[Pkg-mozext-maintainers] Bug#559267: Bug#559267: Bug#559267: Sage Firefox extensions vulnerabilities

Alan Woodland alan.woodland at gmail.com
Thu Dec 10 14:54:07 UTC 2009


2009/12/10  <awoodland at debian.org>:
> Ok, that makes sense. I think for the two stable releases at least that's
> too major a change to be making in a security fix, and a cruder patch might
> be the solution.
>
> I'll have a look now at dropping all HTML from the descriptions/links for
> the released versions and try to incorporate a proper fix for the forth
> coming release.

Attached to this email is one (admittedly crude) patch that passes the two new testcases (and one additional case with the link at the feed level and not the item level). The patch also fixes a regression from the 2006 vulnerability (htmlToText *must*  always be entity encoded afterwards). 

This patch is *not* a long term solution (i.e. it doesn't do whitelist HTML filtering instead of blacklist or drop privileges in any form).

I'll liaise with the security team about making uploads now.

Alan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: new_xss_fix.patch
Type: text/x-diff
Size: 2121 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozext-maintainers/attachments/20091210/d43682c4/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 272 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozext-maintainers/attachments/20091210/d43682c4/attachment.pgp>


More information about the Pkg-mozext-maintainers mailing list