[Pkg-mozext-maintainers] firefox-sage diff for Lenny fixing CVE-2009-4102
Steffen Joeris
steffen.joeris at skolelinux.de
Fri Dec 11 09:41:51 UTC 2009
Hi Alan
Thanks for sending us this debdiff.
> Attached is my proposed diff for Lenny. It takes the 'least changes'
> approach to fixing the problem, which isn't great long term. Having
> applied this patch it now passes the test feeds in both html/non-html
> mode:
>
> http://users.aber.ac.uk/ajw/new.rss
> http://users.aber.ac.uk/ajw/newI.rss
> http://users.aber.ac.uk/ajw/everything.atom (this is the test case from
> 2006 which had a regression)
>
> Etch is somewhat different, and still has my original patch from the 2006
> vulnerability which means there is no regression and it also fixed one of
> the newer test cases.
>
> Etch actually seemed to pass all the test cases there, but I know at least
> the malicious link one would be exploitable with only a very small change
> to the feed. (The benign 'exploit' made a few assumptions about which
> version of FF/IW you're using, which caused an exception to be thrown part
> way through executing the exploit, before there is any indication of
> failure).
>
> Please can you review this and allow me to make an upload to
> stable-security? I'll provide a similar patch for etch shortly too.
The patch looks good, but when looking at it, I was wondering whether it
misses a few parts?
Do we need to call entityEncode around
this.simpleHtmlParser.parse(item.getContent()); (line 242)?
There are also a few more itemget*() calls, where I am unable to determine
whether they are all plain user input; maybe easier for someone who uses
firefox-sage.
If you can determine that this is all we need, then please go ahead.
Cheers
Steffen
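
Added example, not part of the original mail or of the Sage code base: one way to answer the review question above mechanically is to list every item.get*() call site and report which ones are not wrapped in entityEncode. The SAMPLE source and the getTitle/getLink/getAuthor/trim names are constructed assumptions; only item.getContent(), entityEncode and simpleHtmlParser.parse come from the mail.

```javascript
// Audit helper (added example). SAMPLE is constructed, not real Sage source.
const SAMPLE = [
  'var title = entityEncode(item.getTitle());',
  'var link = item.getLink();',
  'var body = this.simpleHtmlParser.parse(item.getContent());',
  'var who = entityEncode(trim(item.getAuthor()));',
].join('\n');

// Names of the callees whose argument lists enclose position `pos`.
// Heuristic: scans backwards within the current statement and does not
// understand string literals or comments.
function enclosingCallees(src, pos) {
  const callees = [];
  let depth = 0;
  for (let i = pos - 1; i >= 0; i--) {
    const ch = src[i];
    if (depth === 0 && (ch === ';' || ch === '{' || ch === '}')) break;
    if (ch === ')') depth++;
    else if (ch === '(') {
      if (depth > 0) { depth--; continue; }
      // Unmatched '(' encloses pos; read the identifier in front of it.
      const m = /([\w$.]+)\s*$/.exec(src.slice(0, i));
      if (m) callees.push(m[1]);
    }
  }
  return callees;
}

// One finding per item.get*() call: line number, call text, enclosing callees.
function auditGetters(src) {
  const findings = [];
  const re = /\bitem\.get\w*\(\)/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const via = enclosingCallees(src, m.index);
    findings.push({
      line: src.slice(0, m.index).split('\n').length,
      call: m[0],
      via,
      encoded: via.some((c) => c.split('.').pop() === 'entityEncode'),
    });
  }
  return findings;
}

// Call sites a reviewer still has to classify by hand.
function unencoded(src) {
  return auditGetters(src).filter((f) => !f.encoded);
}

console.log(unencoded(SAMPLE));
```

A reported call site is a place to review, not a confirmed defect: whether output passed through simpleHtmlParser.parse still needs encoding is exactly the open question in the mail.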