Debian Bug report logs -
#902886
CVE-2018-0499: HTML escaping bug
Reported by: Olly Betts <olly@survex.com>
Date: Mon, 2 Jul 2018 21:42:02 UTC
Severity: important
Tags: patch, security, upstream
Found in versions xapian-core/1.4.2-1, xapian-core/1.4.5-1
Fixed in versions xapian-core/1.4.6-1, xapian-core/1.4.3-2+deb9u1
Done: Olly Betts <olly@survex.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#902886; Package libxapian30.
(Mon, 02 Jul 2018 21:42:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Olly Betts <olly@survex.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org.
(Mon, 02 Jul 2018 21:42:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: libxapian30
Version: 1.4.5-1
Severity: important
Tags: security patch upstream
I spotted an HTML escaping bug in Xapian::MSet::snippet() while working
on the code. This issue has been assigned CVE-2018-0499 by the security
team.
This bug is fixed by yesterday's upstream release 1.4.6 which I'm
intending to upload to unstable very shortly. The attached patch should
be suitable for fixing this in older 1.4.x releases (1.2.x isn't
affected).
Cheers,
Olly
[cve-2018-0499-mset-snippet-escaping.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Olly Betts <olly@survex.com>:
You have taken responsibility.
(Mon, 02 Jul 2018 23:48:03 GMT) (full text, mbox, link).
Notification sent
to Olly Betts <olly@survex.com>:
Bug acknowledged by developer.
(Mon, 02 Jul 2018 23:48:03 GMT) (full text, mbox, link).
Message #10 received at 902886-close@bugs.debian.org (full text, mbox, reply):
Source: xapian-core
Source-Version: 1.4.6-1
We believe that the bug you reported is fixed in the latest version of
xapian-core, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 902886@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Olly Betts <olly@survex.com> (supplier of updated xapian-core package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 03 Jul 2018 10:23:20 +1200
Source: xapian-core
Binary: libxapian30 libxapian-dev xapian-tools xapian-doc xapian-examples
Architecture: source
Version: 1.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Olly Betts <olly@survex.com>
Changed-By: Olly Betts <olly@survex.com>
Description:
libxapian-dev - Development files for Xapian search engine library
libxapian30 - Search engine library
xapian-doc - Core Xapian documentation
xapian-examples - Xapian simple example programs
xapian-tools - Basic tools for Xapian search engine library
Closes: 902886
Changes:
xapian-core (1.4.6-1) unstable; urgency=medium
.
* New upstream release
+ MSet::snippet() fixed to escape HTML in all cases (CVE-2018-499).
(Closes: #902886)
* debian/control.in: Declare conformance with standards-version 4.1.4.
* debian/control.in: Update Vcs-* to point to salsa.d.o.
Checksums-Sha1:
465d0c09413b683fb6da50e55f8618ab2cc77ce3 2372 xapian-core_1.4.6-1.dsc
e9817b6bf122453dd5c0c4166126f8bc489e7410 2839964 xapian-core_1.4.6.orig.tar.xz
882543e5b22c642784dab002003c8ac17d296ee1 833 xapian-core_1.4.6.orig.tar.xz.asc
50b705737d9a117b37491839cd148f3cd396e340 18168 xapian-core_1.4.6-1.debian.tar.xz
022b9712d3449126c503a02708310920ceb34395 7915 xapian-core_1.4.6-1_amd64.buildinfo
Checksums-Sha256:
1b55c4dc0a3043e169d54129c302348ae55a60a8ad191e215f954dcbd37523b0 2372 xapian-core_1.4.6-1.dsc
