[Pkg-mozext-maintainers] Bug#559267: Sage Firefox extensions vulnerabilities

awoodland at debian.org awoodland at debian.org
Sun Dec 6 18:28:45 UTC 2009


The attached patch fixes a security bug in firefox-sage. It's not clear if this is the same bug CVE-2009-4102 reported, or if it's a regression of CVE-2006-4712 (#388149). Test cases for CVE-2009-4102 would be rather helpful in deciding this.

The basic problem this patch fixes is a problem with htmlToText, which is designed to convert HTML into plain text. Unfortunately this process also causes &gt; and &lt; to be converted into < and > respectively, which means the output from htmlToText can still contain HTML tags.

Without this patch applied, the versions of firefox-sage in sid and lenny both fail two tests in 'no HTML mode' on the feed at http://users.aber.ac.uk/ajw/everything.atom that was provided with the 2006 CVE. With this patch applied, no tests in that feed fail.

The version in Etch passes all tests from this feed - it has my original patch from the 2006 CVE, and not the version that got included upstream later.

Given that I'm still not very clear whether this really is a new bug or just the regression I've previously described, I'd rather like to get some verification/guidance before declaring that this patch fixes it.

Alan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: new_xss_fix.patch
Type: text/x-diff
Size: 543 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozext-maintainers/attachments/20091206/de1cdd35/attachment.patch>
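The failure mode described in the message, as an added example that is not Sage's code and not the attached patch: a tag-stripping text conversion decodes entities, so its output has to be escaped again before it reaches an HTML context. The `htmlToText` stand-in, the render helpers and the sample item are all constructed for illustration, and escaping at output is an assumed remedy, not necessarily what the patch does.

```javascript
// Added illustration; a simplified stand-in, not Sage's htmlToText.
const ENTITIES = new Map([
  ["lt", "<"], ["gt", ">"], ["amp", "&"], ["quot", '"'], ["apos", "'"],
]);

// Decode named and numeric character references in a single pass.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1] === "x" || ref[1] === "X";
      const code = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
      return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : m;
    }
    const ch = ENTITIES.get(ref.toLowerCase());
    return ch === undefined ? m : ch;
  });
}

// HTML -> text: drop real tags, then turn entities back into characters.
// The result is plain text, which may legitimately contain "<" and ">".
function htmlToText(html) {
  return decodeEntities(html.replace(/<[^>]*>/g, ""));
}

// Escape text for insertion into HTML element content or attribute values.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Weak: treats the converted text as if it were safe markup.
function renderNoHtmlWeak(itemHtml) {
  return "<p>" + htmlToText(itemHtml) + "</p>";
}

// Hardened: the converted text is data, so it is escaped at output time.
function renderNoHtmlSafe(itemHtml) {
  return "<p>" + escapeHtml(htmlToText(itemHtml)) + "</p>";
}

// Constructed feed item: one real tag plus one entity-encoded tag.
const SAMPLE_ITEM = "Release &lt;img src=x&gt; notes <b>today</b>";

console.log(renderNoHtmlWeak(SAMPLE_ITEM));
console.log(renderNoHtmlSafe(SAMPLE_ITEM));
```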