Version in base suite: 5.0.7+dfsg-4
Base version: request-tracker5_5.0.7+dfsg-4
Target version: request-tracker5_5.0.7+dfsg-4+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/request-tracker5/request-tracker5_5.0.7+dfsg-4.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/request-tracker5/request-tracker5_5.0.7+dfsg-4+deb13u1.dsc
.git-dpm | 4 -
changelog | 9 +++
patches/series | 1
patches/upstream_5.0.7_cve:_patchset_2025-10-07.diff | 46 +++++++++++++++++++
4 files changed, 58 insertions(+), 2 deletions(-)
diff -Nru request-tracker5-5.0.7+dfsg/debian/.git-dpm request-tracker5-5.0.7+dfsg/debian/.git-dpm
--- request-tracker5-5.0.7+dfsg/debian/.git-dpm 2025-05-21 08:41:00.000000000 +0000
+++ request-tracker5-5.0.7+dfsg/debian/.git-dpm 2025-10-08 08:16:58.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-dd4e7d0f705ba5173a61c7a674b3184a063b9c61
-dd4e7d0f705ba5173a61c7a674b3184a063b9c61
+72d03f2d58a19d24c22aaf30fe8a2290fa26fc29
+72d03f2d58a19d24c22aaf30fe8a2290fa26fc29
 7ffdc76a3d7dde5bc3954f1c874ec200bdc3310a
 7ffdc76a3d7dde5bc3954f1c874ec200bdc3310a
 request-tracker5_5.0.7+dfsg.orig.tar.gz
diff -Nru request-tracker5-5.0.7+dfsg/debian/changelog request-tracker5-5.0.7+dfsg/debian/changelog
--- request-tracker5-5.0.7+dfsg/debian/changelog 2025-05-21 08:43:14.000000000 +0000
+++ request-tracker5-5.0.7+dfsg/debian/changelog 2025-10-08 08:16:58.000000000 +0000
@@ -1,3 +1,12 @@
+request-tracker5 (5.0.7+dfsg-4+deb13u1) trixie-security; urgency=medium
+
+ * Apply upstream patch which fixes several security vulnerabilities:
+ - [CVE-2025-61873] Fix CSV injection via ticket values with special
+ characters that are exported to a TSV from search results.
+ - [CVE-2025-9158] Fix XSS via calendar invitations added to a ticket.
+
+ -- Andrew Ruthven Wed, 08 Oct 2025 21:16:58 +1300
+
 request-tracker5 (5.0.7+dfsg-4) unstable; urgency=high
 * Update d/watch to only look for versions that match 5.x.y as version 6 will
diff -Nru request-tracker5-5.0.7+dfsg/debian/patches/series request-tracker5-5.0.7+dfsg/debian/patches/series
--- request-tracker5-5.0.7+dfsg/debian/patches/series 2025-05-21 08:41:00.000000000 +0000
+++ request-tracker5-5.0.7+dfsg/debian/patches/series 2025-10-08 08:16:58.000000000 +0000
@@ -30,3 +30,4 @@
 upstream_5.0.8_test_web:_patchset_2025-04-08.diff
 debianize_UPGRADING-5.0.diff
 debianize_UPGRADING-4.4.diff
+upstream_5.0.7_cve:_patchset_2025-10-07.diff
diff -Nru request-tracker5-5.0.7+dfsg/debian/patches/upstream_5.0.7_cve:_patchset_2025-10-07.diff request-tracker5-5.0.7+dfsg/debian/patches/upstream_5.0.7_cve:_patchset_2025-10-07.diff
--- request-tracker5-5.0.7+dfsg/debian/patches/upstream_5.0.7_cve:_patchset_2025-10-07.diff 1970-01-01 00:00:00.000000000 +0000
+++ request-tracker5-5.0.7+dfsg/debian/patches/upstream_5.0.7_cve:_patchset_2025-10-07.diff 2025-10-08 08:16:58.000000000 +0000
@@ -0,0 +1,46 @@
+From 72d03f2d58a19d24c22aaf30fe8a2290fa26fc29 Mon Sep 17 00:00:00 2001
+From: Andrew Ruthven
+Date: Wed, 8 Oct 2025 21:16:17 +1300
+Subject: Fix for CVE-2025-61873 and CVE-2025-9158
+
+Resolve vulnerabilities:
+
+- regarding CSV injection via ticket values with special characters that are
+ exported to a TSV from search results (CVE-2025-61873).
+- XSS via calendar invitations added to a ticket (CVE-2025-9158).
+
+Patch-Name: upstream_5.0.7_cve:_patchset_2025-10-07.diff
+Author: Best Practical
+Forwarded: not-needed
+Applied: 5.0.9
+---
+ share/html/Elements/ShowCalendarInvitation | 2 +-
+ share/html/Elements/TSVExport | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/share/html/Elements/ShowCalendarInvitation b/share/html/Elements/ShowCalendarInvitation
+index 42a97634..9f24f76d 100644
+--- a/share/html/Elements/ShowCalendarInvitation
++++ b/share/html/Elements/ShowCalendarInvitation
+@@ -52,7 +52,7 @@
+
+ <% $header->{'Tag'} %>:
+
+- <% $header->{'Value'} | n %>
++ <% $header->{'Value'} %>
+
+
+ % }
+diff --git a/share/html/Elements/TSVExport b/share/html/Elements/TSVExport
+index beaa4cc6..ecb19640 100644
+--- a/share/html/Elements/TSVExport
++++ b/share/html/Elements/TSVExport
+@@ -145,6 +145,8 @@ while (my $row = $Collection->Next) {
+ $val =~ s/(?:\n|\r)+/ /g; $val =~ s{\t}{ }g;
+ $val = $no_html->scrub($val);
+ $val = HTML::Entities::decode_entities($val);
++ # To prevent injection, add a leading space to make sure excel-ish applications treat it like a literal
++ $val =~ s/^(?=-|\+|=|\@|")/ /;
+ $val;
+ } @$col)."\n");
+ }
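Review bot: The new `$val =~ s/^(?=-|\+|=|\@|")/ /;` in TSVExport only neutralises a formula cell for as long as the consumer keeps the leading space; importers that trim whitespace on load (some spreadsheet import dialogs offer this as an option, and any intermediate script may do it) would drop the space and evaluate the cell again, so a single-quote prefix or a double-quoted cell is the more robust form if upstream is willing to take it. The other formula-triggering prefixes, tab and CR, are already collapsed to spaces by the `s/(?:\n|\r)+/ /g` and `s{\t}{ }g` two lines earlier, which is also why the `^` anchor without `/m` is enough here. The comment should name the threat and the dependency rather than "excel-ish applications", e.g. `# Formula/CSV injection (CVE-2025-61873): a leading -, +, =, @ or " is evaluated by spreadsheet importers; the leading space relies on newlines and tabs being collapsed above and is defeated if the consumer trims whitespace.` The per-cell map this sits in starts and ends outside the hunk, so the rest of the sanitisation chain is not visible here.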