1e0ef1c1d3e2119874d545b7edbb60e6e17d7d18fb802eb890d9ef7bb0bbd898 2839964 xapian-core_1.4.6.orig.tar.xz
b189d50f7311567161857c61ca1a9ee408a2a76c2a09c3852a01f647948075bf 833 xapian-core_1.4.6.orig.tar.xz.asc
8cdb932455bac452158dac675fbcc9a096969de5b60a8a501c8f928fee9fc942 18168 xapian-core_1.4.6-1.debian.tar.xz
8d6d419374960448082db6ba50db74a041e849fc50b0ce38b252c51b077bd392 7915 xapian-core_1.4.6-1_amd64.buildinfo
Files:
ce79369ffb99bcea8ec030dea09fbbf2 2372 libs optional xapian-core_1.4.6-1.dsc
8978a75ea269bb902000a2b3ba5e6ed9 2839964 libs optional xapian-core_1.4.6.orig.tar.xz
cf773fce53c2fe253ed9e9179096fa96 833 libs optional xapian-core_1.4.6.orig.tar.xz.asc
6720970bb06626d470323dd8860287c2 18168 libs optional xapian-core_1.4.6-1.debian.tar.xz
b8fcbb2453dafa0943138a1d0cef124f 7915 libs optional xapian-core_1.4.6-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEECOJAD/f+j+3jrLUoGBR7BzutKwcFAls6rbwACgkQGBR7Bzut
KwcR6g//ehaE5ARi/c+hBO3ahv51TFdWLte2zHnr41TBQ0MhaHZpc0CN5RvoLUAg
ouGIyebPogW3W0kkaSLIkQLL5bUj1v8OLnKsopDvWffuaO2/wUAl28UqlDDM+jxj
p7RaAzLMp6ejv01wBO/D3yhgwICWumWjNrXKa1VaMxH5HEhsKVGvCbYW5PqMvhPG
GMMly03AgwK0IvB3g1/c4pXyzsjwXBWySkBOz5FOi/VcleyRQtrq/XBloMOSuPvh
kaifpY8YmDb3rUAghjlfePbcDtsxpxjRzi4DGjQgJ7ekD1P05mNgO+/GGYWyOD66
iDtqeWHUofFdToO51HBl8/Fn/gCXYyO3bWwWcadkeAYzxJxUPRzTPfQV1iQoW6yt
UvZVRLb3/7rrAbQvaH45AXejrvaE8i64d7mAJCRDQnRs7D+AKhpTvYye9N9tUo08
0fjRpMWUk0B6N9M+UsJCFoXOFa4zAXDgbDIalRx+UIiyJSAVEGj0E0AcFd2Ifxx0
qDOPmQ3ODu/Fo+J0uD2o1xuXA1sIg/m+UJlUQH12wI7wuOBAxurK7yS6PZHodFDA
clhoj+nQ9Rf+hGrzCfMbMocZHudW8R9E3cSTM16GwSKHkja6CLJVJe0y57hUlkR+
RdBqEUIwsD/O14GVCLPgs27VDVSEzJEbbRYO6a6dgb0ex1fvZUY=
=TobJ
-----END PGP SIGNATURE-----
Marked as found in versions xapian-core/1.4.2-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 03 Jul 2018 04:30:02 GMT) (full text, mbox, link).
Reply sent
to Olly Betts <olly@survex.com>:
You have taken responsibility.
(Fri, 06 Jul 2018 14:36:12 GMT) (full text, mbox, link).
Notification sent
to Olly Betts <olly@survex.com>:
Bug acknowledged by developer.
(Fri, 06 Jul 2018 14:36:12 GMT) (full text, mbox, link).
Message #17 received at 902886-close@bugs.debian.org (full text, mbox, reply):
Source: xapian-core
Source-Version: 1.4.3-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
xapian-core, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 902886@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Olly Betts <olly@survex.com> (supplier of updated xapian-core package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 06 Jul 2018 09:52:48 +1200
Source: xapian-core
Binary: libxapian30 libxapian30-dbg libxapian-dev xapian-tools xapian-doc xapian-examples
Architecture: source amd64 all
Version: 1.4.3-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Olly Betts <olly@survex.com>
Changed-By: Olly Betts <olly@survex.com>
Description:
libxapian-dev - Development files for Xapian search engine library
libxapian30 - Search engine library
libxapian30-dbg - Debugging symbols for the Xapian Search engine library
xapian-doc - Core Xapian documentation
xapian-examples - Xapian simple example programs
xapian-tools - Basic tools for Xapian search engine library
Closes: 902886
Changes:
xapian-core (1.4.3-2+deb9u1) stretch; urgency=medium
.
* Fix MSet::snippet() to escape HTML in all cases (CVE-2018-499).
