Debian Bug report logs - #652587
libhtml-template-pro-perl: [CVE-2011-4616] missing escaping allows XSS


Package: libhtml-template-pro-perl; Maintainer for libhtml-template-pro-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libhtml-template-pro-perl is src:libhtml-template-pro-perl.

Reported by: Ansgar Burchardt <ansgar@debian.org>

Date: Sun, 18 Dec 2011 22:21:02 UTC

Severity: important

Tags: security

Found in version libhtml-template-pro-perl/0.9502-1

Fixed in versions libhtml-template-pro-perl/0.9507-1, libhtml-template-pro-perl/0.9502-1+squeeze1

Done: Ansgar Burchardt <ansgar@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#652587; Package libhtml-template-pro-perl. (Sun, 18 Dec 2011 22:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 18 Dec 2011 22:21:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libhtml-template-pro-perl: missing escaping allows XSS
Date: Sun, 18 Dec 2011 23:17:04 +0100
Package: libhtml-template-pro-perl
Version: 0.9502-1
Severity: important
Tags: security

The JS escaping in libhtml-template-pro-perl fails to escape "<" and
">", which allows XSS.  This was fixed in the last upstream release (0.9507).

An example script that triggers the bug is attached.  With 0.9507 it
outputs

  &lt;evil&gt;

older versions generate

  <evil>

instead.

Ansgar

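The report above describes a JavaScript-context escaper that handles quotes and backslashes but lets angle brackets through, so a value dropped into a `<script>` string literal can still close the script block for the HTML parser. The following added example (written here for this bug log, not code from the HTML::Template::Pro module or from the reporter's attached script) models that weak escaper beside a hardened one and adds a simple output check. The escape tables, the `render_script` template and the hex form `\x3c`/`\x3e` are my own choices; the report shows 0.9507 printing `&lt;evil&gt;`, a different but equally effective encoding.

```python
import ast

# Constructed sample input: an untrusted value that a template places inside a
# JavaScript string literal, as in   var name = '<TMPL_VAR name ESCAPE=JS>';
UNTRUSTED_VALUE = "<evil>"

# Characters that break out of a JS string literal. Hypothetical table written
# for this example, not the module's own.
_STRING_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\n": "\\n",
    "\r": "\\r",
}

# The entries the report says were missing: angle brackets, which the HTML
# parser acts on before the JavaScript engine ever sees the string literal.
_MARKUP_ESCAPES = {
    "<": "\\x3c",
    ">": "\\x3e",
}


def js_escape_weak(value: str) -> str:
    """Models the pre-0.9507 behaviour the report describes: quotes, backslashes
    and line breaks are escaped, but '<' and '>' pass through untouched."""
    return "".join(_STRING_ESCAPES.get(ch, ch) for ch in value)


def js_escape_fixed(value: str) -> str:
    """Hardened escaper: also hex-encodes '<' and '>' so the escaped value can
    never contain a tag boundary such as </script>."""
    table = {**_STRING_ESCAPES, **_MARKUP_ESCAPES}
    return "".join(table.get(ch, ch) for ch in value)


def render_script(value: str, escaper) -> str:
    """Constructed template: drops the escaped value into a JS string literal."""
    return "<script>var name = '%s';</script>" % escaper(value)


def leaks_markup(escaped: str) -> bool:
    """Check for an escaper's output: any raw angle bracket left in the escaped
    value is a potential tag boundary for the HTML parser."""
    return "<" in escaped or ">" in escaped


def js_roundtrip(escaped: str) -> str:
    """Recover the value the JavaScript engine would see. Python string-literal
    syntax matches JavaScript for the escapes used above (backslash, quotes,
    newline, carriage return and hex escapes), so ast.literal_eval stands in
    for a JS parser here."""
    return ast.literal_eval("'" + escaped + "'")


if __name__ == "__main__":
    for name, escaper in (("weak", js_escape_weak), ("fixed", js_escape_fixed)):
        out = escaper(UNTRUSTED_VALUE)
        print(f"{name:5s} escaped={out!r} leaks_markup={leaks_markup(out)}")
        print("      ", render_script(UNTRUSTED_VALUE, escaper))
        # Both escapers are lossless for the JS engine; only the fixed one is
        # also safe for the HTML parser.
        assert js_roundtrip(out) == UNTRUSTED_VALUE
```

Running the block prints the weak output with `leaks_markup=True` and the fixed output with `leaks_markup=False`; the round-trip assertion shows that hex-encoding the brackets changes nothing for the JavaScript engine, which is why a JS escaper can and should encode them unconditionally. The same `leaks_markup` check is a cheap regression test to run over any template engine's JS-escape output after an upgrade.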



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#652587; Package libhtml-template-pro-perl. (Sun, 18 Dec 2011 22:27:07 GMT) Full text and rfc822 format available.

Message #8 received at 652587@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@debian.org>
To: 652587@bugs.debian.org
Subject: Re: libhtml-template-pro-perl: missing escaping allows XSS
Date: Sun, 18 Dec 2011 23:26:55 +0100
> An example script that triggers the bug is attached.  With 0.9507 it
> outputs
>
>   &lt;evil&gt;
>
> older versions generate
>
>   <evil>
>
> instead.

This time for real.

[xs.pl (text/x-perl, attachment)]

Reply sent to Ansgar Burchardt <ansgar@debian.org>:
You have taken responsibility. (Sun, 18 Dec 2011 22:36:31 GMT) Full text and rfc822 format available.

Notification sent to Ansgar Burchardt <ansgar@debian.org>:
Bug acknowledged by developer. (Sun, 18 Dec 2011 22:36:31 GMT) Full text and rfc822 format available.

Message #13 received at 652587-close@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@debian.org>
To: 652587-close@bugs.debian.org
Subject: Bug#652587: fixed in libhtml-template-pro-perl 0.9507-1
Date: Sun, 18 Dec 2011 22:33:51 +0000
Source: libhtml-template-pro-perl
Source-Version: 0.9507-1

We believe that the bug you reported is fixed in the latest version of
libhtml-template-pro-perl, which is due to be installed in the Debian FTP archive:

libhtml-template-pro-perl_0.9507-1.debian.tar.gz
  to main/libh/libhtml-template-pro-perl/libhtml-template-pro-perl_0.9507-1.debian.tar.gz
libhtml-template-pro-perl_0.9507-1.dsc
  to main/libh/libhtml-template-pro-perl/libhtml-template-pro-perl_0.9507-1.dsc
libhtml-template-pro-perl_0.9507-1_amd64.deb
  to main/libh/libhtml-template-pro-perl/libhtml-template-pro-perl_0.9507-1_amd64.deb
libhtml-template-pro-perl_0.9507.orig.tar.gz
  to main/libh/libhtml-template-pro-perl/libhtml-template-pro-perl_0.9507.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 652587@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ansgar Burchardt <ansgar@debian.org> (supplier of updated libhtml-template-pro-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 18 Dec 2011 23:04:24 +0100
Source: libhtml-template-pro-perl
Binary: libhtml-template-pro-perl
Architecture: amd64 source
Version: 0.9507-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Ansgar Burchardt <ansgar@debian.org>
Closes: 652587
Description: 
 libhtml-template-pro-perl - Perl module to use HTML Templates from CGI scripts
Changes: 
 libhtml-template-pro-perl (0.9507-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
   * Upload with medium urgency as this fixes an XSS vulnerability.
     (Closes: #652587)
Checksums-Sha1: 
 764576c079b1e8aa7418cf3927561a25d94eeddc 2410 libhtml-template-pro-perl_0.9507-1.dsc
 05c91a35b7a02b9863587db023fe22606b01c8d5 170813 libhtml-template-pro-perl_0.9507.orig.tar.gz
 a83d72df014f1c952718c26cce6730cc4a7e1127 4727 libhtml-template-pro-perl_0.9507-1.debian.tar.gz
 2a9645c100ee6421699d9504c12b5b090afe0636 110860 libhtml-template-pro-perl_0.9507-1_amd64.deb
Checksums-Sha256: 
 b3a7cc08d7ec24889cac6086f9ce9a0c72be41ad3bf80418eac2e08315e29e7d 2410 libhtml-template-pro-perl_0.9507-1.dsc
 dc1feb55e85014560e36956acc800aaaa323022570a62828ba6fa7312bd8f463 170813 libhtml-template-pro-perl_0.9507.orig.tar.gz
 461b44d68c15596b8f6601c9520a24d5c87142f76ecc0b1088be509c9b9de96c 4727 libhtml-template-pro-perl_0.9507-1.debian.tar.gz
 febcb98d5f35868c37abcc7708d221f5c7283c342ef90e0c41b88d8e53dc80d3 110860 libhtml-template-pro-perl_0.9507-1_amd64.deb
Files: 
 b03cbf498d69ff821e2d84b54ce181e6 2410 perl optional libhtml-template-pro-perl_0.9507-1.dsc
 e7d80dd88844b3f58054291c58580b5d 170813 perl optional libhtml-template-pro-perl_0.9507.orig.tar.gz
 7595e059d6764aecaf749f91dbe5fafd 4727 perl optional libhtml-template-pro-perl_0.9507-1.debian.tar.gz
 eefb0e11eaedfedf34d1512072e1d233 110860 perl optional libhtml-template-pro-perl_0.9507-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#652587; Package libhtml-template-pro-perl. (Mon, 19 Dec 2011 05:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to kseifried@redhat.com:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 19 Dec 2011 05:18:03 GMT) Full text and rfc822 format available.

Message #18 received at 652587@bugs.debian.org (full text, mbox):

From: Kurt Seifried <kseifried@redhat.com>
To: 652587@bugs.debian.org
Subject: use CVE-2011-4616 for this issue
Date: Sun, 18 Dec 2011 22:06:29 -0700
http://www.openwall.com/lists/oss-security/2011/12/19/1

-- -Kurt Seifried / Red Hat Security Response Team




Changed Bug title to 'libhtml-template-pro-perl: [CVE-2011-4616] missing escaping allows XSS' from 'libhtml-template-pro-perl: missing escaping allows XSS' Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Mon, 19 Dec 2011 09:17:16 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#652587; Package libhtml-template-pro-perl. (Mon, 19 Dec 2011 18:51:03 GMT) Full text and rfc822 format available.

Message #23 received at 652587@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@debian.org>
To: team@security.debian.org
Cc: 652587@bugs.debian.org
Subject: Re: Bug#652587: libhtml-template-pro-perl: missing escaping allows XSS
Date: Mon, 19 Dec 2011 19:47:52 +0100
Ansgar Burchardt <ansgar@debian.org> writes:
> The JS escaping in libhtml-template-pro-perl fails to escape "<" and
> ">", which allows XSS.  This was fixed in the last upstream release (0.9507).
>
> An example script that triggers the bug is attached.  With 0.9507 it
> outputs
>
>   &lt;evil&gt;
>
> older versions generate
>
>   <evil>
>
> instead.

I prepared a backport of the relevant changes to squeeze (attached).
Lenny might be affected as well, I'll look into that in the next days.

Does the security team want to release a DSA for this issue or should it
be fixed via proposed-updates?

Regards,
Ansgar
[652587-squeeze.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#652587; Package libhtml-template-pro-perl. (Mon, 19 Dec 2011 19:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 19 Dec 2011 19:30:03 GMT) Full text and rfc822 format available.

Message #28 received at 652587@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Ansgar Burchardt <ansgar@debian.org>
Cc: team@security.debian.org, 652587@bugs.debian.org
Subject: Re: Bug#652587: libhtml-template-pro-perl: missing escaping allows XSS
Date: Mon, 19 Dec 2011 20:29:18 +0100
On Mon, Dec 19, 2011 at 07:47:52PM +0100, Ansgar Burchardt wrote:
> Ansgar Burchardt <ansgar@debian.org> writes:
> > The JS escaping in libhtml-template-pro-perl fails to escape "<" and
> > ">", which allows XSS.  This was fixed in the last upstream release (0.9507).
> >
> > An example script that triggers the bug is attached.  With 0.9507 it
> > outputs
> >
> >   &lt;evil&gt;
> >
> > older versions generate
> >
> >   <evil>
> >
> > instead.
> 
> I prepared a backport of the relevant changes to squeeze (attached).
> Lenny might be affected as well, I'll look into that in the next days.

Support for Lenny ends really soon and the final release will be the closing
one, better invest your time elsewhere.
 
> Does the security team want to release a DSA for this issue or should it
> be fixed via proposed-updates?

Please fix this through a point update, this doesn't warrant a DSA. 

Cheers,
        Moritz





Reply sent to Ansgar Burchardt <ansgar@debian.org>:
You have taken responsibility. (Wed, 28 Dec 2011 02:00:08 GMT) Full text and rfc822 format available.

Notification sent to Ansgar Burchardt <ansgar@debian.org>:
Bug acknowledged by developer. (Wed, 28 Dec 2011 02:00:09 GMT) Full text and rfc822 format available.

Message #33 received at 652587-close@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@debian.org>
To: 652587-close@bugs.debian.org
Subject: Bug#652587: fixed in libhtml-template-pro-perl 0.9502-1+squeeze1
Date: Wed, 28 Dec 2011 01:56:54 +0000
Source: libhtml-template-pro-perl
Source-Version: 0.9502-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libhtml-template-pro-perl, which is due to be installed in the Debian FTP archive:

libhtml-template-pro-perl_0.9502-1+squeeze1.debian.tar.gz
  to main/libh/libhtml-template-pro-perl/libhtml-template-pro-perl_0.9502-1+squeeze1.debian.tar.gz
libhtml-template-pro-perl_0.9502-1+squeeze1.dsc
  to main/libh/libhtml-template-pro-perl/libhtml-template-pro-perl_0.9502-1+squeeze1.dsc
libhtml-template-pro-perl_0.9502-1+squeeze1_amd64.deb
  to main/libh/libhtml-template-pro-perl/libhtml-template-pro-perl_0.9502-1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 652587@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ansgar Burchardt <ansgar@debian.org> (supplier of updated libhtml-template-pro-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 18 Dec 2011 23:39:24 +0100
Source: libhtml-template-pro-perl
Binary: libhtml-template-pro-perl
Architecture: amd64 source
Version: 0.9502-1+squeeze1
Distribution: squeeze
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Ansgar Burchardt <ansgar@debian.org>
Closes: 652587
Description: 
 libhtml-template-pro-perl - Perl module to use HTML Templates from CGI scripts
Changes: 
 libhtml-template-pro-perl (0.9502-1+squeeze1) squeeze; urgency=low
 .
   * Patch XSS vulnerability. (Closes: #652587)
     + new patch: 652587.diff
Checksums-Sha1: 
 794670f310064dc395a83d44e28310fbfab5069a 2398 libhtml-template-pro-perl_0.9502-1+squeeze1.dsc
 1c275b08a62e69491c2ccea6f467726345f001a0 6170 libhtml-template-pro-perl_0.9502-1+squeeze1.debian.tar.gz
 a7fb75b42aa471ff599e834f9a1d7bc60efad4b3 112708 libhtml-template-pro-perl_0.9502-1+squeeze1_amd64.deb
Checksums-Sha256: 
 6b8639e5e538d75104dbca7578931e731338dab0b3fb40791d367dc25aa292c1 2398 libhtml-template-pro-perl_0.9502-1+squeeze1.dsc
 151406043497d1a00de6f0bb62a269b093ea46dc5803f659f0f3d63625a9300f 6170 libhtml-template-pro-perl_0.9502-1+squeeze1.debian.tar.gz
 11fe9fbff4d63dbf806e5530e63a989c563133a83b0514a3ef21848d95cc31aa 112708 libhtml-template-pro-perl_0.9502-1+squeeze1_amd64.deb
Files: 
 64db4c4ac7f4fd0e708393abf527361e 2398 perl optional libhtml-template-pro-perl_0.9502-1+squeeze1.dsc
 d2a56e7c2e2b1dc4a012b8ba5b4cf048 6170 perl optional libhtml-template-pro-perl_0.9502-1+squeeze1.debian.tar.gz
 f6bb1e8da247686f0086a648283b09c1 112708 perl optional libhtml-template-pro-perl_0.9502-1+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 25 Jan 2012 07:44:24 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 11:34:12 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.