[libhtml-scrubber-perl] 01/01: Fix CVE-2015-5667 in squeeze-lts

Raphaël Hertzog hertzog at moszumanska.debian.org
Tue Nov 3 14:12:22 UTC 2015


This is an automated email from the git hooks/post-receive script.

hertzog pushed a commit to branch squeeze
in repository libhtml-scrubber-perl.

commit f48c0a9389d35e59253bbb0ba4bd2cff0cb7eaf0
Author: Raphaël Hertzog <hertzog at debian.org>
Date:   Tue Nov 3 11:07:52 2015 +0000

    Fix CVE-2015-5667 in squeeze-lts
---
 Scrubber.pm                        | 16 +++++---
 debian/changelog                   |  9 +++++
 debian/patches/CVE-2015-5667.patch | 80 ++++++++++++++++++++++++++++++++++++++
 t/jvn53973084.t                    | 21 ++++++++++
 4 files changed, 121 insertions(+), 5 deletions(-)

diff --git a/Scrubber.pm b/Scrubber.pm
index a6d990c..af5ce54 100644
--- a/Scrubber.pm
+++ b/Scrubber.pm
@@ -444,10 +444,13 @@ sub _scrub_fh {
     }
     elsif ( $e eq 'comment' )
     {
-        print
-            {$s->{_out}}
-                $text
-                    if $s->{_comment};
+	if ($s->{_comment}) {
+	    # only copy comments through if they are well formed...
+	    print
+		{$s->{_out}}
+		    $text
+			if ( $text =~ m|^<!--.*-->$|ms );
+	}
     }
     elsif ( $e eq 'process' )
     {
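Review bot: The new comment check in `_scrub_fh` is looser than "well formed": under `/m` the `^` and `$` anchors match at any line boundary, so a multi-line `$text` passes whenever some line starts with `<!--` and some later line ends with `-->`. Anchoring to the whole string would close that gap, e.g. `if ( $text =~ m|\A<!--.*-->\z|s );`. Whether HTML::Parser can actually deliver such a `$text` for a comment event is not visible in this hunk, so treat this as hardening rather than a confirmed bypass. The identical pattern is repeated in the `_scrub` hunk below; a small private helper shared by both would keep the two copies from drifting. Both functions begin and end outside their hunks.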
@@ -507,7 +510,10 @@ sub _scrub {
     }
     elsif ( $e eq 'comment' )
     {
-        $s->{_r} .= $text if $s->{_comment};
+	if ($s->{_comment}) {
+	    # only copy comments through if they are well formed...
+	    $s->{_r} .= $text if ( $text =~ m|^<!--.*-->$|ms );
+	}
     }
     elsif ( $e eq 'process' )
     {
diff --git a/debian/changelog b/debian/changelog
index fac42be..861daff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libhtml-scrubber-perl (0.08-4+deb6u1) squeeze-lts; urgency=low
+
+  * Non maintainer upload by the Debian LTS team.
+  * Backport upstream fix for CVE-2015-5667. Apply the patch
+    directly in the source package but keep a copy for reference
+    in debian/patches/CVE-2015-5667.patch.
+
+ -- Raphaël Hertzog <hertzog at debian.org>  Tue, 03 Nov 2015 11:06:14 +0000
+
 libhtml-scrubber-perl (0.08-4) unstable; urgency=low
 
   * New maintainer.
diff --git a/debian/patches/CVE-2015-5667.patch b/debian/patches/CVE-2015-5667.patch
new file mode 100644
index 0000000..fe0a6a5
--- /dev/null
+++ b/debian/patches/CVE-2015-5667.patch
@@ -0,0 +1,80 @@
+From: Nigel Metheringham <nigelm at cpan.org>
+Date: Sat, 10 Oct 2015 15:01:14 +0100
+Subject: [PATCH] Test and fix for JVN53973084
+
+Malformed tags can pass through as comments.
+Thus comments are now only passed through if
+they are well formed - currently defined as
+matching a regular expression.
+
+[hertzog at debian.org:
+Backported to version 0.08 by implementing the new check
+in _scrub_fh() and _scrub() and adapted the test case
+to use "Test" instead of Test::More.
+
+Fixes CVE-2015-5667.
+]
+
+Origin: backport, https://github.com/nigelm/html-scrubber/commit/e1978cc37867e85c06a84a4651745235010cd6cd
+
+diff --git a/Scrubber.pm b/Scrubber.pm
+index a6d990c..af5ce54 100644
+--- a/Scrubber.pm
++++ b/Scrubber.pm
+@@ -444,10 +444,13 @@ sub _scrub_fh {
+     }
+     elsif ( $e eq 'comment' )
+     {
+-        print
+-            {$s->{_out}}
+-                $text
+-                    if $s->{_comment};
++	if ($s->{_comment}) {
++	    # only copy comments through if they are well formed...
++	    print
++		{$s->{_out}}
++		    $text
++			if ( $text =~ m|^<!--.*-->$|ms );
++	}
+     }
+     elsif ( $e eq 'process' )
+     {
+@@ -507,7 +510,10 @@ sub _scrub {
+     }
+     elsif ( $e eq 'comment' )
+     {
+-        $s->{_r} .= $text if $s->{_comment};
++	if ($s->{_comment}) {
++	    # only copy comments through if they are well formed...
++	    $s->{_r} .= $text if ( $text =~ m|^<!--.*-->$|ms );
++	}
+     }
+     elsif ( $e eq 'process' )
+     {
+diff --git a/t/jvn53973084.t b/t/jvn53973084.t
+new file mode 100644
+index 0000000..955de0d
+--- /dev/null
++++ b/t/jvn53973084.t
+@@ -0,0 +1,21 @@
++# Tests related to JVN53973084
++
++use strict;
++use warnings;
++use Test;
++
++BEGIN { plan tests => 4 }
++
++use HTML::Scrubber;
++
++my @allow = qw[
++    hr
++];
++
++my $html_1 = q[<hr><a href="javascript:alert(1)"<hr>abc];
++my $html_2 = q[<img src="javascript:alert(1)"];
++foreach my $comment_value ( 0, 1 ) {
++    my $scrubber = HTML::Scrubber->new( allow => \@allow, comment => $comment_value );
++    ok( $scrubber->scrub($html_1), '<hr>abc', "correct result (1) - with comment => $comment_value" );
++    ok( $scrubber->scrub($html_2), '',            "correct result (2) - with comment => $comment_value" );
++}
diff --git a/t/jvn53973084.t b/t/jvn53973084.t
new file mode 100644
index 0000000..955de0d
--- /dev/null
+++ b/t/jvn53973084.t
@@ -0,0 +1,21 @@
+# Tests related to JVN53973084
+
+use strict;
+use warnings;
+use Test;
+
+BEGIN { plan tests => 4 }
+
+use HTML::Scrubber;
+
+my @allow = qw[
+    hr
+];
+
+my $html_1 = q[<hr><a href="javascript:alert(1)"<hr>abc];
+my $html_2 = q[<img src="javascript:alert(1)"];
+foreach my $comment_value ( 0, 1 ) {
+    my $scrubber = HTML::Scrubber->new( allow => \@allow, comment => $comment_value );
+    ok( $scrubber->scrub($html_1), '<hr>abc', "correct result (1) - with comment => $comment_value" );
+    ok( $scrubber->scrub($html_2), '',            "correct result (2) - with comment => $comment_value" );
+}
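Review bot: The test pins only the rejection path; nothing checks that a well-formed comment still passes with `comment => 1` and is dropped with `comment => 0`, so a regex that rejected every comment would also pass these four assertions. Inside the loop, a case such as `ok( $scrubber->scrub('<hr><!-- note -->'), $comment_value ? '<hr><!-- note -->' : '<hr>', "well-formed comment - with comment => $comment_value" );` together with `plan tests => 6` would cover it. That input is a constructed sample, and the expected output should be confirmed against 0.08. A multi-line comment case would also document what the `/ms` flags are meant to allow.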

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libhtml-scrubber-perl.git


