Version in base suite: 4.4.6+dfsg-1.1+deb12u2
Base version: request-tracker4_4.4.6+dfsg-1.1+deb12u2
Target version: request-tracker4_4.4.6+dfsg-1.1+deb12u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/request-tracker4/request-tracker4_4.4.6+dfsg-1.1+deb12u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/request-tracker4/request-tracker4_4.4.6+dfsg-1.1+deb12u3.dsc
 .git-dpm | 4 +-
 changelog | 8 +++++
 patches/series | 1
 patches/upstream_4.4.6_cve:_patchset_2025-10-07.diff | 29 +++++++++++++++++++
 4 files changed, 40 insertions(+), 2 deletions(-)
diff -Nru request-tracker4-4.4.6+dfsg/debian/.git-dpm request-tracker4-4.4.6+dfsg/debian/.git-dpm
--- request-tracker4-4.4.6+dfsg/debian/.git-dpm 2025-04-17 03:48:44.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/.git-dpm 2025-10-10 10:44:30.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-a9e5741a44b9ce67e1d6771b15c14941ed6d5a8e
-a9e5741a44b9ce67e1d6771b15c14941ed6d5a8e
+45fb0940803c3c233ea44e246b2340d9198a48ca
+45fb0940803c3c233ea44e246b2340d9198a48ca
 55d7d688b083f85df5b32d685ea4c2d6a4341705
 55d7d688b083f85df5b32d685ea4c2d6a4341705
 request-tracker4_4.4.6+dfsg.orig.tar.gz
diff -Nru request-tracker4-4.4.6+dfsg/debian/changelog request-tracker4-4.4.6+dfsg/debian/changelog
--- request-tracker4-4.4.6+dfsg/debian/changelog 2025-04-17 03:48:48.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/changelog 2025-10-10 10:44:30.000000000 +0000
@@ -1,3 +1,11 @@
+request-tracker4 (4.4.6+dfsg-1.1+deb12u3) bookworm-security; urgency=medium
+
+ * Apply upstream patch which fixes a security vulnerability.
+ - [CVE-2025-61873] Fix CSV injection via ticket values with special
+ characters that are exported to a TSV from search results.
+
+ -- Andrew Ruthven Fri, 10 Oct 2025 23:44:30 +1300
+
 request-tracker4 (4.4.6+dfsg-1.1+deb12u2) bookworm-security; urgency=medium
 
 * Apply upstream patches which fixes several security vulnerabilities.
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/series request-tracker4-4.4.6+dfsg/debian/patches/series
--- request-tracker4-4.4.6+dfsg/debian/patches/series 2025-04-17 03:48:44.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/series 2025-10-10 10:44:30.000000000 +0000
@@ -29,3 +29,4 @@
 upstream_4.4.6_cve:_patchset_2025-04-11.diff
 fix_CVE-2024-3262.diff
 fix_CVE-2024-3262_2.diff
+upstream_4.4.6_cve:_patchset_2025-10-07.diff
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-10-07.diff request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-10-07.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-10-07.diff 1970-01-01 00:00:00.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-10-07.diff 2025-10-10 10:44:30.000000000 +0000
@@ -0,0 +1,29 @@
+From 45fb0940803c3c233ea44e246b2340d9198a48ca Mon Sep 17 00:00:00 2001
+From: Andrew Ruthven
+Date: Wed, 8 Oct 2025 21:07:45 +1300
+Subject: Fix for CVE-2025-61873
+
+Resolve a vulnerability regarding CSV injection via ticket values with special
+characters that are exported to a TSV from search results.
+
+Patch-Name: upstream_4.4.6_cve:_patchset_2025-10-07.diff
+Author: Best Practical
+Forwarded: not-needed
+Applied: 4.4.9
+---
+ share/html/Elements/TSVExport | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/share/html/Elements/TSVExport b/share/html/Elements/TSVExport
+index 5a13fecb..13f03ccd 100644
+--- a/share/html/Elements/TSVExport
++++ b/share/html/Elements/TSVExport
+@@ -122,6 +122,8 @@ while (my $row = $Collection->Next) {
+ $val =~ s/(?:\n|\r)+/ /g; $val =~ s{\t}{ }g;
+ $val = $no_html->scrub($val);
+ $val = HTML::Entities::decode_entities($val);
++ # To prevent injection, add a leading space to make sure excel-ish applications treat it like a literal
++ $val =~ s/^(?=-|\+|=|\@|")/ /;
+ $val;
+ } @$col)."\n");
+ }
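Review bot: The added substitution `$val =~ s/^(?=-|\+|=|\@|")/ /;` is only effective because it runs after `$no_html->scrub($val)` and `HTML::Entities::decode_entities($val)`, and the comment should say so: a value whose leading `=` is hidden behind a tag or an entity such as `&#61;` only becomes a literal `=` once those two lines have run, so anyone reordering the pipeline later would reopen CVE-2025-61873 without any test noticing. Suggested replacement for the added comment: `# CVE-2025-61873: prefix a space so spreadsheet importers treat a leading -, +, =, @ or " as text.` followed by `# Must stay after scrub() and decode_entities(), or an encoded/tagged prefix bypasses the check.` The alternation inside the lookahead is easier to audit as a character class, `$val =~ s/^(?=[-+=@"])/ /;`, which matches the same first characters; `^` is adequate here since CR/LF have already been collapsed to spaces on the line above. The enclosing `map` block and the `while (my $row = $Collection->Next)` loop begin before this hunk, so the origin of `$val` is not visible from the patch.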