New patch: cve-2018-0499-mset-snippet-escaping.patch (Closes: #902886)
Checksums-Sha1:
f164fb4186db02dbe551b9978ba6d6245f42b21e 2242 xapian-core_1.4.3-2+deb9u1.dsc
2a8e952201e49e587f25e5bd8898e189a6b6d5f4 19944 xapian-core_1.4.3-2+deb9u1.debian.tar.xz
24d2facb00e0029a4c32ada4a45e7ab30133fc3c 508312 libxapian-dev_1.4.3-2+deb9u1_amd64.deb
cf8b8999caf6d2d44d93132a4cad8c94865842c1 11185908 libxapian30-dbg_1.4.3-2+deb9u1_amd64.deb
69880a4ea0b9615e42a28043c147539c8d99ea55 1067390 libxapian30_1.4.3-2+deb9u1_amd64.deb
e21a2562168f23093b9c0457d089629327dac6ed 7400 xapian-core_1.4.3-2+deb9u1_amd64.buildinfo
cea4621d7afde74cf8e75df81f1dd68a093a3946 1450934 xapian-doc_1.4.3-2+deb9u1_all.deb
341ff4780fa47bcd9490af9cf90ec63259498f14 448900 xapian-examples_1.4.3-2+deb9u1_amd64.deb
ee5890ad96d486703f537746b2f81db96f6ddc27 478220 xapian-tools_1.4.3-2+deb9u1_amd64.deb
Checksums-Sha256:
5182f2e68461e5a0f70d8266af423062d691244c28cca3263f355788f84fb448 2242 xapian-core_1.4.3-2+deb9u1.dsc
24a70fa5fda65dd68b5a54d92309340b847d3e2a7835e098aab7bae01a01a3ea 19944 xapian-core_1.4.3-2+deb9u1.debian.tar.xz
ead1feebeeb6a30c4b799d9348c62f9b8ab27c7c9ada6bda7556c07108c90e1e 508312 libxapian-dev_1.4.3-2+deb9u1_amd64.deb
33b3dacc9c87c05993f354f245a90a0011a3ab073556064a593464d3450f4d6d 11185908 libxapian30-dbg_1.4.3-2+deb9u1_amd64.deb
4f56768badd15555aecd03d979638a34d1f6b5536549f4b0fc41ee926bafa976 1067390 libxapian30_1.4.3-2+deb9u1_amd64.deb
9365f2fcff4471d31e514aa1b0bfa2db45b7b5c9c0162733966614a8081268a7 7400 xapian-core_1.4.3-2+deb9u1_amd64.buildinfo
530189da6a7c15ffd01a9dab091b44d6bc8430c2c65f3375894e1149067f8c6b 1450934 xapian-doc_1.4.3-2+deb9u1_all.deb
ea0456202591d9bacae50a2c3cac28f5589507e6693b6f4a104daee87ed2ec03 448900 xapian-examples_1.4.3-2+deb9u1_amd64.deb
ac8c780f6678c7b681d6dc4f626a7c0f02a94e5fa3b4053fd1a1c9d2181f3ac8 478220 xapian-tools_1.4.3-2+deb9u1_amd64.deb
Files:
a22b350ac24b1dd7f3336a8bbfc36f2f 2242 libs important xapian-core_1.4.3-2+deb9u1.dsc
43ce4a1fb1dc1f6b8ba205b727f876dc 19944 libs important xapian-core_1.4.3-2+deb9u1.debian.tar.xz
28bc6ea22f39e62ec19bd4f39c04b4d9 508312 libdevel optional libxapian-dev_1.4.3-2+deb9u1_amd64.deb
0764dc1a5ef8b2f4271162efa3e257be 11185908 debug extra libxapian30-dbg_1.4.3-2+deb9u1_amd64.deb
38c0d4e481590014a4e9154eaf556436 1067390 libs important libxapian30_1.4.3-2+deb9u1_amd64.deb
a694a6587beae9b73225d7480e00a564 7400 libs important xapian-core_1.4.3-2+deb9u1_amd64.buildinfo
d868f1517ba1ef597a00cb7285ac69f5 1450934 doc optional xapian-doc_1.4.3-2+deb9u1_all.deb
720fc01ed7250aeaf89fe2b991b87a5d 448900 doc optional xapian-examples_1.4.3-2+deb9u1_amd64.deb
832bcaa4194818df5a485eb935f76c7b 478220 utils optional xapian-tools_1.4.3-2+deb9u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEECOJAD/f+j+3jrLUoGBR7BzutKwcFAls+l4sACgkQGBR7Bzut
KwfxJw//TKH3ORdH4q3yPkg28vUppwyaHxskzWianY3aLwtdmqC886j5OlRX5ojk
faA7x/BLlv24VEPS1TaODJpNWSkNu91xf7spk8UNwTOAkc/mGNt+il/Af5s51ihu
vpm/DWP6fNvC1G8Ef0VTDdL+gXSGBUntW721BmLRqlt81SM8tywyJrWljUzSbuUz
c/mITpXtDQNDJmNsOjpSsHUAxspsMb3T3auFyDL78oaEbJBoXYnt7G7lcfmJshJx
m7u0bpXn2jMocvCXzvmgPz7C5BmqOBKDCn8CyXSZDJTzzxcv+IBCp0Ho4ipql3vT
dptfHaEpESYtIS0TTq0RNszFxWvg7i77/KKfp9fVDyYX0J9Iz1qEogQg0+PWd0Ct
q7r1MsSnw0HJB3cEP4wVNs0jyOQf5SolRvLeuutYPemV/q8c8Jz32SPPPA8I9iJw
6dCGrSSH7HAKzkT77d3sGRPaCXJry3JmaZMG5HGPMXQDALuby/kKXjIeE29g/of+
2vtpbSKZKpsE3yXX7IPg85qJDKlFq1yq3lLJUcID29i06BUTFu5wgXWnf0iIJw1K
hukJGV+7fbE+NqnspB64kFc/pl/GdsYFAe3vm0RxSfHMoPlvdLgBTKHUXmO8Mjtq
57eVlRb+Xvlufjddj+JEQdJPAI5NYAnDd8wPJ3W7MJ48DlhKP/w=
=HmQ9
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 06 Aug 2018 07:37:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:21:20 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon