XSS in HTML purifier 3.0.0 and 4.0.0

Bug #582576 reported by François Marier
This bug affects 1 person
Affects                    Status        Importance  Assigned to  Milestone
php-htmlpurifier (Ubuntu)  Fix Released  Undecided   Unassigned
Karmic                     Fix Released  Undecided   Unassigned
Lucid                      Fix Released  Undecided   Unassigned
Maverick                   Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: php-htmlpurifier

From the HTML Purifier 4.1.1 release announcement:

"HTML Purifier 4.1.1 is a major security and bugfix release that improves on 4.1's fix for an XSS vulnerability exploitable on Internet Explorer."

I couldn't find a CVE number or any details as to what this is. All I got was this:

  http://secunia.com/advisories/39613/

Both karmic and lucid are affected by this problem.

Tags: patch

François Marier (fmarier) wrote :

I have just attached the commit in 4.1.0 which fixes that problem.

Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
Changed in php-htmlpurifier (Ubuntu):
status: New → Triaged
François Marier (fmarier) wrote :

I have extracted the two upstream commits which fix this issue.

Here are patches for HTML Purifier 3.3.0 (in karmic) and 4.0.0 (in lucid)

François Marier (fmarier) wrote :
description: updated
Artur Rona (ari-tczew) wrote :

François, are you sure that maverick's version (4.1.0) fixes the issue? I don't see the code from your attached patch applied in the upstream tarball. +1 from me for patching maverick.

François Marier (fmarier) wrote :

The version in Maverick is also affected, but I figured I would just get it fixed in Debian first and then request a sync of the new upstream version (4.1.1).

Here's the patch that would be required, however, if you choose not to sync the new version from Debian.

Artur Rona (ari-tczew) wrote :

We can add these patches to the packages, and when Debian does the same, we will drop the delta and sync the package. I can prepare patches for karmic, lucid and maverick, but I will be happy if you test the packages. Are you interested, François?

Thanks for your contribution.

François Marier (fmarier) wrote :

Sure, I can test both the karmic and the lucid packages as part of updating the Mahara package to make use of the system version of HTML purifier.

Just let me know where I can find them.

Artur Rona (ari-tczew) wrote :

I'll prepare .deb files for you next week at the latest.

Changed in php-htmlpurifier (Ubuntu Karmic):
assignee: nobody → Artur Rona (ari-tczew)
Changed in php-htmlpurifier (Ubuntu Lucid):
assignee: nobody → Artur Rona (ari-tczew)
Changed in php-htmlpurifier (Ubuntu Maverick):
assignee: nobody → Artur Rona (ari-tczew)
Thorsten Glaser (mirabilos) wrote :

Please sync php-htmlpurifier 4.1.1+dfsg1-1 (universe) from Debian sid (main)

I’ve just uploaded an upgraded version of this package into Debian, after noticing not only that
a newer version is available on my QA page but also it’s security relevant (I’m not the maintainer
for this package, I just jumped in to fix it once…).

There were no *buntu changes. I have run the testsuite, no regressions.

http://packages.qa.debian.org/p/php-htmlpurifier/news/20100617T153520Z.html

Thorsten Glaser (mirabilos) wrote :

François Marier: would you be interested in helping with the package’s development?
I’m doing this as part of my work on FusionForge, but we don’t have any real test
cases, and so I’m usually wary of uploading anything in fear of breaking things…
drop me (tg@d.o) an eMail if you’re interested…

Artur Rona (ari-tczew) wrote :

Thorsten, we have no delta in this package, so it will come automatically into maverick.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php-htmlpurifier - 4.1.1+dfsg1-1

