAJIACgkQB01zfu119ZkZMACcDwfnnPRVqs4YzMVzHO75U5Vm
Z/QAoJ5u3IXTj7TeeFKOOzb5PQnn56Um
=genh
-----END PGP SIGNATURE-----





Reply sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
You have taken responsibility. (Mon, 05 Oct 2009 20:27:20 GMT)


Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer. (Mon, 05 Oct 2009 20:27:20 GMT)


Message #17 received at 546179-close@bugs.debian.org:

From: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
To: 546179-close@bugs.debian.org
Subject: Bug#546179: fixed in planet-venus 0~bzr95-2+lenny1
Date: Mon, 05 Oct 2009 19:58:21 +0000
Source: planet-venus
Source-Version: 0~bzr95-2+lenny1

We believe that the bug you reported is fixed in the latest version of
planet-venus, which is due to be installed in the Debian FTP archive:

planet-venus_0~bzr95-2+lenny1.diff.gz
  to pool/main/p/planet-venus/planet-venus_0~bzr95-2+lenny1.diff.gz
planet-venus_0~bzr95-2+lenny1.dsc
  to pool/main/p/planet-venus/planet-venus_0~bzr95-2+lenny1.dsc
planet-venus_0~bzr95-2+lenny1_all.deb
  to pool/main/p/planet-venus/planet-venus_0~bzr95-2+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 546179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org> (supplier of updated planet-venus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 02 Oct 2009 15:29:44 +0200
Source: planet-venus
Binary: planet-venus
Architecture: source all
Version: 0~bzr95-2+lenny1
Distribution: stable
Urgency: high
Maintainer: Noah Slater <nslater@bytesexual.org>
Changed-By: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Description: 
 planet-venus - aggregate feed generator
Closes: 546179
Changes: 
 planet-venus (0~bzr95-2+lenny1) stable; urgency=high
 .
   [ Runa Sandvik ]
   * Added patch from Steve Kemp to escape input feeds (Closes: #546179) [CVE-2009-2937]
 .
   [ Piotr Ożarowski ]
   * Upload (as PAPT member)
Checksums-Sha1: 
 c24bc24c5630f95776c70c01e4d9d84f9094cbfb 1415 planet-venus_0~bzr95-2+lenny1.dsc
 f3c08dc895269ad2899afd5f606bf5e060002c0a 9048 planet-venus_0~bzr95-2+lenny1.diff.gz
 4738ec7acc6054d83e0d9c40b0dece154fc81837 266920 planet-venus_0~bzr95-2+lenny1_all.deb
Checksums-Sha256: 
 1b966bd66f07ab309db7e3dc52903e46324b9a7eb1f00e6f3c1036043cd53912 1415 planet-venus_0~bzr95-2+lenny1.dsc
 8f1e3f7182fae6210c16ef13c188e96c0c359adb5727e7c2f4ae2ec302129655 9048 planet-venus_0~bzr95-2+lenny1.diff.gz
 0e662367d5b06876472fe7609a3e7c0375bb2b1137357fe2424379cfb7a5d4cd 266920 planet-venus_0~bzr95-2+lenny1_all.deb
Files: 
 d035a5f5e5d8da6bee7c09d97f32d651 1415 python extra planet-venus_0~bzr95-2+lenny1.dsc
 d971674b3e81b6f3f90508673239cce6 9048 python extra planet-venus_0~bzr95-2+lenny1.diff.gz
 9fd56469887d50e4435bd1814a64a4e3 266920 python extra planet-venus_0~bzr95-2+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrGDCkACgkQB01zfu119ZkiTwCgmfqw5HwfHU+PCSosl00TqkCl
JDYAni9sv5IEjX8EJHtjtKm269/F59Tr
=XJJT
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:40:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:22:07 2025; Machine Name: buxtehude
