Version in base suite: 1.17.0+dfsg-1

Base version: python-memray_1.17.0+dfsg-1
Target version: python-memray_1.17.0+dfsg-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-memray/python-memray_1.17.0+dfsg-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-memray/python-memray_1.17.0+dfsg-1+deb13u1.dsc

 changelog                                       |    8 ++
 patches/0001-Fix-escaping-in-HTML-reports.patch |   88 ++++++++++++++++++++++++
 patches/series                                  |    1 
 3 files changed, 97 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpgar_uria/python-memray_1.17.0+dfsg-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpgar_uria/python-memray_1.17.0+dfsg-1+deb13u1.dsc: no acceptable signature found
diff -Nru python-memray-1.17.0+dfsg/debian/changelog python-memray-1.17.0+dfsg/debian/changelog
--- python-memray-1.17.0+dfsg/debian/changelog	2025-04-04 19:28:26.000000000 +0000
+++ python-memray-1.17.0+dfsg/debian/changelog	2026-06-27 13:51:20.000000000 +0000
@@ -1,3 +1,11 @@
+python-memray (1.17.0+dfsg-1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-32722: XSS in generated HTML reports via unescaped
+    command-line metadata (Closes: #1131372)
+
+ -- Adrian Bunk <bunk@debian.org>  Sat, 27 Jun 2026 16:51:20 +0300
+
 python-memray (1.17.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 1.17.0.
diff -Nru python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
--- python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch	1970-01-01 00:00:00.000000000 +0000
+++ python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch	2026-06-24 11:32:46.000000000 +0000
@@ -0,0 +1,88 @@
+From b08620f772126ed3e340ddbb9893819a32289ab5 Mon Sep 17 00:00:00 2001
+From: Matt Wozniski <mwozniski@bloomberg.net>
+Date: Wed, 11 Mar 2026 14:52:56 -0400
+Subject: Fix escaping in HTML reports
+
+Ensure the command line is properly HTML escaped when writing it into
+flamegraph and table reports.
+
+Signed-off-by: Matt Wozniski <mwozniski@bloomberg.net>
+---
+ src/memray/reporters/templates/base.html |  2 +-
+ tests/unit/test_templates.py             | 43 ++++++++++++++++++++++++
+ 2 files changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/src/memray/reporters/templates/base.html b/src/memray/reporters/templates/base.html
+index b3bfc94..ce5f4ea 100644
+--- a/src/memray/reporters/templates/base.html
++++ b/src/memray/reporters/templates/base.html
+@@ -95,7 +95,7 @@
+           </button>
+         </div>
+         <div class="modal-body">
+-          Command line: <code>{{ metadata.command_line }}</code><br>
++          Command line: <code>{{ metadata.command_line|e }}</code><br>
+           Start time: <span id="stats-start-time"> {{ metadata.start_time }}</span><br>
+           End time: <span id="stats-end-time"> {{ metadata.end_time }}</span><br>
+           Duration: {{ metadata.end_time - metadata.start_time }}<br>
+diff --git a/tests/unit/test_templates.py b/tests/unit/test_templates.py
+index 2a57ef3..1938f5c 100644
+--- a/tests/unit/test_templates.py
++++ b/tests/unit/test_templates.py
+@@ -1,6 +1,11 @@
++from datetime import datetime
++
+ import pytest
+ 
++from memray import Metadata
++from memray._memray import FileFormat
+ from memray.reporters.templates import get_report_title
++from memray.reporters.templates import render_report
+ 
+ 
+ @pytest.mark.parametrize(
+@@ -21,3 +26,41 @@ def test_title_for_regular_report(kind, show_memory_leaks, inverted, expected):
+         )
+         == expected
+     )
++
++
++@pytest.mark.parametrize(
++    "kind",
++    ["flamegraph", "table"],
++)
++def test_html_report_escaping(kind):
++    """Test that command line arguments are properly escaped."""
++    # GIVEN
++    metadata = Metadata(
++        start_time=datetime(2024, 1, 1, 0, 0, 0),
++        end_time=datetime(2024, 1, 1, 0, 1, 0),
++        total_allocations=100,
++        total_frames=10,
++        peak_memory=1024,
++        command_line="python test.py </code>",
++        pid=12345,
++        main_thread_id=1,
++        python_allocator="pymalloc",
++        has_native_traces=False,
++        trace_python_allocators=False,
++        file_format=FileFormat.ALL_ALLOCATIONS,
++    )
++
++    # WHEN
++    html_output = render_report(
++        kind=kind,
++        data=[],
++        metadata=metadata,
++        memory_records=[],
++        show_memory_leaks=False,
++        merge_threads=False,
++        inverted=False,
++    )
++
++    # THEN
++    assert html_output.count("<code>") == html_output.count("</code>")
++    assert "python test.py &lt;/code&gt;" in html_output
+-- 
+2.47.3
+
diff -Nru python-memray-1.17.0+dfsg/debian/patches/series python-memray-1.17.0+dfsg/debian/patches/series
--- python-memray-1.17.0+dfsg/debian/patches/series	2025-04-04 19:28:26.000000000 +0000
+++ python-memray-1.17.0+dfsg/debian/patches/series	2026-06-24 11:32:44.000000000 +0000
@@ -3,3 +3,4 @@
 003-rm-distutils-from-setup.patch
 002-rm-external-git-link.patch
 001-fix-html-privacy-breach.patch
+0001-Fix-escaping-in-HTML-reports.patch