---------------
php-htmlpurifier (4.1.1+dfsg1-1) unstable; urgency=high

  * New upstream release; upstream WHATSNEW says:
    | HTML Purifier 4.1.1 is a major security and bugfix release that
    | improves on 4.1's fix for an XSS vulnerability exploitable on Internet
    | Explorer. It also contains a number of important bugfixes, including
    | the removal of improper logic that could result in infinite loops and
    | fixed parsing for single-attributes with entities with DirectLex.
  * Set urgency=high due to second attempt at XSS bugfix, no CVE number
    (SA39613) (Closes: #586061) (LP: #582576)
  * /usr/share/php-htmlpurifier/tests/index.php no longer has a shebang,
    so do not chmod +x it
 -- Ubuntu Archive Auto-Sync <email address hidden> Sun, 20 Jun 2010 09:07:52 +0100

Changed in php-htmlpurifier (Ubuntu Maverick):
status: Triaged → Fix Released
Artur Rona (ari-tczew)
Changed in php-htmlpurifier (Ubuntu Maverick):
assignee: Artur Rona (ari-tczew) → nobody
Artur Rona (ari-tczew) wrote :

OK François, the packages are done. Let's try testing from the following PPA: https://launchpad.net/~ari-tczew/+archive/testing
You can choose packages for karmic and lucid. The deb files can be downloaded manually, or you can add the repository to your /etc/apt/sources.list. Instructions are available at the above link in the field called "Adding this PPA to your system".

I look forward to your feedback.

Changed in php-htmlpurifier (Ubuntu Karmic):
status: New → Incomplete
Changed in php-htmlpurifier (Ubuntu Lucid):
status: New → Incomplete
François Marier (fmarier) wrote :

The karmic and lucid packages that are in Artur's PPA are working fine for me.

Changed in php-htmlpurifier (Ubuntu Karmic):
status: Incomplete → Confirmed
Changed in php-htmlpurifier (Ubuntu Lucid):
status: Incomplete → Confirmed
Jamie Strandboge (jdstrand) wrote :

Artur, since your patch is verified to work, would you be able to prepare debdiffs for karmic and lucid by following https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging? Unsubscribing ubuntu-security-sponsors. Please resubscribe ubuntu-security-sponsors if you upload a debdiff. Thanks!

tags: added: patch
Jamie Strandboge (jdstrand) wrote :

NAK for karmic: FTBFS due to patch not applying during the build.

NAK for lucid: patch is not identical to the patch attached in this bug.

Unsubscribing ubuntu-security-sponsors. Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the changes are complete. Please also detail the testing performed.

Changed in php-htmlpurifier (Ubuntu Karmic):
status: Confirmed → Incomplete
Changed in php-htmlpurifier (Ubuntu Lucid):
status: Confirmed → Incomplete
Artur Rona (ari-tczew) wrote :
Artur Rona (ari-tczew) wrote :
Changed in php-htmlpurifier (Ubuntu Karmic):
assignee: Artur Rona (ari-tczew) → nobody
status: Incomplete → New
Changed in php-htmlpurifier (Ubuntu Lucid):
assignee: Artur Rona (ari-tczew) → nobody
status: Incomplete → New
Marc Deslauriers (mdeslaur) wrote :

ACK on the two debdiffs. Packages have been uploaded and are building now.

Changed in php-htmlpurifier (Ubuntu Karmic):
status: New → Fix Committed
Changed in php-htmlpurifier (Ubuntu Lucid):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php-htmlpurifier - 4.0.0+dfsg1-1ubuntu0.1

---------------
php-htmlpurifier (4.0.0+dfsg1-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE (LP: #582576).
  * A vulnerability has been reported in HTML Purifier, which can be
    exploited by malicious people to conduct cross-site scripting
    attacks.
  * CVE-2010-2479
 -- Artur Rona <email address hidden> Wed, 24 Nov 2010 22:36:10 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php-htmlpurifier - 3.3.0-1ubuntu0.1

---------------
php-htmlpurifier (3.3.0-1ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE (LP: #582576).
  * A vulnerability has been reported in HTML Purifier, which can be
    exploited by malicious people to conduct cross-site scripting
    attacks.
  * CVE-2010-2479
 -- Artur Rona <email address hidden> Wed, 24 Nov 2010 22:23:20 +0100

Changed in php-htmlpurifier (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in php-htmlpurifier (Ubuntu Lucid):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
