[pkg-php-pear] Bug#1112542: bookworm-pu: package shaarli/0.12.1+dfsg-8+deb12u1

[James Valleroy]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: shaarli at packages.debian.org, jvalleroy at mailbox.org
Control: affects -1 + src:shaarli
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
Fixes CVE-2025-55291:
  Prior to 0.15.0, the input string in the cloud tag page is not
  properly sanitized. This allows the </title> tag to be prematurely
  closed, leading to a reflected Cross-Site Scripting (XSS)
  vulnerability. This vulnerability is fixed in 0.15.0.

The issue affects all versions of shaarli prior to 0.15.0.

[ Impact ]
The tag search functionality with the XSS vulnerability is accessible
in instances of Shaarli that are on the public Internet, even without
login.

[ Tests ]
I manually tested for the exploit before and after the fix.

[ Risks ]
It is a very simple change, so the risk appears to be low.

[ Checklist ]
   [x] *all* changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in (old)stable
   [x] the issue is verified as fixed in unstable

[ Changes ]
Wrap the $searchTags variable in escape() to sanitize the user input.
This change is from an upstream commit that applied directly to the older
version.

[ Other info ]
I have already uploaded the package to bookworm-proposed-updates.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shaarli_0.12.1+dfsg-8_0.12.1+dfsg-8+deb12u1.diff
Type: text/x-patch
Size: 2817 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20250830/352b2a7d/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-php-pear/attachments/20250830/352b2a7d/attachment.sig>