[pkg-php-pear] Bug#1112529: trixie-pu: package shaarli/0.14.0+dfsg-2

James Valleroy jvalleroy at mailbox.org
Sat Aug 30 14:05:21 BST 2025 

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: shaarli at packages.debian.org, jvalleroy at mailbox.org
Control: affects -1 + src:shaarli
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
Fixes CVE-2025-55291:
  Prior to 0.15.0, the input string in the cloud tag page is not
  properly sanitized. This allows the </title> tag to be prematurely
  closed, leading to a reflected Cross-Site Scripting (XSS)
  vulnerability. This vulnerability is fixed in 0.15.0.

This issue is also present in old-stable.

In discussion with the security team, they requested it to be fixed in
the upcoming point release.

[ Impact ]
The tag search functionality with the XSS vulnerability is accessible
in instances of Shaarli that are on the public Internet, even without
login.

[ Tests ]
I manually tested for the exploit before and after the fix.

[ Risks ]
It is a very simple change, so the risk appears to be low.

[ Checklist ]
   [x] *all* changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in (old)stable
   [x] the issue is verified as fixed in unstable

[ Changes ]
Wrap the $searchTags variable in escape() to sanitize the user input.
This change is from an upstream commit that applied directly to the older
version.

I have already uploaded the package to proposed-updates.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shaarli_0.14.0+dfsg-1_0.14.0+dfsg-2.diff
Type: text/x-patch
Size: 2831 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20250830/319c8ff7/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20250830/319c8ff7/attachment.sig>

More information about the pkg-php-pear mailing list