Version in base suite: 5.0.3+dfsg-3~deb12u3 Base version: request-tracker5_5.0.3+dfsg-3~deb12u3 Target version: request-tracker5_5.0.3+dfsg-3~deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/request-tracker5/request-tracker5_5.0.3+dfsg-3~deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/request-tracker5/request-tracker5_5.0.3+dfsg-3~deb12u4.dsc .git-dpm | 4 +- changelog | 11 ++++++- patches/series | 1 patches/upstream_5.0.3_cve:_patchset_2025-10-07.diff | 29 +++++++++++++++++++ 4 files changed, 42 insertions(+), 3 deletions(-)
diff -Nru request-tracker5-5.0.3+dfsg/debian/.git-dpm request-tracker5-5.0.3+dfsg/debian/.git-dpm
--- request-tracker5-5.0.3+dfsg/debian/.git-dpm 2025-04-17 03:57:03.000000000 +0000
+++ request-tracker5-5.0.3+dfsg/debian/.git-dpm 2025-10-08 07:40:55.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-d2c7fa38ee6df57c354556aa5cd430ff03bd0f35
-d2c7fa38ee6df57c354556aa5cd430ff03bd0f35
+145bc6052a83e98c8bf51a1bd8bad9a59ab02b17
+145bc6052a83e98c8bf51a1bd8bad9a59ab02b17
 52cb0ca22325e7a067f0a3411ffb55ef03d47aa4
 52cb0ca22325e7a067f0a3411ffb55ef03d47aa4
 request-tracker5_5.0.3+dfsg.orig.tar.gz
diff -Nru request-tracker5-5.0.3+dfsg/debian/changelog request-tracker5-5.0.3+dfsg/debian/changelog
--- request-tracker5-5.0.3+dfsg/debian/changelog 2025-04-17 03:57:24.000000000 +0000
+++ request-tracker5-5.0.3+dfsg/debian/changelog 2025-10-08 07:40:55.000000000 +0000
@@ -1,3 +1,11 @@
+request-tracker5 (5.0.3+dfsg-3~deb12u4) bookworm-security; urgency=medium
+
+ * Apply upstream patch which fixes a security vulnerability.
+ - [CVE-2025-61873] Fix CSV injection via ticket values with special
+ characters that are exported to a TSV from search results.
+
+ -- Andrew Ruthven Wed, 08 Oct 2025 20:40:55 +1300
+
 request-tracker5 (5.0.3+dfsg-3~deb12u3) bookworm-security; urgency=medium

 * Correct CVE-2023-41260 number in previous entry (Closes: #1055128).
@@ -5,6 +13,7 @@ vulnerability due to browser cache usage. If you have sensitive information enable the $WebStrictBrowserCache option (Closes: #1068453). * Apply upstream patches which fix several security vulnerabilities. + (Closes: #1104422). - [CVE-2025-30087] Vulnerable to Cross Site Scripting via injection of malicious parameters in a search URL. - [CVE-2025-2545] RT uses the default OpenSSL cipher, 3DES (des3), for
@@ -15,7 +24,7 @@ - [CVE-2025-31501] Vulnerable to Cross Site Scripting via JavaScript injection in an Asset name. - [CVE-2025-31500] Vulnerable to Cross Site Scripting via JavaScript - injection in an RT permalink. + injection in a RT permalink. -- Andrew Ruthven Thu, 17 Apr 2025 15:57:24 +1200
diff -Nru request-tracker5-5.0.3+dfsg/debian/patches/series request-tracker5-5.0.3+dfsg/debian/patches/series
--- request-tracker5-5.0.3+dfsg/debian/patches/series 2025-04-17 03:57:03.000000000 +0000
+++ request-tracker5-5.0.3+dfsg/debian/patches/series 2025-10-08 07:40:55.000000000 +0000
@@ -31,3 +31,4 @@
 fix_browser_cache2.diff
 upstream_5.0.3_cve:_patchset_2025-04-08.diff
 upstream_5.0.3_cve:_patchset_2025-04-11.diff
+upstream_5.0.3_cve:_patchset_2025-10-07.diff
diff -Nru request-tracker5-5.0.3+dfsg/debian/patches/upstream_5.0.3_cve:_patchset_2025-10-07.diff request-tracker5-5.0.3+dfsg/debian/patches/upstream_5.0.3_cve:_patchset_2025-10-07.diff
--- request-tracker5-5.0.3+dfsg/debian/patches/upstream_5.0.3_cve:_patchset_2025-10-07.diff 1970-01-01 00:00:00.000000000 +0000
+++ request-tracker5-5.0.3+dfsg/debian/patches/upstream_5.0.3_cve:_patchset_2025-10-07.diff 2025-10-08 07:40:55.000000000 +0000
@@ -0,0 +1,29 @@
+From 145bc6052a83e98c8bf51a1bd8bad9a59ab02b17 Mon Sep 17 00:00:00 2001
+From: Andrew Ruthven
+Date: Wed, 8 Oct 2025 20:31:07 +1300
+Subject: Fix for CVE-2025-61873
+
+Resolve a vulnerability regarding CSV injection via ticket values with special
+characters that are exported to a TSV from search results.
+
+Patch-Name: upstream_5.0.3_cve:_patchset_2025-10-07.diff
+Author: Best Practical
+Forwarded: not-needed
+Applied: 5.0.9
+---
+ share/html/Elements/TSVExport | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/share/html/Elements/TSVExport b/share/html/Elements/TSVExport
+index 5a13fecb..13f03ccd 100644
+--- a/share/html/Elements/TSVExport
++++ b/share/html/Elements/TSVExport
+@@ -122,6 +122,8 @@ while (my $row = $Collection->Next) {
+ $val =~ s/(?:\n|\r)+/ /g; $val =~ s{\t}{ }g;
+ $val = $no_html->scrub($val);
+ $val = HTML::Entities::decode_entities($val);
++ # To prevent injection, add a leading space to make sure excel-ish applications treat it like a literal
++ $val =~ s/^(?=-|\+|=|\@|")/ /;
+ $val;
+ } @$col)."\n");
+ }
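Review bot: The added `$val =~ s/^(?=-|\+|=|\@|")/ /;` in the embedded TSVExport hunk only neutralises a cell if the importing application keeps the leading space, and the comment above it does not record that assumption or which applications it was checked with; an importer that trims leading whitespace would presumably see the original value again. I would extend the comment to something like `# Must run after decode_entities so entity-encoded '=' etc. are caught; relies on the importer keeping the leading space`, since the ordering after `HTML::Entities::decode_entities` is what makes the check see the final text. The guard also rewrites legitimate values that start with `-` or `+` (a negative number, for instance), which is worth a line in the changelog for anyone parsing the export programmatically. The patch changes one file and adds no test, so a regression test covering each of the five leading characters would be a useful follow-up; the enclosing `map` block and `while` loop start outside the hunk.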